def test_apikey_and_authentication_enforce_user(self):
        """A failed API-key attempt must not change ``request.user`` when the session backend accepts."""
        csrf_token = "abcdef1234567890abcdef1234567890"
        api_key_auth = ApiKeyAuthentication()
        session_auth = SessionAuthentication()
        auth = MultiAuthentication(api_key_auth, session_auth)
        john_doe = User.objects.get(username="******")

        # Session-only request: logged-in user, CSRF header and cookie carry the same token.
        session_request = HttpRequest()
        session_request.method = "POST"
        session_request.META = {"HTTP_X_CSRFTOKEN": csrf_token}
        session_request.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
        session_request.user = john_doe

        # API-key-only request carrying a key that is not valid.
        bad_key_request = HttpRequest()
        bad_key_request.POST["username"] = "******"
        bad_key_request.POST["api_key"] = "invalid key"

        # Both at once: a valid session plus the same invalid API key.
        combined_request = HttpRequest()
        combined_request.method = "POST"
        combined_request.META = {"HTTP_X_CSRFTOKEN": csrf_token}
        combined_request.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
        combined_request.user = john_doe
        combined_request.POST["username"] = "******"
        combined_request.POST["api_key"] = "invalid key"

        # Session auth passes because john_doe is logged in.
        self.assertEqual(session_auth.is_authenticated(session_request), True)
        # API-key auth on its own rejects the invalid key with an HttpUnauthorized response.
        self.assertIsInstance(api_key_auth.is_authenticated(bad_key_request), HttpUnauthorized)

        # The chain succeeds via the session backend, and the rejected API-key
        # attempt leaves the request bound to the session user before and after.
        self.assertEqual(combined_request.user.username, "johndoe")
        self.assertEqual(auth.is_authenticated(combined_request), True)
        self.assertEqual(combined_request.user.username, "johndoe")
Example #2
    def test_multiauth_apikey_and_basic_auth__basic_returns_authenticate(self):
        """A request without credentials receives the Basic challenge header."""
        request = HttpRequest()
        auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())

        # The value returned for an unauthenticated request is a response object,
        # so its WWW-Authenticate header can be read directly.
        response = auth.is_authenticated(request)
        self.assertEqual(response['WWW-Authenticate'], 'Basic Realm="django-tastypie"')
Example #3
    def test_multiauth_apikey_and_basic_auth__api_key_works_in_header(self):
        """An ``ApiKey <username>:<key>`` Authorization header authenticates through the chain."""
        john_doe = User.objects.get(username='******')
        request = HttpRequest()
        auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())

        # Credentials travel in the Authorization header rather than the URL.
        header_value = 'ApiKey %s:%s' % (john_doe.username, john_doe.api_key.key,)
        request.META['HTTP_AUTHORIZATION'] = header_value

        self.assertEqual(auth.is_authenticated(request), True)
        # The identifier reported for the request is the key owner's username.
        self.assertEqual(auth.get_identifier(request), john_doe.username)
Example #4
    def test_multiauth_apikey_and_basic_auth__api_key_works_in_query(self):
        """``username`` and ``api_key`` supplied as query parameters authenticate through the chain."""
        john_doe = User.objects.get(username='******')
        request = HttpRequest()
        auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())

        # Keys sent in the query string tend to end up in access logs, proxy
        # logs and browser history; deployments that accept this form should
        # treat those logs as containing credentials.
        for name, value in (('username', john_doe.username), ('api_key', john_doe.api_key.key)):
            request.GET[name] = value

        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), john_doe.username)
Example #5
    def test_multiauth_apikey_and_basic_auth__basic_auth_works(self):
        """HTTP Basic credentials authenticate through a Basic + API-key chain."""
        request = HttpRequest()
        auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())

        # Give the fixture user a known password so the header below matches.
        john_doe = User.objects.get(username='******')
        john_doe.set_password('pass')
        john_doe.save()

        # Basic auth is only base64 *encoding* of "user:password", not
        # encryption, so it is only suitable over TLS.
        encoded = base64.b64encode('johndoe:pass'.encode('utf-8')).decode('utf-8')
        request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % encoded

        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), john_doe.username)
    def test_multiauth_apikey_and_basic_auth__api_key_works_in_header__space_in_username(self):
        """The ``ApiKey`` header form still authenticates after the user's username is changed."""
        request = HttpRequest()
        auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())

        # Rename the fixture user first (per the test name, to a username
        # containing a space) and persist it before building the header.
        john_doe = User.objects.get(username="******")
        john_doe.username = "******"
        john_doe.save()

        header_value = "ApiKey %s:%s" % (john_doe.username, john_doe.api_key.key)
        request.META["HTTP_AUTHORIZATION"] = header_value

        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), john_doe.username)
    def test_multiauth_apikey_and_basic_auth__basic_auth_works(self):
        """A valid HTTP Basic header is accepted by the Basic + API-key chain."""
        john_doe = User.objects.get(username="******")
        john_doe.set_password("pass")
        john_doe.save()

        auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
        request = HttpRequest()

        # "user:password" is base64-encoded, not encrypted; the header is only
        # as confidential as the transport carrying it.
        raw_credentials = "johndoe:pass".encode("utf-8")
        token = base64.b64encode(raw_credentials).decode("utf-8")
        request.META["HTTP_AUTHORIZATION"] = "Basic %s" % token

        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), john_doe.username)
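    def test_apikey_and_authentication_enforce_user(self):
        """A failed API-key attempt must not change ``request.user`` when the session backend accepts.

        The success checks compare against ``True`` by identity. A backend
        signals failure by returning an ``HttpUnauthorized`` response object,
        and such an object is truthy, so ``assertTrue`` would also pass on a
        rejected request and hide an authentication regression.
        """
        session_auth = SessionAuthentication()
        api_key_auth = ApiKeyAuthentication()
        auth = MultiAuthentication(api_key_auth, session_auth)
        john_doe = User.objects.get(username='******')
        request1 = HttpRequest()
        request2 = HttpRequest()
        request3 = HttpRequest()

        # request1: logged-in session, CSRF header and cookie carry the same token.
        request1.method = 'POST'
        request1.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request1.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }
        request1.user = john_doe

        # request2: API-key credentials only, with an invalid key.
        request2.POST['username'] = '******'
        request2.POST['api_key'] = 'invalid key'

        # request3: valid session combined with the invalid API key.
        request3.method = 'POST'
        request3.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request3.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }
        request3.user = john_doe
        request3.POST['username'] = '******'
        request3.POST['api_key'] = 'invalid key'

        # Session auth should pass since john_doe is logged in.
        self.assertIs(session_auth.is_authenticated(request1), True)
        # API-key auth should fail because of the invalid API key.
        self.assertIsInstance(api_key_auth.is_authenticated(request2), HttpUnauthorized)

        # Multi auth must not change users if API-key auth fails;
        # it passes because session auth is valid.
        self.assertEqual(request3.user.username, 'johndoe')
        self.assertIs(auth.is_authenticated(request3), True)
        self.assertEqual(request3.user.username, 'johndoe')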
    def test_apikey_and_basic_auth(self):
        """Walk a Basic + API-key chain through the anonymous, API-key and Basic cases."""
        auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
        john_doe = User.objects.get(username='******')

        # Anonymous request: neither backend has anything to verify, so the
        # chain answers with an HttpUnauthorized response ...
        anonymous = HttpRequest()
        self.assertIsInstance(auth.is_authenticated(anonymous), HttpUnauthorized)

        # ... and that response still carries the Basic challenge header.
        challenge = auth.is_authenticated(anonymous)['WWW-Authenticate']
        self.assertEqual(challenge, 'Basic Realm="django-tastypie"')

        # API-key credentials in the query string are accepted.
        request = HttpRequest()
        request.GET['username'] = '******'
        request.GET['api_key'] = john_doe.api_key.key
        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), 'johndoe')

        # HTTP Basic credentials are accepted once the user has that password.
        request = HttpRequest()
        john_doe = User.objects.get(username='******')
        john_doe.set_password('pass')
        john_doe.save()
        encoded = base64.b64encode('johndoe:pass'.encode('utf-8')).decode('utf-8')
        request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % encoded
        self.assertEqual(auth.is_authenticated(request), True)
Example #10
 class Meta:
     # Authentication answers "who is calling"; the backends are listed in
     # the order they are tried. Both are project classes not shown here.
     authentication = MultiAuthentication(
         AppApiKeyAuthentication(),
         CookieBasicAuthentication(),
     )
     # NOTE(review): the name suggests open read access - confirm what this
     # authorization class permits for write methods.
     authorization = AnyoneCanViewAuthorization()
     object_class = models.Piece
     always_return_data = True
Example #11
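 class Meta(CommonMetaApi):
     # Work on a copy: updating CommonMetaApi.filtering in place would add
     # 'doc_type' to the dict shared by every resource that uses
     # CommonMetaApi, widening the filterable fields on all of them.
     filtering = dict(CommonMetaApi.filtering)
     filtering.update({'doc_type': ALL})
     queryset = Document.objects.distinct().order_by('-date')
     resource_name = 'documents'
     # Session auth is tried before the project's API-key backend.
     # No authorization is set here; presumably it is inherited from
     # CommonMetaApi - verify.
     authentication = MultiAuthentication(SessionAuthentication(), GeonodeApiKeyAuthentication())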
Example #12
 class Meta(CommonMetaApi):
     resource_name = 'featured'
     # Only rows flagged as featured, newest first.
     queryset = ResourceBase.objects.filter(featured=True).order_by('-date')
     # Session auth first, then the project's API-key backend. Authorization
     # is not set in this class; presumably inherited from CommonMetaApi.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         GeonodeApiKeyAuthentication(),
     )
Example #13
    def test_apikey_and_authentication(self):
        """Chain ``ApiKeyAuthentication`` with the permissive base ``Authentication``.

        The assertions document a property worth knowing when configuring
        resources: with the base backend in the chain, requests with missing
        or wrong API credentials are still reported as authenticated, only
        under the anonymous identifier instead of a username.
        """
        auth = MultiAuthentication(ApiKeyAuthentication(), Authentication())
        john_doe = User.objects.get(username='******')

        # Query parameters that do not satisfy the API-key backend.
        anonymous_cases = (
            {},                                        # no username/api_key
            {'username': '******'},                    # wrong username
            {'username': '******'},                    # no api_key
            {'username': '******', 'api_key': 'foo'},  # wrong user/api_key
        )
        for params in anonymous_cases:
            request = HttpRequest()
            for name, value in params.items():
                request.GET[name] = value

            # Still authenticated, and identified by the stock fallback value.
            self.assertEqual(auth.is_authenticated(request), True)
            self.assertEqual(auth.get_identifier(request), 'noaddr_nohost')

        # Valid username and key: the identifier becomes the username.
        request = HttpRequest()
        request.GET['username'] = '******'
        request.GET['api_key'] = john_doe.api_key.key

        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), john_doe.username)
Example #14
 class Meta:
     resource_name = 'user'
     # NOTE(review): no `fields`/`excludes` is visible in this snippet, so
     # confirm that sensitive User columns (e.g. the password hash) are not
     # serialized by this resource.
     queryset = User.objects.all()
     # API key is tried first, then the session.
     authentication = MultiAuthentication(
         ApiKeyAuthentication(),
         SessionAuthentication(),
     )
     authorization = DjangoAuthorization()
Example #15
 class Meta:
     resource_name = 'applications'
     queryset = Application.objects.all()
     # API key is tried first, then the session.
     authentication = MultiAuthentication(
         ApiKeyAuthentication(),
         SessionAuthentication(),
     )
     # NOTE(review): if this is tastypie's base Authorization, it performs no
     # permission checks - any authenticated caller may use every allowed
     # method on every Application row. Confirm that is intended.
     authorization = Authorization()
Example #16
 class Meta:
     queryset = Log.objects.all()
     # Read-only at the HTTP-method level.
     allowed_methods = ['get']
     # HTTP Basic is tried first, then the API key.
     authentication = MultiAuthentication(
         BasicAuthentication(),
         ApiKeyAuthentication(),
     )
     # NOTE(review): if this is tastypie's base Authorization, it applies no
     # per-user checks, so every authenticated caller can read all Log rows.
     authorization = Authorization()
Example #17
 class Meta:
     resource_name = 'unit'
     queryset = Unit.objects.all().select_related('area', 'penetration', 'array')
     # Session auth is tried first, then the API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     authorization = DjangoAuthorization()
     # NOTE(review): confirm a cached read cannot be served to a caller who
     # would fail the authorization check.
     cache = SimpleCache(timeout=10)
Example #18
 class Meta:
     resource_name = 'condition'
     queryset = Condition.objects.all()
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #19
 class Meta:
     resource_name = 'experiment'
     queryset = Experiment.objects.all().select_related('collator')
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #20
 class Meta:
     resource_name = 'array'
     queryset = Array.objects.all().select_related('subject')
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #21
 class Meta:
     resource_name = 'nomenclature'
     queryset = Nomenclature.objects.all().prefetch_related('species')
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #22
 class Meta:
     # Write-only endpoint: POST is the only allowed method.
     allowed_methods = ['post']
     # HTTP Basic is tried first, then the API key.
     authentication = MultiAuthentication(
         BasicAuthentication(),
         ApiKeyAuthentication(),
     )
     # NOTE(review): if this is tastypie's base Authorization, it performs no
     # permission checks, so every authenticated caller may POST here.
     authorization = Authorization()
Example #23
 class Meta:
     queryset = ItemTemplate.objects.all()
     # Writes are refused at the authorization layer.
     authorization = ReadOnlyAuthorization()
     # NOTE(review): if `Authentication` is tastypie's base class it accepts
     # every request, so callers without a session are treated as
     # authenticated and the ApiKeyAuthentication listed after it is never
     # consulted. Confirm anonymous read access is intended here.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         Authentication(),
         ApiKeyAuthentication(),
     )
    def test_apikey_and_authentication(self):
        """Check that the permissive base backend turns failed API-key attempts into anonymous access.

        Every request below is reported as authenticated; only the last one,
        with a valid key, is identified by username rather than by the
        anonymous 'noaddr_nohost' identifier.
        """
        def request_with(pairs):
            # Fresh request carrying the given query parameters, set in order.
            req = HttpRequest()
            for name, value in pairs:
                req.GET[name] = value
            return req

        auth = MultiAuthentication(ApiKeyAuthentication(), Authentication())
        john_doe = User.objects.get(username='******')

        # No username/api_key details should pass.
        request = request_with([])
        self.assertEqual(auth.is_authenticated(request), True)
        # The identifier should be the stock fallback of the base backend.
        self.assertEqual(auth.get_identifier(request), 'noaddr_nohost')

        # Wrong username details.
        request = request_with([('username', '******')])
        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), 'noaddr_nohost')

        # No api_key.
        request = request_with([('username', '******')])
        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), 'noaddr_nohost')

        # Wrong user/api_key.
        request = request_with([('username', '******'), ('api_key', 'foo')])
        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), 'noaddr_nohost')

        # Correct username and key.
        request = request_with([('username', '******'), ('api_key', john_doe.api_key.key)])
        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), 'johndoe')
Example #25
 class Meta:
     resource_name = 'grasp_performance_condition'
     queryset = (
         GraspPerformanceCondition.objects.all()
         .select_related('experiment')
         .prefetch_related('recording_trials')
     )
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #26
 def is_authenticated(self, request, **kwargs):
     """Let GET requests through unauthenticated; require session or Basic auth otherwise.

     Every GET is reported as authenticated without any credentials, so
     read access on resources using this backend is controlled only by
     their authorization class. The comparison matches 'GET' exactly;
     other methods (HEAD and OPTIONS included) go through the chain.
     """
     if request.method != 'GET':
         chain = MultiAuthentication(SessionAuthentication(), BasicAuthentication())
         return chain.is_authenticated(request, **kwargs)
     return True
Example #27
 class Meta:
     resource_name = 'grasp_observation_condition'
     queryset = (
         GraspObservationCondition.objects.all()
         .select_related('experiment', 'demonstrator_species')
         .prefetch_related('recording_trials')
     )
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #28
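    class Meta:
        # Indentation normalized to spaces; the original mixed tabs and
        # spaces inside one class body.
        queryset = CustomUser.objects.all().select_related('api_key')
        # Project EmailAuthentication is tried first, then the API key.
        authentication = MultiAuthentication(EmailAuthentication(), ApiKeyAuthentication())
        # NOTE(review): if this is tastypie's base Authorization, it performs
        # no permission checks, so any authenticated caller can read and
        # modify every user record. Confirm that is intended.
        authorization = Authorization()
        # tastypie's Meta option is spelled `excludes`; the original `exclude`
        # is not an option tastypie reads, which would leave the password
        # field in the serialized output.
        excludes = ['password']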
Example #29
 class Meta:
     resource_name = 'unit_classification'
     queryset = UnitClassification.objects.all().prefetch_related('units')
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #30
        if not self.check_active(user):
            return False

        request.user = user
        return True

    def _unauthorized(self, request):
        """Build the rejection response, without a Basic challenge for the web UI.

        Requests whose X-Requested-From header is 'WebUI' receive a plain
        HttpUnauthorized; all others get whatever the parent class returns.
        The header is client-supplied and only selects the response shape;
        it does not affect whether the request is rejected.
        """
        from_web_ui = request.META.get('HTTP_X_REQUESTED_FROM') == 'WebUI'
        if from_web_ui:
            return HttpUnauthorized()
        return super(FreeBasicAuthentication, self)._unauthorized()


# Shared authentication chain: DjangoAuthentication is tried first, then the
# project's FreeBasicAuthentication.
APIAuthentication = MultiAuthentication(DjangoAuthentication(), FreeBasicAuthentication())


class APIAuthorization(Authorization):
    """Authorization used by the API; adds nothing to its parent class.

    NOTE(review): if the parent is tastypie's base Authorization, it performs
    no permission checks, so access control rests entirely on authentication.
    """


class DojoPaginator(Paginator):
    """Paginator that takes its offset from the request's HTTP Range header.

    NOTE(review): this listing appears to stop partway through ``__init__``;
    confirm the remaining handling against the full file.
    """

    def __init__(self, request, *args, **kwargs):
        """Initialise the parent with ``request.GET`` and apply any Range header."""
        super(DojoPaginator, self).__init__(request.GET, *args, **kwargs)
        # HTTP_RANGE is a client-controlled header.
        r = request.META.get("HTTP_RANGE", None)
        if r:
            # NOTE(review): no validation here - a value without "=" raises
            # IndexError and a non-numeric start raises ValueError, and a
            # negative number is accepted by int(). Consider rejecting
            # malformed values with a 4xx rather than an unhandled exception.
            r = r.split('=', 1)[1].split('-')
            self.offset = int(r[0])
    def test_apikey_and_authentication(self):
        """Exercise an API-key backend chained with the accept-everything base backend.

        Requests with absent or wrong API credentials remain authenticated
        under the anonymous identifier; only a valid key yields the username.
        """
        john_doe = User.objects.get(username="******")
        auth = MultiAuthentication(ApiKeyAuthentication(), Authentication())
        anonymous_id = "noaddr_nohost"

        # No username/api_key details should pass, identified by the
        # stock fallback of the base backend.
        bare = HttpRequest()
        self.assertEqual(auth.is_authenticated(bare), True)
        self.assertEqual(auth.get_identifier(bare), anonymous_id)

        # Wrong username details.
        wrong_user = HttpRequest()
        wrong_user.GET["username"] = "******"
        self.assertEqual(auth.is_authenticated(wrong_user), True)
        self.assertEqual(auth.get_identifier(wrong_user), anonymous_id)

        # No api_key.
        missing_key = HttpRequest()
        missing_key.GET["username"] = "******"
        self.assertEqual(auth.is_authenticated(missing_key), True)
        self.assertEqual(auth.get_identifier(missing_key), anonymous_id)

        # Wrong user/api_key.
        wrong_key = HttpRequest()
        wrong_key.GET["username"] = "******"
        wrong_key.GET["api_key"] = "foo"
        self.assertEqual(auth.is_authenticated(wrong_key), True)
        self.assertEqual(auth.get_identifier(wrong_key), anonymous_id)

        # Valid username and key.
        valid = HttpRequest()
        valid.GET["username"] = "******"
        valid.GET["api_key"] = john_doe.api_key.key
        self.assertEqual(auth.is_authenticated(valid), True)
        self.assertEqual(auth.get_identifier(valid), john_doe.username)
Example #32
def default_authentication():
    """
    Return the site-wide authentication chain (session first, then API key).

    Keeping the chain in one place lets it be changed for every resource at once.
    A new MultiAuthentication instance is built on each call.
    """
    chain = MultiAuthentication(SessionAuthentication(), ApiKeyAuthentication())
    return chain
Example #33
 class Meta:
     resource_name = 'classification_analysis'
     queryset = ClassificationAnalysis.objects.all().prefetch_related('analysis_factors')
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #34
 class Meta(CommonMetaApi):
     resource_name = 'maps'
     queryset = Map.objects.distinct().order_by('-date')
     # Session auth first, then the project's API-key backend. Authorization
     # is not set in this class; presumably inherited from CommonMetaApi.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         GeonodeApiKeyAuthentication(),
     )
Example #35
 class Meta:
     resource_name = 'classification_analysis_results_level_mapping'
     queryset = ClassificationAnalysisResultsLevelMapping.objects.all()
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #36
 class Meta(CommonMetaApi):
     resource_name = 'base'
     queryset = (
         ResourceBase.objects.polymorphic_queryset()
         .distinct()
         .order_by('-date')
     )
     # These two fields are kept out of the serialized output.
     excludes = ['csw_anytext', 'metadata_xml']
     # Session auth first, then the project's API-key backend. Authorization
     # is not set in this class; presumably inherited from CommonMetaApi.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         GeonodeApiKeyAuthentication(),
     )
Example #37
 class Meta:
     resource_name = 'time_window_condition_settings'
     queryset = TimeWindowConditionSettings.objects.all()
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #38
 class Meta:
     object_class = models.GlobalPermission
     # Full read/write surface on permission objects.
     allowed_methods = ('get', 'post', 'put', 'patch', 'delete')
     # Backends are tried in the order listed; both are project classes
     # not shown here.
     authentication = MultiAuthentication(
         AppApiKeyAuthentication(),
         CookieBasicAuthentication(),
     )
     # NOTE(review): this resource edits permissions, so StaffAuthorization is
     # the only gate between an authenticated caller and privilege changes -
     # confirm it restricts every write method to staff.
     authorization = StaffAuthorization()
Example #39
 class Meta:
     resource_name = 'cluster_analysis_settings'
     queryset = ClusterAnalysisSettings.objects.all()
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #40
from tastypie.throttle import CacheDBThrottle
from tastypie.authorization import DjangoAuthorization
from tastypie.authentication import (SessionAuthentication,
                                     MultiAuthentication, ApiKeyAuthentication)

from app.models import Billing
from app.exceptions import CustomBadRequest
from workspace.models import (Organisation, Workspace, Invitation)

try:
    import json
except Exception:
    import simplejson as json

# Module-wide authentication chain: API key first, then session.
# Note that the name matches tastypie's base `Authentication` class; within
# this module it refers to this chain instance, not to that class.
Authentication = MultiAuthentication(ApiKeyAuthentication(), SessionAuthentication())


class Resource(ModelResource):
    """Base resource carrying the options shared by this module's API resources."""

    class Meta:
        collection_name = 'data'
        always_return_data = True
        # 'delete' is deliberately absent from the allowed methods.
        allowed_methods = ['get', 'post', 'put', 'patch', 'options', 'head']

        # `Authentication` here is the module-level MultiAuthentication
        # instance (API key, then session).
        authentication = Authentication
        authorization = DjangoAuthorization()
        validation = Validation()
        # NOTE(review): confirm a cached read cannot be served to a caller
        # who would fail the authorization check.
        cache = SimpleCache(timeout=10)
Example #41
 class Meta:
     resource_name = 'unit_analysis_results'
     queryset = UnitAnalysisResults.objects.all().select_related('unit')
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #42
 class Meta:
     resource_name = 'factor_level'
     queryset = FactorLevel.objects.all()
     # Who is calling: session first, then API key.
     authentication = MultiAuthentication(
         SessionAuthentication(),
         ApiKeyAuthentication(),
     )
     # What they may do: delegated to DjangoAuthorization.
     authorization = DjangoAuthorization()
     cache = SimpleCache(timeout=10)
Example #43
    def test_multiauth_apikey_and_basic_auth__no_details_fails(self):
        """A request with no credentials at all is rejected by the Basic + API-key chain."""
        request = HttpRequest()
        auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())

        # Rejection is signalled by returning an HttpUnauthorized response
        # object, so the type is checked rather than truthiness.
        outcome = auth.is_authenticated(request)
        self.assertIsInstance(outcome, HttpUnauthorized)