class SignedCookiesTest(TestCase): def setUp(self): self.middleware = SignedCookiesMiddleware() self.auth_middleware = AuthenticationMiddleware() self.session_middleware = SessionMiddleware() def _process_request(self, request): self.session_middleware.process_request(request) self.auth_middleware.process_request(request) self.middleware.process_request(request) def _process_response(self, request, response): self.middleware.process_response(request, response) self.session_middleware.process_response(request, response) def test_middleware(self): request = HttpRequest() request.COOKIES['key'] = 'foo' self._process_request(request) self.failIf('key' in request.COOKIES) response = HttpResponse() request = HttpRequest() self._process_request(request) response.set_cookie('key', 'foo') self._process_response(request, response) signed_val = response.cookies['key'].value self.failIfEqual(signed_val, 'foo') request.COOKIES['key'] = signed_val self._process_request(request) self.failUnlessEqual(request.COOKIES['key'], 'foo')
class TestShibbolethRemoteUserMiddleware(TestCase): def setUp(self): self.request_factory = RequestFactory() self.smw = SessionMiddleware() self.amw = AuthenticationMiddleware() self.rmw = RemoteUserMiddleware() self.srmw = middleware.ShibbolethRemoteUserMiddleware() def _process_request_through_middleware(self, request): self.smw.process_request(request) self.amw.process_request(request) self.rmw.process_request(request) return self.srmw.process_request(request) def test_no_remote_user(self): test_request = self.request_factory.get('/') self._process_request_through_middleware(test_request) #shouldn't have done anything - just return because no REMOTE_USER self.assertTrue('shib' not in test_request.session) self.assertFalse(test_request.user.is_authenticated()) def test_remote_user_empty(self): test_request = self.request_factory.get('/', REMOTE_USER='') response = self._process_request_through_middleware(test_request) self.assertTrue('shib' not in test_request.session) self.assertFalse(test_request.user.is_authenticated())
def get_request_with_session(path): """Get request with attached session.""" request_factory = RequestFactory() request = request_factory.get(path) session_middleware = SessionMiddleware() session_middleware.process_request(request) authentication_middleware = AuthenticationMiddleware() authentication_middleware.process_request(request) return request
class FacebookAuthenticationMiddlewareTests(TestCase): def setUp(self): self.factory = RequestFactory() self.session_middleware = SessionMiddleware() self.django_auth_middleware = AuthenticationMiddleware() self.auth_middleware = FacebookAuthenticationMiddleware() def request(self, url='/fb'): request = self.factory.get(url) self.session_middleware.process_request(request) self.django_auth_middleware.process_request(request) return request def test_no_session(self): """ If there is no authenticated session, the user attribute should contain an anonymous user. """ request = self.request() self.auth_middleware.process_request(request) eq_(request.user.is_anonymous(), True) def test_no_matching_user(self): """ If an invalid user id is given in the session, the user attribute should contain an anonymous user. """ request = self.request() request.session[SESSION_KEY] = 9999 self.auth_middleware.process_request(request) eq_(request.user.is_anonymous(), True) def test_user_found(self): """ If there is an authenticated session with an existing user, the specified user should be available via the user attribute. """ request = self.request() user = FacebookUserFactory.create() request.session[SESSION_KEY] = user.id self.auth_middleware.process_request(request) eq_(request.user, user) def test_user_non_fb_app(self): """ If there is an authenticated session with an existing user outside of the app, the specified user should not be a FacebookUser. """ request = self.request(url='/') user = FacebookUserFactory.create() request.session[SESSION_KEY] = user.id self.auth_middleware.process_request(request) ok_(not request.user == user) eq_(request.user.is_anonymous(), True)
class FBLoginRequiredTests(TestCase): def setUp(self): self.factory = RequestFactory() self.session_middleware = SessionMiddleware() self.auth_middleware = AuthenticationMiddleware() def request(self, url='/'): """ Create a mock request object. """ request = self.factory.get(url) self.session_middleware.process_request(request) self.auth_middleware.process_request(request) return request def test_no_auth(self): """ If the user has not been authed, return a redirect to the home page. """ request = self.request() with self.activate('en-US'): response = view(request) eq_(response.status_code, 302) self.assert_viewname_url(response['Location'], 'base.landing') def test_django_auth(self): """ If the user has authed via normal django mechanisms, return a redirect. """ request = self.request() User.objects.create_user('*****@*****.**', '*****@*****.**', 'asdf1234') user = authenticate(username='******', password='******') django_login(request, user) response = view(request) eq_(response.status_code, 302) @patch.object(FacebookUser.objects, 'update_user_info') def test_facebook_auth(self, update_user_info): """ If the user has authed via the Facebook auth mechanism, execute the view. """ request = self.request() user = FacebookUserFactory() fb_login(request, user) response = view(request) eq_(response, True)
