def test_exception_shib_login(self): """ Tests that we get the error page when there is no REMOTE_USER or Shib-Identity-Provider in request.META """ no_remote_user_request = self.request_factory.get('/shib-login') no_remote_user_request.META.update({'Shib-Identity-Provider': IDP}) no_remote_user_response = shib_login(no_remote_user_request) self.assertEqual(no_remote_user_response.status_code, 403) self.assertIn("identity server did not return your ID information", no_remote_user_response.content) no_idp_request = self.request_factory.get('/shib-login') no_idp_request.META.update({'REMOTE_USER': REMOTE_USER}) no_idp_response = shib_login(no_idp_request) self.assertEqual(no_idp_response.status_code, 403) self.assertIn("identity server did not return your ID information", no_idp_response.content)
def _base_test_extauth_auto_activate_user_with_flag(self, log_user_string="*****@*****.**"): """ Tests that FEATURES['BYPASS_ACTIVATION_EMAIL_FOR_EXTAUTH'] means extauth automatically linked users, activates them, and logs them in """ inactive_user = UserFactory.create(email='*****@*****.**') inactive_user.is_active = False inactive_user.save() request = self.request_factory.get('/shib-login') request.session = import_module(settings.SESSION_ENGINE).SessionStore() # empty session request.META.update({ 'Shib-Identity-Provider': 'https://idp.stanford.edu/', 'REMOTE_USER': '******', 'mail': '*****@*****.**' }) request.user = AnonymousUser() with patch('external_auth.views.AUDIT_LOG') as mock_audit_log: response = shib_login(request) audit_log_calls = mock_audit_log.method_calls # reload user from db, since the view function works via db side-effects inactive_user = User.objects.get(id=inactive_user.id) self.assertIsNotNone(ExternalAuthMap.objects.get(user=inactive_user)) self.assertTrue(inactive_user.is_active) self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, inactive_user) self.assertEqual(response['Location'], '/dashboard') # verify logging: self.assertEquals(len(audit_log_calls), 3) self._assert_shib_login_is_logged(audit_log_calls[0], log_user_string) method_name, args, _kwargs = audit_log_calls[2] self.assertEquals(method_name, 'info') self.assertEquals(len(args), 1) self.assertIn(u'Login success', args[0]) self.assertIn(log_user_string, args[0])
def test_shib_login(self): """ Tests that: * shib credentials that match an existing ExternalAuthMap with a linked user logs the user in * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user without an existing ExternalAuthMap links the two and log the user in * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user that already has an ExternalAuthMap causes an error (403) * shib credentials that do not match an existing ExternalAuthMap causes the registration form to appear """ user_w_map = UserFactory.create(email='*****@*****.**') extauth = ExternalAuthMap( external_id='*****@*****.**', external_email='', external_domain='shib:https://idp.stanford.edu/', external_credentials="", user=user_w_map) user_wo_map = UserFactory.create(email='*****@*****.**') user_w_map.save() user_wo_map.save() extauth.save() idps = ['https://idp.stanford.edu/', 'https://someother.idp.com/'] remote_users = [ '*****@*****.**', '*****@*****.**', 'testuser2@someother_idp.com' ] for idp in idps: for remote_user in remote_users: request = self.request_factory.get('/shib-login') request.session = import_module( settings.SESSION_ENGINE).SessionStore() # empty session request.META.update({ 'Shib-Identity-Provider': idp, 'REMOTE_USER': remote_user, 'mail': remote_user }) request.user = AnonymousUser() response = shib_login(request) if idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_w_map) self.assertEqual(response['Location'], '/') elif idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertIsNotNone( ExternalAuthMap.objects.get(user=user_wo_map)) self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_wo_map) self.assertEqual(response['Location'], '/') elif idp == "https://someother.idp.com/" and remote_user in \ ['*****@*****.**', '*****@*****.**']: self.assertEqual(response.status_code, 403) self.assertIn( "You have already created an account using an external login", response.content) else: self.assertEqual(response.status_code, 200) self.assertContains(response, "<title>Register for")
