def test_account_store(self):
cc = CryptContext(schemes=['argon2'])
with session_scope() as session:
mgr = identities.manager_factory.for_session(session)
accnt = mgr.create_account(account_name='accountAbc', account_type=AccountTypes.user, email='someemail')
user1 = mgr.create_user(account_name=accnt['name'], username='******',
password='******')
print('user 1: {}'.format(user1))
user2 = mgr.create_user(account_name=accnt['name'], username='******',
password='******')
print('user 2: {}'.format(user2))
accnt2 = mgr.create_account(account_name='admin1', account_type=AccountTypes.admin, email='someemail',)
user3 = mgr.create_user(account_name=accnt2['name'], username='******', password='******')
print('user 3: {}'.format(user3))
store = basic_accountstore.DbAccountStore()
# Authc stuff
token = UsernamePasswordToken(username='******',
password=user1['credentials'][UserAccessCredentialTypes.password]['value'])
print(token.credentials)
resp = store.get_authc_info(token.identifier)
print(resp)
self.assertTrue(token.credentials == bytes(resp['authc_info']['password']['credential'], 'utf8'))
# Authz stuff
authz_resp = store.get_authz_permissions(token.identifier)
print(authz_resp)
# Standard user
self.assertTrue(DefaultPermission(parts=json.loads(authz_resp[user1['account_name']])[0]).implies(
DefaultPermission(parts={'domain': user1['account_name'], 'action': '*', 'target': '*'})))
self.assertIsNone(authz_resp.get('*'))
self.assertTrue(DefaultPermission(parts=json.loads(authz_resp[user1['account_name']])[0]).implies(
DefaultPermission(parts={'domain': user1['account_name'], 'action': 'listImages', 'target': '*'})))
admin_token = UsernamePasswordToken(username='******',
password=user3['credentials'][UserAccessCredentialTypes.password]['value'])
# Authz stuff
authz_resp = store.get_authz_permissions(admin_token.identifier)
print(authz_resp)
# Admin user
self.assertIsNotNone(authz_resp.get('*'))
self.assertIsNone(authz_resp.get(user3['account_name']))
self.assertTrue(DefaultPermission(parts=json.loads(authz_resp['*'])[0]).implies(DefaultPermission(parts={'domain': '*', 'action': '*', 'target': '*'})))
def authenticate(self, request):
logger.debug('Authenticating with native auth handler')
subject = Yosai.get_current_subject()
if request.authorization:
authc_token = UsernamePasswordToken(
username=request.authorization.username,
password=request.authorization.password,
remember_me=False)
subject.login(authc_token)
user = subject.primary_identifier
# Simple account lookup to ensure the context identity is complete
try:
with session_scope() as db_session:
idp = self._idp_factory.for_session(db_session)
identity, _ = idp.lookup_user(user)
logger.debug('Authc complete')
return identity
except:
logger.exception(
'Error looking up account for authenticated user')
return None
else:
logger.debug('Anon auth complete')
return IdentityContext(username=None,
user_account=None,
user_account_type=None,
user_account_active=None)
def invalid_thedude_username_password_token(yosai, monkeypatch):
yield UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
with Yosai.context(yosai):
new_subject = Yosai.get_current_subject()
da = new_subject.security_manager.authenticator
monkeypatch.setattr(da.authc_settings, 'account_lock_threshold', 3)
da.init_locking()
da.locking_realm.unlock_account('thedude')
def valid_thedude_username_password_token(cache_handler):
keys = cache_handler.keys('*authentication*')
for key in keys:
cache_handler.cache_region.delete(key)
yield UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
for key in keys:
cache_handler.cache_region.delete(key)
def get_authc_token(self, request):
authz_header = request.environ.get('HTTP_AUTHORIZATION')
authc_token = None
if request.authorization:
# HTTP Basic/Digest Auth
authc_token = UsernamePasswordToken(username=request.authorization.username,
password=request.authorization.password, remember_me=False)
elif authz_header:
# check for bearer auth
parts = authz_header.split()
if parts and len(parts) > 1:
auth_type = parts[0].lower()
if auth_type in ['bearer', 'jwt']:
authc_token = JwtToken(parts[1])
return authc_token
def test_authentication_using_accountstore_user_not_found(
default_authenticator):
da = default_authenticator
event_detected = None
def event_listener(username=None):
nonlocal event_detected
event_detected = username
event_bus.register(event_listener, 'AUTHENTICATION.FAILED')
