def test_check_active_false(self):
auth = BasicAuthentication(require_active=False)
request = HttpRequest()
bob_doe = User.objects.get(username='******')
create_api_key(User, instance=bob_doe, created=True)
request.META['HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_key.key
self.assertTrue(auth.is_authenticated(request))
def test_check_active_false(self):
auth = BasicAuthentication(require_active=False)
request = HttpRequest()
bob_doe = User.objects.get(username='******')
create_api_key(User, instance=bob_doe, created=True)
request.META['HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_key.key
self.assertTrue(auth.is_authenticated(request))
def test_check_active_false(self):
auth = BasicAuthentication(require_active=False)
request = HttpRequest()
bob_doe = User.objects.get(username='******')
bob_doe.set_password('pass')
bob_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode('bobdoe:pass'.encode('utf-8')).decode('utf-8')
self.assertTrue(auth.is_authenticated(request))
def test_check_active_false(self):
user_class = get_user_model()
auth = BasicAuthentication(require_active=False)
request = HttpRequest()
bob_doe = user_class.objects.get(**{user_class.USERNAME_FIELD: 'bobdoe'})
create_api_key(User, instance=bob_doe, created=True)
request.META['HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_key.key
self.assertTrue(auth.is_authenticated(request))
def test_check_active_false(self):
auth = BasicAuthentication(require_active=False)
request = HttpRequest()
bob_doe = User.objects.get(username='******')
bob_doe.set_password('pass')
bob_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode('bobdoe:pass'.encode('utf-8')).decode('utf-8')
self.assertTrue(auth.is_authenticated(request))
def test_check_active_true(self):
auth = BasicAuthentication()
request = HttpRequest()
bob_doe = User.objects.get(username='******')
bob_doe.set_password('pass')
bob_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode('bobdoe:pass'.encode('utf-8')).decode('utf-8')
auth_res = auth.is_authenticated(request)
# is_authenticated() returns HttpUnauthorized for inactive users in Django >= 1.10, False for < 1.10
self.assertTrue(auth_res is False or isinstance(auth_res, HttpUnauthorized))
def test_check_active_false(self):
if django.VERSION >= (1, 10):
# Authenticating inactive users via ModelUserBackend not supported for Django >= 1.10"
return
auth = BasicAuthentication(require_active=False)
request = HttpRequest()
bob_doe = User.objects.get(username='******')
create_api_key(User, instance=bob_doe, created=True)
request.META['HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_key.key
self.assertTrue(auth.is_authenticated(request))
def test_check_active_true(self):
auth = BasicAuthentication()
request = HttpRequest()
bob_doe = User.objects.get(username='******')
bob_doe.set_password('pass')
bob_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode('bobdoe:pass')
auth_res = auth.is_authenticated(request)
# is_authenticated() returns HttpUnauthorized for inactive users in Django >= 1.10, False for < 1.10
self.assertTrue(auth_res is False or isinstance(auth_res, HttpUnauthorized))
def test_check_active_false(self):
user_class = get_user_model()
auth = BasicAuthentication(require_active=False)
request = HttpRequest()
bob_doe = user_class.objects.get(
**{user_class.USERNAME_FIELD: 'bobdoe'})
create_api_key(User, instance=bob_doe, created=True)
request.META[
'HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_key.key
self.assertTrue(auth.is_authenticated(request))
def test_check_active_false(self):
if django.VERSION >= (1, 10):
# Authenticating inactive users via ModelUserBackend not supported for Django >= 1.10"
return
auth = BasicAuthentication(require_active=False)
request = HttpRequest()
bob_doe = User.objects.get(username='******')
bob_doe.set_password('pass')
bob_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode('bobdoe:pass')
self.assertTrue(auth.is_authenticated(request))
def test_is_authenticated(self):
auth = BasicAuthentication()
request = HttpRequest()
# No HTTP Basic auth details should fail.
self.assertEqual(
isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# HttpUnauthorized with auth type and realm
self.assertEqual(
auth.is_authenticated(request)['WWW-Authenticate'],
'Basic Realm="django-tastypie"')
# Wrong basic auth details.
request.META['HTTP_AUTHORIZATION'] = 'abcdefg'
self.assertEqual(
isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# No password.
request.META['HTTP_AUTHORIZATION'] = base64.b64encode(
'daniel'.encode('utf-8')).decode('utf-8')
self.assertEqual(
isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# Wrong user/password.
request.META['HTTP_AUTHORIZATION'] = base64.b64encode(
'daniel:pass'.encode('utf-8')).decode('utf-8')
self.assertEqual(
isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# Correct user/password.
