コード例 #1
0
def test_flash_dont_escape_html(user_id, request_context):
    now = datetime.now()
    with login.UserSessionContext(user_id):
        on_succeeded_login(user_id, now)  # Create and activate session

        flash(HTML("<script>aaa</script>"))
        assert get_flashed_messages() == [HTML("<script>aaa</script>")]
コード例 #2
0
def test_flash_escape_html_in_str(user_id, module_wide_request_context):
    with login.UserContext(user_id):
        on_succeeded_login(user_id)  # Create and activate session

        flash("<script>aaa</script>")
        assert get_flashed_messages() == [
            HTML("&lt;script&gt;aaa&lt;/script&gt;")
        ]
コード例 #3
0
def test_on_failed_login_count_reset_on_succeeded_login(user_id):
    assert config.lock_on_logon_failures is False
    assert userdb._load_failed_logins(user_id) == 0
    assert userdb._user_locked(user_id) is False

    userdb.on_failed_login(user_id)
    assert userdb._load_failed_logins(user_id) == 1
    assert userdb._user_locked(user_id) is False

    userdb.on_succeeded_login(user_id)
    assert userdb._load_failed_logins(user_id) == 0
    assert userdb._user_locked(user_id) is False
コード例 #4
0
def test_on_failed_login_count_reset_on_succeeded_login(
        user_id: UserId) -> None:
    now = datetime.now()
    assert active_config.lock_on_logon_failures is None
    assert userdb._load_failed_logins(user_id) == 0
    assert not userdb.user_locked(user_id)

    userdb.on_failed_login(user_id, now)
    assert userdb._load_failed_logins(user_id) == 1
    assert not userdb.user_locked(user_id)

    userdb.on_succeeded_login(user_id, now)
    assert userdb._load_failed_logins(user_id) == 0
    assert not userdb.user_locked(user_id)
コード例 #5
0
def _check_auth_http_header() -> Optional[UserId]:
    """When http header auth is enabled, try to read the user_id from the var
    and when there is some available, set the auth cookie (for other addons) and proceed."""
    assert isinstance(config.auth_by_http_header, str)
    user_id = html.request.get_request_header(config.auth_by_http_header)
    if not user_id:
        return None

    user_id = UserId(ensure_str(user_id))
    set_auth_type("http_header")

    if auth_cookie_name() not in html.request.cookies:
        userdb.on_succeeded_login(user_id)

    return user_id
コード例 #6
0
    def _do_login(self) -> None:
        """handle the sent login form"""
        if not html.request.var('_login'):
            return

        try:
            if not config.user_login:
                raise MKUserError(None,
                                  _('Login is not allowed on this site.'))

            username_var = html.request.get_unicode_input('_username', '')
            assert username_var is not None
            username = UserId(username_var.rstrip())
            if not username:
                raise MKUserError('_username', _('No username given.'))

            password = html.request.var('_password', '')
            if not password:
                raise MKUserError('_password', _('No password given.'))

            default_origtarget = config.url_prefix() + "check_mk/"
            origtarget = html.get_url_input("_origtarget", default_origtarget)

            # Disallow redirections to:
            #  - logout.py: Happens after login
            #  - side.py: Happens when invalid login is detected during sidebar refresh
            if "logout.py" in origtarget or 'side.py' in origtarget:
                origtarget = default_origtarget

            result = userdb.check_credentials(username, password)
            if result:
                # use the username provided by the successful login function, this function
                # might have transformed the username provided by the user. e.g. switched
                # from mixed case to lower case.
                username = result

                session_id = userdb.on_succeeded_login(username)

                # The login succeeded! Now:
                # a) Set the auth cookie
                # b) Unset the login vars in further processing
                # c) Redirect to really requested page
                _create_auth_session(username, session_id)

