class SignedCookiesTest(TestCase):
def setUp(self):
self.middleware = SignedCookiesMiddleware()
self.auth_middleware = AuthenticationMiddleware()
self.session_middleware = SessionMiddleware()
def _process_request(self, request):
self.session_middleware.process_request(request)
self.auth_middleware.process_request(request)
self.middleware.process_request(request)
def _process_response(self, request, response):
self.middleware.process_response(request, response)
self.session_middleware.process_response(request, response)
def test_middleware(self):
request = HttpRequest()
request.COOKIES['key'] = 'foo'
self._process_request(request)
self.failIf('key' in request.COOKIES)
response = HttpResponse()
request = HttpRequest()
self._process_request(request)
response.set_cookie('key', 'foo')
self._process_response(request, response)
signed_val = response.cookies['key'].value
self.failIfEqual(signed_val, 'foo')
request.COOKIES['key'] = signed_val
self._process_request(request)
self.failUnlessEqual(request.COOKIES['key'], 'foo')
class TestShibbolethRemoteUserMiddleware(TestCase):
def setUp(self):
self.request_factory = RequestFactory()
self.smw = SessionMiddleware()
self.amw = AuthenticationMiddleware()
self.rmw = RemoteUserMiddleware()
self.srmw = middleware.ShibbolethRemoteUserMiddleware()
def _process_request_through_middleware(self, request):
self.smw.process_request(request)
self.amw.process_request(request)
self.rmw.process_request(request)
return self.srmw.process_request(request)
def test_no_remote_user(self):
test_request = self.request_factory.get('/')
self._process_request_through_middleware(test_request)
#shouldn't have done anything - just return because no REMOTE_USER
self.assertTrue('shib' not in test_request.session)
self.assertFalse(test_request.user.is_authenticated())
def test_remote_user_empty(self):
test_request = self.request_factory.get('/', REMOTE_USER='')
response = self._process_request_through_middleware(test_request)
self.assertTrue('shib' not in test_request.session)
self.assertFalse(test_request.user.is_authenticated())
def get_request_with_session(path):
"""Get request with attached session."""
request_factory = RequestFactory()
request = request_factory.get(path)
session_middleware = SessionMiddleware()
session_middleware.process_request(request)
authentication_middleware = AuthenticationMiddleware()
authentication_middleware.process_request(request)
return request
class FacebookAuthenticationMiddlewareTests(TestCase):
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.django_auth_middleware = AuthenticationMiddleware()
self.auth_middleware = FacebookAuthenticationMiddleware()
def request(self, url='/fb'):
request = self.factory.get(url)
self.session_middleware.process_request(request)
self.django_auth_middleware.process_request(request)
return request
def test_no_session(self):
"""
If there is no authenticated session, the user attribute should contain
an anonymous user.
"""
request = self.request()
self.auth_middleware.process_request(request)
eq_(request.user.is_anonymous(), True)
def test_no_matching_user(self):
"""
If an invalid user id is given in the session, the user attribute should
contain an anonymous user.
"""
request = self.request()
request.session[SESSION_KEY] = 9999
self.auth_middleware.process_request(request)
eq_(request.user.is_anonymous(), True)
def test_user_found(self):
"""
If there is an authenticated session with an existing user, the
specified user should be available via the user attribute.
"""
request = self.request()
user = FacebookUserFactory.create()
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
eq_(request.user, user)
def test_user_non_fb_app(self):
"""
If there is an authenticated session with an existing user outside of
the app, the specified user should not be a FacebookUser.
"""
request = self.request(url='/')
user = FacebookUserFactory.create()
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
ok_(not request.user == user)
eq_(request.user.is_anonymous(), True)
class FBLoginRequiredTests(TestCase):
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.auth_middleware = AuthenticationMiddleware()
def request(self, url='/'):
"""
Create a mock request object.
"""
request = self.factory.get(url)
self.session_middleware.process_request(request)
self.auth_middleware.process_request(request)
return request
def test_no_auth(self):
"""
If the user has not been authed, return a redirect to the home page.
"""
request = self.request()
with self.activate('en-US'):
response = view(request)
eq_(response.status_code, 302)
self.assert_viewname_url(response['Location'], 'base.landing')
def test_django_auth(self):
"""
If the user has authed via normal django mechanisms, return a redirect.
