def test_login_user_with_idp_already_in_db(db_session): """ Test that if a user is already in the database, has identity_provider configured, and logs in, the session will contain the user's information. """ email = "*****@*****.**" provider = "Test Provider" id_from_idp = "Provider_ID_0001" test_user = User(username=email, email=email, id_from_idp=id_from_idp, is_admin=False) test_idp = IdentityProvider(name=provider) test_user.identity_provider = test_idp db_session.add(test_user) db_session.commit() user_id = str(test_user.id) login_user(email, provider, email=email, id_from_idp=id_from_idp) assert test_user.identity_provider.name == provider assert test_user.id_from_idp == id_from_idp assert test_user.email == email assert flask.session["username"] == email assert flask.session["provider"] == provider assert flask.session["user_id"] == user_id assert flask.g.user == test_user
def login_user(username, provider, fence_idp=None, shib_idp=None, email=None): """ Login a user with the given username and provider. Set values in Flask session to indicate the user being logged in. In addition, commit the user and associated idp information to the db. Args: username (str): specific username of user to be logged in provider (str): specfic idp of user to be logged in fence_idp (str, optional): Downstreawm fence IdP shib_idp (str, optional): Downstreawm shibboleth IdP email (str, optional): email of user (may or may not match username depending on the IdP) """ def set_flask_session_values(user): """ Helper fuction to set user values in the session. Args: user (User): User object """ flask.session["username"] = user.username flask.session["user_id"] = str(user.id) flask.session["provider"] = user.identity_provider.name if fence_idp: flask.session["fence_idp"] = fence_idp if shib_idp: flask.session["shib_idp"] = shib_idp flask.g.user = user flask.g.scopes = ["_all"] flask.g.token = None user = query_for_user(session=current_session, username=username) if user: _update_users_email(user, email) # This expression is relevant to those users who already have user and # idp info persisted to the database. We return early to avoid # unnecessarily re-saving that user and idp info. if user.identity_provider and user.identity_provider.name == provider: set_flask_session_values(user) return else: if email: user = User(username=username, email=email) else: user = User(username=username) idp = (current_session.query(IdentityProvider).filter( IdentityProvider.name == provider).first()) if not idp: idp = IdentityProvider(name=provider) user.identity_provider = idp current_session.add(user) current_session.commit() set_flask_session_values(user)
def create_providers(data, db_session): s = db_session providers = data["providers"] for provider in providers: prov = CloudProvider() prov.name = provider["name"] prov.backend = provider["backend"] prov.service = provider["service"] s.add(prov) s.flush for name, user in list(data["users"].items()): new_user = User() new_user.username = name new_user.email = user["email"] new_user.is_admin = user["is_admin"] s.add(new_user) user["id"] = new_user.id for project in data["projects"]: new_project = Project() new_project.name = project["name"] s.add(new_project) for storage in project["storage_access"]: provider = s.query(CloudProvider).filter_by(name=storage).first() if provider: new_storage_access = StorageAccess(provider_id=provider.id, project_id=new_project.id) s.add(new_storage_access) for bucket in project["buckets"]: new_bucket = Bucket() new_bucket.name = bucket["name"] provider = s.query(CloudProvider).filter_by( name=bucket["provider"]).first() new_bucket.provider_id = provider.id s.add(new_bucket) s.flush() project_to_bucket = ProjectToBucket() project_to_bucket.bucket_id = new_bucket.id project_to_bucket.project_id = new_project.id s.add(project_to_bucket) s.flush() for user in project["users"]: access = AccessPrivilege() access.user_id = data["users"][user["name"]]["id"] access.project_id = new_project.id s.add(access)
def test_login_user_already_in_db(db_session): """ Test that if a user is already in the database and logs in, the session will contain the user's information (including additional information that may have been provided during the login like email and id_from_idp) """ email = "*****@*****.**" provider = "Test Provider" id_from_idp = "Provider_ID_0001" test_user = User(username=email, is_admin=False) db_session.add(test_user) db_session.commit() user_id = str(test_user.id) assert not test_user.email assert not test_user.id_from_idp login_user(email, provider, email=email, id_from_idp=id_from_idp) assert test_user.identity_provider.name == provider assert test_user.id_from_idp == id_from_idp assert test_user.email == email assert flask.session["username"] == email assert flask.session["provider"] == provider assert flask.session["user_id"] == user_id assert flask.g.user == test_user