                # Never use inplace redirect handling anymore as used in the past. This results
                # in some unexpected situations. We simpy use 302 redirects now. So we have a
                # clear situation.
                # userdb.need_to_change_pw returns either False or the reason description why the
                # password needs to be changed
                change_pw_result = userdb.need_to_change_pw(username)
                if change_pw_result:
                    raise HTTPRedirect(
                        'user_change_pw.py?_origtarget=%s&reason=%s' %
                        (html.urlencode(origtarget), change_pw_result))
                raise HTTPRedirect(origtarget)

            userdb.on_failed_login(username)
            raise MKUserError(None, _('Invalid credentials.'))
        except MKUserError as e:
            html.add_user_error(e.varname, e)
コード例 #7
0
def test_flash(user_id):
    # Execute the first request flash some message
    with application_and_request_context(), login.UserSessionContext(user_id):
        session_id = on_succeeded_login(user_id)  # Create and activate session
        assert session is not None

        flash("abc")
        assert session.session_info.flashes == ["abc"]

    # Now create the second request to get the previously flashed message
    with application_and_request_context(), login.UserSessionContext(user_id):
        on_access(user_id, session_id)
        assert session is not None
        assert session.session_info.flashes == ["abc"]

        # Get the flashed messages removes the messages from the session
        # and subsequent calls to get_flashed_messages return the messages
        # over and over.
        assert get_flashed_messages() == [HTML("abc")]
        assert get_flashed_messages() == [HTML("abc")]
        assert session.session_info.flashes == []

    # Now create the third request that should not have access to the flashed messages since the
    # second one consumed them.
    with application_and_request_context(), login.UserSessionContext(user_id):
        on_access(user_id, session_id)
        assert session is not None
        assert session.session_info.flashes == []
        assert get_flashed_messages() == []
コード例 #8
0
def test_on_succeeded_login(user_id: UserId, zero_uuid: None) -> None:
    now = datetime.now()
    assert active_config.single_user_session is None

    # Never logged in before
    assert not userdb._load_session_infos(user_id)
    assert userdb._load_failed_logins(user_id) == 0

    session_id = userdb.on_succeeded_login(user_id, now)
    assert session_id != ""

    # Verify the session was initialized
    session_infos = userdb._load_session_infos(user_id)
    assert session_infos == {
        session_id:
        userdb.SessionInfo(
            session_id=session_id,
            started_at=int(now.timestamp()),
            last_activity=int(now.timestamp()),
            flashes=[],
            csrf_token="00000000-0000-0000-0000-000000000000",
        )
    }

    # Ensure the failed login count is 0
    assert userdb._load_failed_logins(user_id) == 0
コード例 #9
0
def test_access_denied_with_invalidated_session(user_id: UserId) -> None:
    session_id = userdb.on_succeeded_login(user_id)
    assert session_id in userdb._load_session_infos(user_id)

    userdb.on_access(user_id, session_id)

    userdb.on_logout(user_id, session_id)
    assert not userdb._load_session_infos(user_id)

    with pytest.raises(MKAuthException, match="Invalid user session"):
        userdb.on_access(user_id, session_id)
コード例 #10
0
ファイル: login.py プロジェクト: mahdi7839/checkmk
def _check_auth_cookie_for_web_server_auth(user_id: UserId):
    """Session handling also has to be initialized when the authentication is done
    by the web server.

    The authentication is already done on web server level. We accept the provided
    username as authenticated and create our cookie here.
    """
    if auth_cookie_name() not in html.request.cookies:
        session_id = userdb.on_succeeded_login(user_id)
        _create_auth_session(user_id, session_id)
        return

    # Refresh the existing auth cookie and update the session info
    cookie_name = auth_cookie_name()
    try:
        _check_auth_cookie(cookie_name)
    except MKAuthException:
        # Suppress cookie validation errors from other sites cookies
        auth_logger.debug('Exception while checking cookie %s: %s' %
                          (cookie_name, traceback.format_exc()))
    except Exception:
        auth_logger.debug('Exception while checking cookie %s: %s' %
                          (cookie_name, traceback.format_exc()))
コード例 #11
0
def test_on_succeeded_login(user_id):
    assert config.single_user_session is None

