def test_system_user_valid_no_check(self):
client = mock.MagicMock()
self.assertTrue(
validate_user_external_auth(get_worker_user(), client=client))
self.assertTrue(
validate_user_external_auth(get_node_init_user(), client=client))
client.get_groups.assert_not_called()
def test_system_user_valid_no_check(self):
self.assertTrue(
validate_user_external_auth(get_worker_user(),
self.auth_info,
rbac_client=self.client))
self.assertTrue(
validate_user_external_auth(get_node_init_user(),
self.auth_info,
rbac_client=self.client))
self.client.allowed_for_user.assert_not_called()
def test_valid_user_check_has_admin_access(self):
# admin, but no permissions on pools
self.client.allowed_for_user.side_effect = [
{
"admin": [""]
},
{
"view": [],
"view-all": [],
"deploy-machines": [],
"admin-machines": [],
},
]
valid = validate_user_external_auth(
self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client,
)
self.assertTrue(valid)
self.assertTrue(self.user.is_active)
self.assertTrue(self.user.is_superuser)
# user details are updated.
username = self.user.username
self.assertEqual(self.user.last_name, "User {}".format(username))
self.assertEqual(self.user.email, "{}@example.com".format(username))
def is_authenticated(self, request):
user = request.user
if user.is_authenticated:
# only authenticate if user is local and external auth is disabled
# or viceversa
return xor(
bool(request.external_auth_info), user.userprofile.is_local)
# The following is much the same as is_authenticated from Piston's
# OAuthAuthentication, with the difference that an OAuth request that
# does not validate is rejected instead of being silently downgraded.
if self.is_valid_request(request):
try:
consumer, token, parameters = self.validate_token(request)
except OAuthError as error:
raise OAuthUnauthorized(error)
if consumer and token:
user = token.user
is_local_user = (
user.username in SYSTEM_USERS or user.userprofile.is_local)
if request.external_auth_info:
if is_local_user:
return False
if not validate_user_external_auth(user):
return False
elif not is_local_user:
return False
request.user = user
request.consumer = consumer
request.throttle_extra = token.consumer.id
return True
return False
def test_failed_user_details_check(self):
self.client.allowed_for_user.side_effect = [
{
"admin": []
},
{
"view": ["pool1", "pool2"],
"view-all": [],
"deploy-machines": [],
"admin-machines": [],
},
]
self.client.get_user_details.side_effect = APIError(500, "fail!")
valid = validate_user_external_auth(
self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client,
)
self.assertFalse(valid)
# user is checked again, last check time is updated
self.client.get_user_details.assert_called()
self.assertEqual(self.user.userprofile.auth_last_check, self.now)
# user is still enabled
self.assertTrue(self.user.is_active)
def test_valid_inactive_user_is_active(self):
self.user.is_active = False
self.client.get_groups.return_value = ['group1', 'group2']
valid = validate_user_external_auth(self.user,
now=lambda: self.now,
client=self.client)
self.assertTrue(valid)
self.assertTrue(self.user.is_active)
def test_user_not_in_admin_group(self):
self.client.get_groups.return_value = ['group1', 'group2']
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
candid_client=self.client)
self.assertTrue(valid)
self.assertFalse(self.user.is_superuser)
def test_valid_inactive_user_is_active(self):
self.user.is_active = False
self.client.allowed_for_user.side_effect = [[], ['pool1', 'pool2']]
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client)
self.assertTrue(valid)
self.assertTrue(self.user.is_active)
def test_user_in_admin_group(self):
self.client.get_groups.return_value = ["group1", "group2", "admins"]
valid = validate_user_external_auth(
self.user,
self.auth_info,
now=lambda: self.now,
candid_client=self.client,
)
self.assertTrue(valid)
self.assertTrue(self.user.is_superuser)
def test_valid_user_check_has_admin_access(self):
# not an admin, but has permission on pools
self.client.allowed_for_user.side_effect = [[''], []]
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client)
self.assertTrue(valid)
self.assertTrue(self.user.is_active)
self.assertTrue(self.user.is_superuser)
def test_interval_not_expired(self):
last_check = self.now - timedelta(minutes=10)
self.user.userprofile.auth_last_check = last_check
self.user.userprofile.save()
valid = validate_user_external_auth(self.user,
now=lambda: self.now,
client=self.client)
self.assertTrue(valid)
# user is not checked again, last check time is not updated
self.client.get_groups.assert_not_called()
self.assertEqual(self.user.userprofile.auth_last_check, last_check)
def test_valid_inactive_user_is_active(self):
self.user.is_active = False
self.client.get_groups.return_value = ["group1", "group2"]
valid = validate_user_external_auth(
self.user,
self.auth_info,
now=lambda: self.now,
candid_client=self.client,
)
self.assertTrue(valid)
self.assertTrue(self.user.is_active)
def test_invalid_user_check(self):
self.client.get_groups.side_effect = APIError(404, 'user not found')
valid = validate_user_external_auth(self.user,
now=lambda: self.now,
client=self.client)
self.assertFalse(valid)
# user is checked again, last check time is updated
self.client.get_groups.assert_called()
self.assertEqual(self.user.userprofile.auth_last_check, self.now)
# user is disabled
self.assertFalse(self.user.is_active)
def test_failed_permissions_check(self):
self.client.allowed_for_user.side_effect = APIError(500, 'fail!')