john_doe = User.objects.get(username='******')
john_doe.set_password('pass')
john_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode(
'johndoe:pass'.encode('utf-8')).decode('utf-8')
self.assertEqual(auth.is_authenticated(request), True)
# Regression: Password with colon.
john_doe = User.objects.get(username='******')
john_doe.set_password('pass:word')
john_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode(
'johndoe:pass:word'.encode('utf-8')).decode('utf-8')
self.assertEqual(auth.is_authenticated(request), True)
# Capitalization shouldn't matter.
john_doe = User.objects.get(username='******')
john_doe.set_password('pass:word')
john_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'bAsIc %s' % base64.b64encode(
'johndoe:pass:word'.encode('utf-8')).decode('utf-8')
self.assertEqual(auth.is_authenticated(request), True)
def test_is_authenticated(self):
auth = BasicAuthentication()
request = HttpRequest()
# No HTTP Basic auth details should fail.
self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# HttpUnauthorized with auth type and realm
self.assertEqual(auth.is_authenticated(request)['WWW-Authenticate'], 'Basic Realm="django-tastypie"')
# Wrong basic auth details.
request.META['HTTP_AUTHORIZATION'] = 'abcdefg'
self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# No password.
request.META['HTTP_AUTHORIZATION'] = base64.b64encode('daniel')
self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# Wrong user/password.
request.META['HTTP_AUTHORIZATION'] = base64.b64encode('daniel:pass')
self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# Correct user/password.
john_doe = User.objects.get(username='******')
john_doe.set_password('pass')
john_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode('johndoe:pass')
self.assertEqual(auth.is_authenticated(request), True)
# Regression: Password with colon.
john_doe = User.objects.get(username='******')
john_doe.set_password('pass:word')
john_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode('johndoe:pass:word')
self.assertEqual(auth.is_authenticated(request), True)
def api_user_follow(request):
if request.method == 'POST':
basic_auth = BasicAuthentication()
if basic_auth.is_authenticated(request):
to_user_id = int(request.POST.get("to_user", 0))
try:
to_user = User.objects.get(id=to_user_id)
except User.DoesNotExist:
raise Http404
from_user = request.user
from_user.relationships.add(to_user)
response_data={'status':'success'}
return HttpResponse(simplejson.dumps(response_data), mimetype='application/json')
raise Http404
class Meta:
queryset = Device.objects.all().distinct().order_by('-created_date')
resource_name = 'devices'
authentication = BasicAuthentication()
authorization = DjangoAuthorization()
include_resource_uri = False
allowed_methods = ['get', 'post', 'put']
class Meta:
authorization = Authorization()
authentication = MultiAuthentication(BasicAuthentication(),
SessionAuthentication())
allowed_methods = ['get']
resource_name = 'cypher'
object_class = object
class Meta:
resource_name = 'project'
default_format = 'application/json'
queryset = Project.objects.all()
authentication = BasicAuthentication()
authorization = GuardianAuthorization()
abstract = True
class Meta:
queryset = Medico.objects.all()
resource_name = 'medico'
autentication = BasicAuthentication()
authorization = DjangoAuthorization()
fields = ['cedula', 'nombre']
class Meta:
queryset = Profile.objects.all()
resource_name = 'user'
excludes = ['email', 'password', 'is_superuser']
# Add it here.
authentication = BasicAuthentication()
authorization = DjangoAuthorization()
def test_multiauth_apikey_and_basic_auth__no_details_fails(self):
auth = MultiAuthentication(BasicAuthentication(),
ApiKeyAuthentication())
request = HttpRequest()
self.assertEqual(
isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
class Meta:
object_class = Member
queryset = Member.objects.all()
resource_name = 'members'
allowed_methods = ['get', 'post', 'put', 'delete']
excludes = ['member_photo']
authentication = BasicAuthentication()
class Meta:
queryset = VersionedApp.objects.all()
resource_name = 'versioned_app'
filtering = {'name': ALL}
authentication = MultiAuthentication(BasicAuthentication(),
ApiKeyAuthentication())
authorization = DjangoAuthorization()
class Meta:
queryset = Luggage.objects.all()
allowed_methods = ['get', 'post']
authentication = MultiAuthentication(BasicAuthentication(),
ApiKeyAuthentication())
authorization = Authorization()
filtering = {'passenger': ALL}
class Meta:
include_resource_uri = False
authentication = MultiAuthentication(SessionAuthentication(),
BasicAuthentication())
list_allowed_methods = ['get']
detail_allowed_methods = []
resource_name = 'data/balance'
class Meta:
resource_name = 'cdr'
authorization = Authorization()
authentication = BasicAuthentication()
allowed_methods = ['post']
throttle = BaseThrottle(throttle_at=1000,
timeframe=3600) # default 1000 calls / hour
class Meta:
queryset = User.objects.all()
resource_name = 'user'
excludes = ['email', 'password', 'is_active', 'is_staff', 'is_superuser']
allowed_methods = ['get', ]
authentication = BasicAuthentication()
authorization = DjangoAuthorization()
class Meta:
queryset = EmailSubscriber.objects.all()
filtering = {
'email': ALL,
'event': ALL_WITH_RELATIONS,
}
authentication = BasicAuthentication()
class Meta:
queryset = Project.objects.all()
resource_name = 'projects'
list_allowed_methods = ['get', 'post']
detail_allowed_methods = ['get', 'put', 'delete', 'patch']
authorization = DjangoAuthorization()
authentication = BasicAuthentication()
class Meta:
queryset = Node.objects.all()
resource_name = 'node'
allowed_methods = ['get']
authentication = BasicAuthentication()
authorization = DjangoAuthorization()
always_return_data = True
def test_apikey_and_basic_auth(self):
auth = MultiAuthentication(BasicAuthentication(),
ApiKeyAuthentication())
request = HttpRequest()
john_doe = User.objects.get(username='******')
