def testDirectAdd(self):
    """
    A group admin may skip the invitation flow and add a member directly by
    passing force=True; a member with only WRITE access is refused the same
    shortcut and the target user's membership is left untouched.
    """
    admin, member, outsider = self.users[0], self.users[1], self.users[2]
    group = Group().createGroup('g1', admin)
    invitePath = '/group/%s/invitation' % group['_id']
    self.assertFalse(Group().hasAccess(group, member, AccessType.WRITE))

    # force=True lets the group admin add the user without an invitation.
    resp = self.request(
        path=invitePath, method='POST', user=admin,
        params={
            'force': 'true',
            'userId': member['_id'],
            'level': AccessType.WRITE,
        })
    self.assertStatus(resp, 200)

    # Reload both documents so the assertions see persisted state rather
    # than the in-memory copies captured before the request.
    refreshedMember = User().load(member['_id'], force=True)
    group = Group().load(group['_id'], force=True)
    self.assertTrue(Group().hasAccess(group, refreshedMember, AccessType.WRITE))
    self.assertFalse(Group().hasAccess(group, refreshedMember, AccessType.ADMIN))
    self.assertIn(group['_id'], refreshedMember['groups'])

    # A WRITE-level member is not an administrator and must not be able to
    # force-add anyone; the server must answer 403 with the standard message.
    resp = self.request(
        path=invitePath, method='POST', user=member,
        params={
            'force': 'true',
            'userId': outsider['_id'],
        })
    self.assertStatus(resp, 403)
    self.assertEqual(resp.json['message'], 'Administrator access required.')
    refreshedOutsider = User().load(outsider['_id'], force=True)
    self.assertNotIn(group['_id'], refreshedOutsider.get('groups', ()))
def session_id(self, params):
    """
    Return the NEWT session id recorded on the calling user's document.

    :param params: request parameters; unused, kept for the route signature.
    :returns: ``{'sessionId': <id or None>}`` -- ``None`` when the user has
        no ``newt`` sub-document or it carries no ``sessionId``.
    """
    # NOTE(review): assumes an authenticated caller; an anonymous request
    # would make getCurrentUser() return None and fail on the subscript
    # below, so the route's access decorator (outside this view) must
    # require a user -- confirm.
    caller = getCurrentUser()
    # Re-read just the 'newt' field. force=True skips Girder's permission
    # check, which is acceptable because the document is the caller's own.
    record = User().load(caller['_id'], fields=['newt'], force=True)
    newt = record.get('newt', {})
    return {'sessionId': newt.get('sessionId')}
def testDirectAdd(self):
    """
    Verify the force=True shortcut on the group invitation endpoint: the
    group admin can add a user outright, while a plain member attempting the
    same is rejected with 403 and no membership change occurs.
    """
    group = Group().createGroup('g1', self.users[0])
    path = '/group/%s/invitation' % group['_id']
    self.assertFalse(Group().hasAccess(group, self.users[1], AccessType.WRITE))

    # Admin adds user 1 directly at WRITE level.
    resp = self.request(path=path, method='POST', user=self.users[0], params={
        'force': 'true',
        'userId': self.users[1]['_id'],
        'level': AccessType.WRITE,
    })
    self.assertStatus(resp, 200)

    # Check the persisted documents, not the stale in-memory ones.
    user1 = User().load(self.users[1]['_id'], force=True)
    group = Group().load(group['_id'], force=True)
    self.assertTrue(Group().hasAccess(group, user1, AccessType.WRITE))
    self.assertFalse(Group().hasAccess(group, user1, AccessType.ADMIN))
    self.assertIn(group['_id'], user1['groups'])

    # User 1 holds WRITE, not ADMIN, so force=True must be refused.
    resp = self.request(path=path, method='POST', user=self.users[1], params={
        'force': 'true',
        'userId': self.users[2]['_id'],
    })
    self.assertStatus(resp, 403)
    self.assertEqual(resp.json['message'], 'Administrator access required.')
    user2 = User().load(self.users[2]['_id'], force=True)
    self.assertNotIn(group['_id'], user2.get('groups', ()))
def _createOrReuseUser(cls, oauthId, email, firstName, lastName, userName=None):
    """
    Resolve the Girder user for an OAuth identity, creating one if necessary.

    Lookup order: (1) the stored provider/id pair, (2) the email address the
    provider asserts, (3) a brand-new account, subject to the registration
    policy. On every login the email and non-empty names are refreshed from
    the provider, and a first-time identity is appended to ``user['oauth']``.

    :param oauthId: the provider's stable identifier for this identity.
    :param email: email address asserted by the provider.
    :param firstName: given name asserted by the provider.
    :param lastName: family name asserted by the provider.
    :param userName: optional provider username used when deriving a login.
    :returns: the (possibly new or updated) user document.
    :raises RestException: when no user exists and registration is closed
        and the plugin is not configured to ignore that policy.
    """
    provider = cls.getProviderName()

    # Match on the individual embedded fields rather than a whole
    # sub-document, since PyMongo compares embedded documents in key order
    # and Python dicts do not guarantee one. Legacy rows stored the Google
    # provider capitalised, so accept both spellings.
    providerMatch = {'$in': ['google', 'Google']} if provider == 'google' else provider
    user = User().findOne({'oauth.provider': providerMatch, 'oauth.id': oauthId})

    # No stored identity yet: fall back to the provider-asserted email.
    # NOTE(review): this links the OAuth identity to an existing local
    # account purely on email match, which is only safe if every configured
    # provider verifies address ownership -- confirm against the providers.
    needsLink = not user
    if needsLink:
        user = User().findOne({'email': email})

    dirty = False
    if not user:
        # Brand-new account: honour the registration policy unless the
        # plugin setting overrides it.
        if Setting().get(SettingKey.REGISTRATION_POLICY) == 'closed' \
                and not Setting().get(PluginSettings.IGNORE_REGISTRATION_POLICY):
            raise RestException(
                'Registration on this instance is closed. Contact an '
                'administrator to create an account for you.')
        user = User().createUser(
            login=cls._deriveLogin(email, firstName, lastName, userName),
            password=None, firstName=firstName, lastName=lastName, email=email)
    else:
        # Older records kept a single provider dict; normalise to a list.
        if isinstance(user.get('oauth'), dict):
            user['oauth'] = [user['oauth']]
            dirty = True
        # Refresh profile fields from the provider. Email always wins; a
        # name is only copied when the provider supplied a non-empty one.
        for field, value, allowEmpty in (
                ('email', email, True),
                ('firstName', firstName, False),
                ('lastName', lastName, False)):
            if value != user[field] and (allowEmpty or value):
                user[field] = value
                dirty = True

    if needsLink:
        user.setdefault('oauth', []).append({'provider': provider, 'id': oauthId})
        dirty = True

    if dirty:
        user = User().save(user)
    return user
def _createOrReuseUser(cls, oauthId, email, firstName, lastName, userName=None):
    """
    Find the Girder user behind an OAuth identity, or create one.

    The identity is looked up by provider/id first, then by the asserted
    email; if neither matches a new account is registered (policy
    permitting). Existing accounts get their profile refreshed and, on a
    first OAuth login, the identity appended to ``user['oauth']``.

    :param oauthId: the provider's stable identifier for this identity.
    :param email: email address asserted by the provider.
    :param firstName: given name asserted by the provider.
    :param lastName: family name asserted by the provider.
    :param userName: optional provider username used when deriving a login.
    :returns: the resolved user document, saved if anything changed.
    :raises RestException: when a new account is required but registration
        is closed and not overridden by the plugin setting.
    """
    providerName = cls.getProviderName()

    def findByIdentity():
        # Query the embedded fields individually: PyMongo matches embedded
        # documents in key order, which Python dicts do not guarantee.
        query = {'oauth.provider': providerName, 'oauth.id': oauthId}
        if providerName == 'google':
            # Legacy databases may still hold the capitalised spelling.
            query['oauth.provider'] = {'$in': ['google', 'Google']}
        return User().findOne(query)

    def register():
        # A closed instance refuses new accounts unless the plugin is told
        # to ignore the registration policy.
        policy = Setting().get(SettingKey.REGISTRATION_POLICY)
        if policy == 'closed' and not Setting().get(
                PluginSettings.IGNORE_REGISTRATION_POLICY):
            raise RestException(
                'Registration on this instance is closed. Contact an '
                'administrator to create an account for you.')
        login = cls._deriveLogin(email, firstName, lastName, userName)
        return User().createUser(
            login=login, password=None, firstName=firstName,
            lastName=lastName, email=email)

    def refresh(existing):
        # Bring an existing record in line with the provider; returns True
        # when anything was modified.
        changed = False
        if isinstance(existing.get('oauth'), dict):
            # Legacy single-provider format: wrap it in a list.
            existing['oauth'] = [existing['oauth']]
            changed = True
        if existing['email'] != email:
            existing['email'] = email
            changed = True
        # Never overwrite a stored name with an empty one.
        if firstName and existing['firstName'] != firstName:
            existing['firstName'] = firstName
            changed = True
        if lastName and existing['lastName'] != lastName:
            existing['lastName'] = lastName
            changed = True
        return changed

    user = findByIdentity()
    # NOTE(review): when the identity is unknown the account is matched on
    # email alone; that trusts the provider to have verified the address.
    linkNeeded = not user
    if linkNeeded:
        user = User().findOne({'email': email})

    dirty = False
    if user:
        dirty = refresh(user)
    else:
        user = register()

    if linkNeeded:
        user.setdefault('oauth', []).append({'provider': providerName, 'id': oauthId})
        dirty = True

    return User().save(user) if dirty else user
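def cilogin(self):
    """
    Complete the CILogon OAuth2 authorization-code flow and log the user in.

    Exchanges the ``code`` request parameter for an access token, fetches the
    CILogon user profile, finds or creates the matching Girder user (keyed
    on the asserted email address), sets the Girder auth-token cookie and
    redirects to the configured return URL.

    :raises RestException: if ``code`` is missing, CILogon rejects the token
        exchange or profile request, the profile lacks a required claim, or
        the user is new and registration is closed.
    :raises cherrypy.HTTPRedirect: on success, to redirect the browser.
    """
    code = cherrypy.request.params.get('code')
    if not code:
        raise RestException('Missing "code" parameter.')

    # NOTE(review): no OAuth ``state`` value is checked here. If the
    # authorization request (built elsewhere) issues one, it should be
    # verified before the code is exchanged.
    # NOTE(review): earlier revisions of this block carried the client id and
    # client secret in source comments. Treat those committed values as
    # compromised and rotate them; they belong only in the settings below.
    tokenResp = requests.post('https://cilogon.org/oauth2/token', {
        'grant_type': 'authorization_code',
        'code': code,
        'client_id': 'cilogon:/client_id/' + Setting().get('NCIAuth.NCI_client_id'),
        'client_secret': Setting().get('NCIAuth.NCI_client_secret'),
        'redirect_uri': Setting().get('NCIAuth.NCI_api_url') + '/nciLogin/CIloginCallback',
    })
    # A non-2xx exchange would otherwise surface as a KeyError (HTTP 500)
    # when reading the token below; report it as a client error instead.
    if not tokenResp.ok:
        raise RestException('CILogon rejected the authorization code.')
    accessToken = tokenResp.json().get('access_token')
    if not accessToken:
        raise RestException('CILogon token response did not include an access token.')

    profileResp = requests.post(
        'https://cilogon.org/oauth2/userinfo', {'access_token': accessToken})
    if not profileResp.ok:
        raise RestException('Unable to fetch the CILogon user profile.')
    profile = profileResp.json()
    missing = [claim for claim in ('email', 'given_name', 'family_name')
               if claim not in profile]
    if missing:
        raise RestException(
            'CILogon profile is missing required claims: %s.' % ', '.join(missing))
    email = profile['email']
    firstName = profile['given_name']
    lastName = profile['family_name']

    # NOTE(review): the CILogon identity is linked to an existing Girder
    # account purely on email match, so this relies on CILogon having
    # verified the address for every identity provider it federates.
    user = User().findOne({'email': email})
    isNew = not user
    dirty = False
    if isNew:
        # Honour the instance registration policy unless the plugin setting
        # overrides it.
        if Setting().get(SettingKey.REGISTRATION_POLICY) == 'closed' \
                and not Setting().get(PluginSettings.IGNORE_REGISTRATION_POLICY):
            raise RestException(
                'Registration on this instance is closed. Contact an '
                'administrator to create an account for you.')
        # The local-part of the email is offered as the preferred login.
        login = self._deriveLogin(email, firstName, lastName, email[:email.index('@')])
        user = User().createUser(
            login=login, password=None, firstName=firstName,
            lastName=lastName, email=email)
    else:
        # Older records stored a single provider dict under 'oauth'; normalise.
        if isinstance(user.get('oauth'), dict):
            user['oauth'] = [user['oauth']]
            dirty = True
        # Refresh profile fields from CILogon, never blanking a name.
        if email != user['email']:
            user['email'] = email
            dirty = True
        if firstName != user['firstName'] and firstName:
            user['firstName'] = firstName
            dirty = True
        if lastName != user['lastName'] and lastName:
            user['lastName'] = lastName
            dirty = True

    if isNew:
        user.setdefault('NCI_credential', []).append({'provider': 'NCI'})
        dirty = True
    if dirty:
        user = User().save(user)

    # Issue the Girder session cookie, then send the browser back to the
    # configured (admin-controlled) return URL.
    self.sendAuthTokenCookie(user)
    raise cherrypy.HTTPRedirect(Setting().get('NCIAuth.NCI_return_url'))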
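def callback(self):
    """
    Handle the NCI DMS login callback.

    Validates the ``token`` request parameter against the DMS authentication
    service, finds or creates the matching Girder user (keyed on the returned
    email address), sets the Girder auth-token cookie and redirects to the
    configured return URL.

    :raises RestException: if ``token`` is missing or fails validation, the
        validated profile lacks a required field, or the user is new and
        registration is closed.
    :raises cherrypy.HTTPRedirect: on success, to redirect the browser.
    """
    token = cherrypy.request.params.get('token')
    if not token:
        raise RestException('Missing "token" parameter.')

    # NOTE(review): the DMS service-account credentials are hard-coded here.
    # Treat the committed values as compromised: rotate them and read them
    # from a Setting (as the CILogon client secret is) rather than source.
    validation = DMSAuthentication("ncifivgSvc", "+vYg<^Y|#4w:r9)", 2)
    userInfo = validation.validateToken(token)
    # NOTE(review): validateToken's failure mode is not visible here. This
    # guard covers a falsy return; confirm whether it can also raise.
    if not userInfo:
        raise RestException('Token validation failed.', code=401)
    missing = [field for field in ('email', 'first_name', 'last_name', 'userID')
               if field not in userInfo]
    if missing:
        raise RestException(
            'Validated profile is missing required fields: %s.' % ', '.join(missing))
    email = userInfo['email']
    firstName = userInfo['first_name']
    lastName = userInfo['last_name']
    nciId = userInfo['userID']

    # NOTE(review): the DMS identity is linked to an existing Girder account
    # purely on email match; this trusts the DMS to have verified the address.
    user = User().findOne({'email': email})
    isNew = not user
    dirty = False
    if isNew:
        # Honour the instance registration policy unless the plugin setting
        # overrides it.
        if Setting().get(SettingKey.REGISTRATION_POLICY) == 'closed' \
                and not Setting().get(PluginSettings.IGNORE_REGISTRATION_POLICY):
            raise RestException(
                'Registration on this instance is closed. Contact an '
                'administrator to create an account for you.')
        login = self._deriveLogin(email, firstName, lastName, nciId)
        user = User().createUser(
            login=login, password=None, firstName=firstName,
            lastName=lastName, email=email)
    else:
        # Older records stored a single provider dict under 'oauth'; normalise.
        if isinstance(user.get('oauth'), dict):
            user['oauth'] = [user['oauth']]
            dirty = True
        # Refresh profile fields from the DMS, never blanking a name.
        if email != user['email']:
            user['email'] = email
            dirty = True
        if firstName != user['firstName'] and firstName:
            user['firstName'] = firstName
            dirty = True
        if lastName != user['lastName'] and lastName:
            user['lastName'] = lastName
            dirty = True

    if isNew:
        user.setdefault('NCI_credential', []).append({'provider': 'NCI'})
        dirty = True
    if dirty:
        user = User().save(user)

    # Issue the Girder session cookie, then send the browser back to the
    # configured (admin-controlled) return URL.
    self.sendAuthTokenCookie(user)
    raise cherrypy.HTTPRedirect(Setting().get('NCIAuth.NCI_return_url'))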