class TestPinningMiddleware(amo.tests.TestCase):
def setUp(self):
self.pin = APIPinningMiddleware()
self.req = RequestFactory().get('/')
self.req.API = True
self.req.amo_user = mock.Mock()
def test_pinned(self):
self.req.amo_user.is_anonymous.return_value = False
self.pin.process_request(self.req)
ok_(this_thread_is_pinned())
def test_not_pinned(self):
self.req.amo_user.is_anonymous.return_value = True
self.pin.process_request(self.req)
ok_(not this_thread_is_pinned())
class TestPinningMiddleware(amo.tests.TestCase):
def setUp(self):
self.pin = APIPinningMiddleware()
self.req = RequestFactory().get("/")
self.req.API = True
self.req.amo_user = mock.Mock()
def test_pinned(self):
self.req.amo_user.is_anonymous.return_value = False
self.pin.process_request(self.req)
ok_(this_thread_is_pinned())
def test_not_pinned(self):
self.req.amo_user.is_anonymous.return_value = True
self.pin.process_request(self.req)
ok_(not this_thread_is_pinned())
def is_authenticated(self, request, **kwargs):
if not settings.SITE_URL:
raise ValueError('SITE_URL is not specified')
auth_header_value = request.META.get('HTTP_AUTHORIZATION')
if not auth_header_value:
return self._error('headers')
oauth_server, oauth_request = initialize_oauth_server_request(request)
try:
key = get_oauth_consumer_key_from_header(auth_header_value)
if not key:
return None
consumer = Access.objects.get(key=key)
oauth_server.verify_request(oauth_request, consumer, None)
# Set the current user to be the consumer owner.
request.user = consumer.user
except Access.DoesNotExist:
log.error(u'Cannot find APIAccess token with that key: %s' % key)
request.user = AnonymousUser()
return self._error('headers')
except:
log.error(u'Error getting OAuth headers', exc_info=True)
request.user = AnonymousUser()
return self._error('headers')
ACLMiddleware().process_request(request)
# We've just become authenticated, time to run the pinning middleware
# again.
#
# TODO: I'd like to see the OAuth authentication move to middleware.
request.API = True # We can be pretty sure we are in the API.
APIPinningMiddleware().process_request(request)
# Do not allow access without agreeing to the dev agreement.
if not request.amo_user.read_dev_agreement:
log.info(u'Attempt to use API without dev agreement: %s' %
request.amo_user.pk)
return self._error('terms')
# But you cannot have one of these roles.
denied_groups = set(['Admins'])
roles = set(request.amo_user.groups.values_list('name', flat=True))
if roles and roles.intersection(denied_groups):
log.info(u'Attempt to use API with denied role, user: %s' %
request.amo_user.pk)
return self._error('roles')
return True
def is_authenticated(self, request, **kwargs):
header = request.META.get('HTTP_AUTHORIZATION', '').split(None, 1)
if header and header[0].lower() == 'mkt-shared-secret':
auth = header[1]
else:
auth = request.GET.get('_user')
if not auth:
log.info('API request made without shared-secret auth token')
return False
try:
email, hm, unique_id = str(auth).split(',')
consumer_id = hashlib.sha1(email + settings.SECRET_KEY).hexdigest()
matches = hmac.new(unique_id + settings.SECRET_KEY, consumer_id,
hashlib.sha512).hexdigest() == hm
if matches:
try:
request.amo_user = UserProfile.objects.select_related(
'user').get(email=email)
request.user = request.amo_user.user
except UserProfile.DoesNotExist:
log.info('Auth token matches absent user (%s)' % email)
return False
# Persist the user's language.
if (getattr(request, 'amo_user', None)
and getattr(request, 'LANG', None)
and request.amo_user.lang != request.LANG):
request.amo_user.lang = request.LANG
request.amo_user.save()
ACLMiddleware().process_request(request)
request.API = True # We can be pretty sure we are in the API.