def create_awg_user(users, db_session): s = db_session for username in list(users.keys()): user = query_for_user(session=s, username=username) if not user: user = User(username=username) s.add(user) projects = {} for project_data in users[username]["projects"]: auth_id = project_data["auth_id"] p_name = project_data.get("name", auth_id) project = s.query(Project).filter(Project.auth_id == auth_id).first() if not project: project = Project(name=p_name, auth_id=auth_id) s.add(project) projects[p_name] = project groups = users[username].get("groups", []) for group in groups: group_name = group["name"] group_desc = group["description"] grp = s.query(Group).filter(Group.name == group_name).first() if not grp: grp = Group() grp.name = group_name grp.description = group_desc s.add(grp) s.flush() UserToGroup(group=grp, user=user) for projectname in group["projects"]: gap = ( s.query(AccessPrivilege) .join(AccessPrivilege.project) .join(AccessPrivilege.group) .filter(Project.name == projectname, Group.name == group_name) .first() ) if not gap: project = projects[projectname] gap = AccessPrivilege(project_id=project.id, group_id=grp.id) s.add(gap) s.flush() ap = ( s.query(AccessPrivilege) .join(AccessPrivilege.project) .join(AccessPrivilege.user) .filter(Project.name == projectname, User.username == user.username) .first() ) privilege = {"read"} if not ap: project = projects[projectname] ap = AccessPrivilege( project=project, user=user, privilege=privilege ) s.add(ap) s.flush() return user.id, user.username
def test_valid_id_token_without_nonce(app): """ Create a token and then validate it and make sure there are no exceptions when a nonce is not provided. """ issuer = app.config.get('BASE_URL') keypair = app.keypairs[0] client_id = "client_12345" user = User(username='******', is_admin=False) expires_in = 2592000 nonce = None max_age = None signed_token = create_id_token( user=user, keypair=keypair, expires_in=expires_in, client_id=client_id, audiences=[client_id], auth_time=None, max_age=max_age, nonce=nonce ) unsigned_token = UnsignedIDToken.from_signed_and_encoded_token( signed_token, client_id=client_id, issuer=issuer, max_age=max_age, nonce=nonce) unsigned_token.validate( issuer=issuer, client_id=client_id, max_age=max_age, nonce=nonce ) assert not unsigned_token.token.get("nonce")
def test_user(db_session): user = User(id=1, email="*****@*****.**") db_session.add(user) db_session.commit() yield user
def test_map_iss_sub_pair_to_user_with_prior_login_and_prior_DRS_access( db_session, ): """ Test RASOauth2Client.map_iss_sub_pair_to_user when the username passed in (e.g. eRA username) already exists in the Fence database and that user's <iss, sub> combination has already been mapped to a separate user created during a prior DRS access request. In this case, map_iss_sub_pair_to_user returns the user created from prior DRS/data access, rendering the other user (e.g. the eRA one) inaccessible. """ iss = "https://domain.tld" sub = "123_abc" username = "******" email = "*****@*****.**" oidc = config.get("OPENID_CONNECT", {}) ras_client = RASClient( oidc["ras"], HTTP_PROXY=config.get("HTTP_PROXY"), logger=logger, ) # reset users table db_session.query(User).delete() db_session.commit() user = User(username=username, email=email) db_session.add(user) db_session.commit() get_or_create_gen3_user_from_iss_sub(iss, sub, db_session=db_session) username_to_log_in = ras_client.map_iss_sub_pair_to_user( iss, sub, username, email, db_session=db_session) assert username_to_log_in == "123_abcdomain.tld" iss_sub_pair_to_user = db_session.query(IssSubPairToUser).get((iss, sub)) assert iss_sub_pair_to_user.user.username == "123_abcdomain.tld"
def create_user(current_session, username, role, email): """ Create a user for all the projects or groups in the list. If the user already exists, to avoid unadvertedly changing it, we suggest update Returns a dictionary. """ if not username: raise UserError(("Error: Please provide a username")) try: usr = us.get_user(current_session, username) raise UserError(("Error: user already exist. If this is not a" " mistake, please, retry using update")) except NotFound: user_list = [ user["name"].upper() for user in get_all_users(current_session)["users"] ] if username.upper() in user_list: raise UserError( ("Error: user with a name with the same combination/order " "of characters already exists. Please remove this other user" " or modify the new one. Contact us in case of doubt")) is_admin = role == "admin" email_add = email usr = User(username=username, active=True, is_admin=is_admin, email=email_add) current_session.add(usr) return us.get_user_info(current_session, username)
