Esempio n. 1
    def test_check_active_true(self):
        """An ApiKey header built from the user's own key is still refused.

        The expected result is plain ``False``, not an ``HttpUnauthorized``
        response.

        NOTE(review): the test name suggests the backend's active-user check
        is what refuses this account, i.e. the fixture user is presumably
        inactive -- confirm against the fixtures.
        """
        backend = ApiKeyAuthentication()
        req = HttpRequest()

        user = User.objects.get(username='******')
        # Simulate sending the signal so the user has an API key to present.
        create_api_key(User, instance=user, created=True)
        header_value = 'ApiKey bobdoe:%s' % user.api_key.key
        req.META['HTTP_AUTHORIZATION'] = header_value

        outcome = backend.is_authenticated(req)
        self.assertEqual(outcome, False)
Esempio n. 2
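    def test_is_authenticated_get_params(self):
        """Check ApiKeyAuthentication with credentials sent as GET parameters.

        Every incomplete or wrong combination must produce an
        ``HttpUnauthorized`` result; only the user's real key produces
        ``True`` and makes ``get_identifier`` return the username.

        Rejections are checked by type and success by comparison with
        ``True``. NOTE(review): the rejection value is presumably a response
        object that is itself truthy, so a bare truthiness assertion would
        not separate a rejection from a success -- keep the strict checks.

        NOTE(review): credentials carried in the query string commonly end up
        in access logs, browser history and Referer headers; this test covers
        the mechanism and is not a recommendation to use it.
        """
        auth = ApiKeyAuthentication()
        request = HttpRequest()

        # Simulate sending the signal so the user has an API key.
        john_doe = User.objects.get(username='******')
        create_api_key(User, instance=john_doe, created=True)

        # No username/api_key details should fail.
        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)

        # Wrong username details.
        request.GET['username'] = '******'
        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)

        # No api_key.
        request.GET['username'] = '******'
        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)

        # Wrong user/api_key.
        request.GET['username'] = '******'
        request.GET['api_key'] = 'foo'
        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)

        # Correct user/api_key.
        john_doe = User.objects.get(username='******')
        request.GET['username'] = '******'
        request.GET['api_key'] = john_doe.api_key.key
        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), 'johndoe')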
Esempio n. 3
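    def test_multiauth_apikey_and_basic_auth__no_details_fails(self):
        """A request with no credentials at all is rejected by both backends.

        The combined backend must hand back an ``HttpUnauthorized`` result.
        The check is on the type, so a failure reports what was actually
        returned instead of a bare ``False != True``.
        """
        auth = MultiAuthentication(BasicAuthentication(),
                                   ApiKeyAuthentication())
        request = HttpRequest()

        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)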
Esempio n. 4
    def test_multiauth_apikey_and_basic_auth__basic_returns_authenticate(self):
        """A request without credentials gets the Basic challenge header back.

        The value returned by ``is_authenticated`` is indexed by header name,
        and its ``WWW-Authenticate`` entry must carry the expected realm.
        """
        backends = (BasicAuthentication(), ApiKeyAuthentication())
        multi = MultiAuthentication(*backends)
        bare_request = HttpRequest()

        rejection = multi.is_authenticated(bare_request)
        self.assertEqual(rejection['WWW-Authenticate'],
                         'Basic Realm="boxme-api"')
Esempio n. 5
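    def test_apikey_and_authentication_enforce_user(self):
        """A failed API-key attempt must not replace the session's user.

        Three requests are built: ``request1`` carries a logged-in user with
        a matching CSRF header and cookie, ``request2`` carries only an
        invalid API key, and ``request3`` carries both. Session auth accepts
        the first, API-key auth rejects the second, and the combined backend
        accepts the third while ``request3.user`` stays the same before and
        after the call.
        """
        session_auth = SessionAuthentication()
        api_key_auth = ApiKeyAuthentication()
        auth = MultiAuthentication(api_key_auth, session_auth)
        john_doe = User.objects.get(username='******')
        # One value reused for header and cookie so the two always match.
        csrf_token = 'abcdef1234567890abcdef1234567890'

        def session_post():
            """Build a POST made from john_doe's session with CSRF data."""
            request = HttpRequest()
            request.method = 'POST'
            request.META = {'HTTP_X_CSRFTOKEN': csrf_token}
            request.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
            request.user = john_doe
            return request

        request1 = session_post()

        request2 = HttpRequest()
        request2.POST['username'] = '******'
        request2.POST['api_key'] = 'invalid key'

        request3 = session_post()
        request3.POST['username'] = '******'
        request3.POST['api_key'] = 'invalid key'

        # session auth should pass since john_doe is logged in
        self.assertEqual(session_auth.is_authenticated(request1), True)
        # api key auth should fail because of invalid api key
        self.assertIsInstance(api_key_auth.is_authenticated(request2),
                              HttpUnauthorized)

        # multi auth shouldn't change users if api key auth fails
        # multi auth passes since session auth is valid
        self.assertEqual(request3.user.username, 'johndoe')
        self.assertEqual(auth.is_authenticated(request3), True)
        self.assertEqual(request3.user.username, 'johndoe')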
Esempio n. 6
    def test_multiauth_apikey_and_basic_auth__api_key_works_in_query(self):
        """A valid username/api_key pair in the query string is accepted.

        The combined backend must return ``True`` and then report the
        user's own username as the identifier.
        """
        multi = MultiAuthentication(BasicAuthentication(),
                                    ApiKeyAuthentication())
        req = HttpRequest()
        user = User.objects.get(username='******')

        query = (('username', user.username),
                 ('api_key', user.api_key.key))
        for param, value in query:
            req.GET[param] = value

        self.assertEqual(multi.is_authenticated(req), True)
        self.assertEqual(multi.get_identifier(req), user.username)
Esempio n. 7
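    def test_is_authenticated_header(self):
        """Check ApiKeyAuthentication against the Authorization header.

        Missing, malformed and mismatching header values must each produce an
        ``HttpUnauthorized`` result. The user's real key is accepted whatever
        the capitalisation of the scheme, and is rejected again once the key
        object has been deleted.

        Rejections are checked by type and success by comparison with
        ``True``, so a rejection can never be mistaken for a success.
        """
        auth = ApiKeyAuthentication()
        request = HttpRequest()

        # Simulate sending the signal so the user has an API key.
        john_doe = User.objects.get(username='******')
        create_api_key(User, instance=john_doe, created=True)

        # No username/api_key details should fail.
        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)

        # Header value that is not in the 'ApiKey user:key' form.
        request.META['HTTP_AUTHORIZATION'] = 'foo'
        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)

        # Username only, no api_key.
        request.META['HTTP_AUTHORIZATION'] = 'ApiKey daniel'
        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)

        # Wrong user/api_key.
        request.META['HTTP_AUTHORIZATION'] = 'ApiKey daniel:pass'
        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)

        # Correct user/api_key.
        john_doe = User.objects.get(username='******')
        request.META[
            'HTTP_AUTHORIZATION'] = 'ApiKey johndoe:%s' % john_doe.api_key.key
        self.assertEqual(auth.is_authenticated(request), True)

        # Capitalization of the scheme shouldn't matter.
        john_doe = User.objects.get(username='******')
        request.META[
            'HTTP_AUTHORIZATION'] = 'aPiKeY johndoe:%s' % john_doe.api_key.key
        self.assertEqual(auth.is_authenticated(request), True)

        # Deleted api_key: the key value is kept in memory and presented
        # again, and must no longer authenticate.
        john_doe = User.objects.get(username='******')
        api_key = john_doe.api_key
        api_key.delete()
        request.META['HTTP_AUTHORIZATION'] = 'ApiKey johndoe:%s' % api_key.key
        self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)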
Esempio n. 8
    def test_multiauth_apikey_and_basic_auth__basic_auth_works(self):
        """A correct Basic header is accepted by the combined backend.

        The user's password is set and saved first, then the same
        ``user:password`` pair is base64-encoded into the header.
        """
        multi = MultiAuthentication(BasicAuthentication(),
                                    ApiKeyAuthentication())
        req = HttpRequest()
        user = User.objects.get(username='******')
        user.set_password('pass')
        user.save()

        # Basic credentials are the base64 text of "user:password".
        raw_pair = 'johndoe:pass'.encode('utf-8')
        encoded_pair = base64.b64encode(raw_pair).decode('utf-8')
        req.META['HTTP_AUTHORIZATION'] = 'Basic %s' % encoded_pair

        self.assertEqual(multi.is_authenticated(req), True)
        self.assertEqual(multi.get_identifier(req), user.username)
Esempio n. 9
    def test_multiauth_apikey_and_basic_auth__api_key_works_in_header(self):
        """A valid ``ApiKey user:key`` header is accepted by the combined backend.

        The backend must return ``True`` and then report the user's own
        username as the identifier.
        """
        multi = MultiAuthentication(BasicAuthentication(),
                                    ApiKeyAuthentication())
        req = HttpRequest()
        user = User.objects.get(username='******')

        credentials = (user.username, user.api_key.key)
        req.META['HTTP_AUTHORIZATION'] = 'ApiKey %s:%s' % credentials

        self.assertEqual(multi.is_authenticated(req), True)
        self.assertEqual(multi.get_identifier(req), user.username)
Esempio n. 10
    def test_apikey_and_authentication(self):
        """Pin the behaviour of ApiKeyAuthentication plus ``Authentication``.

        With the bare ``Authentication`` backend in the chain, every request
        below is reported as authenticated, including those with missing or
        wrong API-key details; those only fall back to the identifier
        ``'noaddr_nohost'``. A correct key is the one case where the
        identifier becomes the user's name. The assertions show that this
        pairing rejects nothing by itself.
        """
        auth = MultiAuthentication(ApiKeyAuthentication(), Authentication())
        john_doe = User.objects.get(username='******')

        # Each entry is the set of GET parameters for one fresh request.
        fallback_cases = (
            # No username/api_key details should pass.
            (),
            # Wrong username details.
            (('username', '******'),),
            # No api_key.
            (('username', '******'),),
            # Wrong user/api_key.
            (('username', '******'), ('api_key', 'foo')),
        )
        for params in fallback_cases:
            request = HttpRequest()
            for name, value in params:
                request.GET[name] = value

            self.assertEqual(auth.is_authenticated(request), True)
            # The identifier is the fallback one, not a username.
            self.assertEqual(auth.get_identifier(request), 'noaddr_nohost')

        # Correct user/api_key: the identifier is now the user's name.
        request = HttpRequest()
        request.GET['username'] = '******'
        request.GET['api_key'] = john_doe.api_key.key

        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), john_doe.username)