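def test_is_vouched(self, rget, rlogging):
    """Check is_vouched() results and that errors never leak the API key.

    ``rget`` and ``rlogging`` are presumably mocks injected by ``patch``
    decorators that are not part of this listing; only ``rget`` is
    configured here.
    """
    def mocked_get(url, **options):
        # Dispatch on a marker in the requested URL. An unexpected URL
        # fails loudly instead of silently returning a default response.
        if 'tmickel' in url:
            return Response(NOT_VOUCHED_FOR)
        if 'peterbe' in url:
            return Response(VOUCHED_FOR)
        if 'trouble' in url:
            return Response('Failed', status_code=500)
        raise NotImplementedError(url)

    rget.side_effect = mocked_get

    # NOTE(review): the addresses are masked in this listing. Each call
    # presumably needs an address whose lookup URL contains the marker
    # mocked_get dispatches on ('tmickel', 'peterbe', 'trouble') - confirm
    # against the original test.
    ok_(not mozillians.is_vouched('*****@*****.**'))
    ok_(mozillians.is_vouched('*****@*****.**'))

    self.assertRaises(
        mozillians.BadStatusCodeError,
        mozillians.is_vouched,
        '*****@*****.**'
    )
    # also check that the API key is scrubbed
    try:
        mozillians.is_vouched('*****@*****.**')
    except mozillians.BadStatusCodeError as msg:
        # The exception text may end up in logs or error reports, so the
        # secret must not appear in it.
        ok_(settings.MOZILLIANS_API_KEY not in str(msg))
    else:
        # The original used a bare ``raise`` here, which only failed the
        # test through an unrelated "no active exception" error.
        raise AssertionError('BadStatusCodeError was not raised')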
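def test_is_vouched(self, rget):
    """Check is_vouched() results and that errors never leak the API key.

    ``rget`` is presumably a mock injected by a ``patch`` decorator that is
    not part of this listing.
    """
    def mocked_get(url, **options):
        # Dispatch on a marker in the requested URL. An unexpected URL
        # fails loudly instead of silently returning a default response.
        if 'tmickel' in url:
            return Response(NOT_VOUCHED_FOR_USERS)
        if 'peterbe' in url:
            return Response(VOUCHED_FOR_USERS)
        if 'trouble' in url:
            return Response('Failed', status_code=500)
        raise NotImplementedError(url)

    rget.side_effect = mocked_get

    # NOTE(review): the addresses are masked in this listing. Each call
    # presumably needs an address whose lookup URL contains the marker
    # mocked_get dispatches on ('tmickel', 'peterbe', 'trouble') - confirm
    # against the original test.
    ok_(not mozillians.is_vouched('*****@*****.**'))
    ok_(mozillians.is_vouched('*****@*****.**'))

    self.assertRaises(
        mozillians.BadStatusCodeError,
        mozillians.is_vouched,
        '*****@*****.**'
    )
    # also check that the API key is scrubbed
    try:
        mozillians.is_vouched('*****@*****.**')
    except mozillians.BadStatusCodeError as msg:
        # The exception text may end up in logs or error reports, so the
        # secret must not appear in it.
        ok_(settings.MOZILLIANS_API_KEY not in str(msg))
    else:
        # The original used a bare ``raise`` here, which only failed the
        # test through an unrelated "no active exception" error.
        raise AssertionError('BadStatusCodeError was not raised')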
def test_is_not_vouched(self, rget, rlogging):
    """A lookup answered with NO_VOUCHED_FOR must not count as vouched."""
    def fake_get(url, **options):
        # Only the one expected lookup is served; any other URL is a bug
        # in the test setup.
        if 'tmickel' not in url:
            raise NotImplementedError(url)
        return Response(NO_VOUCHED_FOR)

    rget.side_effect = fake_get

    vouched = mozillians.is_vouched('*****@*****.**')
    ok_(not vouched)
def test_is_not_vouched(self, rget):
    """A lookup answered with NOT_VOUCHED_FOR_USERS is not vouched."""
    def fake_get(url, **options):
        # Only the one expected lookup is served; any other URL is a bug
        # in the test setup.
        if 'tmickel' not in url:
            raise NotImplementedError(url)
        return Response(NOT_VOUCHED_FOR_USERS)

    rget.side_effect = fake_get

    vouched = mozillians.is_vouched('*****@*****.**')
    ok_(not vouched)
def login_success(self):
    """Gate a verified BrowserID login on email domain or vouched status.

    An address in settings.ALLOWED_BID is let in and loses any earlier
    contributor flag. A vouched Mozillian is let in as a contributor.
    Everyone else is sent to login_failure(), and so is any login for which
    the Mozillians lookup raises BadStatusCodeError (fail closed).
    """
    email = self.user.email
    email_domain = email.split('@')[-1].lower()
    try:
        if email_domain in settings.ALLOWED_BID:
            # The domain may have been added to ALLOWED_BID after this
            # person first signed in as a contributor.
            should_be_contributor = False
        elif is_vouched(email):
            should_be_contributor = True
        else:
            messages.error(
                self.request,
                'Email {0} authenticated but not vouched for'
                .format(email)
            )
            return self.login_failure()

        try:
            # ``profile`` is the reverse side of the OneToOneField on
            # UserProfile (related_name='profile').
            existing = self.user.profile
            if bool(existing.contributor) != should_be_contributor:
                existing.contributor = should_be_contributor
                existing.save()
        except UserProfile.DoesNotExist:
            # Only vouched contributors need a profile created for them.
            if should_be_contributor:
                UserProfile.objects.create(
                    user=self.user,
                    contributor=True
                )
    except BadStatusCodeError:
        # Mozillians could not be reached: refuse the login rather than
        # guessing the vouched status.
        logger.error('Unable to call out to mozillians', exc_info=True)
        messages.error(
            self.request,
            'Email {0} authenticated but unable to connect to '
            'Mozillians to see if are vouched. '
            .format(email)
        )
        return self.login_failure()

    return super(CustomBrowserIDVerify, self).login_success()
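def filter_users_by_claims(self, claims):
    """Return the users allowed to sign in for the given OIDC claims.

    Existing users found by the parent backend are returned unchanged.
    An unknown email is admitted only when its domain is in
    settings.ALLOWED_BID or the address is vouched for in Mozillians; the
    user is then created here (vouched users also get a contributor
    profile). Anything else yields an empty queryset, which denies the
    login.
    """
    users = super(
        AirmozillaOIDCAuthenticationBackend, self
    ).filter_users_by_claims(claims)
    # If this returned a set of users, it means the email already
    # exists (got in at some point). If so, do nothing but just
    # return the users.
    if users:
        return users

    # Never heard of this user before!
    # Because we set settings.OIDC_CREATE_USER it won't immediately
    # be created.
    # If we decide that this user should not be allowed in, return an
    # empty list or empty queryset.
    email = claims.get('email')
    if not email:
        # No email claim: there is nothing to check, so deny instead of
        # crashing on ``None.split`` below.
        return UserModel.objects.none()

    domain = email.split('@')[-1].lower()
    if domain in settings.ALLOWED_BID:
        # You've never signed in before but you have an awesome
        # email domain.
        user = super(
            AirmozillaOIDCAuthenticationBackend, self
        ).create_user(claims)
        return [user]

    # At this point, you need to be a vouched mozillian.
    # And if you are you get a "contributor" profile.
    # NOTE(review): is_vouched() presumably raises when the Mozillians
    # lookup fails; that is not caught here, so no user is created in that
    # case. Confirm the caller turns it into a failed login.
    if is_vouched(email):
        user = super(
            AirmozillaOIDCAuthenticationBackend, self
        ).create_user(claims)
        UserProfile.objects.create(
            user=user,
            contributor=True
        )
        return [user]

    return UserModel.objects.none()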
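def login_success(self):
    """Gate a verified BrowserID login on email domain or vouched status.

    An address in settings.ALLOWED_BID is let in as is. A vouched Mozillian
    is let in as a contributor. Everyone else gets a failed login, and so
    does any login for which the Mozillians lookup raises
    BadStatusCodeError (fail closed).
    """
    # Email domains are case-insensitive, so normalise before the
    # allow-list check. Otherwise 'user@EXAMPLE.COM' is treated differently
    # from 'user@example.com'.
    # NOTE(review): assumes the entries in settings.ALLOWED_BID are
    # lower-case - confirm.
    domain = self.user.email.split('@')[-1].lower()
    try:
        if domain in settings.ALLOWED_BID:
            # awesome!
            pass
        elif is_vouched(self.user.email):
            try:
                profile = self.user.get_profile()
                if not profile.contributor:
                    profile.contributor = True
                    profile.save()
            except UserProfile.DoesNotExist:
                UserProfile.objects.create(
                    user=self.user,
                    contributor=True
                )
        else:
            messages.error(
                self.request,
                'Email {0} authenticated but not vouched for'
                .format(self.user.email)
            )
            return super(CustomBrowserIDVerify, self).login_failure()
    except BadStatusCodeError:
        # Mozillians could not be reached: refuse the login rather than
        # guessing the vouched status.
        logger.error('Unable to call out to mozillians', exc_info=True)
        messages.error(
            self.request,
            'Email {0} authenticated but unable to connect to '
            'Mozillians to see if are vouched. '
            .format(self.user.email)
        )
        return super(CustomBrowserIDVerify, self).login_failure()

    return super(CustomBrowserIDVerify, self).login_success()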
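def get_user(user_info):
    """Return the User for an authenticated identity, or None if denied.

    ``user_info`` must contain 'email' and may contain 'given_name' and
    'family_name'. The address is admitted when its domain is in
    settings.ALLOWED_BID or when it is vouched for in Mozillians; otherwise
    None is returned and nothing is created. The user is looked up by exact
    email, then case-insensitively, then through UserEmailAlias, and is
    created only if all three lookups miss.
    """
    email = user_info['email']
    domain = email.split('@')[-1].lower()
    _allowed_bid = False
    _is_vouched = False

    if domain in settings.ALLOWED_BID:
        # This variable matters later when we have the user
        _allowed_bid = True
    elif is_vouched(email):
        # This variable matters later when we have the user
        _is_vouched = True
    else:
        # Neither an allowed domain nor vouched: deny.
        return

    created = False
    try:
        user = User.objects.get(email=email)
    except User.DoesNotExist:
        try:
            user = User.objects.get(email__iexact=email)
        except User.DoesNotExist:
            try:
                user = UserEmailAlias.objects.get(email__iexact=email).user
            except UserEmailAlias.DoesNotExist:
                # We have to create the user
                user = User.objects.create(
                    email=email,
                    username=default_username(email),
                )
                created = True

    if not created:
        # If the found user is inactive, and the user's alias points
        # to another user, return that one instead.
        # NOTE(review): when no alias exists the inactive user is returned
        # as is; presumably the caller rejects inactive accounts - confirm.
        if not user.is_active:
            try:
                user = UserEmailAlias.objects.get(
                    email__iexact=user.email
                ).user
            except UserEmailAlias.DoesNotExist:
                # At least we tried
                pass

    if user_info.get('given_name'):
        if user_info['given_name'] != user.first_name:
            user.first_name = user_info['given_name']
            user.save()

    if user_info.get('family_name'):
        # Compare against last_name. The original compared against
        # first_name, so the surname was re-saved on nearly every login and
        # never updated when it happened to equal the first name.
        if user_info['family_name'] != user.last_name:
            user.last_name = user_info['family_name']
            user.save()

    if _allowed_bid and not created:
        # If you were a contributor before, undo that.
        # This might be the case when we extend settings.ALLOWED_BID
        # with new domains and people with those domains logged
        # in before.
        try:
            # if you were a contributor before, undo that now
            if user.profile.contributor:
                user.profile.contributor = False
                user.profile.save()
        except UserProfile.DoesNotExist:
            pass
    elif _is_vouched:
        # If you existed before and are now not in ALLOWED_BID,
        # really make sure you have a UserProfile with
        # .contributor set to True
        try:
            if not user.profile.contributor:
                user.profile.contributor = True
                user.profile.save()
        except UserProfile.DoesNotExist:
            UserProfile.objects.create(
                user=user,
                contributor=True
            )

    return user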
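def get_user(user_info):
    """Return the User for an authenticated identity, or None if denied.

    ``user_info`` must contain 'email' and may contain 'given_name' and
    'family_name'. The address is admitted when its domain is in
    settings.ALLOWED_BID or when it is vouched for in Mozillians; otherwise
    None is returned and nothing is created. The user is looked up by exact
    email, then case-insensitively, then through UserEmailAlias, and is
    created only if all three lookups miss.
    """
    email = user_info['email']
    domain = email.split('@')[-1].lower()
    _allowed_bid = False
    _is_vouched = False

    if domain in settings.ALLOWED_BID:
        # This variable matters later when we have the user
        _allowed_bid = True
    elif is_vouched(email):
        # This variable matters later when we have the user
        _is_vouched = True
    else:
        # Neither an allowed domain nor vouched: deny.
        return

    created = False
    try:
        user = User.objects.get(email=email)
    except User.DoesNotExist:
        try:
            user = User.objects.get(email__iexact=email)
        except User.DoesNotExist:
            try:
                user = UserEmailAlias.objects.get(email__iexact=email).user
            except UserEmailAlias.DoesNotExist:
                # We have to create the user
                user = User.objects.create(
                    email=email,
                    username=default_username(email),
                )
                created = True

    if not created:
        # If the found user is inactive, and the user's alias points
        # to another user, return that one instead.
        # NOTE(review): when no alias exists the inactive user is returned
        # as is; presumably the caller rejects inactive accounts - confirm.
        if not user.is_active:
            try:
                user = UserEmailAlias.objects.get(
                    email__iexact=user.email).user
            except UserEmailAlias.DoesNotExist:
                # At least we tried
                pass

    if user_info.get('given_name'):
        if user_info['given_name'] != user.first_name:
            user.first_name = user_info['given_name']
            user.save()

    if user_info.get('family_name'):
        # Compare against last_name. The original compared against
        # first_name, so the surname was re-saved on nearly every login and
        # never updated when it happened to equal the first name.
        if user_info['family_name'] != user.last_name:
            user.last_name = user_info['family_name']
            user.save()

    if _allowed_bid and not created:
        # If you were a contributor before, undo that.
        # This might be the case when we extend settings.ALLOWED_BID
        # with new domains and people with those domains logged
        # in before.
        try:
            # if you were a contributor before, undo that now
            if user.profile.contributor:
                user.profile.contributor = False
                user.profile.save()
        except UserProfile.DoesNotExist:
            pass
    elif _is_vouched:
        # If you existed before and are now not in ALLOWED_BID,
        # really make sure you have a UserProfile with
        # .contributor set to True
        try:
            if not user.profile.contributor:
                user.profile.contributor = True
                user.profile.save()
        except UserProfile.DoesNotExist:
            UserProfile.objects.create(user=user, contributor=True)

    return user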