def create_client( username, urls, DB, name="", description="", auto_approve=False, is_admin=False, grant_types=None, confidential=True, arborist=None, policies=None, allowed_scopes=None, ): client_id = random_str(40) if arborist is not None: arborist.create_client(client_id, policies) grant_types = grant_types driver = SQLAlchemyDriver(DB) client_secret = None hashed_secret = None if confidential: client_secret = random_str(55) hashed_secret = bcrypt.hashpw(client_secret.encode("utf-8"), bcrypt.gensalt()).decode("utf-8") auth_method = "client_secret_basic" if confidential else "none" allowed_scopes = allowed_scopes or config["CLIENT_ALLOWED_SCOPES"] if not set(allowed_scopes).issubset(set(config["CLIENT_ALLOWED_SCOPES"])): raise ValueError("Each allowed scope must be one of: {}".format( config["CLIENT_ALLOWED_SCOPES"])) if "openid" not in allowed_scopes: allowed_scopes.append("openid") logger.warning( 'Adding required "openid" scope to list of allowed scopes.') with driver.session as s: user = query_for_user(session=s, username=username) if not user: user = User(username=username, is_admin=is_admin) s.add(user) if s.query(Client).filter(Client.name == name).first(): if arborist is not None: arborist.delete_client(client_id) raise Exception("client {} already exists".format(name)) client = Client( client_id=client_id, client_secret=hashed_secret, user=user, redirect_uris=urls, _allowed_scopes=" ".join(allowed_scopes), description=description, name=name, auto_approve=auto_approve, grant_types=grant_types, is_confidential=confidential, token_endpoint_auth_method=auth_method, ) s.add(client) s.commit() return client_id, client_secret
def create_user(users, db_session, is_admin=False): s = db_session for username in list(users.keys()): user = query_for_user(session=s, username=username) if not user: user = User(username=username, is_admin=is_admin) s.add(user) for project_data in users[username]["projects"]: privilege = project_data["privilege"] auth_id = project_data["auth_id"] p_name = project_data.get("name", auth_id) project = s.query(Project).filter( Project.auth_id == auth_id).first() if not project: project = Project(name=p_name, auth_id=auth_id) s.add(project) ap = (s.query(AccessPrivilege).join( AccessPrivilege.project).join(AccessPrivilege.user).filter( Project.name == p_name, User.username == user.username).first()) if not ap: ap = AccessPrivilege(project=project, user=user, privilege=privilege) s.add(ap) else: ap.privilege = privilege return user.id, user.username
def test_valid_id_token_without_nonce(app): """ Create a token and then validate it and make sure there are no exceptions when a nonce is not provided. """ issuer = config.get("BASE_URL") keypair = app.keypairs[0] client_id = "client_12345" user = User(username="******", is_admin=False) expires_in = 2592000 nonce = None max_age = None token_result = generate_signed_id_token( keypair.kid, keypair.private_key, user, expires_in, client_id, audiences=[client_id], auth_time=None, max_age=None, nonce=None, ) unsigned_token = UnsignedIDToken.from_signed_and_encoded_token( token_result.token, client_id=client_id, issuer=issuer, max_age=max_age, nonce=nonce, ) unsigned_token.validate() assert not unsigned_token.get("nonce")
def test_valid_id_token(app): """ Create a token and then validate it and make sure there are no exceptions """ issuer = config.get("BASE_URL") keypair = app.keypairs[0] client_id = "client_12345" user = User(username="******", is_admin=False) expires_in = 2592000 nonce = "a1b2c3d4e5f6g7h8i9j0k!l@#n$%^q&*stuvwxyz" max_age = None token_result = generate_signed_id_token( keypair.kid, keypair.private_key, user, expires_in, client_id, audiences=[client_id], auth_time=None, max_age=None, nonce=None, ) unsigned_token = UnsignedIDToken.from_signed_and_encoded_token( token_result.token, client_id=client_id, issuer=issuer, max_age=max_age, nonce=nonce, ) unsigned_token.validate()
def test_valid_id_token(app): """ Create a token and then validate it and make sure there are no exceptions """ issuer = app.config.get('BASE_URL') keypair = app.keypairs[0] client_id = "client_12345" user = User(username='******', is_admin=False) expires_in = 2592000 nonce = "a1b2c3d4e5f6g7h8i9j0k!l@#n$%^q&*stuvwxyz" max_age = None signed_token = create_id_token( user=user, keypair=keypair, expires_in=expires_in, client_id=client_id, audiences=[client_id], auth_time=None, max_age=max_age, nonce=nonce ) unsigned_token = UnsignedIDToken.from_signed_and_encoded_token( signed_token, client_id=client_id, issuer=issuer, max_age=max_age, nonce=nonce) unsigned_token.validate( issuer=issuer, client_id=client_id, max_age=max_age, nonce=nonce ) assert True