APIPinningMiddleware().process_request(request)
else:
log.info('Shared-secret auth token does not match')
return False
log.info('Successful SharedSecret with user: %s' % request.user.pk)
return matches
except Exception, e:
log.info('Bad shared-secret auth data: %s (%s)', auth, e)
return False
def setUp(self):
self.pin = APIPinningMiddleware()
self.req = RequestFactory().get('/')
self.req.API = True
self.key = 'api-pinning:42'
class TestPinningMiddleware(amo.tests.TestCase):
def setUp(self):
self.pin = APIPinningMiddleware()
self.req = RequestFactory().get('/')
self.req.API = True
self.key = 'api-pinning:42'
def attach_user(self, anon=True):
self.req.amo_user = mock.Mock(id=42, is_anonymous=lambda: anon)
def test_pinned_request_method(self):
self.attach_user(anon=False)
for method in ['DELETE', 'PATCH', 'POST', 'PUT']:
self.req.method = method
self.pin.process_request(self.req)
ok_(this_thread_is_pinned())
for method in ['GET', 'HEAD', 'OPTIONS', 'POOP']:
self.req.method = method
self.pin.process_request(self.req)
ok_(not this_thread_is_pinned())
def test_pinned_cached(self):
cache.set(self.key, 1, 5)
self.attach_user(anon=False)
self.pin.process_request(self.req)
ok_(this_thread_is_pinned())
cache.delete(self.key)
def test_not_pinned(self):
self.attach_user(anon=True)
self.pin.process_request(self.req)
ok_(not this_thread_is_pinned())
def test_process_response_anon(self):
self.attach_user(anon=True)
self.req.method = 'POST'
self.pin.process_response(self.req, HttpResponse())
ok_(not cache.get(self.key))
def test_process_response(self):
self.attach_user(anon=False)
for method in ['DELETE', 'PATCH', 'POST', 'PUT']:
self.req.method = method
self.pin.process_response(self.req, HttpResponse())
ok_(cache.get(self.key))
cache.delete(self.key)
for method in ['GET', 'HEAD', 'OPTIONS', 'POOP']:
self.req.method = method
self.pin.process_response(self.req, HttpResponse())
ok_(not cache.get(self.key))
def pinned_header(self):
self.attach_user(anon=True)
return self.pin.process_response(self.req,
HttpResponse())['API-Pinned']
@mock.patch('mkt.api.middleware.this_thread_is_pinned')
def test_pinned_header_true(self, mock_pinned):
mock_pinned.return_value = True
eq_(self.pinned_header(), 'True')
@mock.patch('mkt.api.middleware.this_thread_is_pinned')
def test_pinned_header_false(self, mock_pinned):
mock_pinned.return_value = False
eq_(self.pinned_header(), 'False')
def is_authenticated(self, request, **kwargs):
if not settings.SITE_URL:
raise ValueError('SITE_URL is not specified')
auth_header_value = request.META.get('HTTP_AUTHORIZATION')
if (not auth_header_value
and 'oauth_token' not in request.META['QUERY_STRING']):
self.user = AnonymousUser()
log.error('No header')
return self._error('headers')
auth_header = {'Authorization': auth_header_value}
method = getattr(request, 'signed_method', request.method)
oauth = OAuthServer()
if ('oauth_token' in request.META['QUERY_STRING']
or 'oauth_token' in auth_header_value):
# This is 3-legged OAuth.
log.info('Trying 3 legged OAuth')
try:
valid, oauth_request = oauth.verify_request(
request.build_absolute_uri(),
method,
headers=auth_header,
require_resource_owner=True)
except ValueError:
log.error('ValueError on verifying_request', exc_info=True)
return False
if not valid:
log.error(u'Cannot find APIAccess token with that key: %s' %
oauth.attempted_key)
return self._error('headers')
uid = Token.objects.filter(
token_type=ACCESS_TOKEN,
key=oauth_request.resource_owner_key).values_list('user_id',
flat=True)[0]
request.amo_user = UserProfile.objects.select_related('user').get(
pk=uid)
request.user = request.amo_user.user
else:
# This is 2-legged OAuth.
log.info('Trying 2 legged OAuth')
try:
valid, oauth_request = oauth.verify_request(
request.build_absolute_uri(),
method,
headers=auth_header,
require_resource_owner=False)
except ValueError:
log.error('ValueError on verifying_request', exc_info=True)
return False
if not valid:
log.error(u'Cannot find APIAccess token with that key: %s' %
oauth.attempted_key)
return self._error('headers')
uid = Access.objects.filter(
key=oauth_request.client_key).values_list('user_id',
flat=True)[0]
request.amo_user = UserProfile.objects.select_related('user').get(
pk=uid)
request.user = request.amo_user.user
ACLMiddleware().process_request(request)
# We've just become authenticated, time to run the pinning middleware
# again.
#
# TODO: I'd like to see the OAuth authentication move to middleware.
request.API = True # We can be pretty sure we are in the API.
APIPinningMiddleware().process_request(request)
# Persist the user's language.
if (getattr(request, 'amo_user', None)
and getattr(request, 'LANG', None)
and request.amo_user.lang != request.LANG):
request.amo_user.lang = request.LANG
request.amo_user.save()