# No API Key or HTTP Basic auth details should fail.
self.assertEqual(
isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# Basic Auth still returns appropriately.
self.assertEqual(
auth.is_authenticated(request)['WWW-Authenticate'],
'Basic Realm="django-tastypie"')
# API Key Auth works.
request = HttpRequest()
request.GET['username'] = '******'
request.GET['api_key'] = john_doe.api_key.key
self.assertEqual(auth.is_authenticated(request), True)
self.assertEqual(auth.get_identifier(request), 'johndoe')
# Basic Auth works.
request = HttpRequest()
john_doe = User.objects.get(username='******')
john_doe.set_password('pass')
john_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode(
'johndoe:pass'.encode('utf-8')).decode('utf-8')
self.assertEqual(auth.is_authenticated(request), True)
class Meta:
queryset = Category.objects.all()
authorization = DjangoAuthorization()
authentication = BasicAuthentication()
allowed_methods = ['get', 'post', 'put', 'delete']
detail_allowed_methods = ['get', 'post', 'put', 'delete']
filtering = {'id': ALL, 'username': ALL_WITH_RELATIONS}
class Meta:
queryset = Book.objects.all()
resource_name = 'book'
filtering = {'title': ALL}
authentication = BasicAuthentication()
authorization = DjangoAuthorization()
always_return_data = True
class Meta:
queryset = User.objects.all()
fields = ["first_name", "last_name", "username",]
allowed_method = ['get']
resource_name = 'login'
authorization = DjangoAuthorization()
authentication = BasicAuthentication()
class Meta:
queryset = User.objects.all()
resource_name = 'users'
allowed_methods = ['get', 'post', 'delete', 'put', 'options']
authorization = Authorization()
authentication = MultiAuthentication(
ApiKeyAuthentication(),
BasicAuthentication(),
)
collection_name = 'users'
detail_uri_name = 'username'
fields = (
'username',
'id',
'full_name',
'first_name',
'last_name',
'third_name',
'position',
'avatar',
'is_staff',
'email',
)
filtering = {
'id': (
'exact',
'ne',
),
}
class Meta:
queryset = User.objects.all()
resource_name = "user"
excludes = ["email", "password", "is_active", "is_staff", "is_superuser"]
allowed_methods = ["get"]
authorization = DjangoAuthorization()
authentication = BasicAuthentication()
class Meta:
queryset = Storage.objects.all()
resource_name = 'storage'
allowed_methods = ['get']
authentication = BasicAuthentication()
detail_uri_name = 'name'
collection_name = 'results'
class Meta:
queryset = Transaction.objects.all()
resource_name = 'transaction'
allowed_methods = ['get', 'post']
authentication = BasicAuthentication()
authorization = DjangoAuthorization()
always_return_data = True
def test_whitelisting(self):
auth = BasicAuthentication(whitelisted_methods=['a_method'])
request = HttpRequest()
# Calling with a whitelisted method_name without credentials should work
self.assertEqual(auth.is_authenticated(request, method_name='a_method'), True)
# Calling any other method should require auth
self.assertEqual(isinstance(auth.is_authenticated(request, method_name='another_method'), HttpUnauthorized), True)
# Correct user/password.
john_doe = User.objects.get(username='******')
john_doe.set_password('pass')
john_doe.save()
request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode('johndoe:pass')
self.assertEqual(auth.is_authenticated(request, method_name="another_method"), True)
self.assertEqual(auth.is_authenticated(request, method_name="a_method"), True)
def test_is_authenticated(self):
auth = BasicAuthentication()
request = HttpRequest()
# No HTTP Basic auth details should fail.
self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# HttpUnauthorized with auth type and realm
self.assertEqual(auth.is_authenticated(request)["WWW-Authenticate"], 'Basic Realm="django-tastypie"')
# Wrong basic auth details.
request.META["HTTP_AUTHORIZATION"] = "abcdefg"
self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# No password.