def login_user(request, username, provider): user = current_session.query( User).filter(User.username == username).first() if not user: user = User(username=username) idp = ( current_session.query(IdentityProvider) .filter(IdentityProvider.name == provider).first() ) if not idp: idp = IdentityProvider(name=provider) user.identity_provider = idp current_session.add(user) current_session.commit() flask.g.user = user flask.g.scopes = ["_all"] flask.g.token = None
def add_test_user(db_session, username="******", id="5678", is_admin=True): test_user = User(username=username, id=id, is_admin=is_admin) # id is part of primary key check_user_exists = db_session.query(User).filter_by(id=id).first() if not check_user_exists: db_session.add(test_user) db_session.commit() return test_user
def test_user(db_session): user = User(id=1, email="*****@*****.**") test_user = db_session.query(User).filter_by(id=1).first() if not test_user: db_session.add(user) db_session.commit() yield user
def login_user(request, username, provider): user = query_for_user(session=current_session, username=username) if not user: user = User(username=username) idp = (current_session.query(IdentityProvider).filter( IdentityProvider.name == provider).first()) if not idp: idp = IdentityProvider(name=provider) user.identity_provider = idp current_session.add(user) current_session.commit() flask.session["username"] = username flask.session["provider"] = provider flask.session["user_id"] = str(user.id) flask.g.user = user flask.g.scopes = ["_all"] flask.g.token = None
def test_delete_user_with_access_privilege(app, db_session): user = User(username="******") project = Project(id=1, name="test-project") access_privilege = AccessPrivilege(user=user, privilege=["read"], project=project) db_session.add(user) db_session.add(project) db_session.add(access_privilege) db_session.commit() delete_users(config["DB"], [user.username]) remaining_usernames = db_session.query(User.username).all() assert db_session.query(User).count() == 0, remaining_usernames
def test_create_user_refresh_token_with_no_found_user(app, db_session, kid, rsa_private_key): user = User(username="******") db_session.add(user) jwt_creator = JWTCreator( app.config["DB"], app.config["BASE_URL"], kid=kid, username="******", scopes="fence", expires_in=3600, private_key=rsa_private_key, ) with pytest.raises(EnvironmentError): jwt_creator.create_refresh_token()
def _grant_from_db(self, s, userinfo, to_add, auth_provider): ''' Grant user access to projects in the auth database Args: s: sqlalchemy session to_add: a set of (username, project.auth_id) to be granted Return: None ''' for (username, project_auth_id) in to_add: u = s.query(User).filter(User.username == username).first() if not u: self.logger.info('create user {}'.format(username)) u = User(username=username) u.email = userinfo[username]['email'] s.add(u) self.logger.info('grant {} access to {} in db'.format( username, project_auth_id)) user_access = AccessPrivilege( user=u, project=self._projects[project_auth_id], privilege=['read-storage'], auth_provider=auth_provider) s.add(user_access)
def test_user_d(db_session): """ Test user for delete /user/<username> For delete-user tests you probably want to just use one of the load_*_user_data fixtures """ user = (db_session.query(User).filter_by( username=userd_dict["user_username"]).first()) if not user: user = User( id=userd_dict["user_id"], username=userd_dict["user_username"], email=userd_dict["user_email"], ) db_session.add(user) db_session.commit()
def test_recode_id_token(app, kid, rsa_private_key): """ Test that after signing, unsigning, re-signing, and unsigning again, the contents of the ID Token that should be the same, are. """ issuer = config.get("BASE_URL") keypair = app.keypairs[0] client_id = "client_12345" user = User(username="******", is_admin=False) expires_in = 2592000 nonce = "a1b2c3d4e5f6g7h8i9j0k!l@#n$%^q&*stuvwxyz" max_age = None original_signed_token = generate_signed_id_token( keypair.kid, keypair.private_key, user, expires_in, client_id, audiences=[client_id], auth_time=None, max_age=max_age, nonce=nonce, ) original_unsigned_token = UnsignedCodeIDToken.from_signed_and_encoded_token( original_signed_token.token, client_id=client_id, issuer=issuer, max_age=max_age, nonce=nonce, ) new_signed_token = original_unsigned_token.get_signed_and_encoded_token( kid, rsa_private_key) new_unsigned_token = UnsignedCodeIDToken.from_signed_and_encoded_token( new_signed_token, client_id=client_id, issuer=issuer, max_age=max_age, nonce=nonce, ) assert original_unsigned_token.iss == new_unsigned_token.iss assert original_unsigned_token.sub == new_unsigned_token.sub assert original_unsigned_token.aud == new_unsigned_token.aud assert original_unsigned_token.azp == new_unsigned_token.azp assert original_unsigned_token.nonce == new_unsigned_token.nonce
