def test_from_settings(self): settings = { "foo": "bar", "ipauth.ipaddrs": "123.123.0.1 124.124.0.1/16", "ipauth.userid": "one", "ipauth.principals": "two three", "otherauth.ipaddrs": "127.0.0.*", "otherauth.userid": "other", "otherauth.proxies": "127.0.0.1 127.0.0.2", } # Try basic instantiation. auth = IPAuthenticationPolicy.from_settings(settings) self.assertTrue(IPAddress("123.123.0.1") in auth.ipaddrs) self.assertEqual(auth.userid, "one") self.assertEqual(auth.principals, ["two", "three"]) self.assertEqual(auth.proxies, IPSet([])) # Try instantiation with custom prefix. auth = IPAuthenticationPolicy.from_settings(settings, prefix="otherauth.") self.assertTrue(IPAddress("127.0.0.1") in auth.ipaddrs) self.assertEqual(auth.userid, "other") self.assertEqual(auth.principals, []) self.assertTrue(IPAddress("127.0.0.1") in auth.proxies) self.assertTrue(IPAddress("127.0.0.2") in auth.proxies) self.assertFalse(IPAddress("127.0.0.3") in auth.proxies) # Try instantiation with extra keywords auth = IPAuthenticationPolicy.from_settings(settings, prefix="otherauth.", userid="overwritten") self.assertTrue(IPAddress("127.0.0.1") in auth.ipaddrs) self.assertEqual(auth.userid, "overwritten") self.assertEqual(auth.principals, []) self.assertTrue(IPAddress("127.0.0.1") in auth.proxies) self.assertTrue(IPAddress("127.0.0.2") in auth.proxies) self.assertFalse(IPAddress("127.0.0.3") in auth.proxies)
def test_from_settings(self): settings = { "foo": "bar", "ipauth.ipaddrs": "123.123.0.1 124.124.0.1/16", "ipauth.userid": "one", "ipauth.principals": "two three", "otherauth.ipaddrs": "127.0.0.*", "otherauth.userid": "other", "otherauth.proxies": "127.0.0.1 127.0.0.2", } # Try basic instantiation. auth = IPAuthenticationPolicy.from_settings(settings) self.assertTrue(IPAddress("123.123.0.1") in auth.ipaddrs) self.assertEquals(auth.userid, "one") self.assertEquals(auth.principals, ["two", "three"]) self.assertEquals(auth.proxies, IPSet([])) # Try instantiation with custom prefix. auth = IPAuthenticationPolicy.from_settings(settings, prefix="otherauth.") self.assertTrue(IPAddress("127.0.0.1") in auth.ipaddrs) self.assertEquals(auth.userid, "other") self.assertEquals(auth.principals, []) self.assertTrue(IPAddress("127.0.0.1") in auth.proxies) self.assertTrue(IPAddress("127.0.0.2") in auth.proxies) self.assertFalse(IPAddress("127.0.0.3") in auth.proxies) # Try instantiation with extra keywords auth = IPAuthenticationPolicy.from_settings(settings, prefix="otherauth.", userid="overwritten") self.assertTrue(IPAddress("127.0.0.1") in auth.ipaddrs) self.assertEquals(auth.userid, "overwritten") self.assertEquals(auth.principals, []) self.assertTrue(IPAddress("127.0.0.1") in auth.proxies) self.assertTrue(IPAddress("127.0.0.2") in auth.proxies) self.assertFalse(IPAddress("127.0.0.3") in auth.proxies)
def test_callbacks(self): def get_userid(ipaddr): if str(ipaddr).startswith('192'): return 'LAN-user' if str(ipaddr).startswith('127'): return 'localhost-user' return None def get_principals(userid, ipaddr): principals = { 'LAN-user': ['view'], 'localhost-user': ['view', 'edit'], } return principals.get(userid, []) policy = IPAuthenticationPolicy("all", get_userid=get_userid, get_principals=get_principals) # Addresses outside the range don't authenticate request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEqual(policy.unauthenticated_userid(request), "LAN-user") self.assertEqual(policy.authenticated_userid(request), "LAN-user") self.assertEqual(policy.effective_principals(request), ["LAN-user", Everyone, Authenticated, 'view']) request = DummyRequest(environ={"REMOTE_ADDR": "127.0.0.1"}) self.assertEqual(policy.unauthenticated_userid(request), "localhost-user") self.assertEqual(policy.authenticated_userid(request), "localhost-user") self.assertEqual(policy.effective_principals(request), ["localhost-user", Everyone, Authenticated, 'view', 'edit']) request = DummyRequest(environ={"REMOTE_ADDR": "86.8.8.8"}) self.assertEqual(policy.unauthenticated_userid(request), None) self.assertEqual(policy.authenticated_userid(request), None) self.assertEqual(policy.effective_principals(request), [Everyone])
def test_remote_addr(self): policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user") # Addresses outside the range don't authenticate request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEqual(policy.authenticated_userid(request), None) # Addresses inside the range do authenticate request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"}) self.assertEqual(policy.authenticated_userid(request), "user") request = DummyRequest(environ={"REMOTE_ADDR": "123.123.1.2"}) self.assertEqual(policy.authenticated_userid(request), "user")
def test_remote_addr(self): policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user") # Addresses outside the range don't authenticate request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEquals(policy.authenticated_userid(request), None) # Addresses inside the range do authenticate request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"}) self.assertEquals(policy.authenticated_userid(request), "user") request = DummyRequest(environ={"REMOTE_ADDR": "123.123.1.2"}) self.assertEquals(policy.authenticated_userid(request), "user")
def test_principals(self): policy = IPAuthenticationPolicy(["123.123.0.0/16"], principals=["test"]) # Addresses outside the range don't get metadata set request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEquals(policy.effective_principals(request), [Everyone]) # Addresses inside the range do get metadata set request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"}) self.assertEquals(policy.effective_principals(request), [Everyone, Authenticated, "test"]) policy.userid = "user" self.assertEquals(policy.effective_principals(request), ["user", Everyone, Authenticated, "test"])
