        def run():
            """
            Verify C{self.username}'s password and, on success, mint tokens.

            Plain-HTTP requests are rejected unless development mode is on.
            The request is validated with C{registry.checkRequest} and its
            C{'password'} field is compared against the user's stored hash.

            @return: When the password matches, a C{dict} holding the
                encrypted C{accessToken} and C{renewalToken} (both issued to
                the C{'anon'} consumer), the user's C{fullname}, C{role} and
                C{'valid': True}; otherwise C{{'valid': False}}.
            @raise TBadRequest: If the request is not secure and development
                mode is off.
            @raise TNoSuchUser: If no user named C{self.username} exists.
            """
            # NOTE(review): an unknown username raises TNoSuchUser while a
            # wrong password returns {'valid': False}, so a caller can tell
            # the two apart -- a username-enumeration oracle.  Collapsing
            # both into {'valid': False} would change the public API, so it
            # is only flagged here.
            insecure = not request.isSecure() and not getDevelopmentMode()
            if insecure:
                raise TBadRequest(
                    '/users/<username>/verify requests must use HTTPS')
            fields = registry.checkRequest(usage, request)
            username = self.username.decode('utf-8')
            user = cachingGetUser(username)
            if not user:
                raise TNoSuchUser(self.username)

            if not checkPassword(fields['password'], user.passwordHash):
                return {'valid': False}

            # FIXME Hard-coding the 'anon' consumer here isn't great,
            # but for now it means we don't have to change the public
            # API. -jkakar
            consumerAPI = OAuthConsumerAPI()
            anonConsumer = cachingGetUser(u'anon')
            accessToken = consumerAPI.getAccessToken(anonConsumer, user)
            renewalToken = consumerAPI.getRenewalToken(anonConsumer, user)
            return {'accessToken': accessToken.encrypt(),
                    'fullname': user.fullname,
                    'renewalToken': renewalToken.encrypt(),
                    'role': str(user.role),
                    'valid': True}
    def testRequestAvatarId(self):
        """
        L{FacadeOAuthChecker.requestAvatarId} yields a L{FluidinfoSession}
        bound to the token's user when the L{OAuthCredentials} carry an
        HMAC-SHA1 signature that verifies for a registered consumer.
        """
        UserAPI().create([
            (u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
            (u'user', u'secret', u'User', u'*****@*****.**')])
        consumerUser = getUser(u'consumer')
        user = getUser(u'user')
        consumerAPI = OAuthConsumerAPI()
        consumer = consumerAPI.register(consumerUser)
        token = consumerAPI.getAccessToken(consumerUser, user)
        self.store.commit()

        # FIXME A hard-coded signature would catch unintended changes to
        # the signing scheme, but the encrypted token produced by
        # fluiddb.util.minitoken differs on every run, so the signature has
        # to be computed here over the request the credentials describe.
        # -jkakar
        url = u'https://fluidinfo.com/foo'
        headers = {'header1': 'foo'}
        signedRequest = Request.from_request('GET', url, headers,
                                             {'argument1': 'bar'})
        signature = SignatureMethod_HMAC_SHA1().sign(signedRequest,
                                                     consumer, None)
        credentials = OAuthCredentials('fluidinfo.com', consumerUser.username,
                                       token.encrypt(), 'HMAC-SHA1', signature,
                                       1314976811, 'nonce', 'GET', url,
                                       headers, 'argument1=bar')
        session = yield self.checker.requestAvatarId(credentials)
        self.assertEqual(user.username, session.auth.username)
        self.assertEqual(user.objectID, session.auth.objectID)
    def testAuthenticateOAuth(self):
        """
        L{OAuthConsumerAPI.authenticate} returns the L{User} a token was
        issued for when the accompanying L{OAuthCredentials} are valid.
        This mirrors OAuth Echo: the consumer presents a token that lets it
        act on behalf of a particular user.
        """
        UserAPI().create([(u'consumer', u'password', u'Consumer',
                           u'*****@*****.**')])
        UserAPI().create([(u'user', u'secret', u'User', u'*****@*****.**')])
        consumer = getUser(u'consumer')
        user = getUser(u'user')