def test_delete_users(app, db_session, example_usernames): """ Test the basic functionality of ``delete_users``. """ for username in example_usernames: db_session.add(User(username=username)) db_session.commit() # Delete all but the first user; check that the first one is still there # and the rest are gone. delete_users(app.config["DB"], example_usernames[1:]) # Get the list of usernames for users that still exist. # (The `list(zip(...))` trick is to turn a list of 1-tuples into a # flattened list.) remaining_usernames = list(zip(*db_session.query(User.username).all())[0]) assert example_usernames[0] in remaining_usernames for username in example_usernames[1:]: assert username not in remaining_usernames
def test_create_user_access_token(app, db_session, client, kid, rsa_private_key, oauth_client): user = User(username="******") db_session.add(user) jwt_result = JWTCreator( config["DB"], config["BASE_URL"], kid=kid, username="******", scopes=["openid", "user"], expires_in=3600, private_key=rsa_private_key, ).create_access_token() r = client.get("/user", headers={"Authorization": "Bearer " + jwt_result.token}) assert r.status_code == 200
def test_create_id_token(app): """ Naive ID Token generation test. Just makes sure there are no exceptions and something is created. """ keypair = app.keypairs[0] client_id = "client_12345" user = User(username='******', is_admin=False) expires_in = 2592000 token = create_id_token( user=user, keypair=keypair, expires_in=expires_in, client_id=client_id, audiences=[client_id], auth_time=None, max_age=None, nonce=None ) assert token is not None
def test_expired_id_token(app): """ Create a token that is already expired make sure an exception is thrown. """ keypair = app.keypairs[0] client_id = "client_12345" user = User(username='******', is_admin=False) expires_in = 0 nonce = None max_age = None with pytest.raises(IDTokenError): token = generate_signed_id_token( keypair.kid, keypair.private_key, user, expires_in, client_id, audiences=[client_id], auth_time=None, max_age=max_age, nonce=nonce ) assert not token
def test_login_user_already_in_db(db_session): """ Test that if a user is already in the database and logs in, the session will contain the user's information. """ email = "*****@*****.**" provider = "Test Provider" test_user = User(username=email, is_admin=False) db_session.add(test_user) db_session.commit() user_id = str(test_user.id) login_user(flask.request, email, provider) assert flask.session["username"] == email assert flask.session["provider"] == provider assert flask.session["user_id"] == user_id assert flask.g.user == test_user
def test_user_delete_cascade(db_session): """ test deleting a user will cascade to its children """ user = User(username="******") client = Client( name="test_client", user=user, client_id=random_str(40), client_secret=random_str(60), ) db_session.add(user) db_session.add(client) db_session.flush() assert len(user.clients) == 1 db_session.delete(user) assert db_session.query(Client).filter_by( client_id=client.client_id).count() == 0
def create_client( username, urls, DB, name="", description="", auto_approve=False, is_admin=False, grant_types=None, confidential=True, ): grant_types = grant_types driver = SQLAlchemyDriver(DB) client_id = random_str(40) client_secret = None hashed_secret = None if confidential: client_secret = random_str(55) hashed_secret = bcrypt.hashpw(client_secret, bcrypt.gensalt()) auth_method = "client_secret_basic" if confidential else "none" with driver.session as s: user = query_for_user(session=s, username=username) if not user: user = User(username=username, is_admin=is_admin) s.add(user) if s.query(Client).filter(Client.name == name).first(): raise Exception("client {} already exists".format(name)) client = Client( client_id=client_id, client_secret=hashed_secret, user=user, redirect_uris=urls, _allowed_scopes=" ".join(config["CLIENT_ALLOWED_SCOPES"]), description=description, name=name, auto_approve=auto_approve, grant_types=grant_types, is_confidential=confidential, token_endpoint_auth_method=auth_method, ) s.add(client) s.commit() return client_id, client_secret