dumb_token = UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
with pytest.raises(AuthenticationException):
da.authenticate_account(dumb_token)
assert (event_detected == dumb_token.username)
def test_single_factor_authc_userpass_using_accountstore_user_not_found(
default_authenticator, event_bus):
da = default_authenticator
event_detected = None
def event_listener(identifier=None, topic=EVENT_TOPIC):
nonlocal event_detected
event_detected = identifier
event_bus.subscribe(event_listener, 'AUTHENTICATION.ACCOUNT_NOT_FOUND')
dumb_token = UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
with pytest.raises(AuthenticationException):
da.authenticate_account(None, dumb_token)
assert (event_detected == dumb_token.identifier)
def invalid_walter_username_password_token(cache_handler, yosai, monkeypatch):
keys = cache_handler.keys('*authentication*')
for key in keys:
cache_handler.cache_region.delete(key)
with Yosai.context(yosai):
new_subject = Yosai.get_current_subject()
da = new_subject.security_manager.authenticator
monkeypatch.setattr(da.authc_settings, 'account_lock_threshold', 3)
da.init_locking()
da.locking_realm.unlock_account('walter')
yield UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
keys = cache_handler.keys('*authentication*')
for key in keys:
cache_handler.cache_region.delete(key)
with Yosai.context(yosai):
new_subject = Yosai.get_current_subject()
da = new_subject.security_manager.authenticator
monkeypatch.setattr(da.authc_settings, 'account_lock_threshold', 3)
da.init_locking()
da.locking_realm.unlock_account('walter')
def username_password_token():
return UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
def jackie_username_password_token():
return UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
def walter_username_password_token():
return UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
def jackie_username_password_token():
return UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
def invalid_username_password_token():
return UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
def valid_username_password_token():
return UsernamePasswordToken(username='******',
password='******',
remember_me=False,
host='127.0.0.1')
def test_account_store(self):
cc = CryptContext(schemes=["argon2"])
with session_scope() as session:
mgr = identities.manager_factory.for_session(session)
accnt = mgr.create_account(
account_name="accountAbc",
account_type=AccountTypes.user,
email="someemail",
)
user1 = mgr.create_user(account_name=accnt["name"],
username="******",
password="******")
print("user 1: {}".format(user1))
user2 = mgr.create_user(account_name=accnt["name"],
username="******",
password="******")
print("user 2: {}".format(user2))
accnt2 = mgr.create_account(
account_name="admin1",
account_type=AccountTypes.admin,
email="someemail",
)
user3 = mgr.create_user(account_name=accnt2["name"],
username="******",
password="******")
print("user 3: {}".format(user3))
store = basic_accountstore.DbAccountStore()
# Authc stuff
token = UsernamePasswordToken(
username="******",
password=user1["credentials"][UserAccessCredentialTypes.password]
["value"],
)
print(token.credentials)
resp = store.get_authc_info(token.identifier)
print(resp)
self.assertTrue(token.credentials == bytes(
resp["authc_info"]["password"]["credential"], "utf8"))
# Authz stuff
authz_resp = store.get_authz_permissions(token.identifier)
print(authz_resp)
# Standard user
self.assertTrue(
DefaultPermission(parts=json.loads(authz_resp[
user1["account_name"]])[0]).implies(
DefaultPermission(
parts={
"domain": user1["account_name"],
"action": "*",
"target": "*",
})))
self.assertIsNone(authz_resp.get("*"))
self.assertTrue(
DefaultPermission(parts=json.loads(authz_resp[
user1["account_name"]])[0]).implies(
DefaultPermission(
parts={
"domain": user1["account_name"],
"action": "listImages",
"target": "*",
})))
admin_token = UsernamePasswordToken(
username="******",
password=user3["credentials"][UserAccessCredentialTypes.password]
["value"],
)
# Authz stuff
authz_resp = store.get_authz_permissions(admin_token.identifier)
print(authz_resp)
# Admin user
self.assertIsNotNone(authz_resp.get("*"))
self.assertIsNone(authz_resp.get(user3["account_name"]))
self.assertTrue(
DefaultPermission(parts=json.loads(authz_resp["*"])[0]).implies(
DefaultPermission(parts={
"domain": "*",
"action": "*",
"target": "*"
})))