        consumerAPI = OAuthConsumerAPI()
        # The consumer secret is pinned, presumably because the expected
        # signature below was generated with it; HMAC-SHA1 keys on the
        # consumer secret, so a random one would not verify.
        consumerAPI.register(consumer, secret='abyOTsAfo9MVN0qz')
        token = consumerAPI.getAccessToken(consumer, user)
        expectedSignature = 'Sno1ocDhYv9vwJnEJATE3cmUvSo='
        credentials = OAuthCredentials(
            'fluidinfo.com', consumer.username, token.encrypt(), 'HMAC-SHA1',
            expectedSignature, 1314976811, 'nonce', 'GET',
            u'https://fluidinfo.com/foo', {'header1': 'foo'},
            'argument1=bar')
        self.assertIdentical(user, consumerAPI.authenticate(credentials))
    def testAuthenticateUserWithOAuthIncorrectSignature(self):
        """
        L{FacadeAuthMixin.authenticateUserWithOAuth} fails with
        L{TPasswordIncorrect} when the signature carried by the OAuth
        credentials does not verify.
        """
        UserAPI().create([
            (u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
            (u'user', u'secret', u'User', u'*****@*****.**')])
        consumerUser = getUser(u'consumer')
        user = getUser(u'user')
        consumerAPI = OAuthConsumerAPI()
        consumerAPI.register(consumerUser)
        token = consumerAPI.getAccessToken(consumerUser, user)
        self.store.commit()

        # NOTE(review): the consumer key passed here is user.username, an
        # account that was never registered as a consumer, whereas the
        # success-path tests use consumerUser.username.  If the facade also
        # answers an unknown consumer with TPasswordIncorrect, this test
        # passes without ever reaching signature verification -- confirm,
        # and consider using consumerUser.username as the key.
        badSignature = 'wrong'
        credentials = OAuthCredentials(
            'fluidinfo.com', user.username, token.encrypt(), u'HMAC-SHA1',
            badSignature, 1314976811, 'nonce', 'GET',
            'https://fluidinfo.com/foo', {'header1': 'foo'}, 'argument1=bar')
        failing = self.facade.authenticateUserWithOAuth(credentials)
        return self.assertFailure(failing, TPasswordIncorrect)
    def testAuthenticateUserWithOAuthIgnoresCase(self):
        """
        L{FacadeAuthMixin.authenticateUserWithOAuth} matches the consumer
        key case-insensitively: credentials naming C{u'ConsumeR'} resolve to
        the consumer registered as C{u'consumer'}, and the session yielded
        belongs to the token's user.
        """
        UserAPI().create([
            (u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
            (u'user', u'secret', u'User', u'*****@*****.**')])
        consumerUser = getUser(u'consumer')
        user = getUser(u'user')
        consumerAPI = OAuthConsumerAPI()
        consumer = consumerAPI.register(consumerUser)
        token = consumerAPI.getAccessToken(consumerUser, user)
        self.store.commit()

        # Sign the same request the credentials describe, with the consumer
        # object returned by register().
        url = u'https://fluidinfo.com/foo'
        headers = {'header1': 'foo'}
        signedRequest = Request.from_request('GET', url, headers,
                                             {'argument1': 'bar'})
        signature = SignatureMethod_HMAC_SHA1().sign(signedRequest,
                                                     consumer, None)
        # NOTE(review): case-insensitive matching is only safe if usernames
        # are unique ignoring case; otherwise two accounts could answer to
        # the same consumer key -- confirm UserAPI enforces that.
        credentials = OAuthCredentials(
            'fluidinfo.com', u'ConsumeR', token.encrypt(),
            'HMAC-SHA1', signature, 1314976811, 'nonce', 'GET',
            url, headers, 'argument1=bar')
        session = yield self.facade.authenticateUserWithOAuth(credentials)
        self.assertEqual(user.username, session.auth.username)
        self.assertEqual(user.objectID, session.auth.objectID)
    def testAuthenticateAnonymousUserWithOAuth2(self):
        """
        L{FacadeAuthMixin.authenticateUserWithOAuth2} yields a
        L{FluidinfoSession} for the token's user when the consumer is the
        built-in anonymous user.
        """
        anonymous = self.system.users[u'anon']
        UserAPI().create([(u'user', u'secret', u'User', u'*****@*****.**')])
        user = getUser(u'user')
        consumerAPI = OAuthConsumerAPI()
        consumerAPI.register(anonymous)
        token = consumerAPI.getAccessToken(anonymous, user)
        self.store.commit()