"""
request = self.request()
User.objects.create_user('*****@*****.**', '*****@*****.**',
'asdf1234')
user = authenticate(username='******', password='******')
django_login(request, user)
response = view(request)
eq_(response.status_code, 302)
@patch.object(FacebookUser.objects, 'update_user_info')
def test_facebook_auth(self, update_user_info):
"""
If the user has authed via the Facebook auth mechanism, execute the
view.
"""
request = self.request()
user = FacebookUserFactory()
fb_login(request, user)
response = view(request)
eq_(response, True)
class FBLoginRequiredTests(TestCase):
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.auth_middleware = AuthenticationMiddleware()
def request(self, url='/'):
"""
Create a mock request object.
"""
request = self.factory.get(url)
self.session_middleware.process_request(request)
self.auth_middleware.process_request(request)
return request
def test_no_auth(self):
"""
If the user has not been authed, return a redirect to the home page.
"""
request = self.request()
with self.activate('en-US'):
response = view(request)
eq_(response.status_code, 302)
self.assertRedirectsNoFollow(response, reverse('base.home'))
def test_django_auth(self):
"""
If the user has authed via normal django mechanisms, return a redirect.
"""
request = self.request()
User.objects.create_user('*****@*****.**', '*****@*****.**',
'asdf1234')
user = authenticate(username='******', password='******')
django_login(request, user)
response = view(request)
eq_(response.status_code, 302)
@patch.object(FacebookUser.objects, 'update_user_info')
def test_facebook_auth(self, update_user_info):
"""
If the user has authed via the Facebook auth mechanism, execute the
view.
"""
request = self.request()
user = FacebookUserFactory()
fb_login(request, user)
response = view(request)
eq_(response, True)
def test_anon_token_from_cookie(self):
rf = django.test.RequestFactory()
rf.cookies['anoncsrf'] = self.token
cache.set(PREFIX + self.token, 'woo')
request = rf.get('/')
request.session = {}
r = {
'wsgi.input': django.test.client.FakePayload('')
}
# Hack to set up request middleware.
ClientHandler()(self.rf._base_environ(**r))
auth_mw = AuthenticationMiddleware()
auth_mw.process_request(request)
self.mw.process_view(request, anonymous_csrf(lambda: None), [], {})
self.assertEqual(request.csrf_token, 'woo')
class ApiOauthMiddleware(object):
"""Middleware which attempts to use OAuth authentication on API
requests and cookie-based authentication on normal requests."""
auth_middleware = None
def __init__(self):
self.auth_middleware = AuthenticationMiddleware()
def process_request(self, request):
if not default_is_request_api(request):
return self.auth_middleware.process_request(request)
return None
def process_view(self, request, view_func, view_args, view_kwargs):
if default_is_request_api(request):
request.__class__.user = LazyAnonUser()
resource_name = getattr(request, 'oauth_resource_name', None)
if CheckOAuth.is_valid_request(request):
try:
consumer, token, parameters = CheckOAuth.validate_token(request)
except OAuthError, e:
return None
#!! ??return send_oauth_error(e)
if resource_name and token.resource.name != resource_name:
return send_oauth_error(OAuthError(_('You are not allowed to access this resource.')))
elif consumer and token:
if token.user:
request.__class__.user = token.user
return None
class TestAuthenticationMiddleware(TestCase):
def setUp(self):
self.user = User.objects.create_user('test_user', '*****@*****.**', 'test_password')
self.middleware = AuthenticationMiddleware()
self.client.force_login(self.user)
self.request = HttpRequest()
self.request.session = self.client.session
def test_no_password_change_doesnt_invalidate_session(self):
self.request.session = self.client.session
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous)
def test_changed_password_invalidates_session(self):
# After password change, user should be anonymous
self.user.set_password('new_password')
self.user.save()
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous)
# session should be flushed
self.assertIsNone(self.request.session.session_key)
class TestAuthenticationMiddleware(TestCase):
def setUp(self):
self.user = User.objects.create_user('test_user', '*****@*****.**', 'test_password')
self.middleware = AuthenticationMiddleware()
self.client.force_login(self.user)
self.request = HttpRequest()
self.request.session = self.client.session
def test_no_password_change_doesnt_invalidate_session(self):
self.request.session = self.client.session
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
def test_changed_password_invalidates_session(self):
# After password change, user should be anonymous
self.user.set_password('new_password')
self.user.save()
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous())
# session should be flushed
self.assertIsNone(self.request.session.session_key)
class TestSessionAuthenticationMiddleware(TestCase):
def setUp(self):
self.user_email = '*****@*****.**'
self.user_password = '******'
self.user = get_user_model().objects.create_user(
self.user_email, self.user_password)
self.middleware_auth = AuthenticationMiddleware()
self.middleware_session_auth = SessionAuthenticationMiddleware()
self.assertTrue(
self.client.login(
username=self.user_email,
password=self.user_password,
))
self.request = HttpRequest()
self.request.session = self.client.session
def test_changed_password_doesnt_invalidate_session(self):