def _base_test_extauth_auto_activate_user_with_flag(self, log_user_string="*****@*****.**"): """ Tests that FEATURES['BYPASS_ACTIVATION_EMAIL_FOR_EXTAUTH'] means extauth automatically linked users, activates them, and logs them in """ inactive_user = UserFactory.create(email='*****@*****.**') inactive_user.is_active = False inactive_user.save() request = self.request_factory.get('/shib-login') request.session = import_module(settings.SESSION_ENGINE).SessionStore() # empty session request.META.update({ 'Shib-Identity-Provider': 'https://idp.stanford.edu/', 'REMOTE_USER': '******', 'mail': '*****@*****.**' }) request.user = AnonymousUser() with patch('external_auth.views.AUDIT_LOG') as mock_audit_log: response = shib_login(request) audit_log_calls = mock_audit_log.method_calls # reload user from db, since the view function works via db side-effects inactive_user = User.objects.get(id=inactive_user.id) self.assertIsNotNone(ExternalAuthMap.objects.get(user=inactive_user)) self.assertTrue(inactive_user.is_active) self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, inactive_user) self.assertEqual(response['Location'], '/') # verify logging: self.assertEquals(len(audit_log_calls), 3) self._assert_shib_login_is_logged(audit_log_calls[0], log_user_string) method_name, args, _kwargs = audit_log_calls[2] self.assertEquals(method_name, 'info') self.assertEquals(len(args), 1) self.assertIn(u'Login success', args[0]) self.assertIn(log_user_string, args[0])
def test_exception_shib_login(self): """ Tests that we get the error page when there is no REMOTE_USER or Shib-Identity-Provider in request.META """ no_remote_user_request = self.request_factory.get("/shib-login") no_remote_user_request.META.update({"Shib-Identity-Provider": IDP}) no_remote_user_request.user = AnonymousUser() mako_middleware_process_request(no_remote_user_request) no_remote_user_response = shib_login(no_remote_user_request) self.assertEqual(no_remote_user_response.status_code, 403) self.assertIn("identity server did not return your ID information", no_remote_user_response.content) no_idp_request = self.request_factory.get("/shib-login") no_idp_request.META.update({"REMOTE_USER": REMOTE_USER}) no_idp_response = shib_login(no_idp_request) self.assertEqual(no_idp_response.status_code, 403) self.assertIn("identity server did not return your ID information", no_idp_response.content)
def test_shib_login(self): """ Tests that: * shib credentials that match an existing ExternalAuthMap with a linked user logs the user in * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user without an existing ExternalAuthMap links the two and log the user in * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user that already has an ExternalAuthMap causes an error (403) * shib credentials that do not match an existing ExternalAuthMap causes the registration form to appear """ user_w_map = UserFactory.create(email='*****@*****.**') extauth = ExternalAuthMap(external_id='*****@*****.**', external_email='', external_domain='shib:https://idp.stanford.edu/', external_credentials="", user=user_w_map) user_wo_map = UserFactory.create(email='*****@*****.**') user_w_map.save() user_wo_map.save() extauth.save() idps = ['https://idp.stanford.edu/', 'https://someother.idp.com/'] remote_users = ['*****@*****.**', '*****@*****.**', 'testuser2@someother_idp.com'] for idp in idps: for remote_user in remote_users: request = self.request_factory.get('/shib-login') request.session = import_module(settings.SESSION_ENGINE).SessionStore() # empty session request.META.update({'Shib-Identity-Provider': idp, 'REMOTE_USER': remote_user, 'mail': remote_user}) request.user = AnonymousUser() response = shib_login(request) if idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_w_map) self.assertEqual(response['Location'], '/') elif idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertIsNotNone(ExternalAuthMap.objects.get(user=user_wo_map)) self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_wo_map) self.assertEqual(response['Location'], '/') elif idp == "https://someother.idp.com/" and remote_user in \ ['*****@*****.**', '*****@*****.**']: self.assertEqual(response.status_code, 403) self.assertIn("You have already created an account using an external login", response.content) else: self.assertEqual(response.status_code, 200) self.assertContains(response, "<title>Register for")