class FBLoginRequiredTests(TestCase): def setUp(self): self.factory = RequestFactory() self.session_middleware = SessionMiddleware() self.auth_middleware = AuthenticationMiddleware() def request(self, url='/'): """ Create a mock request object. """ request = self.factory.get(url) self.session_middleware.process_request(request) self.auth_middleware.process_request(request) return request def test_no_auth(self): """ If the user has not been authed, return a redirect to the home page. """ request = self.request() with self.activate('en-US'): response = view(request) eq_(response.status_code, 302) self.assertRedirectsNoFollow(response, reverse('base.home')) def test_django_auth(self): """ If the user has authed via normal django mechanisms, return a redirect. """ request = self.request() User.objects.create_user('*****@*****.**', '*****@*****.**', 'asdf1234') user = authenticate(username='******', password='******') django_login(request, user) response = view(request) eq_(response.status_code, 302) @patch.object(FacebookUser.objects, 'update_user_info') def test_facebook_auth(self, update_user_info): """ If the user has authed via the Facebook auth mechanism, execute the view. """ request = self.request() user = FacebookUserFactory() fb_login(request, user) response = view(request) eq_(response, True)
def test_anon_token_from_cookie(self): rf = django.test.RequestFactory() rf.cookies['anoncsrf'] = self.token cache.set(PREFIX + self.token, 'woo') request = rf.get('/') request.session = {} r = { 'wsgi.input': django.test.client.FakePayload('') } # Hack to set up request middleware. ClientHandler()(self.rf._base_environ(**r)) auth_mw = AuthenticationMiddleware() auth_mw.process_request(request) self.mw.process_view(request, anonymous_csrf(lambda: None), [], {}) self.assertEqual(request.csrf_token, 'woo')
class ApiOauthMiddleware(object): """Middleware which attempts to use OAuth authentication on API requests and cookie-based authentication on normal requests.""" auth_middleware = None def __init__(self): self.auth_middleware = AuthenticationMiddleware() def process_request(self, request): if not default_is_request_api(request): return self.auth_middleware.process_request(request) return None def process_view(self, request, view_func, view_args, view_kwargs): if default_is_request_api(request): request.__class__.user = LazyAnonUser() resource_name = getattr(request, 'oauth_resource_name', None) if CheckOAuth.is_valid_request(request): try: consumer, token, parameters = CheckOAuth.validate_token(request) except OAuthError, e: return None #!! ??return send_oauth_error(e) if resource_name and token.resource.name != resource_name: return send_oauth_error(OAuthError(_('You are not allowed to access this resource.'))) elif consumer and token: if token.user: request.__class__.user = token.user return None
class TestAuthenticationMiddleware(TestCase): def setUp(self): self.user = User.objects.create_user('test_user', '*****@*****.**', 'test_password') self.middleware = AuthenticationMiddleware() self.client.force_login(self.user) self.request = HttpRequest() self.request.session = self.client.session def test_no_password_change_doesnt_invalidate_session(self): self.request.session = self.client.session self.middleware.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertFalse(self.request.user.is_anonymous) def test_changed_password_invalidates_session(self): # After password change, user should be anonymous self.user.set_password('new_password') self.user.save() self.middleware.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertTrue(self.request.user.is_anonymous) # session should be flushed self.assertIsNone(self.request.session.session_key)
class TestAuthenticationMiddleware(TestCase): def setUp(self): self.user = User.objects.create_user('test_user', '*****@*****.**', 'test_password') self.middleware = AuthenticationMiddleware() self.client.force_login(self.user) self.request = HttpRequest() self.request.session = self.client.session def test_no_password_change_doesnt_invalidate_session(self): self.request.session = self.client.session self.middleware.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertFalse(self.request.user.is_anonymous()) def test_changed_password_invalidates_session(self): # After password change, user should be anonymous self.user.set_password('new_password') self.user.save() self.middleware.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertTrue(self.request.user.is_anonymous()) # session should be flushed self.assertIsNone(self.request.session.session_key)