    # Never logged in before
    assert not userdb._load_session_infos(user_id)
    assert userdb._load_failed_logins(user_id) == 0

    session_id = userdb.on_succeeded_login(user_id)
    assert session_id != ""

    # Verify the session was initialized
    session_infos = userdb._load_session_infos(user_id)
    assert session_infos == {
        session_id:
        userdb.SessionInfo(
            session_id=session_id,
            started_at=int(time.time()),
            last_activity=int(time.time()),
        )
    }

    # Ensure the failed login count is 0
    assert userdb._load_failed_logins(user_id) == 0
コード例 #12
0
def test_flash(user_id):
    environ = create_environ()
    # Execute the first request flash some message
    with AppContext(DummyApplication(environ, None)), \
            RequestContext(htmllib.html(http.Request(environ))) as request, \
            login.UserContext(user_id):
        session_id = on_succeeded_login(user_id)  # Create and activate session
        assert request.session is not None

        flash("abc")
        assert session.session_info.flashes == ["abc"]

    # Now create the second request to get the previously flashed message
    with AppContext(DummyApplication(environ, None)), \
            RequestContext(htmllib.html(http.Request(environ))), \
            login.UserContext(user_id):
        on_access(user_id, session_id)
        assert request.session is not None
        assert session.session_info.flashes == ["abc"]

        # Get the flashed messages removes the messages from the session
        # and subsequent calls to get_flashed_messages return the messages
        # over and over.
        assert get_flashed_messages() == [HTML("abc")]
        assert get_flashed_messages() == [HTML("abc")]
        assert session.session_info.flashes == []

    # Now create the third request that should not have access to the flashed messages since the
    # second one consumed them.
    with AppContext(DummyApplication(environ, None)), \
            RequestContext(htmllib.html(http.Request(environ))), \
            login.UserContext(user_id):
        on_access(user_id, session_id)
        assert request.session is not None
        assert session.session_info.flashes == []
        assert get_flashed_messages() == []
コード例 #13
0
def test_on_succeeded_login_already_existing_session(user_id: UserId) -> None:
    now = datetime.now()
    make_valid_session(user_id, now)
    with pytest.raises(MKUserError, match="Another session"):
        assert userdb.on_succeeded_login(user_id, now)
コード例 #14
0
def do_login():
    # handle the sent login form
    if html.request.var('_login'):
        try:
            username = html.get_unicode_input('_username', '').rstrip()
            if username == '':
                raise MKUserError('_username', _('No username given.'))

            password = html.request.var('_password', '')
            if password == '':
                raise MKUserError('_password', _('No password given.'))

            default_origtarget = config.url_prefix() + "check_mk/"
            origtarget = html.get_url_input("_origtarget", default_origtarget)

            # Disallow redirections to:
            #  - logout.py: Happens after login
            #  - side.py: Happens when invalid login is detected during sidebar refresh
            if "logout.py" in origtarget or 'side.py' in origtarget:
                origtarget = default_origtarget

            # None        -> User unknown, means continue with other connectors
            # '<user_id>' -> success
            # False       -> failed
            result = userdb.hook_login(username, password)
            if result:
                # use the username provided by the successful login function, this function
                # might have transformed the username provided by the user. e.g. switched
                # from mixed case to lower case.
                username = result

                # When single user session mode is enabled, check that there is not another
                # active session
                userdb.ensure_user_can_init_session(username)

                # reset failed login counts
                userdb.on_succeeded_login(username)

                # The login succeeded! Now:
                # a) Set the auth cookie
                # b) Unset the login vars in further processing
                # c) Redirect to really requested page
                create_auth_session(username)

