    def testDirectAdd(self):
        """
        A group admin may add a member directly with ``force=True``, skipping
        the invitation step; an ordinary member may not use ``force``.
        """
        admin, invitee, outsider = self.users[0], self.users[1], self.users[2]
        group = Group().createGroup('g1', admin)
        invitePath = '/group/%s/invitation' % group['_id']
        self.assertFalse(Group().hasAccess(group, invitee, AccessType.WRITE))

        # Forced add by the group admin succeeds and grants exactly WRITE.
        resp = self.request(
            path=invitePath, method='POST', user=admin,
            params={
                'force': 'true',
                'userId': invitee['_id'],
                'level': AccessType.WRITE,
            })
        self.assertStatus(resp, 200)
        user1 = User().load(invitee['_id'], force=True)
        group = Group().load(group['_id'], force=True)
        self.assertTrue(Group().hasAccess(group, user1, AccessType.WRITE))
        self.assertFalse(Group().hasAccess(group, user1, AccessType.ADMIN))
        self.assertIn(group['_id'], user1['groups'])

        # A plain member cannot use force to add a third user.
        resp = self.request(
            path=invitePath, method='POST', user=invitee,
            params={
                'force': 'true',
                'userId': outsider['_id'],
            })
        self.assertStatus(resp, 403)
        self.assertEqual(resp.json['message'], 'Administrator access required.')
        user2 = User().load(outsider['_id'], force=True)
        self.assertNotIn(group['_id'], user2.get('groups', ()))
    def session_id(self, params):
        """
        Return the current user's stored NEWT session id.

        Only the ``newt`` field of the user document is loaded; the result is
        ``{'sessionId': ...}`` with ``None`` when no session id is stored.
        ``params`` is not used by this handler.

        NOTE(review): ``getCurrentUser()`` is assumed to be non-None here, i.e.
        the route is expected to require an authenticated caller -- confirm the
        access decorator on this endpoint, which is outside this block.
        """
        currentUser = getCurrentUser()
        userDoc = User().load(currentUser['_id'], fields=['newt'], force=True)
        newtInfo = userDoc.get('newt', {})
        return {'sessionId': newtInfo.get('sessionId')}
    def testDirectAdd(self):
        """
        Direct (forced) membership: an admin can add a user to a group without
        an invitation; a non-admin member is refused with 403.
        """
        group = Group().createGroup('g1', self.users[0])

        def forcedInvite(asUser, extraParams):
            # POST to the group's invitation endpoint with force=true.
            params = dict(extraParams, force='true')
            return self.request(path='/group/%s/invitation' % group['_id'],
                                method='POST', user=asUser, params=params)

        self.assertFalse(Group().hasAccess(group, self.users[1],
                                           AccessType.WRITE))

        # Admin user can add user 1 directly if they pass force=True.
        resp = forcedInvite(self.users[0], {
            'userId': self.users[1]['_id'],
            'level': AccessType.WRITE,
        })
        self.assertStatus(resp, 200)
        user1 = User().load(self.users[1]['_id'], force=True)
        group = Group().load(group['_id'], force=True)
        self.assertTrue(Group().hasAccess(group, user1, AccessType.WRITE))
        self.assertFalse(Group().hasAccess(group, user1, AccessType.ADMIN))
        self.assertIn(group['_id'], user1['groups'])

        # User 1 should not be able to use the force option.
        resp = forcedInvite(self.users[1], {'userId': self.users[2]['_id']})
        self.assertStatus(resp, 403)
        self.assertEqual(resp.json['message'],
                         'Administrator access required.')
        user2 = User().load(self.users[2]['_id'], force=True)
        self.assertNotIn(group['_id'], user2.get('groups', ()))
    def _createOrReuseUser(cls,
                           oauthId,
                           email,
                           firstName,
                           lastName,
                           userName=None):
        """
        Return the Girder user bound to an OAuth identity, creating one if needed.

        Lookup order: by (provider, oauthId) first, since a user can change
        their email; then by email, for existing accounts using OAuth for the
        first time; otherwise a new user is created (subject to the
        registration policy). Profile fields from the provider are copied onto
        an existing user, and the provider link is recorded on users that
        were not found by id.

        Raises:
            RestException: registration is closed, the ignore setting is off,
                and no matching user exists.

        NOTE(review): the email fallback links the provider identity to whatever
        account owns that address -- this relies on the provider having verified
        the email; confirm for each provider.
        """
        providerName = cls.getProviderName()

        # The Google provider was historically stored capitalised, and legacy
        # databases may still hold such entries.
        if providerName == 'google':
            providerMatch = {'$in': ['google', 'Google']}
        else:
            providerMatch = providerName
        # Query individual embedded fields rather than a whole sub-document,
        # since sub-document matching is order sensitive.
        user = User().findOne({
            'oauth.provider': providerMatch,
            'oauth.id': oauthId,
        })
        needsProviderLink = not user

        if not user:
            # Existing users using OAuth2 for the first time have no id yet.
            user = User().findOne({'email': email})

        dirty = False
        if user:
            # Migrate from a legacy format where only one provider was stored.
            if isinstance(user.get('oauth'), dict):
                user['oauth'] = [user['oauth']]
                dirty = True
            # Refresh profile data from the provider; email is always taken,
            # names only when non-empty.
            if email != user['email']:
                user['email'] = email
                dirty = True
            for field, value in (('firstName', firstName), ('lastName', lastName)):
                if value and value != user[field]:
                    user[field] = value
                    dirty = True
        else:
            # The ignore setting is only consulted when registration is closed.
            if Setting().get(SettingKey.REGISTRATION_POLICY) == 'closed' \
                    and not Setting().get(PluginSettings.IGNORE_REGISTRATION_POLICY):
                raise RestException(
                    'Registration on this instance is closed. Contact an '
                    'administrator to create an account for you.')
            user = User().createUser(
                login=cls._deriveLogin(email, firstName, lastName, userName),
                password=None,
                firstName=firstName,
                lastName=lastName,
                email=email)

        if needsProviderLink:
            user.setdefault('oauth', []).append({
                'provider': providerName,
                'id': oauthId,
            })
            dirty = True
        if dirty:
            user = User().save(user)

        return user
    def _createOrReuseUser(cls, oauthId, email, firstName, lastName,
                           userName=None):
        """
        Find or create the Girder user for an OAuth identity.

        The user is located by (provider, oauthId), falling back to email for
        accounts that have not used OAuth before. If neither matches, a user is
        created unless registration is closed (and the plugin is not set to
        ignore that policy). Provider profile data is merged into existing
        users and the provider link is stored when it was not already present.

        Raises:
            RestException: registration is closed and no user matches.

        NOTE(review): linking by email trusts the provider's email claim; if the
        provider does not verify addresses this can attach a foreign identity to
        an existing account -- confirm per provider.
        """
        providerName = cls.getProviderName()

        # Search by individual embedded fields: whole-sub-document queries are
        # order sensitive and dict ordering is not guaranteed.
        query = {'oauth.provider': providerName, 'oauth.id': oauthId}
        if providerName == 'google':
            # Legacy databases may hold the capitalised provider name.
            query['oauth.provider'] = {'$in': ['google', 'Google']}

        user = User().findOne(query) or User().findOne({'email': email})
        foundById = bool(user) and User().findOne(query) is not None

        dirty = False
        if not user:
            policy = Setting().get(SettingKey.REGISTRATION_POLICY)
            if policy == 'closed' \
                    and not Setting().get(PluginSettings.IGNORE_REGISTRATION_POLICY):
                raise RestException(
                    'Registration on this instance is closed. Contact an '
                    'administrator to create an account for you.')
            login = cls._deriveLogin(email, firstName, lastName, userName)
            user = User().createUser(
                login=login, password=None, firstName=firstName, lastName=lastName, email=email)
        else:
            # Legacy documents stored a single provider dict instead of a list.
            if isinstance(user.get('oauth'), dict):
                user['oauth'] = [user['oauth']]
                dirty = True
            if user['email'] != email:
                user['email'] = email
                dirty = True
            # Names are only overwritten with non-empty values.
            if firstName and user['firstName'] != firstName:
                user['firstName'] = firstName
                dirty = True
            if lastName and user['lastName'] != lastName:
                user['lastName'] = lastName
                dirty = True

        if not foundById:
            user.setdefault('oauth', []).append(
                {'provider': providerName, 'id': oauthId})
            dirty = True
        if dirty:
            user = User().save(user)

        return user
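    def cilogin(self):
        """
        Complete the CILogon authorization-code flow and log the caller in.

        Exchanges the ``code`` query parameter for tokens at the CILogon token
        endpoint, fetches the profile from the userinfo endpoint, then finds
        (by email) or creates the matching Girder user, records the NCI
        provider link on newly created users, sets the auth-token cookie and
        redirects to the configured return URL.

        Raises:
            RestException: the code exchange or userinfo lookup did not yield
                a usable profile, or registration is closed and the user does
                not exist yet.
            cherrypy.HTTPRedirect: always, on success (this is how the
                redirect is delivered).

        NOTE(review): no OAuth ``state`` check is visible in this handler;
        confirm the login-initiation side binds and verifies it elsewhere.
        NOTE(review): the user is matched by email only, which relies on
        CILogon having verified the address -- confirm.
        NOTE(review): the ``id_token`` returned by the token endpoint is not
        consumed here; identity comes solely from the userinfo endpoint.
        """
        code = cherrypy.request.params['code']
        # Bound outbound calls so an unresponsive IdP cannot pin a worker.
        requestTimeout = 30

        # Credentials come from settings only; never inline their values in
        # source, including comments.
        tokenRequest = {
            'grant_type': 'authorization_code',
            'code': code,
            'client_id': 'cilogon:/client_id/' + Setting().get('NCIAuth.NCI_client_id'),
            'client_secret': Setting().get('NCIAuth.NCI_client_secret'),
            'redirect_uri': Setting().get('NCIAuth.NCI_api_url') + '/nciLogin/CIloginCallback',
        }
        tokenResp = requests.post('https://cilogon.org/oauth2/token', tokenRequest,
                                  timeout=requestTimeout)
        try:
            tokens = tokenResp.json() if tokenResp.ok else {}
        except ValueError:
            tokens = {}
        accessToken = tokens.get('access_token')
        if not accessToken:
            # Do not echo the upstream body: it may contain error detail the
            # client should not see.
            raise RestException(
                'Failed to exchange the authorization code with CILogon.')

        userinfoResp = requests.post('https://cilogon.org/oauth2/userinfo',
                                     {'access_token': accessToken},
                                     timeout=requestTimeout)
        try:
            profile = userinfoResp.json() if userinfoResp.ok else {}
        except ValueError:
            profile = {}
        NCIemail = profile.get('email')
        if not NCIemail:
            raise RestException(
                'CILogon did not return an email address for this user.')
        NCIfirstName = profile.get('given_name', '')
        NCIlastName = profile.get('family_name', '')

        user = User().findOne({'email': NCIemail})

        isNewUser = not user
        dirty = False
        if isNewUser:
            policy = Setting().get(SettingKey.REGISTRATION_POLICY)
            if policy == 'closed':
                ignore = Setting().get(PluginSettings.IGNORE_REGISTRATION_POLICY)
                if not ignore:
                    raise RestException(
                        'Registration on this instance is closed. Contact an '
                        'administrator to create an account for you.')
            # The local part of the email is the login hint; partition() does
            # not raise when no '@' is present (str.index would).
            localPart = NCIemail.partition('@')[0]
            login = self._deriveLogin(NCIemail, NCIfirstName, NCIlastName, localPart)
            user = User().createUser(login=login,
                                     password=None,
                                     firstName=NCIfirstName,
                                     lastName=NCIlastName,
                                     email=NCIemail)
        else:
            # Migrate from a legacy format where only 1 provider was stored
            if isinstance(user.get('oauth'), dict):
                user['oauth'] = [user['oauth']]
                dirty = True
            # Update user data from provider
            if NCIemail != user['email']:
                user['email'] = NCIemail
                dirty = True
            # Don't set names to empty string
            if NCIfirstName != user['firstName'] and NCIfirstName:
                user['firstName'] = NCIfirstName
                dirty = True
            if NCIlastName != user['lastName'] and NCIlastName:
                user['lastName'] = NCIlastName
                dirty = True

        # Record the provider link for newly created users. Previously this
        # sat inside the ``else`` branch, where isNewUser is always False, so
        # it never ran; the sibling callback() handler keeps it at this level.
        if isNewUser:
            user.setdefault('NCI_credential', []).append({'provider': 'NCI'})
            dirty = True
        if dirty:
            user = User().save(user)

        self.sendAuthTokenCookie(user)
        raise cherrypy.HTTPRedirect(Setting().get('NCIAuth.NCI_return_url'))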
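    def callback(self):
        """
        Handle the NCI DMS login callback.

        Validates the ``token`` query parameter against the DMS authentication
        service, then finds (by email) or creates the matching Girder user,
        records the NCI provider link on newly created users, sets the
        auth-token cookie and redirects to the configured return URL.

        Raises:
            RestException: the validated token carries no email address, or
                registration is closed and the user does not exist yet.
            cherrypy.HTTPRedirect: always, on success.

        NOTE(review): the user is matched by email only, so this trusts the
        DMS service to have verified the address -- confirm.
        """
        token = cherrypy.request.params['token']

        # TODO(security): the service account name and password are embedded
        # in source. Move them to settings / a secret store (the CILogon client
        # secret already uses Setting()) and rotate the credential once it has
        # been removed from the repository history.
        # The third argument is presumably a timeout or retry count -- verify
        # against DMSAuthentication.
        validation = DMSAuthentication("ncifivgSvc", "+vYg<^Y|#4w:r9)", 2)
        userInfo = validation.validateToken(token)

        NCIemail = userInfo.get('email') if userInfo else None
        if not NCIemail:
            # Refuse rather than fail with a KeyError deeper down.
            raise RestException(
                'The authentication service did not return an email address.')
        NCIfirstName = userInfo.get('first_name', '')
        NCIlastName = userInfo.get('last_name', '')
        NCIid = userInfo.get('userID')

        user = User().findOne({'email': NCIemail})

        isNewUser = not user
        dirty = False
        if isNewUser:
            policy = Setting().get(SettingKey.REGISTRATION_POLICY)
            if policy == 'closed':
                ignore = Setting().get(PluginSettings.IGNORE_REGISTRATION_POLICY)
                if not ignore:
                    raise RestException(
                        'Registration on this instance is closed. Contact an '
                        'administrator to create an account for you.')
            login = self._deriveLogin(NCIemail, NCIfirstName, NCIlastName, NCIid)
            user = User().createUser(login=login,
                                     password=None,
                                     firstName=NCIfirstName,
                                     lastName=NCIlastName,
                                     email=NCIemail)
        else:
            # Migrate from a legacy format where only 1 provider was stored
            if isinstance(user.get('oauth'), dict):
                user['oauth'] = [user['oauth']]
                dirty = True
            # Update user data from provider
            if NCIemail != user['email']:
                user['email'] = NCIemail
                dirty = True
            # Don't set names to empty string
            if NCIfirstName != user['firstName'] and NCIfirstName:
                user['firstName'] = NCIfirstName
                dirty = True
            if NCIlastName != user['lastName'] and NCIlastName:
                user['lastName'] = NCIlastName
                dirty = True

        if isNewUser:
            user.setdefault('NCI_credential', []).append({'provider': 'NCI'})
            dirty = True
        if dirty:
            user = User().save(user)

        self.sendAuthTokenCookie(user)

        raise cherrypy.HTTPRedirect(Setting().get('NCIAuth.NCI_return_url'))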