def test_shib_login(self): """ Tests that: * shib credentials that match an existing ExternalAuthMap with a linked active user logs the user in * shib credentials that match an existing ExternalAuthMap with a linked inactive user shows error page * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user without an existing ExternalAuthMap links the two and log the user in * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user that already has an ExternalAuthMap causes an error (403) * shib credentials that do not match an existing ExternalAuthMap causes the registration form to appear """ user_w_map = UserFactory.create(email='*****@*****.**') extauth = ExternalAuthMap(external_id='*****@*****.**', external_email='', external_domain='shib:https://idp.stanford.edu/', external_credentials="", user=user_w_map) user_wo_map = UserFactory.create(email='*****@*****.**') user_w_map.save() user_wo_map.save() extauth.save() inactive_user = UserFactory.create(email='*****@*****.**') inactive_user.is_active = False inactive_extauth = ExternalAuthMap(external_id='*****@*****.**', external_email='', external_domain='shib:https://idp.stanford.edu/', external_credentials="", user=inactive_user) inactive_user.save() inactive_extauth.save() idps = ['https://idp.stanford.edu/', 'https://someother.idp.com/'] remote_users = ['*****@*****.**', '*****@*****.**', 'testuser2@someother_idp.com', '*****@*****.**'] for idp in idps: for remote_user in remote_users: request = self.request_factory.get('/shib-login') request.session = import_module(settings.SESSION_ENGINE).SessionStore() # empty session request.META.update({'Shib-Identity-Provider': idp, 'REMOTE_USER': remote_user, 'mail': remote_user}) request.user = AnonymousUser() mako_middleware_process_request(request) with patch('external_auth.views.AUDIT_LOG') as mock_audit_log: response = shib_login(request) audit_log_calls = mock_audit_log.method_calls if idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_w_map) self.assertEqual(response['Location'], '/dashboard') # verify logging: self.assertEquals(len(audit_log_calls), 2) self._assert_shib_login_is_logged(audit_log_calls[0], remote_user) method_name, args, _kwargs = audit_log_calls[1] self.assertEquals(method_name, 'info') self.assertEquals(len(args), 1) self.assertIn(u'Login success', args[0]) self.assertIn(remote_user, args[0]) elif idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertEqual(response.status_code, 403) self.assertIn("Account not yet activated: please look for link in your email", response.content) # verify logging: self.assertEquals(len(audit_log_calls), 2) self._assert_shib_login_is_logged(audit_log_calls[0], remote_user) method_name, args, _kwargs = audit_log_calls[1] self.assertEquals(method_name, 'warning') self.assertEquals(len(args), 1) self.assertIn(u'is not active after external login', args[0]) # self.assertEquals(remote_user, args[1]) elif idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertIsNotNone(ExternalAuthMap.objects.get(user=user_wo_map)) self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_wo_map) self.assertEqual(response['Location'], '/dashboard') # verify logging: self.assertEquals(len(audit_log_calls), 2) self._assert_shib_login_is_logged(audit_log_calls[0], remote_user) method_name, args, _kwargs = audit_log_calls[1] self.assertEquals(method_name, 'info') self.assertEquals(len(args), 1) self.assertIn(u'Login success', args[0]) self.assertIn(remote_user, args[0]) elif idp == "https://someother.idp.com/" and remote_user in \ ['*****@*****.**', '*****@*****.**', '*****@*****.**']: self.assertEqual(response.status_code, 403) self.assertIn("You have already created an account using an external login", response.content) # no audit logging calls self.assertEquals(len(audit_log_calls), 0) else: self.assertEqual(response.status_code, 200) self.assertContains(response, ("Preferences for {platform_name}" .format(platform_name=settings.PLATFORM_NAME))) # no audit logging calls self.assertEquals(len(audit_log_calls), 0)
