def test_apikey_and_authentication_enforce_user(self):
        session_auth = SessionAuthentication()
        api_key_auth = ApiKeyAuthentication()
        auth = MultiAuthentication(api_key_auth, session_auth)
        john_doe = User.objects.get(username="******")
        request1 = HttpRequest()
        request2 = HttpRequest()
        request3 = HttpRequest()

        request1.method = "POST"
        request1.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"}
        request1.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"}
        request1.user = john_doe

        request2.POST["username"] = "******"
        request2.POST["api_key"] = "invalid key"

        request3.method = "POST"
        request3.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"}
        request3.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"}
        request3.user = john_doe
        request3.POST["username"] = "******"
        request3.POST["api_key"] = "invalid key"

        # session auth should pass if since john_doe is logged in
        self.assertEqual(session_auth.is_authenticated(request1), True)
        # api key auth should fail because of invalid api key
        self.assertEqual(isinstance(api_key_auth.is_authenticated(request2), HttpUnauthorized), True)

        # multi auth shouldn't change users if api key auth fails
        # multi auth passes since session auth is valid
        self.assertEqual(request3.user.username, "johndoe")
        self.assertEqual(auth.is_authenticated(request3), True)
        self.assertEqual(request3.user.username, "johndoe")
Esempio n. 2
0
    def test_is_authenticated(self):
        auth = SessionAuthentication()
        request = HttpRequest()
        request.method = 'POST'
        request.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }

        # No CSRF token.
        request.META = {}
        self.assertFalse(auth.is_authenticated(request))

        # Invalid CSRF token.
        request.META = {
            'HTTP_X_CSRFTOKEN': 'abc123'
        }
        self.assertFalse(auth.is_authenticated(request))

        # Not logged in.
        request.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request.user = AnonymousUser()
        self.assertFalse(auth.is_authenticated(request))

        # Logged in.
        request.user = User.objects.get(username='******')
        self.assertTrue(auth.is_authenticated(request))

        # Logged in (with GET & no token).
        request.method = 'GET'
        request.META = {}
        request.user = User.objects.get(username='******')
        self.assertTrue(auth.is_authenticated(request))

        # Secure & wrong referrer.
        class SecureRequest(HttpRequest):
            def _get_scheme(self):
                return 'https'

        request = SecureRequest()
        request.method = 'POST'
        request.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }
        request.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request.META['HTTP_HOST'] = 'example.com'
        request.META['HTTP_REFERER'] = ''
        request.user = User.objects.get(username='******')
        self.assertFalse(auth.is_authenticated(request))

        # Secure & correct referrer.
        request.META['HTTP_REFERER'] = 'https://example.com/'
        self.assertTrue(auth.is_authenticated(request))
Esempio n. 3
0
    def test_is_authenticated(self):
        auth = SessionAuthentication()
        request = HttpRequest()
        request.method = 'POST'
        request.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }

        # No CSRF token.
        request.META = {}
        self.assertFalse(auth.is_authenticated(request))

        # Invalid CSRF token.
        request.META = {
            'HTTP_X_CSRFTOKEN': 'abc123'
        }
        self.assertFalse(auth.is_authenticated(request))

        # Not logged in.
        request.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request.user = AnonymousUser()
        self.assertFalse(auth.is_authenticated(request))

        # Logged in.
        request.user = User.objects.get(username='******')
        self.assertTrue(auth.is_authenticated(request))

        # Logged in (with GET & no token).
        request.method = 'GET'
        request.META = {}
        request.user = User.objects.get(username='******')
        self.assertTrue(auth.is_authenticated(request))

        # Secure & wrong referrer.
        class SecureRequest(HttpRequest):
            def _get_scheme(self):
                return 'https'

        request = SecureRequest()
        request.method = 'POST'
        request.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }
        request.META['HTTP_HOST'] = 'example.com'
        request.META['HTTP_REFERER'] = ''
        request.user = User.objects.get(username='******')
        self.assertFalse(auth.is_authenticated(request))

        # Secure & correct referrer.
        request.META['HTTP_REFERER'] = 'https://example.com/'
        self.assertTrue(auth.is_authenticated(request))
Esempio n. 4
0
    def test_apikey_and_authentication_enforce_user(self):
        session_auth = SessionAuthentication()
        api_key_auth = ApiKeyAuthentication()
        auth = MultiAuthentication(api_key_auth, session_auth)
        john_doe = User.objects.get(username='******')
        request1 = HttpRequest()
        request2 = HttpRequest()
        request3 = HttpRequest()

        request1.method = 'POST'
        request1.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request1.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }
        request1.user = john_doe

        request2.POST['username'] = '******'
        request2.POST['api_key'] = 'invalid key'

        request3.method = 'POST'
        request3.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request3.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }
        request3.user = john_doe
        request3.POST['username'] = '******'
        request3.POST['api_key'] = 'invalid key'

