def test_callback_galaxy_user_not_created_when_custos_authnz_token_exists(self):
self.trans.set_cookie(value=self.test_state, name=custos_authnz.STATE_COOKIE_NAME)
self.trans.set_cookie(value=self.test_nonce, name=custos_authnz.NONCE_COOKIE_NAME)
old_access_token = "old-access-token"
old_id_token = "old-id-token"
old_refresh_token = "old-refresh-token"
old_expiration_time = datetime.now() - timedelta(days=1)
old_refresh_expiration_time = datetime.now() - timedelta(hours=3)
existing_custos_authnz_token = CustosAuthnzToken(
user=User(email=self.test_email, username=self.test_username),
external_user_id=self.test_user_id,
provider=self.custos_authnz.config['provider'],
access_token=old_access_token,
id_token=old_id_token,
refresh_token=old_refresh_token,
expiration_time=old_expiration_time,
refresh_expiration_time=old_refresh_expiration_time,
)
self.trans.sa_session._query.custos_authnz_token = existing_custos_authnz_token
self.assertIsNotNone(
self.trans.sa_session.query(CustosAuthnzToken)
.filter_by(external_user_id=self.test_user_id,
provider=self.custos_authnz.config['provider'])
.one_or_none()
),
self.assertEqual(0, len(self.trans.sa_session.items))
login_redirect_url, user = self.custos_authnz.callback(
state_token="xxx",
authz_code=self.test_code, trans=self.trans,
login_redirect_url="http://localhost:8000/")
self.assertTrue(self._fetch_token_called)
self.assertTrue(self._get_userinfo_called)
# Make sure query was called with correct parameters
self.assertEqual(self.test_user_id, self.trans.sa_session._query.external_user_id)
self.assertEqual(self.custos_authnz.config['provider'], self.trans.sa_session._query.provider)
self.assertEqual(1, len(self.trans.sa_session.items), "Session has updated CustosAuthnzToken")
session_custos_authnz_token = self.trans.sa_session.items[0]
self.assertIsInstance(session_custos_authnz_token, CustosAuthnzToken)
self.assertIs(existing_custos_authnz_token, session_custos_authnz_token, "existing CustosAuthnzToken should be updated")
# Verify both that existing CustosAuthnzToken has the correct values and different values than before
self.assertEqual(self.test_access_token, session_custos_authnz_token.access_token)
self.assertNotEqual(old_access_token, session_custos_authnz_token.access_token)
self.assertEqual(self.test_id_token, session_custos_authnz_token.id_token)
self.assertNotEqual(old_id_token, session_custos_authnz_token.id_token)
self.assertEqual(self.test_refresh_token, session_custos_authnz_token.refresh_token)
self.assertNotEqual(old_refresh_token, session_custos_authnz_token.refresh_token)
expected_expiration_time = datetime.now() + timedelta(seconds=self.test_expires_in)
expiration_timedelta = expected_expiration_time - session_custos_authnz_token.expiration_time
self.assertTrue(expiration_timedelta.total_seconds() < 1)
self.assertNotEqual(old_expiration_time, session_custos_authnz_token.expiration_time)
expected_refresh_expiration_time = datetime.now() + timedelta(seconds=self.test_refresh_expires_in)
refresh_expiration_timedelta = expected_refresh_expiration_time - session_custos_authnz_token.refresh_expiration_time
self.assertTrue(refresh_expiration_timedelta.total_seconds() < 1)
self.assertNotEqual(old_refresh_expiration_time, session_custos_authnz_token.refresh_expiration_time)
self.assertTrue(self.trans.sa_session.flush_called)
def test_disconnect_when_no_associated_provider(self):
self.trans.user = User()
success, message, redirect_uri = self.custos_authnz.disconnect(
"Custos", self.trans, "/")
self.assertEqual(0, len(self.trans.sa_session.deleted))
self.assertFalse(self.trans.sa_session.flush_called)
self.assertFalse(success)
self.assertNotEqual("", message)
self.assertIsNone(redirect_uri)
def test_callback_verify_with_state_cookie(self):
"""Verify that state from cookie is passed to OAuth2Session constructor."""