                # Never use inplace redirect handling anymore as used in the past. This results
                # in some unexpected situations. We simpy use 302 redirects now. So we have a
                # clear situation.
                # userdb.need_to_change_pw returns either False or the reason description why the
                # password needs to be changed
                result = userdb.need_to_change_pw(username)
                if result:
                    raise HTTPRedirect('user_change_pw.py?_origtarget=%s&reason=%s' %
                                       (html.urlencode(origtarget), result))
                else:
                    raise HTTPRedirect(origtarget)
            else:
                userdb.on_failed_login(username)
                raise MKUserError(None, _('Invalid credentials.'))
        except MKUserError as e:
            html.add_user_error(e.varname, e)
            return "%s" % e
コード例 #15
0
def test_on_succeeded_login_already_existing_session(
        user_id: UserId, session_valid: str) -> None:
    with pytest.raises(MKUserError, match="Another session"):
        assert userdb.on_succeeded_login(user_id)
コード例 #16
0
def test_on_logout_invalidate_session(user_id: UserId) -> None:
    session_id = userdb.on_succeeded_login(user_id)
    assert session_id in userdb._load_session_infos(user_id)

    userdb.on_logout(user_id, session_id)
    assert not userdb._load_session_infos(user_id)
コード例 #17
0
def test_on_logout_no_session(user_id: UserId) -> None:
    assert userdb.on_succeeded_login(user_id)
    assert userdb._load_session_infos(user_id)

    userdb.on_logout(user_id, session_id="")
    assert userdb._load_session_infos(user_id)
コード例 #18
0
    def _do_login(self) -> None:
        """handle the sent login form"""
        if not request.var("_login"):
            return

        try:
            if not active_config.user_login:
                raise MKUserError(None,
                                  _("Login is not allowed on this site."))

            username_var = request.get_str_input("_username", "")
            assert username_var is not None
            username = UserId(username_var.rstrip())
            if not username:
                raise MKUserError("_username", _("Missing username"))

            password = request.var("_password", "")
            if not password:
                raise MKUserError("_password", _("Missing password"))

            default_origtarget = url_prefix() + "check_mk/"
            origtarget = request.get_url_input("_origtarget",
                                               default_origtarget)

            # Disallow redirections to:
            #  - logout.py: Happens after login
            #  - side.py: Happens when invalid login is detected during sidebar refresh
            if "logout.py" in origtarget or "side.py" in origtarget:
                origtarget = default_origtarget

            result = userdb.check_credentials(username, password)
            if result:
                # use the username provided by the successful login function, this function
                # might have transformed the username provided by the user. e.g. switched
                # from mixed case to lower case.
                username = result

                session_id = userdb.on_succeeded_login(username)

                # The login succeeded! Now:
                # a) Set the auth cookie
                # b) Unset the login vars in further processing
                # c) Redirect to really requested page
                _create_auth_session(username, session_id)

                # Never use inplace redirect handling anymore as used in the past. This results
                # in some unexpected situations. We simpy use 302 redirects now. So we have a
                # clear situation.
                # userdb.need_to_change_pw returns either False or the reason description why the
                # password needs to be changed
                change_pw_result = userdb.need_to_change_pw(username)
                if change_pw_result:
                    raise HTTPRedirect(
                        "user_change_pw.py?_origtarget=%s&reason=%s" %
                        (urlencode(origtarget), change_pw_result))

                if userdb.is_two_factor_login_enabled(username):
                    raise HTTPRedirect(
                        "user_login_two_factor.py?_origtarget=%s" %
                        urlencode(makeuri(request, [])))

                raise HTTPRedirect(origtarget)

            userdb.on_failed_login(username)
            raise MKUserError(None, _("Invalid login"))
        except MKUserError as e:
            user_errors.add(e)
コード例 #19
0
def test_flash_dont_escape_html(user_id, module_wide_request_context):
    with login.UserSessionContext(user_id):
        on_succeeded_login(user_id)  # Create and activate session

        flash(HTML("<script>aaa</script>"))
        assert get_flashed_messages() == [HTML("<script>aaa</script>")]