def test_shib_login(self): """ Tests that: * shib credentials that match an existing ExternalAuthMap with a linked active user logs the user in * shib credentials that match an existing ExternalAuthMap with a linked inactive user shows error page * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user without an existing ExternalAuthMap links the two and log the user in * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user that already has an ExternalAuthMap causes an error (403) * shib credentials that do not match an existing ExternalAuthMap causes the registration form to appear """ user_w_map = UserFactory.create(email='*****@*****.**') extauth = ExternalAuthMap( external_id='*****@*****.**', external_email='', external_domain='shib:https://idp.stanford.edu/', external_credentials="", user=user_w_map) user_wo_map = UserFactory.create(email='*****@*****.**') user_w_map.save() user_wo_map.save() extauth.save() inactive_user = UserFactory.create(email='*****@*****.**') inactive_user.is_active = False inactive_extauth = ExternalAuthMap( external_id='*****@*****.**', external_email='', external_domain='shib:https://idp.stanford.edu/', external_credentials="", user=inactive_user) inactive_user.save() inactive_extauth.save() idps = ['https://idp.stanford.edu/', 'https://someother.idp.com/'] remote_users = [ '*****@*****.**', '*****@*****.**', 'testuser2@someother_idp.com', '*****@*****.**' ] for idp in idps: for remote_user in remote_users: request = self.request_factory.get('/shib-login') request.session = import_module( settings.SESSION_ENGINE).SessionStore() # empty session request.META.update({ 'Shib-Identity-Provider': idp, 'REMOTE_USER': remote_user, 'mail': remote_user }) request.user = AnonymousUser() with patch('external_auth.views.AUDIT_LOG') as mock_audit_log: response = shib_login(request) audit_log_calls = mock_audit_log.method_calls if idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_w_map) self.assertEqual(response['Location'], '/') # verify logging: self.assertEquals(len(audit_log_calls), 2) self._assert_shib_login_is_logged(audit_log_calls[0], remote_user) method_name, args, _kwargs = audit_log_calls[1] self.assertEquals(method_name, 'info') self.assertEquals(len(args), 3) self.assertIn(u'Login success', args[0]) self.assertEquals(remote_user, args[2]) elif idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertEqual(response.status_code, 403) self.assertIn( "Account not yet activated: please look for link in your email", response.content) # verify logging: self.assertEquals(len(audit_log_calls), 2) self._assert_shib_login_is_logged(audit_log_calls[0], remote_user) method_name, args, _kwargs = audit_log_calls[1] self.assertEquals(method_name, 'warning') self.assertEquals(len(args), 2) self.assertIn(u'is not active after external login', args[0]) # self.assertEquals(remote_user, args[1]) elif idp == "https://idp.stanford.edu/" and remote_user == '*****@*****.**': self.assertIsNotNone( ExternalAuthMap.objects.get(user=user_wo_map)) self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_wo_map) self.assertEqual(response['Location'], '/') # verify logging: self.assertEquals(len(audit_log_calls), 2) self._assert_shib_login_is_logged(audit_log_calls[0], remote_user) method_name, args, _kwargs = audit_log_calls[1] self.assertEquals(method_name, 'info') self.assertEquals(len(args), 3) self.assertIn(u'Login success', args[0]) self.assertEquals(remote_user, args[2]) elif idp == "https://someother.idp.com/" and remote_user in \ ['*****@*****.**', '*****@*****.**', '*****@*****.**']: self.assertEqual(response.status_code, 403) self.assertIn( "You have already created an account using an external login", response.content) # no audit logging calls self.assertEquals(len(audit_log_calls), 0) else: self.assertEqual(response.status_code, 200) self.assertContains( response, ("<title>Preferences for {platform_name}</title>". format(platform_name=settings.PLATFORM_NAME))) # no audit logging calls self.assertEquals(len(audit_log_calls), 0)