# Changing a user's password shouldn't invalidate the session if session
# verification isn't activated.
session_key = self.request.session.session_key
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
# After password change, user should remain logged in.
self.user.set_password('new_password')
self.user.save()
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
self.assertEqual(session_key, self.request.session.session_key)
def test_changed_password_invalidates_session_with_middleware(self):
session_key = self.request.session.session_key
with self.modify_settings(
MIDDLEWARE_CLASSES=
{
'append': [
'django.contrib.auth.middleware.SessionAuthenticationMiddleware'
]
}):
# After password change, user should be anonymous
self.user.set_password('new_password')
self.user.save()
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous())
# session should be flushed
self.assertNotEqual(session_key, self.request.session.session_key)
class TestSessionAuthenticationMiddleware(TestCase):
def setUp(self):
self.user_email = '*****@*****.**'
self.user_password = '******'
self.user = get_user_model().objects.create_user(
self.user_email,
self.user_password)
self.middleware_auth = AuthenticationMiddleware()
self.middleware_session_auth = SessionAuthenticationMiddleware()
self.assertTrue(self.client.login(
username=self.user_email,
password=self.user_password,
))
self.request = HttpRequest()
self.request.session = self.client.session
def test_changed_password_doesnt_invalidate_session(self):
# Changing a user's password shouldn't invalidate the session if session
# verification isn't activated.
session_key = self.request.session.session_key
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
# After password change, user should remain logged in.
self.user.set_password('new_password')
self.user.save()
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
self.assertEqual(session_key, self.request.session.session_key)
def test_changed_password_invalidates_session_with_middleware(self):
session_key = self.request.session.session_key
with self.modify_settings(MIDDLEWARE_CLASSES={'append': ['django.contrib.auth.middleware.SessionAuthenticationMiddleware']}):
# After password change, user should be anonymous
self.user.set_password('new_password')
self.user.save()
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous())
# session should be flushed
self.assertNotEqual(session_key, self.request.session.session_key)
class TestSessionAuthenticationMiddleware(TestCase):
def setUp(self):
self.user_password = "******"
self.user = User.objects.create_user("test_user", "*****@*****.**", self.user_password)
self.middleware = AuthenticationMiddleware()
self.assertTrue(self.client.login(username=self.user.username, password=self.user_password))
self.request = HttpRequest()
self.request.session = self.client.session
def test_changed_password_doesnt_invalidate_session(self):
"""
Changing a user's password shouldn't invalidate the session if session
verification isn't activated.
"""
session_key = self.request.session.session_key
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
# After password change, user should remain logged in.
self.user.set_password("new_password")
self.user.save()
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
self.assertEqual(session_key, self.request.session.session_key)
def test_changed_password_invalidates_session_with_middleware(self):
session_key = self.request.session.session_key
with self.modify_settings(
MIDDLEWARE_CLASSES={"append": ["django.contrib.auth.middleware.SessionAuthenticationMiddleware"]}
):
# After password change, user should be anonymous
self.user.set_password("new_password")
self.user.save()
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous())
# session should be flushed
self.assertNotEqual(session_key, self.request.session.session_key)
def setUp(self):
self.request = RequestFactory().request()
session_middleware = SessionMiddleware()
session_middleware.process_request(self.request)
auth_middleware = AuthenticationMiddleware()
auth_middleware.process_request(self.request)
class FacebookAuthenticationMiddlewareTests(TestCase):
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.django_auth_middleware = AuthenticationMiddleware()
self.auth_middleware = FacebookAuthenticationMiddleware()
def request(self, url='/fb', locale='en-US'):
request = self.factory.get(url)
self.session_middleware.process_request(request)
self.django_auth_middleware.process_request(request)
request.META['HTTP_ACCEPT_LANGUAGE'] = locale
return request
@patch('affiliates.facebook.middleware.activate_locale')
def test_no_session(self, activate_locale):
"""
If there is no authenticated session, the user attribute should contain
an anonymous user.