class TestSessionAuthenticationMiddleware(TestCase): def setUp(self): self.user_email = '*****@*****.**' self.user_password = '******' self.user = get_user_model().objects.create_user( self.user_email, self.user_password) self.middleware_auth = AuthenticationMiddleware() self.middleware_session_auth = SessionAuthenticationMiddleware() self.assertTrue( self.client.login( username=self.user_email, password=self.user_password, )) self.request = HttpRequest() self.request.session = self.client.session def test_changed_password_doesnt_invalidate_session(self): # Changing a user's password shouldn't invalidate the session if session # verification isn't activated. session_key = self.request.session.session_key self.middleware_auth.process_request(self.request) self.middleware_session_auth.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertFalse(self.request.user.is_anonymous()) # After password change, user should remain logged in. self.user.set_password('new_password') self.user.save() self.middleware_auth.process_request(self.request) self.middleware_session_auth.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertFalse(self.request.user.is_anonymous()) self.assertEqual(session_key, self.request.session.session_key) def test_changed_password_invalidates_session_with_middleware(self): session_key = self.request.session.session_key with self.modify_settings( MIDDLEWARE_CLASSES= { 'append': [ 'django.contrib.auth.middleware.SessionAuthenticationMiddleware' ] }): # After password change, user should be anonymous self.user.set_password('new_password') self.user.save() self.middleware_auth.process_request(self.request) self.middleware_session_auth.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertTrue(self.request.user.is_anonymous()) # session should be flushed self.assertNotEqual(session_key, self.request.session.session_key)
class TestSessionAuthenticationMiddleware(TestCase): def setUp(self): self.user_email = '*****@*****.**' self.user_password = '******' self.user = get_user_model().objects.create_user( self.user_email, self.user_password) self.middleware_auth = AuthenticationMiddleware() self.middleware_session_auth = SessionAuthenticationMiddleware() self.assertTrue(self.client.login( username=self.user_email, password=self.user_password, )) self.request = HttpRequest() self.request.session = self.client.session def test_changed_password_doesnt_invalidate_session(self): # Changing a user's password shouldn't invalidate the session if session # verification isn't activated. session_key = self.request.session.session_key self.middleware_auth.process_request(self.request) self.middleware_session_auth.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertFalse(self.request.user.is_anonymous()) # After password change, user should remain logged in. self.user.set_password('new_password') self.user.save() self.middleware_auth.process_request(self.request) self.middleware_session_auth.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertFalse(self.request.user.is_anonymous()) self.assertEqual(session_key, self.request.session.session_key) def test_changed_password_invalidates_session_with_middleware(self): session_key = self.request.session.session_key with self.modify_settings(MIDDLEWARE_CLASSES={'append': ['django.contrib.auth.middleware.SessionAuthenticationMiddleware']}): # After password change, user should be anonymous self.user.set_password('new_password') self.user.save() self.middleware_auth.process_request(self.request) self.middleware_session_auth.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertTrue(self.request.user.is_anonymous()) # session should be flushed self.assertNotEqual(session_key, self.request.session.session_key)
class TestSessionAuthenticationMiddleware(TestCase): def setUp(self): self.user_password = "******" self.user = User.objects.create_user("test_user", "*****@*****.**", self.user_password) self.middleware = AuthenticationMiddleware() self.assertTrue(self.client.login(username=self.user.username, password=self.user_password)) self.request = HttpRequest() self.request.session = self.client.session def test_changed_password_doesnt_invalidate_session(self): """ Changing a user's password shouldn't invalidate the session if session verification isn't activated. """ session_key = self.request.session.session_key self.middleware.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertFalse(self.request.user.is_anonymous()) # After password change, user should remain logged in. self.user.set_password("new_password") self.user.save() self.middleware.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertFalse(self.request.user.is_anonymous()) self.assertEqual(session_key, self.request.session.session_key) def test_changed_password_invalidates_session_with_middleware(self): session_key = self.request.session.session_key with self.modify_settings( MIDDLEWARE_CLASSES={"append": ["django.contrib.auth.middleware.SessionAuthenticationMiddleware"]} ): # After password change, user should be anonymous self.user.set_password("new_password") self.user.save() self.middleware.process_request(self.request) self.assertIsNotNone(self.request.user) self.assertTrue(self.request.user.is_anonymous()) # session should be flushed self.assertNotEqual(session_key, self.request.session.session_key)
def setUp(self): self.request = RequestFactory().request() session_middleware = SessionMiddleware() session_middleware.process_request(self.request) auth_middleware = AuthenticationMiddleware() auth_middleware.process_request(self.request)