def test_noncontiguous_ranges(self): policy = IPAuthenticationPolicy(["123.123.0.0/16", "124.124.1.0/24"], "user") # Addresses outside the range don't authenticate request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEqual(policy.authenticated_userid(request), None) request = DummyRequest(environ={"REMOTE_ADDR": "124.124.0.1"}) self.assertEqual(policy.authenticated_userid(request), None) # Addresses inside the range do authenticate request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"}) self.assertEqual(policy.authenticated_userid(request), "user") request = DummyRequest(environ={"REMOTE_ADDR": "124.124.1.2"}) self.assertEqual(policy.authenticated_userid(request), "user")
def test_x_forwarded_for(self): policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user", proxies=["124.124.0.0/24"]) # Requests without X-Forwarded-For work as normal request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEqual(policy.authenticated_userid(request), None) request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"}) self.assertEqual(policy.authenticated_userid(request), "user") # Requests with untrusted X-Forwarded-For don't authenticate request = DummyRequest(environ={ "REMOTE_ADDR": "192.168.0.1", "HTTP_X_FORWARDED_FOR": "123.123.0.1" }) self.assertEqual(policy.authenticated_userid(request), None) # Requests from single trusted proxy do authenticate request = DummyRequest(environ={ "REMOTE_ADDR": "124.124.0.1", "HTTP_X_FORWARDED_FOR": "123.123.0.1" }) self.assertEqual(policy.authenticated_userid(request), "user") # Requests from chain of trusted proxies do authenticate request = DummyRequest( environ={ "REMOTE_ADDR": "124.124.0.2", "HTTP_X_FORWARDED_FOR": "123.123.0.1, 124.124.0.1" }) self.assertEqual(policy.authenticated_userid(request), "user") # Requests with untrusted proxy in chain don't authenticate request = DummyRequest( environ={ "REMOTE_ADDR": "124.124.0.1", "HTTP_X_FORWARDED_FOR": "123.123.0.1, 192.168.0.1" }) self.assertEqual(policy.authenticated_userid(request), None)
def test_x_forwarded_for(self): policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user", proxies=["124.124.0.0/24"]) # Requests without X-Forwarded-For work as normal request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEqual(policy.authenticated_userid(request), None) request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"}) self.assertEqual(policy.authenticated_userid(request), "user") # Requests with untrusted X-Forwarded-For don't authenticate request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1", "HTTP_X_FORWARDED_FOR": "123.123.0.1"}) self.assertEqual(policy.authenticated_userid(request), None) # Requests from single trusted proxy do authenticate request = DummyRequest(environ={"REMOTE_ADDR": "124.124.0.1", "HTTP_X_FORWARDED_FOR": "123.123.0.1"}) self.assertEqual(policy.authenticated_userid(request), "user") # Requests from chain of trusted proxies do authenticate request = DummyRequest( environ={ "REMOTE_ADDR": "124.124.0.2", "HTTP_X_FORWARDED_FOR": "123.123.0.1, 124.124.0.1"}) self.assertEqual(policy.authenticated_userid(request), "user") # Requests with untrusted proxy in chain don't authenticate request = DummyRequest( environ={ "REMOTE_ADDR": "124.124.0.1", "HTTP_X_FORWARDED_FOR": "123.123.0.1, 192.168.0.1"}) self.assertEqual(policy.authenticated_userid(request), None)
def test_principals(self): policy = IPAuthenticationPolicy(["123.123.0.0/16"], principals="test") # Addresses outside the range don't get metadata set request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEqual(policy.effective_principals(request), [Everyone]) # Addresses inside the range do get metadata set request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"}) self.assertEqual(policy.effective_principals(request), [Everyone, "test"]) policy.userid = "user" self.assertEqual(policy.effective_principals(request), ["user", Everyone, Authenticated, "test"])
def test_remember_forget(self): policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user") request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEqual(policy.remember(request, "user"), []) self.assertEqual(policy.forget(request), [])
def test_callbacks(self): def get_userid(ipaddr): if str(ipaddr).startswith('192'): return 'LAN-user' if str(ipaddr).startswith('127'): return 'localhost-user' return None def get_principals(userid, ipaddr): principals = { 'LAN-user': ['view'], 'localhost-user': ['view', 'edit'], } return principals.get(userid, []) policy = IPAuthenticationPolicy("all", get_userid=get_userid, get_principals=get_principals) # Addresses outside the range don't authenticate request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEqual(policy.unauthenticated_userid(request), "LAN-user") self.assertEqual(policy.authenticated_userid(request), "LAN-user") self.assertEqual(policy.effective_principals(request), ["LAN-user", Everyone, Authenticated, 'view']) request = DummyRequest(environ={"REMOTE_ADDR": "127.0.0.1"}) self.assertEqual(policy.unauthenticated_userid(request), "localhost-user") self.assertEqual(policy.authenticated_userid(request), "localhost-user") self.assertEqual( policy.effective_principals(request), ["localhost-user", Everyone, Authenticated, 'view', 'edit']) request = DummyRequest(environ={"REMOTE_ADDR": "86.8.8.8"}) self.assertEqual(policy.unauthenticated_userid(request), None) self.assertEqual(policy.authenticated_userid(request), None) self.assertEqual(policy.effective_principals(request), [Everyone])
def test_remember_forget(self): policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user") request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"}) self.assertEquals(policy.remember(request, "user"), []) self.assertEquals(policy.forget(request), [])