def test_single_session_per_whistleblower(self): """ Asserts that the first_id is dropped from Sessions and requests using that session id are rejected """ yield self.perform_full_submission_actions() handler = self.request({'receipt': self.lastReceipt}) handler.request.client_using_tor = True response = yield handler.post() first_id = response['session_id'] wbtip_handler = self.request(headers={'x-session': first_id}, handler_cls=WBTipInstance) yield wbtip_handler.get() response = yield handler.post() second_id = response['session_id'] wbtip_handler = self.request(headers={'x-session': first_id}, handler_cls=WBTipInstance) yield self.assertRaises(errors.NotAuthenticated, wbtip_handler.get) self.assertTrue(Sessions.get(first_id) is None) valid_session = Sessions.get(second_id) self.assertTrue(valid_session is not None) self.assertEqual(valid_session.user_role, 'whistleblower') wbtip_handler = self.request(headers={'x-session': second_id}, handler_cls=WBTipInstance) yield wbtip_handler.get()
def test_single_session_per_whistleblower(self): """ Asserts that the first_id is dropped from Sessions and requests using that session id are rejected """ yield self.perform_full_submission_actions() handler = self.request({ 'receipt': self.dummySubmission['receipt'] }) handler.request.client_using_tor = True response = yield handler.post() first_id = response['session_id'] wbtip_handler = self.request(headers={'x-session': first_id}, handler_cls=WBTipInstance) yield wbtip_handler.get() response = yield handler.post() second_id = response['session_id'] wbtip_handler = self.request(headers={'x-session': first_id}, handler_cls=WBTipInstance) yield self.assertRaises(errors.NotAuthenticated, wbtip_handler.get) self.assertTrue(Sessions.get(first_id) is None) valid_session = Sessions.get(second_id) self.assertTrue(valid_session is not None) self.assertEqual(valid_session.user_role, 'whistleblower') wbtip_handler = self.request(headers={'x-session': second_id}, handler_cls=WBTipInstance) yield wbtip_handler.get()
def test_single_session_per_user(self): handler = self.request({ 'tid': 1, 'username': '******', 'password': helpers.VALID_PASSWORD1 }) r1 = yield handler.post() r2 = yield handler.post() self.assertTrue(Sessions.get(r1['session_id']) is None) self.assertTrue(Sessions.get(r2['session_id']) is not None)
def test_single_session_per_user(self): handler = self.request({ 'tid': 1, 'username': '******', 'password': helpers.VALID_PASSWORD1, 'authcode': '' }) r1 = yield handler.post() r2 = yield handler.post() self.assertTrue(Sessions.get(r1['session_id']) is None) self.assertTrue(Sessions.get(r2['session_id']) is not None)
def post(self): request = self.validate_message(self.request.content.read(), requests.TokenAuthDesc) tid = int(request['tid']) if tid == 0: tid = self.request.tid delay = random_login_delay() if delay: yield deferred_sleep(delay) session = Sessions.get(request['token']) if session is None or session.tid != tid: Settings.failed_login_attempts += 1 raise errors.InvalidAuthentication connection_check(self.request.client_ip, tid, session.user_role, self.request.client_using_tor) session = Sessions.regenerate(session.id) log.debug("Login: Success (%s)" % session.user_role) if tid != self.request.tid: returnValue({ 'redirect': 'https://%s/#/login?token=%s' % (State.tenant_cache[tid].hostname, session.id) }) returnValue(session.serialize())
def post(self): request = self.validate_message(self.request.content.read(), requests.TokenAuthDesc) tid = int(request['tid']) if tid == 0: tid = self.request.tid delay = random_login_delay() if delay: yield deferred_sleep(delay) session = Sessions.get(request['token']) if session is None or session.tid != tid: Settings.failed_login_attempts += 1 raise errors.InvalidAuthentication connection_check(self.request.client_ip, tid, session.user_role, self.request.client_using_tor) session = Sessions.regenerate(session.id) log.debug("Login: Success (%s)" % session.user_role) if tid != self.request.tid: returnValue({ 'redirect': 'https://%s/#/login?token=%s' % (State.tenant_cache[tid].hostname, session.id) }) returnValue(session.serialize())
def get_current_user(self): # Check for the session header session_id = self.request.headers.get(b'x-session') if session_id is None: return session = Sessions.get(session_id.decode()) if session is not None and session.tid == self.request.tid: self.request.current_user = session if self.request.current_user.user_role != 'whistleblower' and \ self.state.tenant_cache[1].get('log_accesses_of_internal_users', False): self.request.log_ip_and_ua = True return session
def post(self): request = self.validate_message(self.request.content.read(), requests.TokenAuthDesc) yield login_delay(self.request.tid) self.state.tokens.use(request['token']) session = Sessions.get(request['authtoken']) if session is None or session.tid != self.request.tid: login_failure(self.request.tid, 0) connection_check(self.request.tid, self.request.client_ip, session.user_role, self.request.client_using_tor) session = Sessions.regenerate(session.id) returnValue(session.serialize())
def get_current_user(self): api_session = self.get_api_session() if api_session is not None: return api_session # Check for the session header session_id = self.request.headers.get(b'x-session') if session_id is None: return # Check that that provided session exists and is legit # We need to convert here to text_type as sessions generate a # random string in text form. It seems sessions assume that it will # be a string while twisted returns headers in bytes session = Sessions.get(text_type(session_id, 'utf-8')) if session is not None and session.tid == self.request.tid: return session
def get_current_user(self): api_session = self.get_api_session() if api_session is not None: return api_session # Check for the session header session_id = self.request.headers.get(b'x-session') if session_id is None: return session = Sessions.get(text_type(session_id, 'utf-8')) if session is not None and session.tid == self.request.tid: self.request.current_user = session if self.request.current_user.user_role != 'whistleblower' and \ self.state.tenant_cache[1].get(u'log_accesses_of_internal_users', False): self.request.log_ip_and_ua = True return session