def test_shib_login(self): """ Tests that: * shib credentials that match an existing ExternalAuthMap with a linked active user logs the user in * shib credentials that match an existing ExternalAuthMap with a linked inactive user shows error page * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user without an existing ExternalAuthMap links the two and log the user in * shib credentials that match an existing ExternalAuthMap without a linked user and also match the email of an existing user that already has an ExternalAuthMap causes an error (403) * shib credentials that do not match an existing ExternalAuthMap causes the registration form to appear """ user_w_map = UserFactory.create(email="*****@*****.**") extauth = ExternalAuthMap( external_id="*****@*****.**", external_email="", external_domain="shib:https://idp.stanford.edu/", external_credentials="", user=user_w_map, ) user_wo_map = UserFactory.create(email="*****@*****.**") user_w_map.save() user_wo_map.save() extauth.save() inactive_user = UserFactory.create(email="*****@*****.**") inactive_user.is_active = False inactive_extauth = ExternalAuthMap( external_id="*****@*****.**", external_email="", external_domain="shib:https://idp.stanford.edu/", external_credentials="", user=inactive_user, ) inactive_user.save() inactive_extauth.save() idps = ["https://idp.stanford.edu/", "https://someother.idp.com/"] remote_users = [ "*****@*****.**", "*****@*****.**", "testuser2@someother_idp.com", "*****@*****.**", ] for idp in idps: for remote_user in remote_users: request = self.request_factory.get("/shib-login") request.session = import_module(settings.SESSION_ENGINE).SessionStore() # empty session request.META.update({"Shib-Identity-Provider": idp, "REMOTE_USER": remote_user, "mail": remote_user}) request.user = AnonymousUser() with patch("external_auth.views.AUDIT_LOG") as mock_audit_log: response = shib_login(request) audit_log_calls = mock_audit_log.method_calls if idp == "https://idp.stanford.edu/" and remote_user == "*****@*****.**": self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_w_map) self.assertEqual(response["Location"], "/") # verify logging: self.assertEquals(len(audit_log_calls), 2) self._assert_shib_login_is_logged(audit_log_calls[0], remote_user) method_name, args, _kwargs = audit_log_calls[1] self.assertEquals(method_name, "info") self.assertEquals(len(args), 3) self.assertIn(u"Login success", args[0]) self.assertEquals(remote_user, args[2]) elif idp == "https://idp.stanford.edu/" and remote_user == "*****@*****.**": self.assertEqual(response.status_code, 403) self.assertIn("Account not yet activated: please look for link in your email", response.content) # verify logging: self.assertEquals(len(audit_log_calls), 2) self._assert_shib_login_is_logged(audit_log_calls[0], remote_user) method_name, args, _kwargs = audit_log_calls[1] self.assertEquals(method_name, "warning") self.assertEquals(len(args), 2) self.assertIn(u"is not active after external login", args[0]) # self.assertEquals(remote_user, args[1]) elif idp == "https://idp.stanford.edu/" and remote_user == "*****@*****.**": self.assertIsNotNone(ExternalAuthMap.objects.get(user=user_wo_map)) self.assertIsInstance(response, HttpResponseRedirect) self.assertEqual(request.user, user_wo_map) self.assertEqual(response["Location"], "/") # verify logging: self.assertEquals(len(audit_log_calls), 2) self._assert_shib_login_is_logged(audit_log_calls[0], remote_user) method_name, args, _kwargs = audit_log_calls[1] self.assertEquals(method_name, "info") self.assertEquals(len(args), 3) self.assertIn(u"Login success", args[0]) self.assertEquals(remote_user, args[2]) elif idp == "https://someother.idp.com/" and remote_user in [ "*****@*****.**", "*****@*****.**", "*****@*****.**", ]: self.assertEqual(response.status_code, 403) self.assertIn("You have already created an account using an external login", response.content) # no audit logging calls self.assertEquals(len(audit_log_calls), 0) else: self.assertEqual(response.status_code, 200) self.assertContains( response, ("<title>Preferences for {platform_name}</title>".format(platform_name=settings.PLATFORM_NAME)), ) # no audit logging calls self.assertEquals(len(audit_log_calls), 0)