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client)
self.assertFalse(valid)
# user is checked again, last check time is updated
self.client.allowed_for_user.assert_called()
self.assertEqual(self.user.userprofile.auth_last_check, self.now)
# user is still enabled
self.assertTrue(self.user.is_active)
def test_valid_user_no_permission(self):
# user has no permission on resources
self.client.allowed_for_user.return_value = []
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client)
self.assertFalse(valid)
self.client.allowed_for_user.assert_called()
# user is disabled
self.assertFalse(self.user.is_active)
self.assertFalse(self.user.is_superuser)
def test_valid_user_check(self):
# user exists, so group info is returned
self.client.get_groups.return_value = ['group1', 'group2']
valid = validate_user_external_auth(self.user,
now=lambda: self.now,
client=self.client)
self.assertTrue(valid)
# user is checked again, last check time is updated
self.client.get_groups.assert_called()
self.assertEqual(self.user.userprofile.auth_last_check, self.now)
# user is still enabled
self.assertTrue(self.user.is_active)
def test_valid_inactive_user_is_active(self):
self.user.is_active = False
self.client.allowed_for_user.side_effect = [{
'admin': [],
}, {
'view': ['pool1', 'pool2'],
'view-all': [],
'deploy-machines': [],
'admin-machines': [],
}]
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client)
self.assertTrue(valid)
self.assertTrue(self.user.is_active)
def test_valid_user_check_admin(self):
# user exists, so group info is returned
self.client.get_groups.return_value = ["group1", "group2", "admins"]
valid = validate_user_external_auth(
self.user,
self.auth_info,
now=lambda: self.now,
candid_client=self.client,
)
self.assertTrue(valid)
# user is checked again, last check time is updated
self.client.get_groups.assert_called()
self.assertEqual(self.user.userprofile.auth_last_check, self.now)
# user is still enabled
self.assertTrue(self.user.is_active)
self.assertTrue(self.user.is_superuser)
def test_valid_user_check_has_admin_access(self):
# admin, but no permissions on pools
self.client.allowed_for_user.side_effect = [{
'admin': [''],
}, {
'view': [],
'view-all': [],
'deploy-machines': [],
'admin-machines': [],
}]
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client)
self.assertTrue(valid)
self.assertTrue(self.user.is_active)
self.assertTrue(self.user.is_superuser)
def test_valid_user_check(self):
# user exists, so group info is returned
self.client.get_groups.return_value = ['group1', 'group2']
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
candid_client=self.client)
self.assertTrue(valid)
# user is checked again, last check time is updated
self.client.get_groups.assert_called()
self.assertEqual(self.user.userprofile.auth_last_check, self.now)
# user is still enabled
self.assertTrue(self.user.is_active)
self.assertFalse(self.user.is_superuser)
# user details are updated.
username = self.user.username
self.assertEqual(self.user.last_name, 'User {}'.format(username))
self.assertEqual(self.user.email, '{}@example.com'.format(username))
def test_valid_user_no_permission(self):
# user has no permission on resources
self.client.allowed_for_user.side_effect = [{
'admin': [],
}, {
'view': [],
'view-all': [],
'deploy-machines': [],
'admin-machines': [],
}]
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client)
self.assertFalse(valid)
self.client.allowed_for_user.assert_called()
# user is disabled
self.assertFalse(self.user.is_active)
self.assertFalse(self.user.is_superuser)
def test_valid_inactive_user_is_active(self):
self.user.is_active = False
self.client.allowed_for_user.side_effect = [
{"admin": []},
{
"view": ["pool1", "pool2"],
"view-all": [],
"deploy-machines": [],
"admin-machines": [],
},
]
valid = validate_user_external_auth(
self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client,
)
self.assertTrue(valid)
self.assertTrue(self.user.is_active)
def test_valid_user_check_has_admin_access(self):
# admin, but no permissions on pools
self.client.allowed_for_user.side_effect = [{
'admin': [''],
}, {
'view': [],
'view-all': [],
'deploy-machines': [],
'admin-machines': [],
}]
valid = validate_user_external_auth(self.user,
self.auth_info,
now=lambda: self.now,
rbac_client=self.client)
self.assertTrue(valid)
self.assertTrue(self.user.is_active)
self.assertTrue(self.user.is_superuser)
# user details are updated.
username = self.user.username
self.assertEqual(self.user.last_name, 'User {}'.format(username))
self.assertEqual(self.user.email, '{}@example.com'.format(username))
def is_authenticated(self, request):
if request.user.is_authenticated:
return request.user
# The following is much the same as is_authenticated from Piston's
# OAuthAuthentication, with the difference that an OAuth request that
# does not validate is rejected instead of being silently downgraded.
if self.is_valid_request(request):
try:
consumer, token, parameters = self.validate_token(request)
except OAuthError as error:
raise OAuthUnauthorized(error)
if consumer and token:
if request.external_auth_info:
if not validate_user_external_auth(token.user):
return False
request.user = token.user
request.consumer = consumer
request.throttle_extra = token.consumer.id
return True
return False
