def test_access_controller(self): logging.debug('') logging.debug('test_access_controller') # Credential-to-role mapping. owner = get_credentials() controller = AccessController() self.assertEqual(controller.get_role(None), '') self.assertEqual(controller.get_role(owner), 'owner') user = Credentials() user.user = '******' self.assertEqual(controller.get_role(user), 'user') assert_raises(self, 'controller.get_role(object())', globals(), locals(), TypeError, 'credentials is not a Credentials object') # Proxy role-to-credential mapping. obj = Object() assert_raises(self, 'controller.get_proxy_credentials(obj.no_rbac, user)', globals(), locals(), RoleError, 'No RBAC for method') self.assertEqual(controller.get_proxy_credentials(obj.single_role, user), user) self.assertEqual(controller.get_proxy_credentials(obj.proxy_role, user), owner) assert_raises(self, 'controller.get_proxy_credentials(obj.proxy_other, user)', globals(), locals(), RoleError, 'No credentials for proxy role other') assert_raises(self, "controller.set_proxy_credentials('other', object())", globals(), locals(), TypeError, 'credentials is not a Credentials object') other = Credentials() other.user = '******' controller.set_proxy_credentials('other', other) self.assertEqual(controller.get_proxy_credentials(obj.proxy_other, user), other) # Attribute access. controller.check_access('user', '__getattr__', obj, 'dummy') controller.check_access('owner', '__setattr__', obj, 'dummy') assert_raises(self, "controller.check_access('user', '__delattr__', obj, 'dummy')", globals(), locals(), RoleError, "No __delattr__ access to 'dummy' by role 'user'") assert_raises(self, "controller.check_access('', '__getattr__', obj, 'dummy')", globals(), locals(), RoleError, 'No access by null role') # Attribute proxying. proxy_value = ProxyRequired() self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value)) controller.attr_proxy_required(obj, 'dummy') self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value)) controller.attr_proxy_required(obj, 'dummy', False) self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value)) controller.class_proxy_required(ProxyRequired) self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
def post(self): server_creds = Credentials() print 'server creds:\n', server_creds # single user... only allow same user@host as the server to log in allowed_users = {server_creds.user: server_creds.public_key} encoded = self.get_argument('encoded') client_creds = Credentials.verify(encoded, allowed_users) print 'client creds:\n', client_creds if client_creds: self.set_secure_cookie('user', client_creds.user) self.redirect('/')
def test_3_access(self): logging.debug('') logging.debug('test_access') # This 'spook' creation is only for testing. # Normally the protector would run with regular credentials # in effect at the proprietary site. user = '******'+socket.gethostname() key_pair = get_key_pair(user) data = '\n'.join([user, '0', key_pair.publickey().exportKey()]) hash = hashlib.sha256(data).digest() signature = key_pair.sign(hash, get_random_bytes) spook = Credentials((data, signature, None)) credentials = get_credentials() allowed_users = {credentials.user: credentials.public_key, spook.user: spook.public_key} factory = self.start_factory(allowed_users=allowed_users) # Create model and run it. saved = get_credentials() set_credentials(spook) box = factory.create(_MODULE+'.ProtectedBox', allowed_users=allowed_users) set_credentials(saved) model = set_as_top(Model(box)) model.run() # Check results. for width in range(1, 2): for height in range(1, 3): for depth in range(1, 4): case = model.driver.recorders[0].cases.pop(0) self.assertEqual(case.outputs[0][2], width*height*depth)
def test_access_controller(self): logging.debug('') logging.debug('test_access_controller') # Credential-to-role mapping. owner = get_credentials() controller = AccessController() self.assertEqual(controller.get_role(None), '') self.assertEqual(controller.get_role(owner), 'owner') user = Credentials() user.user = '******' self.assertEqual(controller.get_role(user), 'user') assert_raises(self, 'controller.get_role(object())', globals(), locals(), TypeError, 'credentials is not a Credentials object') # Proxy role-to-credential mapping. obj = Object() assert_raises(self, 'controller.get_proxy_credentials(obj.no_rbac, user)', globals(), locals(), RoleError, 'No RBAC for method') self.assertEqual( controller.get_proxy_credentials(obj.single_role, user), user) self.assertEqual( controller.get_proxy_credentials(obj.proxy_role, user), owner) assert_raises( self, 'controller.get_proxy_credentials(obj.proxy_other, user)', globals(), locals(), RoleError, 'No credentials for proxy role other') assert_raises(self, "controller.set_proxy_credentials('other', object())", globals(), locals(), TypeError, 'credentials is not a Credentials object') other = Credentials() other.user = '******' controller.set_proxy_credentials('other', other) self.assertEqual( controller.get_proxy_credentials(obj.proxy_other, user), other) # Attribute access. controller.check_access('user', '__getattr__', obj, 'dummy') controller.check_access('owner', '__setattr__', obj, 'dummy') assert_raises( self, "controller.check_access('user', '__delattr__', obj, 'dummy')", globals(), locals(), RoleError, "No __delattr__ access to 'dummy' by role 'user'") assert_raises( self, "controller.check_access('', '__getattr__', obj, 'dummy')", globals(), locals(), RoleError, 'No access by null role') # Attribute proxying. proxy_value = ProxyRequired() self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value)) controller.attr_proxy_required(obj, 'dummy') self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value)) controller.attr_proxy_required(obj, 'dummy', False) self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value)) controller.class_proxy_required(ProxyRequired) self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