        # None is passed as the consumer secret, presumably because the
        # anonymous consumer has no password to present.
        credentials = OAuth2Credentials(u'anon', None, token.encrypt())
        session = yield self.facade.authenticateUserWithOAuth2(credentials)
        self.assertEqual(user.username, session.auth.username)
        self.assertEqual(user.objectID, session.auth.objectID)
    def testAuthenticateOAuth2(self):
        """
        L{OAuthConsumerAPI.authenticate} returns the L{User} a token was
        issued for when passed L{OAuth2Credentials} carrying that token.
        As with OAuth Echo, the consumer presents a token that lets it act
        on behalf of a particular user.
        """
        UserAPI().create([(u'consumer', u'password', u'Consumer',
                           u'*****@*****.**')])
        UserAPI().create([(u'user', u'secret', u'User', u'*****@*****.**')])
        consumer = getUser(u'consumer')
        user = getUser(u'user')

        consumerAPI = OAuthConsumerAPI()
        consumerAPI.register(consumer, secret='abyOTsAfo9MVN0qz')
        token = consumerAPI.getAccessToken(consumer, user)
        # NOTE(review): the secret supplied here (u'secret1') matches neither
        # the registered consumer secret nor the consumer's password, yet
        # authentication is expected to succeed.  That implies
        # OAuthConsumerAPI.authenticate does not check the OAuth2 consumer
        # secret; presumably the facade/checker layer does (the checker
        # tests pass the consumer's real password) -- confirm that every
        # caller of this API goes through such a check.
        credentials = OAuth2Credentials(u'consumer', u'secret1',
                                        token.encrypt())
        self.assertIdentical(user, consumerAPI.authenticate(credentials))
    def testRequestAvatarId(self):
        """
        L{FacadeOAuth2Checker.requestAvatarId} yields a L{FluidinfoSession}
        for the token's user when the L{OAuth2Credentials} name a registered
        consumer, carry that consumer's secret and a token issued to it.
        """
        UserAPI().create([
            (u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
            (u'user', u'secret', u'User', u'*****@*****.**')])
        consumerUser = getUser(u'consumer')
        user = getUser(u'user')
        consumerAPI = OAuthConsumerAPI()
        consumerAPI.register(consumerUser)
        token = consumerAPI.getAccessToken(consumerUser, user)
        self.store.commit()

        # 'secret' is the password the consumer account was created with.
        credentials = OAuth2Credentials(u'consumer', 'secret', token.encrypt())
        session = yield self.checker.requestAvatarId(credentials)
        self.assertEqual(user.username, session.auth.username)
        self.assertEqual(user.objectID, session.auth.objectID)
    def testGetAccessToken(self):
        """
        L{OAuthConsumerAPI.getAccessToken} builds an L{OAuthAccessToken}
        that lets a consumer act on behalf of a L{User}.  The token records
        the consumer, the user and its creation time; token expiry is
        presumably measured from that creation time.
        """
        UserAPI().create([
            (u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
            (u'user', u'secret', u'User', u'*****@*****.**')])
        consumerUser = getUser(u'consumer')
        user = getUser(u'user')

        # Inject a fixed clock so the recorded creation time is predictable.
        issuedAt = datetime.utcnow()
        consumerAPI = OAuthConsumerAPI()
        consumerAPI.register(consumerUser)
        token = consumerAPI.getAccessToken(consumerUser, user,
                                           now=lambda: issuedAt)
        self.assertTrue(isinstance(token, OAuthAccessToken))
        self.assertIdentical(consumerUser, token.consumer)
        self.assertIdentical(user, token.user)
        self.assertEqual(issuedAt, token.creationTime)
    def testAuthenticateUserWithOAuth2IgnoresCase(self):
        """
        L{FacadeAuthMixin.authenticateUserWithOAuth2} matches the consumer
        key case-insensitively: credentials naming C{u'ConsumeR'} resolve to
        the consumer registered as C{u'consumer'} and yield a
        L{FluidinfoSession} for the token's user.
        """
        UserAPI().create([
            (u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
            (u'user', u'secret', u'User', u'*****@*****.**')])
        consumer = getUser(u'consumer')
        user = getUser(u'user')
        consumerAPI = OAuthConsumerAPI()
        consumerAPI.register(consumer)
        token = consumerAPI.getAccessToken(consumer, user)
        self.store.commit()

        # NOTE(review): case-insensitive matching is only safe if usernames
        # are unique ignoring case; otherwise two accounts could answer to
        # the same consumer key -- confirm UserAPI enforces that.
        credentials = OAuth2Credentials(u'ConsumeR', u'secret',
                                        token.encrypt())
        session = yield self.facade.authenticateUserWithOAuth2(credentials)
        self.assertEqual(user.username, session.auth.username)
        self.assertEqual(user.objectID, session.auth.objectID)