self.trans.set_cookie(value=self.test_state, name=custos_authnz.STATE_COOKIE_NAME)
self.trans.set_cookie(value=self.test_nonce, name=custos_authnz.NONCE_COOKIE_NAME)
old_access_token = "old-access-token"
old_id_token = "old-id-token"
old_refresh_token = "old-refresh-token"
old_expiration_time = datetime.now() - timedelta(days=1)
old_refresh_expiration_time = datetime.now() - timedelta(hours=3)
existing_custos_authnz_token = CustosAuthnzToken(
user=User(email=self.test_email, username=self.test_username),
external_user_id=self.test_user_id,
provider=self.custos_authnz.config['provider'],
access_token=old_access_token,
id_token=old_id_token,
refresh_token=old_refresh_token,
expiration_time=old_expiration_time,
refresh_expiration_time=old_refresh_expiration_time,
)
self.trans.sa_session._query.custos_authnz_token = existing_custos_authnz_token
self.assertIsNotNone(
self.trans.sa_session.query(CustosAuthnzToken)
.filter_by(external_user_id=self.test_user_id,
provider=self.custos_authnz.config['provider'])
.one_or_none()
)
self.trans.sa_session._query.user = User(email=self.test_email, username=self.test_username)
# Mock _create_oauth2_session to make sure it is created with cookie state token
self.mock_create_oauth2_session(self.custos_authnz)
# Intentionally passing a bad state_token to make sure that code under
# test uses the state cookie instead when creating the OAuth2Session
login_redirect_url, user = self.custos_authnz.callback(
state_token="xxx",
authz_code=self.test_code, trans=self.trans,
login_redirect_url="http://localhost:8000/")
self.assertTrue(self._create_oauth2_session_called)
self.assertTrue(self._fetch_token_called)
self.assertTrue(self._get_userinfo_called)
self.assertEqual(login_redirect_url, "http://localhost:8000/")
self.assertIsNotNone(user)
def filter_options(self, options, trans, other_values):
rval = []
filter_value = self.value
try:
filter_value = User.expand_user_properties(trans.user, filter_value)
except Exception:
pass
for fields in options:
if (self.keep and fields[self.column] == filter_value) or (not self.keep and fields[self.column] != filter_value):
rval.append(fields)
return rval
def filter_options(self, options, trans, other_values):
rval = []
filter_value = self.value
try:
filter_value = User.expand_user_properties(trans.user, filter_value)
except Exception:
pass
for fields in options:
if self.keep == (filter_value == fields[self.column]):
rval.append(fields)
return rval
def filter_options(self, options, trans, other_values):
rval = []
filter_value = self.value
try:
filter_value = User.expand_user_properties(trans.user, filter_value)
except Exception:
pass
filter_pattern = re.compile(filter_value)
for fields in options:
if self.keep == (not filter_pattern.match(fields[self.column]) is None):
rval.append(fields)
return rval
def _setup_mapping_and_user():
with TestConfig(DISK_TEST_CONFIG) as (test_config, object_store):
# Start the database and connect the mapping
model = mapping.init("/tmp",
"sqlite:///:memory:",
create_tables=True,
object_store=object_store,
slow_query_log_threshold=SLOW_QUERY_LOG_THRESHOLD,
thread_local_log=THREAD_LOCAL_LOG)
u = User(email="*****@*****.**", password="******")
h1 = History(name="HistoryCopyHistory1", user=u)
model.context.add_all([u, h1])
model.context.flush()
yield test_config, object_store, model, h1
def setUp(self):
self.setup_app()
job = Job()
job.id = 345
job.tool_id = TEST_TOOL_ID
job.user = User()
self.model_objects = {Job: {345: job}}
self.app.model.context = MockContext(self.model_objects)
self.app.toolbox = MockToolbox(MockTool(self))
self.working_directory = os.path.join(self.test_directory, "working")
self.app.object_store = MockObjectStore(self.working_directory)
self.queue = MockJobQueue(self.app)
self.job = job
def test_callback_nonce_validation_with_bad_nonce(self):
self.trans.set_cookie(value=self.test_state, name=custos_authnz.STATE_COOKIE_NAME)
self.trans.set_cookie(value=self.test_nonce, name=custos_authnz.NONCE_COOKIE_NAME)
self.trans.sa_session._query.user = User(email=self.test_email, username=self.test_username)
# Intentionally create a bad nonce
self.test_nonce_hash = self.test_nonce_hash + "Z"
# self.custos_authnz._fetch_token = fetch_token
with self.assertRaises(Exception):
self.custos_authnz.callback(state_token="xxx",
authz_code=self.test_code, trans=self.trans,
login_redirect_url="http://localhost:8000/")
self.assertTrue(self._fetch_token_called)
self.assertFalse(self._get_userinfo_called)
def test_callback_verify_with_state_cookie(self):
"""Verify that state from cookie is passed to OAuth2Session constructor."""