request.META["HTTP_AUTHORIZATION"] = base64.b64encode("daniel")
self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# Wrong user/password.
request.META["HTTP_AUTHORIZATION"] = base64.b64encode("daniel:pass")
self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True)
# Correct user/password.
john_doe = User.objects.get(username="******")
john_doe.set_password("pass")
john_doe.save()
request.META["HTTP_AUTHORIZATION"] = "Basic %s" % base64.b64encode("johndoe:pass")
self.assertEqual(auth.is_authenticated(request), True)
def api_upload_photo(request):
if request.method == 'POST':
basic_auth = BasicAuthentication()
if basic_auth.is_authenticated(request):
photo = Photo(user=request.user, title=request.POST.get('title', None), file=request.FILES['file'])
photo.save()
at_users = request.POST.get('atusers', '').split(',')
for user_id in at_users:
try:
to_user = User.objects.get(id=int(user_id))
message = Message(from_user=request.user, to_user=to_user, description=get_photo_info(photo)).save()
except Exception:
pass
# TODO the api resource_uri need to dynamic
response_data={"resource_uri": "/api/v1/photo/%d/" % (photo.id) , "file_url": photo.file.url}
return HttpResponse(simplejson.dumps(response_data), mimetype='application/json')
raise Http404
def is_authenticated(self, request, **kwargs): # noqa # too complex
'''
handles backends explicitly so that it can return False when
credentials are given but wrong and return Anonymous User when
credentials are not given or the session has expired (web use).
'''
auth_info = request.META.get('HTTP_AUTHORIZATION')
if 'HTTP_AUTHORIZATION' not in request.META:
if hasattr(request.user, 'allowed_tokens'):
tokens = request.user.allowed_tokens
session_auth = SessionAuthentication()
check = session_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
session_auth_result = False
else:
request._authentication_backend = session_auth
session_auth_result = check
else:
request.user = AnonymousUser()
session_auth_result = True
request.user.allowed_tokens = tokens
return session_auth_result
else:
if auth_info.startswith('Basic'):
basic_auth = BasicAuthentication()
check = basic_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return False
else:
request._authentication_backend = basic_auth
return check
if auth_info.startswith('ApiKey'):
apikey_auth = ApiKeyAuthentication()
check = apikey_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return False
else:
request._authentication_backend = apikey_auth
return check
def is_authenticated(self, request, **kwargs):
'''
handles backends explicitly so that it can return False when
credentials are given but wrong and return Anonymous User when
credentials are not given or the session has expired (web use).
'''
auth_info = request.META.get('HTTP_AUTHORIZATION')
if 'HTTP_AUTHORIZATION' not in request.META:
session_auth = SessionAuthentication()
check = session_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return(False)
else:
request._authentication_backend = session_auth
return(check)
else:
request.user = AnonymousUser()
return(True)
else:
if auth_info.startswith('Basic'):
basic_auth = BasicAuthentication()
check = basic_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return(False)
else:
request._authentication_backend = basic_auth
return(check)
if auth_info.startswith('ApiKey'):
apikey_auth = ApiKeyAuthentication()
check = apikey_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return(False)
else:
request._authentication_backend = apikey_auth
return(check)
class Authentication(ApiKeyAuthentication):
def __init__(self):
self.api_key_auth = ApiKeyAuthentication()
self.basic_auth = BasicAuthentication(backend=ApiKeyBackend())
def is_authenticated(self, request, **kwargs):
if request.user.is_authenticated():
return True
ret = self.basic_auth.is_authenticated(request, **kwargs)
if isinstance(ret, HttpUnauthorized):
ret2 = self.api_key_auth.is_authenticated(request, **kwargs)
if not isinstance(ret2, HttpUnauthorized):
return ret2
return ret
def get_identifier(self, request):
if request.user.is_authenticated():
return request.user.username
ret = self.basic_auth.get_identifier(request)
if isinstance(ret, HttpUnauthorized):
ret2 = self.api_key_auth.get_identifier(request)
if not isinstance(ret2, HttpUnauthorized):
return ret2
return ret
def __init__(self):
self.api_key_auth = ApiKeyAuthentication()
self.basic_auth = BasicAuthentication(backend=ApiKeyBackend())