"""
request = self.request()
with patch('affiliates.facebook.middleware.Prefixer') as Prefixer:
Prefixer.return_value.get_language.return_value = 'en-US'
self.auth_middleware.process_request(request)
Prefixer.assert_called_with(request)
eq_(request.user.is_anonymous(), True)
# Check that the locale from the request was activated.
activate_locale.assert_called_once_with(ANY, 'en-US')
@patch('affiliates.facebook.middleware.activate_locale')
def test_no_matching_user(self, activate_locale):
"""
If an invalid user id is given in the session, the user attribute should
contain an anonymous user.
"""
request = self.request()
request.session[SESSION_KEY] = 9999
with patch('affiliates.facebook.middleware.Prefixer') as Prefixer:
Prefixer.return_value.get_language.return_value = 'es'
self.auth_middleware.process_request(request)
Prefixer.assert_called_with(request)
eq_(request.user.is_anonymous(), True)
# Check that the locale from the request was activated.
activate_locale.assert_called_once_with(ANY, 'es')
@patch('affiliates.facebook.middleware.activate_locale')
def test_user_found(self, activate_locale):
"""
If there is an authenticated session with an existing user, the
specified user should be available via the user attribute.
"""
request = self.request()
user = FacebookUserFactory.create(locale='fr')
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
eq_(request.user, user)
# Check that the locale from the user object was activated.
activate_locale.assert_called_once_with(ANY, 'fr')
@patch('affiliates.facebook.middleware.activate_locale')
def test_user_non_fb_app(self, activate_locale):
"""
If there is an authenticated session with an existing user outside of
the app, the specified user should not be a FacebookUser.
"""
request = self.request(url='/', locale='pt-BR')
user = FacebookUserFactory.create()
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
ok_(not request.user == user)
eq_(request.user.is_anonymous(), True)
# Check that the FB locale stuff was never called.
eq_(activate_locale.called, False)
class FacebookAuthenticationMiddlewareTests(TestCase):
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.django_auth_middleware = AuthenticationMiddleware()
self.auth_middleware = FacebookAuthenticationMiddleware()
def request(self, url='/fb', locale='en-US'):
request = self.factory.get(url)
self.session_middleware.process_request(request)
self.django_auth_middleware.process_request(request)
request.META['HTTP_ACCEPT_LANGUAGE'] = locale
return request
@patch('facebook.middleware.activate_locale')
def test_no_session(self, activate_locale):
"""
If there is no authenticated session, the user attribute should contain
an anonymous user.
"""
request = self.request()
self.auth_middleware.process_request(request)
eq_(request.user.is_anonymous(), True)
# Check that the locale from the request was activated.
activate_locale.assert_called_once_with(ANY, 'en-US')
@patch('facebook.middleware.activate_locale')
def test_no_matching_user(self, activate_locale):
"""
If an invalid user id is given in the session, the user attribute should
contain an anonymous user.
"""
request = self.request(locale='es')
request.session[SESSION_KEY] = 9999
self.auth_middleware.process_request(request)
eq_(request.user.is_anonymous(), True)
# Check that the locale from the request was activated.
activate_locale.assert_called_once_with(ANY, 'es')
@patch('facebook.middleware.activate_locale')
def test_user_found(self, activate_locale):
"""
If there is an authenticated session with an existing user, the
specified user should be available via the user attribute.
"""
request = self.request()
user = FacebookUserFactory.create(locale='fr')
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
eq_(request.user, user)
# Check that the locale from the user object was activated.
activate_locale.assert_called_once_with(ANY, 'fr')
@patch('facebook.middleware.activate_locale')
def test_user_non_fb_app(self, activate_locale):
"""
If there is an authenticated session with an existing user outside of
the app, the specified user should not be a FacebookUser.
"""
request = self.request(url='/', locale='pt-BR')
user = FacebookUserFactory.create()
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
ok_(not request.user == user)
eq_(request.user.is_anonymous(), True)
# Check that the FB locale stuff was never called.
eq_(activate_locale.called, False)