self.trans.set_cookie(value=self.test_state, name=custos_authnz.STATE_COOKIE_NAME)
self.trans.set_cookie(value=self.test_nonce, name=custos_authnz.NONCE_COOKIE_NAME)
self.trans.sa_session._query.user = User(email=self.test_email, username=self.test_username)
# Mock _create_oauth2_session to make sure it is created with cookie state token
self.mock_create_oauth2_session(self.custos_authnz)
# Intentionally passing a bad state_token to make sure that code under
# test uses the state cookie instead when creating the OAuth2Session
login_redirect_url, user = self.custos_authnz.callback(
state_token="xxx",
authz_code=self.test_code, trans=self.trans,
login_redirect_url="http://localhost:8000/")
self.assertTrue(self._create_oauth2_session_called)
self.assertTrue(self._fetch_token_called)
self.assertTrue(self._get_userinfo_called)
self.assertEqual(login_redirect_url, "http://localhost:8000/")
self.assertIsNotNone(user)
def test_disconnect_when_more_than_one_associated_token_for_provider(self):
self.trans.user = User(email=self.test_email,
username=self.test_username)
custos_authnz_token1 = CustosAuthnzToken(
user=self.trans.user,
external_user_id=self.test_user_id + "1",
provider=self.custos_authnz.config['provider'],
access_token=self.test_access_token,
id_token=self.test_id_token,
refresh_token=self.test_refresh_token,
expiration_time=datetime.now() +
timedelta(seconds=self.test_refresh_expires_in),
refresh_expiration_time=datetime.now() +
timedelta(seconds=self.test_refresh_expires_in),
)
custos_authnz_token2 = CustosAuthnzToken(
user=self.trans.user,
external_user_id=self.test_user_id + "2",
provider=self.custos_authnz.config['provider'],
access_token=self.test_access_token,
id_token=self.test_id_token,
refresh_token=self.test_refresh_token,
expiration_time=datetime.now() +
timedelta(seconds=self.test_refresh_expires_in),
refresh_expiration_time=datetime.now() +
timedelta(seconds=self.test_refresh_expires_in),
)
self.trans.user.custos_auth = [
custos_authnz_token1, custos_authnz_token2
]
success, message, redirect_uri = self.custos_authnz.disconnect(
"Custos", self.trans, "/")
self.assertEqual(0, len(self.trans.sa_session.deleted))
self.assertFalse(self.trans.sa_session.flush_called)
self.assertFalse(success)
self.assertNotEqual("", message)
self.assertIsNone(redirect_uri)
def test_localdb():
user = User(email='testmail', username='******')
user.set_password_cleartext('test123')
t = LocalDB()
reject = t.authenticate_user(user, 'wrong',
{'redact_username_in_logs': False})
accept = t.authenticate_user(user, 'test123',
{'redact_username_in_logs': False})
assert reject is False
assert accept is True
# Password must conform to policy (length etc)
try:
user.set_password_cleartext('test')
except Exception:
pass
else:
raise Exception("Password policy validation failed")
def test_disconnect(self):
custos_authnz_token = CustosAuthnzToken(
user=User(email=self.test_email, username=self.test_username),
external_user_id=self.test_user_id,
provider=self.custos_authnz.config['provider'],
access_token=self.test_access_token,
id_token=self.test_id_token,
refresh_token=self.test_refresh_token,
expiration_time=datetime.now() + timedelta(seconds=self.test_refresh_expires_in),
refresh_expiration_time=datetime.now() + timedelta(seconds=self.test_refresh_expires_in),
)
self.trans.user = custos_authnz_token.user
self.trans.user.custos_auth = [custos_authnz_token]
success, message, redirect_uri = self.custos_authnz.disconnect("Custos", self.trans, "/")
self.assertEqual(1, len(self.trans.sa_session.deleted))
deleted_token = self.trans.sa_session.deleted[0]
self.assertIs(custos_authnz_token, deleted_token)
self.assertTrue(self.trans.sa_session.flush_called)
self.assertTrue(success)
self.assertEqual("", message)
self.assertEqual("/", redirect_uri)
def _create_user(self, sa_session, username, email):
user = User(email=email, username=username)
user.set_random_password()
sa_session.add(user)
sa_session.flush()
return user