# But you cannot have one of these roles.
denied_groups = set(['Admins'])
roles = set(request.amo_user.groups.values_list('name', flat=True))
if roles and roles.intersection(denied_groups):
log.info(u'Attempt to use API with denied role, user: %s' %
request.amo_user.pk)
return self._error('roles')
log.info('Successful OAuth with user: %s' % request.user)
return True
def setUp(self):
self.pin = APIPinningMiddleware()
self.req = RequestFactory().get('/')
self.req.API = True
self.req.amo_user = mock.Mock()
def setUp(self):
self.pin = APIPinningMiddleware()
self.req = RequestFactory().get('/')
self.req.API = True
self.req.amo_user = mock.Mock()
def setUp(self):
self.pin = APIPinningMiddleware()
self.req = RequestFactory().get("/")
self.req.API = True
self.key = "api-pinning:42"
class TestPinningMiddleware(amo.tests.TestCase):
def setUp(self):
self.pin = APIPinningMiddleware()
self.req = RequestFactory().get("/")
self.req.API = True
self.key = "api-pinning:42"
def attach_user(self, anon=True):
self.req.amo_user = mock.Mock(id=42, is_anonymous=lambda: anon)
def test_pinned_request_method(self):
self.attach_user(anon=False)
for method in ["DELETE", "PATCH", "POST", "PUT"]:
self.req.method = method
self.pin.process_request(self.req)
ok_(this_thread_is_pinned())
for method in ["GET", "HEAD", "OPTIONS", "POOP"]:
self.req.method = method
self.pin.process_request(self.req)
ok_(not this_thread_is_pinned())
def test_pinned_cached(self):
cache.set(self.key, 1, 5)
self.attach_user(anon=False)
self.pin.process_request(self.req)
ok_(this_thread_is_pinned())
cache.delete(self.key)
def test_not_pinned(self):
self.attach_user(anon=True)
self.pin.process_request(self.req)
ok_(not this_thread_is_pinned())
def test_process_response_anon(self):
self.attach_user(anon=True)
self.req.method = "POST"
self.pin.process_response(self.req, HttpResponse())
ok_(not cache.get(self.key))
def test_process_response(self):
self.attach_user(anon=False)
for method in ["DELETE", "PATCH", "POST", "PUT"]:
self.req.method = method
self.pin.process_response(self.req, HttpResponse())
ok_(cache.get(self.key))
cache.delete(self.key)
for method in ["GET", "HEAD", "OPTIONS", "POOP"]:
self.req.method = method
self.pin.process_response(self.req, HttpResponse())
ok_(not cache.get(self.key))
def pinned_header(self):
self.attach_user(anon=True)
return self.pin.process_response(self.req, HttpResponse())["API-Pinned"]
@mock.patch("mkt.api.middleware.this_thread_is_pinned")
def test_pinned_header_true(self, mock_pinned):
mock_pinned.return_value = True
eq_(self.pinned_header(), "True")
@mock.patch("mkt.api.middleware.this_thread_is_pinned")
def test_pinned_header_false(self, mock_pinned):
mock_pinned.return_value = False
eq_(self.pinned_header(), "False")
class TestPinningMiddleware(amo.tests.TestCase):
def setUp(self):
self.pin = APIPinningMiddleware()
self.req = RequestFactory().get('/')
self.req.API = True
self.key = 'api-pinning:42'
def attach_user(self, anon=True):
self.req.user = mock.Mock(id=42, is_anonymous=lambda: anon)
def test_pinned_request_method(self):
self.attach_user(anon=False)
for method in ['DELETE', 'PATCH', 'POST', 'PUT']:
self.req.method = method
self.pin.process_request(self.req)
ok_(this_thread_is_pinned())
for method in ['GET', 'HEAD', 'OPTIONS', 'POOP']:
self.req.method = method
self.pin.process_request(self.req)
ok_(not this_thread_is_pinned())
def test_pinned_cached(self):
cache.set(self.key, 1, 5)
self.attach_user(anon=False)
self.pin.process_request(self.req)
ok_(this_thread_is_pinned())
cache.delete(self.key)
def test_not_pinned(self):
self.attach_user(anon=True)
self.pin.process_request(self.req)
ok_(not this_thread_is_pinned())
def test_process_response_anon(self):
self.attach_user(anon=True)
self.req.method = 'POST'
self.pin.process_response(self.req, HttpResponse())
ok_(not cache.get(self.key))
def test_process_response(self):
self.attach_user(anon=False)
for method in ['DELETE', 'PATCH', 'POST', 'PUT']:
self.req.method = method
self.pin.process_response(self.req, HttpResponse())
ok_(cache.get(self.key))
cache.delete(self.key)
for method in ['GET', 'HEAD', 'OPTIONS', 'POOP']:
self.req.method = method
self.pin.process_response(self.req, HttpResponse())
ok_(not cache.get(self.key))
def pinned_header(self):
self.attach_user(anon=True)
return self.pin.process_response(self.req, HttpResponse())['API-Pinned']
@mock.patch('mkt.api.middleware.this_thread_is_pinned')
def test_pinned_header_true(self, mock_pinned):
mock_pinned.return_value = True
eq_(self.pinned_header(), 'True')
@mock.patch('mkt.api.middleware.this_thread_is_pinned')
def test_pinned_header_false(self, mock_pinned):
mock_pinned.return_value = False
eq_(self.pinned_header(), 'False')