        # session auth should pass if since john_doe is logged in
        self.assertTrue(session_auth.is_authenticated(request1))
        # api key auth should fail because of invalid api key
        self.assertEqual(
            isinstance(api_key_auth.is_authenticated(request2),
                       HttpUnauthorized), True)

        # multi auth shouldn't change users if api key auth fails
        # multi auth passes since session auth is valid
        self.assertEqual(request3.user.username, 'johndoe')
        self.assertTrue(auth.is_authenticated(request3))
        self.assertEqual(request3.user.username, 'johndoe')
    def test_is_authenticated(self):
        auth = SessionAuthentication()
        request = HttpRequest()
        request.method = "POST"
        request.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"}

        # No CSRF token.
        request.META = {}
        self.assertFalse(auth.is_authenticated(request))

        # Invalid CSRF token.
        request.META = {"HTTP_X_CSRFTOKEN": "abc123"}
        self.assertFalse(auth.is_authenticated(request))

        # Not logged in.
        request.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"}
        request.user = AnonymousUser()
        self.assertFalse(auth.is_authenticated(request))

        # Logged in.
        request.user = User.objects.get(username="******")
        self.assertEqual(auth.is_authenticated(request), True)

        # Logged in (with GET & no token).
        request.method = "GET"
        request.META = {}
        request.user = User.objects.get(username="******")
        self.assertEqual(auth.is_authenticated(request), True)

        # Secure & wrong referrer.
        class SecureRequest(HttpRequest):
            def _get_scheme(self):
                return "https"

        request = SecureRequest()
        request.method = "POST"
        request.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"}
        request.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"}
        request.META["HTTP_HOST"] = "example.com"
        request.META["HTTP_REFERER"] = ""
        request.user = User.objects.get(username="******")
        self.assertFalse(auth.is_authenticated(request))

        # Secure & correct referrer.
        request.META["HTTP_REFERER"] = "https://example.com/"
        self.assertEqual(auth.is_authenticated(request), True)
Esempio n. 6
0
    def is_authenticated(self, request, **kwargs):  # noqa # too complex
        '''
        handles backends explicitly so that it can return False when
        credentials are given but wrong and return Anonymous User when
        credentials are not given or the session has expired (web use).
        '''
        auth_info = request.META.get('HTTP_AUTHORIZATION')

        if 'HTTP_AUTHORIZATION' not in request.META:
            if hasattr(request.user, 'allowed_tokens'):
                tokens = request.user.allowed_tokens
            session_auth = SessionAuthentication()
            check = session_auth.is_authenticated(request, **kwargs)
            if check:
                if isinstance(check, HttpUnauthorized):
                    session_auth_result = False
                else:
                    request._authentication_backend = session_auth
                    session_auth_result = check
            else:
                request.user = AnonymousUser()
                session_auth_result = True
            request.user.allowed_tokens = tokens
            return session_auth_result
        else:
            if auth_info.startswith('Basic'):
                basic_auth = BasicAuthentication()
                check = basic_auth.is_authenticated(request, **kwargs)
                if check:
                    if isinstance(check, HttpUnauthorized):
                        return False
                    else:
                        request._authentication_backend = basic_auth
                        return check
            if auth_info.startswith('ApiKey'):
                apikey_auth = ApiKeyAuthentication()
                check = apikey_auth.is_authenticated(request, **kwargs)
                if check:
                    if isinstance(check, HttpUnauthorized):
                        return False
                    else:
                        request._authentication_backend = apikey_auth
                        return check
Esempio n. 7
0
    def is_authenticated(self, request, **kwargs):  # noqa # too complex
        '''
        handles backends explicitly so that it can return False when
        credentials are given but wrong and return Anonymous User when
        credentials are not given or the session has expired (web use).
        '''
        auth_info = request.META.get('HTTP_AUTHORIZATION')