class FacebookAuthenticationMiddlewareTests(TestCase): def setUp(self): self.factory = RequestFactory() self.session_middleware = SessionMiddleware() self.django_auth_middleware = AuthenticationMiddleware() self.auth_middleware = FacebookAuthenticationMiddleware() def request(self, url='/fb', locale='en-US'): request = self.factory.get(url) self.session_middleware.process_request(request) self.django_auth_middleware.process_request(request) request.META['HTTP_ACCEPT_LANGUAGE'] = locale return request @patch('affiliates.facebook.middleware.activate_locale') def test_no_session(self, activate_locale): """ If there is no authenticated session, the user attribute should contain an anonymous user. """ request = self.request() with patch('affiliates.facebook.middleware.Prefixer') as Prefixer: Prefixer.return_value.get_language.return_value = 'en-US' self.auth_middleware.process_request(request) Prefixer.assert_called_with(request) eq_(request.user.is_anonymous(), True) # Check that the locale from the request was activated. activate_locale.assert_called_once_with(ANY, 'en-US') @patch('affiliates.facebook.middleware.activate_locale') def test_no_matching_user(self, activate_locale): """ If an invalid user id is given in the session, the user attribute should contain an anonymous user. """ request = self.request() request.session[SESSION_KEY] = 9999 with patch('affiliates.facebook.middleware.Prefixer') as Prefixer: Prefixer.return_value.get_language.return_value = 'es' self.auth_middleware.process_request(request) Prefixer.assert_called_with(request) eq_(request.user.is_anonymous(), True) # Check that the locale from the request was activated. activate_locale.assert_called_once_with(ANY, 'es') @patch('affiliates.facebook.middleware.activate_locale') def test_user_found(self, activate_locale): """ If there is an authenticated session with an existing user, the specified user should be available via the user attribute. """ request = self.request() user = FacebookUserFactory.create(locale='fr') request.session[SESSION_KEY] = user.id self.auth_middleware.process_request(request) eq_(request.user, user) # Check that the locale from the user object was activated. activate_locale.assert_called_once_with(ANY, 'fr') @patch('affiliates.facebook.middleware.activate_locale') def test_user_non_fb_app(self, activate_locale): """ If there is an authenticated session with an existing user outside of the app, the specified user should not be a FacebookUser. """ request = self.request(url='/', locale='pt-BR') user = FacebookUserFactory.create() request.session[SESSION_KEY] = user.id self.auth_middleware.process_request(request) ok_(not request.user == user) eq_(request.user.is_anonymous(), True) # Check that the FB locale stuff was never called. eq_(activate_locale.called, False)
class FacebookAuthenticationMiddlewareTests(TestCase): def setUp(self): self.factory = RequestFactory() self.session_middleware = SessionMiddleware() self.django_auth_middleware = AuthenticationMiddleware() self.auth_middleware = FacebookAuthenticationMiddleware() def request(self, url='/fb', locale='en-US'): request = self.factory.get(url) self.session_middleware.process_request(request) self.django_auth_middleware.process_request(request) request.META['HTTP_ACCEPT_LANGUAGE'] = locale return request @patch('facebook.middleware.activate_locale') def test_no_session(self, activate_locale): """ If there is no authenticated session, the user attribute should contain an anonymous user. """ request = self.request() self.auth_middleware.process_request(request) eq_(request.user.is_anonymous(), True) # Check that the locale from the request was activated. activate_locale.assert_called_once_with(ANY, 'en-US') @patch('facebook.middleware.activate_locale') def test_no_matching_user(self, activate_locale): """ If an invalid user id is given in the session, the user attribute should contain an anonymous user. """ request = self.request(locale='es') request.session[SESSION_KEY] = 9999 self.auth_middleware.process_request(request) eq_(request.user.is_anonymous(), True) # Check that the locale from the request was activated. activate_locale.assert_called_once_with(ANY, 'es') @patch('facebook.middleware.activate_locale') def test_user_found(self, activate_locale): """ If there is an authenticated session with an existing user, the specified user should be available via the user attribute. """ request = self.request() user = FacebookUserFactory.create(locale='fr') request.session[SESSION_KEY] = user.id self.auth_middleware.process_request(request) eq_(request.user, user) # Check that the locale from the user object was activated. activate_locale.assert_called_once_with(ANY, 'fr') @patch('facebook.middleware.activate_locale') def test_user_non_fb_app(self, activate_locale): """ If there is an authenticated session with an existing user outside of the app, the specified user should not be a FacebookUser. """ request = self.request(url='/', locale='pt-BR') user = FacebookUserFactory.create() request.session[SESSION_KEY] = user.id self.auth_middleware.process_request(request) ok_(not request.user == user) eq_(request.user.is_anonymous(), True) # Check that the FB locale stuff was never called. eq_(activate_locale.called, False)