def test_ip_whitelist_not_used(self):
    """A call from outside the whitelist still resolves to a user identity.

    One account is bound to a whitelist holding only 192.168.1.100/32, and
    the request then arrives from 127.0.0.1, which that list does not cover.
    The expected outcome is a resolved user identity, not a denial.

    NOTE(review): the e-mail addresses are masked in this listing, so it
    cannot be confirmed here that the caller differs from the bound account;
    the test name implies the caller has no whitelist assignment.
    """
    model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
    bound_account = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    model.bootstrap_ip_whitelist_assignment(bound_account, 'whitelist')

    resolved = self.call('127.0.0.1', '*****@*****.**')
    self.assertEqual('user:[email protected]', resolved)
def test_ip_whitelist_bot(self):
    """A peer address in the bots whitelist is identified as a bot.

    Both calls pass None as the second argument to self.call (presumably "no
    user credentials" -- confirm against the helper), so the source address
    is the only input that differs between the two expected identities.
    """
    bots_list_name = model.bots_ip_whitelist()
    model.bootstrap_ip_whitelist(bots_list_name, ['192.168.1.100/32'])

    cases = (
        # (expected identity, peer address)
        ('bot:whitelisted-ip', '192.168.1.100'),  # listed
        ('anonymous:anonymous', '127.0.0.1'),     # not listed
    )
    for expected_identity, peer_ip in cases:
        self.assertEqual(expected_identity, self.call(peer_ip, None))
def test_ip_whitelist_not_whitelisted(self):
    """A call from an address outside the assigned whitelist is refused.

    The whitelist holds only 192.168.1.100/32; the call comes from 127.0.0.1
    and must raise api.AuthorizationError.

    NOTE(review): the e-mail addresses are masked in this listing; the
    caller is presumably the same account the whitelist is assigned to.
    """
    model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
    bound_account = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    model.bootstrap_ip_whitelist_assignment(bound_account, 'whitelist')

    self.assertRaises(
        api.AuthorizationError, self.call, '127.0.0.1', '*****@*****.**')
def test_ip_whitelist(self):
    """Per-account IP whitelist is enforced by AuthenticatingHandler.

    Two identities are created and only the first is bound to a whitelist
    holding 192.168.1.100/32. The peer address is supplied through the
    REMOTE_ADDR entry of the WSGI environ, and the HTTP status of a public
    GET is checked for three combinations of identity and address.
    """
    bound = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    unbound = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
    model.bootstrap_ip_whitelist_assignment(bound, 'whitelist')

    class Handler(handler.AuthenticatingHandler):
        @api.public
        def get(self):
            self.response.write('OK')

    app = self.make_test_app('/request', Handler)

    def status_for(who, peer_ip):
        # Each request starts from a clean auth state and a single fake auth
        # method that always reports `who` as the authenticated identity.
        api.reset_local_state()
        handler.configure([lambda _request: who])
        environ = {'REMOTE_ADDR': peer_ip}
        reply = app.get('/request', extra_environ=environ, expect_errors=True)
        return reply.status_int

    cases = (
        # (expected status, identity, peer address)
        (200, bound, '192.168.1.100'),  # IP is whitelisted.
        (403, bound, '127.0.0.1'),      # IP is NOT whitelisted.
        (200, unbound, '127.0.0.1'),    # Whitelist is not used.
    )
    for expected_status, who, peer_ip in cases:
        self.assertEqual(expected_status, status_for(who, peer_ip))
def test_ip_whitelist(self):
    """Per-account IP whitelist is enforced by AuthenticatingHandler.

    Only the first of two identities is bound to a whitelist holding
    192.168.1.100/32. The handler's auth methods are overridden to return
    whatever identity the test has currently selected, and the peer address
    is supplied through REMOTE_ADDR in the WSGI environ.
    """
    bound = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    unbound = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
    model.bootstrap_ip_whitelist_assignment(bound, 'whitelist')

    # One-element list so the nested handler class can observe reassignment.
    mocked_ident = [None]

    class Handler(handler.AuthenticatingHandler):
        @classmethod
        def get_auth_methods(cls, conf):
            return [lambda _req: mocked_ident[0]]

        @api.public
        def get(self):
            self.response.write('OK')

    app = self.make_test_app('/request', Handler)

    def status_for(who, peer_ip):
        api.reset_local_state()
        mocked_ident[0] = who
        environ = {'REMOTE_ADDR': peer_ip}
        reply = app.get('/request', extra_environ=environ, expect_errors=True)
        return reply.status_int

    cases = (
        # (expected status, identity, peer address)
        (200, bound, '192.168.1.100'),  # IP is whitelisted.
        (403, bound, '127.0.0.1'),      # IP is NOT whitelisted.
        (200, unbound, '127.0.0.1'),    # Whitelist is not used.
    )
    for expected_status, who, peer_ip in cases:
        self.assertEqual(expected_status, status_for(who, peer_ip))
def test_ip_whitelisted_bot(self):
    """A peer in the bots whitelist is captured as bot:whitelisted-ip.

    Both calls pass None as the second argument (presumably "no user
    credentials" -- confirm against self.call). For the listed address both
    current and peer identity are the bot identity; for the unlisted one both
    are anonymous. Neither state is a superuser or carries a delegation
    token.
    """
    bots_list_name = model.bots_ip_whitelist()
    model.bootstrap_ip_whitelist(bots_list_name, ['192.168.1.100/32'])

    cases = (
        # (peer argument, bare address, expected identity)
        ('ipv4:192.168.1.100', '192.168.1.100', 'bot:whitelisted-ip'),
        ('ipv4:127.0.0.1', '127.0.0.1', 'anonymous:anonymous'),
    )
    for peer_arg, bare_ip, identity in cases:
        captured, _ = self.call(peer_arg, None)
        expected = CapturedState(
            current_identity=identity,
            is_superuser=False,
            peer_identity=identity,
            peer_ip=ipaddr.ip_from_string(bare_ip),
            delegation_token=None,
        )
        self.assertEqual(captured, expected)
def test_ip_whitelist_not_used(self):
    """A caller at an unlisted address is still resolved to a user identity.

    The whitelist (192.168.1.100/32 only) is assigned to one account, while
    the call is made from 127.0.0.1 and is expected to succeed.

    NOTE(review): the e-mail addresses are masked in this listing, so which
    account makes the call cannot be verified here; the test name implies it
    is an account with no whitelist assignment.
    """
    allowed_subnets = ['192.168.1.100/32']
    model.bootstrap_ip_whitelist('whitelist', allowed_subnets)
    restricted = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    model.bootstrap_ip_whitelist_assignment(restricted, 'whitelist')

    seen_identity = self.call('127.0.0.1', '*****@*****.**')
    self.assertEqual('user:[email protected]', seen_identity)
def test_ip_whitelist_not_whitelisted(self):
    """A call from outside the assigned whitelist ends in PERMISSION_DENIED.

    No state is captured for the rejected call, and the status details name
    the rejected peer address.

    NOTE(review): the e-mail addresses are masked in this listing; the
    caller is presumably the account the whitelist is assigned to.
    """
    model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
    bound_account = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    model.bootstrap_ip_whitelist_assignment(bound_account, 'whitelist')

    captured, rpc_ctx = self.call('ipv4:127.0.0.1', '*****@*****.**')

    # The request must be stopped before any auth state is captured.
    self.assertIsNone(captured)
    self.assertEqual(rpc_ctx.code, prpclib.StatusCode.PERMISSION_DENIED)
    self.assertEqual(rpc_ctx.details, 'IP 127.0.0.1 is not whitelisted')
def test_ip_whitelist_whitelisted(self):
    """A call from an address inside the assigned whitelist is accepted.

    The captured state carries the user identity as both current and peer
    identity, the listed peer address, no superuser flag and no delegation
    token.

    NOTE(review): the e-mail addresses are masked in this listing; the
    caller is presumably the account the whitelist is assigned to.
    """
    model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
    bound_account = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    model.bootstrap_ip_whitelist_assignment(bound_account, 'whitelist')

    captured, _ = self.call('ipv4:192.168.1.100', '*****@*****.**')
    expected = CapturedState(
        current_identity='user:[email protected]',
        is_superuser=False,
        peer_identity='user:[email protected]',
        peer_ip=ipaddr.ip_from_string('192.168.1.100'),
        delegation_token=None,
    )
    self.assertEqual(captured, expected)
def test_ip_whitelist_bot(self):
    """A request from an address in the 'bots' whitelist is seen as a bot.

    The handler echoes api.get_current_identity() in the response body. The
    requests differ only in the REMOTE_ADDR value of the WSGI environ, so the
    bot identity here follows from the source address alone.
    """
    model.bootstrap_ip_whitelist('bots', ['192.168.1.100/32'])

    class Handler(handler.AuthenticatingHandler):
        @api.public
        def get(self):
            self.response.write(api.get_current_identity().to_bytes())

    app = self.make_test_app('/request', Handler)

    def identity_seen_from(peer_ip):
        api.reset_local_state()
        reply = app.get('/request', extra_environ={'REMOTE_ADDR': peer_ip})
        return reply.body

    cases = (
        # (expected identity, peer address)
        ('bot:whitelisted-ip', '192.168.1.100'),  # listed
        ('anonymous:anonymous', '127.0.0.1'),     # not listed
    )
    for expected_identity, peer_ip in cases:
        self.assertEqual(expected_identity, identity_seen_from(peer_ip))
def test_ip_whitelist_bot_disabled(self):
    """With use_bots_ip_whitelist = False a listed address stays anonymous.

    Same setup as test_ip_whitelist_bot, except that the handler class opts
    out of bots-whitelist authentication; the listed peer address must then
    not be given a bot identity.
    """
    bots_list_name = model.bots_ip_whitelist()
    model.bootstrap_ip_whitelist(bots_list_name, ['192.168.1.100/32'])

    class Handler(handler.AuthenticatingHandler):
        # Opt this handler out of IP-whitelist based bot authentication.
        use_bots_ip_whitelist = False

        @api.public
        def get(self):
            self.response.write(api.get_current_identity().to_bytes())

    app = self.make_test_app('/request', Handler)

    def identity_seen_from(peer_ip):
        api.reset_local_state()
        reply = app.get('/request', extra_environ={'REMOTE_ADDR': peer_ip})
        return reply.body

    seen = identity_seen_from('192.168.1.100')
    self.assertEqual('anonymous:anonymous', seen)
def test_ip_whitelist_bot(self):
    """A request from an address in the 'bots' whitelist is seen as a bot.

    In this variant the expected bot identity embeds the peer address
    ('bot:192.168.1.100'). The handler echoes api.get_current_identity() in
    the response body, and the requests differ only in the REMOTE_ADDR value
    of the WSGI environ.
    """
    model.bootstrap_ip_whitelist('bots', ['192.168.1.100/32'])

    class Handler(handler.AuthenticatingHandler):
        @api.public
        def get(self):
            self.response.write(api.get_current_identity().to_bytes())

    app = self.make_test_app('/request', Handler)

    def identity_seen_from(peer_ip):
        api.reset_local_state()
        reply = app.get('/request', extra_environ={'REMOTE_ADDR': peer_ip})
        return reply.body

    cases = (
        # (expected identity, peer address)
        ('bot:192.168.1.100', '192.168.1.100'),  # listed
        ('anonymous:anonymous', '127.0.0.1'),    # not listed
    )
    for expected_identity, peer_ip in cases:
        self.assertEqual(expected_identity, identity_seen_from(peer_ip))
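def test_bootstrap_ip_whitelist_empty(self):
    """Bootstrapping a whitelist with no subnets still stores the entity.

    The entity must not exist beforehand. After the call it is expected to
    record the service's own identity as creator and modifier, the mocked
    time as both timestamps, the given description and an empty subnet list.
    """
    self.assertIsNone(model.ip_whitelist_key('list').get())

    # Plain 1, not 01: a leading-zero literal is octal on Python 2 and a
    # SyntaxError on Python 3. The value is the same.
    mocked_now = datetime.datetime(2014, 1, 1)
    self.mock_now(mocked_now)

    ret = model.bootstrap_ip_whitelist('list', [], 'comment')
    self.assertTrue(ret)

    ent = model.ip_whitelist_key('list').get()
    self.assertTrue(ent)
    expected = {
        'created_by': model.get_service_self_identity(),
        'created_ts': mocked_now,
        'description': u'comment',
        'modified_by': model.get_service_self_identity(),
        'modified_ts': mocked_now,
        'subnets': [],
    }
    self.assertEqual(expected, ent.to_dict())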
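def test_bootstrap_ip_whitelist_empty(self):
    """Bootstrapping a whitelist with no subnets still stores the entity.

    The entity must not exist beforehand. After the call it is expected to
    record the service's own identity as creator and modifier, the mocked
    time as both timestamps, the given description and an empty subnet list.
    """
    self.assertIsNone(model.ip_whitelist_key('list').get())

    # Plain 1, not 01: a leading-zero literal is octal on Python 2 and a
    # SyntaxError on Python 3. The value is the same.
    mocked_now = datetime.datetime(2014, 1, 1)
    self.mock_now(mocked_now)

    ret = model.bootstrap_ip_whitelist('list', [], 'comment')
    self.assertTrue(ret)

    ent = model.ip_whitelist_key('list').get()
    self.assertTrue(ent)
    expected = {
        'created_by': model.get_service_self_identity(),
        'created_ts': mocked_now,
        'description': u'comment',
        'modified_by': model.get_service_self_identity(),
        'modified_ts': mocked_now,
        'subnets': [],
    }
    self.assertEqual(expected, ent.to_dict())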
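def test_bootstrap_ip_whitelist(self):
    """Bootstrapping a whitelist stores the given subnets and audit fields.

    The entity must not exist beforehand. After the call it is expected to
    hold both subnets in the order given, revision 1 with no previous
    revision, the service's own identity as creator and modifier, and the
    mocked time as both timestamps.
    """
    self.assertIsNone(model.ip_whitelist_key('list').get())

    # Plain 1, not 01: a leading-zero literal is octal on Python 2 and a
    # SyntaxError on Python 3. The value is the same.
    mocked_now = datetime.datetime(2014, 1, 1)
    self.mock_now(mocked_now)

    ret = model.bootstrap_ip_whitelist(
        'list', ['192.168.0.0/24', '127.0.0.1/32'], 'comment')
    self.assertTrue(ret)

    ent = model.ip_whitelist_key('list').get()
    self.assertTrue(ent)
    expected = {
        'auth_db_rev': 1,
        'auth_db_prev_rev': None,
        'created_by': model.get_service_self_identity(),
        'created_ts': mocked_now,
        'description': u'comment',
        'modified_by': model.get_service_self_identity(),
        'modified_ts': mocked_now,
        'subnets': [u'192.168.0.0/24', u'127.0.0.1/32'],
    }
    self.assertEqual(expected, ent.to_dict())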
def test_bootstrap_ip_whitelist_bad_subnet(self):
    """bootstrap_ip_whitelist reports failure for a malformed subnet string.

    NOTE(review): only the return value is checked; this test does not
    assert whether an entity was stored for the rejected input.
    """
    malformed_subnets = ['not a subnet']
    created = model.bootstrap_ip_whitelist('list', malformed_subnets)
    self.assertFalse(created)
def test_ip_whitelist_bot(self):
    """A peer address in the 'bots' whitelist is identified as a bot.

    In this variant the expected bot identity embeds the peer address
    ('bot:192.168.1.100'). Both calls pass None as the second argument to
    self.call (presumably "no user credentials" -- confirm against the
    helper), so the source address alone decides the outcome.
    """
    model.bootstrap_ip_whitelist('bots', ['192.168.1.100/32'])

    cases = (
        # (expected identity, peer address)
        ('bot:192.168.1.100', '192.168.1.100'),  # listed
        ('anonymous:anonymous', '127.0.0.1'),    # not listed
    )
    for expected_identity, peer_ip in cases:
        self.assertEqual(expected_identity, self.call(peer_ip, None))