def test_bootstrap_ip_whitelist_assignment_modify(self):
self.mock_now(datetime.datetime(2014, 01, 01))
ret = model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
'some ip whitelist', 'some comment')
self.assertTrue(ret)
ret = model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
'another ip whitelist', 'another comment')
self.assertTrue(ret)
self.assertEqual(
{
'assignments': [
{
'comment': 'another comment',
'created_by': model.get_service_self_identity(),
'created_ts': datetime.datetime(2014, 1, 1),
'identity': model.Identity(model.IDENTITY_USER, '*****@*****.**'),
'ip_whitelist': 'another ip whitelist',
},
],
'auth_db_rev': 2,
'auth_db_prev_rev': 1,
'modified_by': model.get_service_self_identity(),
'modified_ts': datetime.datetime(2014, 1, 1),
}, model.ip_whitelist_assignments_key().get().to_dict())
def test_ip_whitelist_not_used(self):
"""Per-account IP whitelist works."""
model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'), 'whitelist')
self.assertEqual('user:[email protected]',
self.call('127.0.0.1', '*****@*****.**'))
def test_ip_whitelist(self):
"""Per-account IP whitelist works."""
ident1 = model.Identity(model.IDENTITY_USER, '*****@*****.**')
ident2 = model.Identity(model.IDENTITY_USER, '*****@*****.**')
model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
model.bootstrap_ip_whitelist_assignment(ident1, 'whitelist')
mocked_ident = [None]
class Handler(handler.AuthenticatingHandler):
@classmethod
def get_auth_methods(cls, conf):
return [lambda _req: mocked_ident[0]]
@api.public
def get(self):
self.response.write('OK')
app = self.make_test_app('/request', Handler)
def call(ident, ip):
api.reset_local_state()
mocked_ident[0] = ident
response = app.get('/request',
extra_environ={'REMOTE_ADDR': ip},
expect_errors=True)
return response.status_int
# IP is whitelisted.
self.assertEqual(200, call(ident1, '192.168.1.100'))
# IP is NOT whitelisted.
self.assertEqual(403, call(ident1, '127.0.0.1'))
# Whitelist is not used.
self.assertEqual(200, call(ident2, '127.0.0.1'))
def test_ip_whitelist_not_whitelisted(self):
"""Per-account IP whitelist works."""
model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'), 'whitelist')
with self.assertRaises(api.AuthorizationError):
self.call('127.0.0.1', '*****@*****.**')
def test_ip_whitelist_not_whitelisted(self):
"""Per-account IP whitelist works."""
model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'), 'whitelist')
with self.assertRaises(api.AuthorizationError):
self.call('127.0.0.1', '*****@*****.**')
def test_ip_whitelist(self):
"""Per-account IP whitelist works."""
ident1 = model.Identity(model.IDENTITY_USER, '*****@*****.**')
ident2 = model.Identity(model.IDENTITY_USER, '*****@*****.**')
model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
model.bootstrap_ip_whitelist_assignment(ident1, 'whitelist')
class Handler(handler.AuthenticatingHandler):
@api.public
def get(self):
self.response.write('OK')
app = self.make_test_app('/request', Handler)
def call(ident, ip):
api.reset_local_state()
handler.configure([lambda _request: ident])
response = app.get(
'/request', extra_environ={'REMOTE_ADDR': ip}, expect_errors=True)
return response.status_int
# IP is whitelisted.
self.assertEqual(200, call(ident1, '192.168.1.100'))
# IP is NOT whitelisted.
self.assertEqual(403, call(ident1, '127.0.0.1'))
# Whitelist is not used.
self.assertEqual(200, call(ident2, '127.0.0.1'))
def test_bootstrap_ip_whitelist_assignment_modify(self):
self.mock_now(datetime.datetime(2014, 01, 01))
ret = model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
'some ip whitelist', 'some comment')
self.assertTrue(ret)
ret = model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'),
'another ip whitelist', 'another comment')
self.assertTrue(ret)
self.assertEqual(
{
'assignments': [
{
'comment': 'another comment',
'created_by': model.get_service_self_identity(),
'created_ts': datetime.datetime(2014, 1, 1),
'identity': model.Identity(model.IDENTITY_USER, '*****@*****.**'),
'ip_whitelist': 'another ip whitelist',
},
],
'auth_db_rev': 2,
'auth_db_prev_rev': 1,
'modified_by': model.get_service_self_identity(),
'modified_ts': datetime.datetime(2014, 1, 1),
}, model.ip_whitelist_assignments_key().get().to_dict())
def test_ip_whitelist_not_used(self):
"""Per-account IP whitelist works."""
model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'), 'whitelist')
self.assertEqual(
'user:[email protected]',
self.call('127.0.0.1', '*****@*****.**'))
def test_ip_whitelist_not_whitelisted(self):
model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'), 'whitelist')
state, ctx = self.call('ipv4:127.0.0.1', '*****@*****.**')
self.assertIsNone(state)
self.assertEqual(ctx.code, prpclib.StatusCode.PERMISSION_DENIED)
self.assertEqual(ctx.details, 'IP 127.0.0.1 is not whitelisted')
def test_ip_whitelist_whitelisted(self):
model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
model.bootstrap_ip_whitelist_assignment(
model.Identity(model.IDENTITY_USER, '*****@*****.**'), 'whitelist')
state, _ = self.call('ipv4:192.168.1.100', '*****@*****.**')
self.assertEqual(state, CapturedState(
current_identity='user:[email protected]',
is_superuser=False,
peer_identity='user:[email protected]',
peer_ip=ipaddr.ip_from_string('192.168.1.100'),
delegation_token=None,
))
