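async def validate(self, token):
    """Return the user from the token.

    ``token`` is the credential mapping handed in by the extractor; only
    entries with ``type == 'bearer'`` whose ``token`` value looks like a
    JWT (contains a ``.``) are considered.  The JWT is verified against
    ``app_settings['jwt']['secret']`` and *only* the configured
    ``app_settings['jwt']['algorithm']``.

    Returns a ``GuillotinaUser`` built on ``self.request`` with ``name``
    taken from the ``fullname`` claim and ``id`` from ``sub``, or ``None``
    when the token is missing, not a bearer token, or fails verification
    for any reason other than expiry.

    Raises ``HTTPUnauthorized`` when the token verifies but has expired,
    so the client sees a 401 rather than silently becoming anonymous.
    """
    if token.get('type') != 'bearer':
        return None
    if '.' not in token.get('token', ''):
        # quick way to check if actually might be jwt
        return None

    secret = app_settings['jwt']['secret']
    # Pinning ``algorithms`` to the configured one is what keeps a token
    # from selecting its own (e.g. ``none`` or a different family).
    algorithms = [app_settings['jwt']['algorithm']]
    try:
        try:
            validated_jwt = jwt.decode(
                token['token'], secret, algorithms=algorithms)
        except jwt.exceptions.ExpiredSignatureError:
            # ``logger.warn`` is a deprecated alias of ``warning``.
            logger.warning("Token Expired")
            raise HTTPUnauthorized()
        except jwt.InvalidIssuedAtError:
            # ``iat`` lies in the future (clock skew with the issuer):
            # retry with iat verification disabled; the signature and the
            # remaining claims are still checked by this second decode.
            logger.warning("Back to the future")
            validated_jwt = jwt.decode(
                token['token'], secret, algorithms=algorithms,
                options=NON_IAT_VERIFY)
    except jwt.exceptions.InvalidTokenError:
        # Previously only ``DecodeError`` was handled here; the other
        # verification failures PyJWT raises (disallowed ``alg``, ``nbf``
        # still in the future, ...) escaped as unhandled server errors.
        # A token that does not verify is simply "no user".
        return None

    user = GuillotinaUser(self.request)
    user.name = validated_jwt['fullname']
    user.id = validated_jwt['sub']
    return user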
def login_user(request, user_data):
    """Attach a security interaction for ``user_data`` to ``request``.

    A fresh ``Interaction`` replaces ``request.security`` and a
    ``GuillotinaParticipation`` is registered on it.  When ``user_data``
    contains an ``id`` key, a ``GuillotinaUser`` is built from it
    (``groups``, ``roles`` and ``data`` default to empty), becomes the
    participation's principal and is cached on ``request._cache_user``.
    ``request._cache_groups`` is reset either way.  A truthy
    ``user_data['Authorization']`` is copied into ``request.headers``.

    Returns ``None``; all effects are on ``request``.
    """
    request.security = Interaction(request)

    participation = GuillotinaParticipation(request)
    # NOTE(review): the participation's interaction is cleared here rather
    # than pointed at the new Interaction; presumably ``Interaction.add``
    # wires it up -- confirm against the Interaction implementation.
    participation.interaction = None

    # Key presence, not truthiness: an explicit ``None`` id still counts.
    if 'id' in user_data:
        principal = GuillotinaUser(request)
        principal.id = user_data['id']
        principal._groups = user_data.get('groups', [])
        principal._roles = user_data.get('roles', [])
        principal.data = user_data.get('data', {})
        participation.principal = principal
        request._cache_user = principal

    request.security.add(participation)
    request.security.invalidate_cache()
    request._cache_groups = {}

    authorization = user_data.get('Authorization')
    if authorization:
        request.headers['Authorization'] = authorization
async def test_allowsingle2(container_requester):
    """``AllowSingle`` grants on the object itself but does not inherit.

    Builds ``/testing`` with two items, assigns a mix of ``AllowSingle``
    and ``Allow`` principal-permission (and one role-based) grants through
    ``@sharing``, then checks ``check_permission`` for users in different
    group combinations against the container, the folder and the items.
    """
    async with container_requester as requester:

        async def post(path, payload):
            """POST ``payload`` as JSON to ``path`` and return the status."""
            _, status = await requester('POST', path, data=json.dumps(payload))
            return status

        def login_as(user_id, groups):
            """Log a user with the given id and group list into ``request``."""
            principal = GuillotinaUser(request)
            principal.id = user_id
            principal._groups = groups
            utils.login(request, principal)

        def can(permission, obj):
            return request.security.check_permission(permission, obj)

        # Content tree: /testing (Folder) with items test1 and test2.
        assert await post('/db/guillotina/', {
            '@type': 'Folder', 'id': 'testing'}) == 201
        for item_id in ('test1', 'test2'):
            assert await post('/db/guillotina/testing/', {
                '@type': 'Item', 'id': item_id}) == 201

        # group1 may access the container only (AllowSingle).
        assert await post('/db/guillotina/@sharing', {
            'prinperm': [{
                'principal': 'group1',
                'permission': 'guillotina.AccessContent',
                'setting': 'AllowSingle',
            }],
        }) == 200
        # On the folder: group2 inherits AccessContent, group1 gets
        # ViewContent on the folder only.
        assert await post('/db/guillotina/testing/@sharing', {
            'prinperm': [{
                'principal': 'group2',
                'permission': 'guillotina.AccessContent',
                'setting': 'Allow',
            }, {
                'principal': 'group1',
                'permission': 'guillotina.ViewContent',
                'setting': 'AllowSingle',
            }],
        }) == 200
        # test1: group3 gets ViewContent directly.
        assert await post('/db/guillotina/testing/test1/@sharing', {
            'prinperm': [{
                'principal': 'group3',
                'permission': 'guillotina.ViewContent',
                'setting': 'Allow',
            }],
        }) == 200
        # test2: group2 gets ViewContent via the Reader role.
        assert await post('/db/guillotina/testing/test2/@sharing', {
            'prinrole': [{
                'principal': 'group2',
                'role': 'guillotina.Reader',
                'setting': 'Allow',
            }],
            'roleperm': [{
                'role': 'guillotina.Reader',
                'permission': 'guillotina.ViewContent',
                'setting': 'Allow',
            }],
        }) == 200

        request = utils.get_mocked_request(requester.db)
        container = await utils.get_container(requester, request)
        content = await container.async_get('testing')

        # group2 carries AccessContent down into the folder.
        login_as('user1', ['group2', 'group1'])
        assert can('guillotina.AccessContent', request.container)
        assert can('guillotina.AccessContent', content)

        # group1 alone: AllowSingle on the container does not reach the folder.
        login_as('user2', ['group1'])
        assert can('guillotina.AccessContent', request.container)
        assert not can('guillotina.AccessContent', content)

        # All three groups: ViewContent on both items, by different routes.
        login_as('user3', ['group1', 'group2', 'group3'])
        test1 = await content.async_get('test1')
        test2 = await content.async_get('test2')
        assert can('guillotina.ViewContent', test1)
        assert can('guillotina.ViewContent', test2)
async def test_inherit(container_requester):
    """A ``Deny`` on permission inheritance blocks an inherited role grant.

    ``user1`` gets ``guillotina.Reader`` on the container; ``/testing``
    then denies inheritance of ``ViewContent``.  The check must pass on the
    container and fail on the item, and the HTTP request must return 401
    until ``ViewContent`` is granted again on the item (here via
    ``guillotina.Manager``).
    """
    async with container_requester as requester:

        async def post(path, payload):
            """POST ``payload`` as JSON to ``path`` and return the status."""
            _, status = await requester('POST', path, data=json.dumps(payload))
            return status

        async def get_status(path):
            _, status = await requester('GET', path)
            return status

        assert await post('/db/guillotina/', {
            '@type': 'Item', 'id': 'testing'}) == 201

        # Container level: user1 is a Reader.
        assert await post('/db/guillotina/@sharing', {
            'prinrole': [{
                'principal': 'user1',
                'role': 'guillotina.Reader',
                'setting': 'Allow',
            }],
        }) == 200
        # Item level: ViewContent is not inherited from above.
        assert await post('/db/guillotina/testing/@sharing', {
            'perminhe': [{
                'permission': 'guillotina.ViewContent',
                'setting': 'Deny',
            }],
        }) == 200
        assert await get_status('/db/guillotina/testing/@all_permissions') == 200

        request = utils.get_mocked_request(requester.db)
        container = await utils.get_container(requester, request)
        content = await container.async_get('testing')

        principal = GuillotinaUser(request)
        principal.id = 'user1'
        utils.login(request, principal)
        check = request.security.check_permission
        assert check('guillotina.ViewContent', request.container)
        assert not check('guillotina.ViewContent', content)

        # The HTTP layer agrees: the item is unauthorized ...
        assert await get_status('/db/guillotina/testing') == 401

        # ... until ViewContent is granted on the item itself.
        assert await post('/db/guillotina/testing/@sharing', {
            'roleperm': [{
                'permission': 'guillotina.ViewContent',
                'role': 'guillotina.Manager',
                'setting': 'Allow',
            }],
        }) == 200
        assert await get_status('/db/guillotina/testing') == 200