def test_rsh(self): logging.debug('') logging.debug('test_rsh') testdir = 'external_rsh' if os.path.exists(testdir): shutil.rmtree(testdir, onerror=onerror) os.mkdir(testdir) os.chdir(testdir) factory = None try: # Try to set command line on remote ExternalCode instance. typname = 'openmdao.lib.components.external_code.ExternalCode' factory = ObjServerFactory(allowed_types=[typname]) exec_comp = factory.create(typname) try: exec_comp.command = ['this-should-fail'] except RemoteError as exc: msg = "RoleError: No __setattr__ access to 'command'" logging.debug('msg: %s', msg) logging.debug('exc: %s', exc) self.assertTrue(msg in str(exc)) else: self.fail('Expected RemoteError') exec_comp.set('command', ['this-should-pass']) # Try to set via remote-looking access. creds = get_credentials() creds.client_creds = Credentials() logging.debug(' using %s', creds) try: exec_comp.set('command', ['this-should-fail']) except RemoteError as exc: fragment = ": 'command' may not be set() remotely" if fragment not in str(exc): self.fail('%s not in %s' % (fragment, exc)) finally: creds.client_creds = None finally: if factory is not None: factory.cleanup() os.chdir('..') if sys.platform == 'win32': time.sleep(2) # Wait for process shutdown. keep_dirs = int(os.environ.get('OPENMDAO_KEEPDIRS', '0')) if not keep_dirs: shutil.rmtree(testdir, onerror=onerror)
def get(self): # single user scenario, auto-login based on username server_creds = Credentials() print "server_creds:\n", server_creds self.set_secure_cookie('user', server_creds.user) self.redirect('/')
def test_credentials(self): logging.debug('') logging.debug('test_credentials') # Basic form. owner = Credentials() if sys.platform == 'win32' and not HAVE_PYWIN32: self.assertEqual('%s' % owner, owner.user+' (transient)') else: self.assertEqual('%s' % owner, owner.user) # Comparison. user = Credentials() self.assertEqual(user, owner) user.user = '******' self.assertNotEqual(user, owner) self.assertNotEqual(user, 'xyzzy') # Thread storage. try: del threading.current_thread().credentials # Ensure empty. except AttributeError: pass self.assertEqual(get_credentials(), owner) # Sign/verify. encoded = owner.encode() Credentials.verify(encoded, allowed_users=None) # 'First sighting'. Credentials.verify(encoded, allowed_users=None) # Cached verification. data, signature, client_creds = encoded encoded = (data[:1], signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid data') encoded = (data[:-1], signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid signature') encoded = (data, signature[:-1], client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid signature') newline = data.find('\n') # .user newline = data.find('\n', newline+1) # .transient # Expecting '-' mangled = data[:newline+1] + '*' + data[newline+2:] encoded = (mangled, signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid key') # Detect mismatched key. get_key_pair(owner.user, overwrite_cache=True) spook = Credentials() encoded = spook.encode() assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Public key mismatch') # Check if remote access. self.assertFalse(remote_access())
def test_credentials(self): logging.debug('') logging.debug('test_credentials') # Basic form. owner = Credentials() if sys.platform == 'win32' and not HAVE_PYWIN32: self.assertEqual('%s' % owner, owner.user + ' (transient)') else: self.assertEqual('%s' % owner, owner.user) # Comparison. user = Credentials() self.assertEqual(user, owner) user.user = '******' self.assertNotEqual(user, owner) self.assertNotEqual(user, 'xyzzy') # Thread storage. try: del threading.current_thread().credentials # Ensure empty. except AttributeError: pass self.assertEqual(get_credentials(), owner) # Sign/verify. encoded = owner.encode() Credentials.verify(encoded, allowed_users=None) # 'First sighting'. Credentials.verify(encoded, allowed_users=None) # Cached verification. data, signature, client_creds = encoded encoded = (data[:1], signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid data') encoded = (data[:-1], signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid signature') encoded = (data, signature[:-1], client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid signature') newline = data.find('\n') # .user newline = data.find('\n', newline + 1) # .transient # Expecting '-' mangled = data[:newline + 1] + '*' + data[newline + 2:] encoded = (mangled, signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid key') # Detect mismatched key. get_key_pair(owner.user, overwrite_cache=True) spook = Credentials() encoded = spook.encode() assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Public key mismatch') # Check if remote access. self.assertFalse(remote_access())