        if 'HTTP_AUTHORIZATION' not in request.META:
            if hasattr(request.user, 'allowed_tokens'):
                tokens = request.user.allowed_tokens
            session_auth = SessionAuthentication()
            check = session_auth.is_authenticated(request, **kwargs)
            if check:
                if isinstance(check, HttpUnauthorized):
                    session_auth_result = False
                else:
                    request._authentication_backend = session_auth
                    session_auth_result = check
            else:
                request.user = AnonymousUser()
                session_auth_result = True
            request.user.allowed_tokens = tokens
            return session_auth_result
        else:
            if auth_info.startswith('Basic'):
                basic_auth = BasicAuthentication()
                check = basic_auth.is_authenticated(request, **kwargs)
                if check:
                    if isinstance(check, HttpUnauthorized):
                        return False
                    else:
                        request._authentication_backend = basic_auth
                        return check
            if auth_info.startswith('ApiKey'):
                apikey_auth = ApiKeyAuthentication()
                check = apikey_auth.is_authenticated(request, **kwargs)
                if check:
                    if isinstance(check, HttpUnauthorized):
                        return False
                    else:
                        request._authentication_backend = apikey_auth
                        return check
    def test_apikey_and_authentication_enforce_user(self):
        session_auth = SessionAuthentication()
        api_key_auth = ApiKeyAuthentication()
        auth = MultiAuthentication(api_key_auth, session_auth)
        john_doe = User.objects.get(username='******')
        request1 = HttpRequest()
        request2 = HttpRequest()
        request3 = HttpRequest()

        request1.method = 'POST'
        request1.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request1.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }
        request1.user = john_doe

        request2.POST['username'] = '******'
        request2.POST['api_key'] = 'invalid key'

        request3.method = 'POST'
        request3.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request3.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }
        request3.user = john_doe
        request3.POST['username'] = '******'
        request3.POST['api_key'] = 'invalid key'

        #session auth should pass if since john_doe is logged in
        self.assertTrue(session_auth.is_authenticated(request1))
        #api key auth should fail because of invalid api key
        self.assertEqual(isinstance(api_key_auth.is_authenticated(request2), HttpUnauthorized), True)

        #multi auth shouldn't change users if api key auth fails
        #multi auth passes since session auth is valid
        self.assertEqual(request3.user.username, 'johndoe')
        self.assertTrue(auth.is_authenticated(request3))
        self.assertEqual(request3.user.username, 'johndoe')
Esempio n. 9
0
    def is_authenticated(self, request, **kwargs):
        '''
        handles backends explicitly so that it can return False when
        credentials are given but wrong and return Anonymous User when
        credentials are not given or the session has expired (web use).
        '''
        auth_info = request.META.get('HTTP_AUTHORIZATION')

        if 'HTTP_AUTHORIZATION' not in request.META:
            session_auth = SessionAuthentication()
            check = session_auth.is_authenticated(request, **kwargs)
            if check:
                if isinstance(check, HttpUnauthorized):
                    return(False)
                else:
                    request._authentication_backend = session_auth
                    return(check)
            else:
                request.user = AnonymousUser()
                return(True)
        else:
            if auth_info.startswith('Basic'):
                basic_auth = BasicAuthentication()
                check = basic_auth.is_authenticated(request, **kwargs)
                if check:
                    if isinstance(check, HttpUnauthorized):
                        return(False)
                    else:
                        request._authentication_backend = basic_auth
                        return(check)
            if auth_info.startswith('ApiKey'):
                apikey_auth = ApiKeyAuthentication()
                check = apikey_auth.is_authenticated(request, **kwargs)
                if check:
                    if isinstance(check, HttpUnauthorized):
                        return(False)
                    else:
                        request._authentication_backend = apikey_auth
                        return(check)
Esempio n. 10
0
    def test_is_authenticated(self):
        auth = SessionAuthentication()
        request = HttpRequest()
        request.COOKIES = {
            settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
        }

        # No CSRF token.
        request.META = {}
        self.assertFalse(auth.is_authenticated(request))

        # Invalid CSRF token.
        request.META = {
            'HTTP_X_CSRFTOKEN': 'abc123'
        }
        self.assertFalse(auth.is_authenticated(request))

        # Not logged in.
        request.META = {
            'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
        }
        request.user = AnonymousUser()
        self.assertFalse(auth.is_authenticated(request))

        # Logged in.
        request.user = User.objects.get(username='******')
        self.assertTrue(auth.is_authenticated(request))

        # Secure & wrong referrer.
        os.environ["HTTPS"] = "on"
        request.META['HTTP_HOST'] = 'example.com'
        request.META['HTTP_REFERER'] = ''
        self.assertFalse(auth.is_authenticated(request))

        # Secure & correct referrer.
        request.META['HTTP_REFERER'] = 'https://example.com/'
        self.assertTrue(auth.is_authenticated(request))

        os.environ["HTTPS"] = "off"