def test_single_session_per_whistleblower(self):
"""
Asserts that the first_id is dropped from Sessions and requests
using that session id are rejected
"""
yield self.perform_full_submission_actions()
handler = self.request({'receipt': self.lastReceipt})
handler.request.client_using_tor = True
response = yield handler.post()
first_id = response['session_id']
wbtip_handler = self.request(headers={'x-session': first_id},
handler_cls=WBTipInstance)
yield wbtip_handler.get()
response = yield handler.post()
second_id = response['session_id']
wbtip_handler = self.request(headers={'x-session': first_id},
handler_cls=WBTipInstance)
yield self.assertRaises(errors.NotAuthenticated, wbtip_handler.get)
self.assertTrue(Sessions.get(first_id) is None)
valid_session = Sessions.get(second_id)
self.assertTrue(valid_session is not None)
self.assertEqual(valid_session.user_role, 'whistleblower')
wbtip_handler = self.request(headers={'x-session': second_id},
handler_cls=WBTipInstance)
yield wbtip_handler.get()
def test_single_session_per_whistleblower(self):
"""
Asserts that the first_id is dropped from Sessions and requests
using that session id are rejected
"""
yield self.perform_full_submission_actions()
handler = self.request({
'receipt': self.dummySubmission['receipt']
})
handler.request.client_using_tor = True
response = yield handler.post()
first_id = response['session_id']
wbtip_handler = self.request(headers={'x-session': first_id},
handler_cls=WBTipInstance)
yield wbtip_handler.get()
response = yield handler.post()
second_id = response['session_id']
wbtip_handler = self.request(headers={'x-session': first_id},
handler_cls=WBTipInstance)
yield self.assertRaises(errors.NotAuthenticated, wbtip_handler.get)
self.assertTrue(Sessions.get(first_id) is None)
valid_session = Sessions.get(second_id)
self.assertTrue(valid_session is not None)
self.assertEqual(valid_session.user_role, 'whistleblower')
wbtip_handler = self.request(headers={'x-session': second_id},
handler_cls=WBTipInstance)
yield wbtip_handler.get()
def test_single_session_per_user(self):
handler = self.request({
'tid': 1,
'username': '******',
'password': helpers.VALID_PASSWORD1
})
r1 = yield handler.post()
r2 = yield handler.post()
self.assertTrue(Sessions.get(r1['session_id']) is None)
self.assertTrue(Sessions.get(r2['session_id']) is not None)
def test_single_session_per_user(self):
handler = self.request({
'tid': 1,
'username': '******',
'password': helpers.VALID_PASSWORD1,
'authcode': ''
})
r1 = yield handler.post()
r2 = yield handler.post()
self.assertTrue(Sessions.get(r1['session_id']) is None)
self.assertTrue(Sessions.get(r2['session_id']) is not None)
def post(self):
request = self.validate_message(self.request.content.read(), requests.TokenAuthDesc)
tid = int(request['tid'])
if tid == 0:
tid = self.request.tid
delay = random_login_delay()
if delay:
yield deferred_sleep(delay)
session = Sessions.get(request['token'])
if session is None or session.tid != tid:
Settings.failed_login_attempts += 1
raise errors.InvalidAuthentication
connection_check(self.request.client_ip, tid, session.user_role, self.request.client_using_tor)
session = Sessions.regenerate(session.id)
log.debug("Login: Success (%s)" % session.user_role)
if tid != self.request.tid:
returnValue({
'redirect': 'https://%s/#/login?token=%s' % (State.tenant_cache[tid].hostname, session.id)
})
returnValue(session.serialize())
def post(self):
request = self.validate_message(self.request.content.read(), requests.TokenAuthDesc)
tid = int(request['tid'])
if tid == 0:
tid = self.request.tid
delay = random_login_delay()
if delay:
yield deferred_sleep(delay)
session = Sessions.get(request['token'])
if session is None or session.tid != tid:
Settings.failed_login_attempts += 1
raise errors.InvalidAuthentication
connection_check(self.request.client_ip, tid, session.user_role, self.request.client_using_tor)
session = Sessions.regenerate(session.id)
log.debug("Login: Success (%s)" % session.user_role)
if tid != self.request.tid:
returnValue({
'redirect': 'https://%s/#/login?token=%s' % (State.tenant_cache[tid].hostname, session.id)
})
returnValue(session.serialize())
def get_current_user(self):
# Check for the session header
session_id = self.request.headers.get(b'x-session')
if session_id is None:
return
session = Sessions.get(session_id.decode())
if session is not None and session.tid == self.request.tid:
self.request.current_user = session
if self.request.current_user.user_role != 'whistleblower' and \
self.state.tenant_cache[1].get('log_accesses_of_internal_users', False):
self.request.log_ip_and_ua = True
return session
def post(self):
request = self.validate_message(self.request.content.read(), requests.TokenAuthDesc)
yield login_delay(self.request.tid)
self.state.tokens.use(request['token'])
session = Sessions.get(request['authtoken'])
if session is None or session.tid != self.request.tid:
login_failure(self.request.tid, 0)
connection_check(self.request.tid, self.request.client_ip,
session.user_role, self.request.client_using_tor)
session = Sessions.regenerate(session.id)
returnValue(session.serialize())
def get_current_user(self):
api_session = self.get_api_session()
if api_session is not None:
return api_session
# Check for the session header
session_id = self.request.headers.get(b'x-session')
if session_id is None:
return
# Check that that provided session exists and is legit
# We need to convert here to text_type as sessions generate a
# random string in text form. It seems sessions assume that it will
# be a string while twisted returns headers in bytes
session = Sessions.get(text_type(session_id, 'utf-8'))
if session is not None and session.tid == self.request.tid:
return session
def get_current_user(self):
api_session = self.get_api_session()
if api_session is not None:
return api_session
# Check for the session header
session_id = self.request.headers.get(b'x-session')
if session_id is None:
return
session = Sessions.get(text_type(session_id, 'utf-8'))
if session is not None and session.tid == self.request.tid:
self.request.current_user = session
if self.request.current_user.user_role != 'whistleblower' and \
self.state.tenant_cache[1].get(u'log_accesses_of_internal_users', False):
self.request.log_ip_and_ua = True
return session
