def test_it_queries_for_auth_client_in_db(self, pyramid_request):
pyramid_request.db.query.return_value.get.return_value = None
util.verify_auth_client(
client_id="whatever", client_secret="random", db_session=pyramid_request.db
)
pyramid_request.db.query.assert_called_once_with(AuthClient)
pyramid_request.db.query.return_value.get.assert_called_once_with("whatever")
def test_it_queries_for_auth_client_in_db(self, pyramid_request):
pyramid_request.db.query.return_value.get.return_value = None
util.verify_auth_client(
client_id="whatever", client_secret="random", db_session=pyramid_request.db
)
pyramid_request.db.query.assert_called_once_with(AuthClient)
pyramid_request.db.query.return_value.get.assert_called_once_with("whatever")
def test_it_handles_sa_statement_exception_if_client_id_malformed(self, pyramid_request):
pyramid_request.db.query.return_value.get.side_effect = sa.exc.StatementError(
message='You did it wrong',
statement=None,
params=None,
orig=None)
# does not raise
util.verify_auth_client(client_id='malformed', client_secret='random', db_session=pyramid_request.db)
def test_it_uses_key_hashing_on_client_secret_for_message_authentication(
self, pyramid_request, hmac, auth_client
):
pyramid_request.db.query.return_value.get.return_value = auth_client
util.verify_auth_client(
client_id="whatever", client_secret="random", db_session=pyramid_request.db
)
hmac.compare_digest.assert_called_once_with(auth_client.secret, "random")
def test_it_uses_key_hashing_on_client_secret_for_message_authentication(
self, pyramid_request, hmac, auth_client
):
pyramid_request.db.query.return_value.get.return_value = auth_client
util.verify_auth_client(
client_id="whatever", client_secret="random", db_session=pyramid_request.db
)
hmac.compare_digest.assert_called_once_with(auth_client.secret, "random")
def test_it_handles_sa_statement_exception_if_client_id_malformed(
self, pyramid_request
):
pyramid_request.db.query.return_value.get.side_effect = sa.exc.StatementError(
message="You did it wrong", statement=None, params=None, orig=None
)
# does not raise
util.verify_auth_client(
client_id="malformed", client_secret="random", db_session=pyramid_request.db
)
def test_it_returns_None_if_no_authclient_record_found_in_db(self, pyramid_request):
pyramid_request.db.query.return_value.get.return_value = None
principals = util.verify_auth_client(
client_id="whatever", client_secret="random", db_session=pyramid_request.db
)
assert principals is None
def test_it_returns_None_if_hmac_hashing_match_fails_on_client_secret(self, pyramid_request, hmac, auth_client):
pyramid_request.db.query.return_value.get.return_value = auth_client
hmac.compare_digest.return_value = False
principals = util.verify_auth_client(client_id='whatever', client_secret='random', db_session=pyramid_request.db)
assert principals is None
def test_it_returns_None_if_no_authclient_record_found_in_db(self, pyramid_request):
pyramid_request.db.query.return_value.get.return_value = None
principals = util.verify_auth_client(
client_id="whatever", client_secret="random", db_session=pyramid_request.db
)
assert principals is None
def test_it_returns_None_if_client_secret_is_None(self, pyramid_request, factories):
insecure_auth_client = factories.AuthClient()
pyramid_request.db.query.return_value.get.return_value = insecure_auth_client
principals = util.verify_auth_client(client_id='whatever', client_secret='random', db_session=pyramid_request.db)
assert insecure_auth_client.secret is None
assert principals is None
def test_it_returns_None_if_grant_type_is_not_client_credentials(self, pyramid_request, factories):
auth_code_client = factories.ConfidentialAuthClient(authority='weylandindustries.com',
grant_type=GrantType.authorization_code)
pyramid_request.db.query.return_value.get.return_value = auth_code_client
principals = util.verify_auth_client(client_id='whatever', client_secret='random', db_session=pyramid_request.db)
assert auth_code_client.grant_type == GrantType.authorization_code
assert principals is None
def test_it_returns_None_if_client_id_malformed(self, pyramid_request):
pyramid_request.db.query.return_value.get.side_effect = sa.exc.StatementError(
message="You did it wrong", statement=None, params=None, orig=None)
# does not raise
principals = util.verify_auth_client(client_id="malformed",
client_secret="random",
db_session=pyramid_request.db)
assert principals is None
def test_it_returns_None_if_client_secret_is_None(self, pyramid_request, factories):
insecure_auth_client = factories.AuthClient()
pyramid_request.db.query.return_value.get.return_value = insecure_auth_client
principals = util.verify_auth_client(
client_id="whatever", client_secret="random", db_session=pyramid_request.db
)
assert insecure_auth_client.secret is None
assert principals is None
def test_it_returns_None_if_hmac_hashing_match_fails_on_client_secret(
self, pyramid_request, hmac, auth_client
):
pyramid_request.db.query.return_value.get.return_value = auth_client
hmac.compare_digest.return_value = False
principals = util.verify_auth_client(
client_id="whatever", client_secret="random", db_session=pyramid_request.db
)
assert principals is None
def test_it_returns_None_if_grant_type_is_not_client_credentials(
self, pyramid_request, factories
):
auth_code_client = factories.ConfidentialAuthClient(
authority="weylandindustries.com", grant_type=GrantType.authorization_code
)
pyramid_request.db.query.return_value.get.return_value = auth_code_client
principals = util.verify_auth_client(
client_id="whatever", client_secret="random", db_session=pyramid_request.db
)
assert auth_code_client.grant_type == GrantType.authorization_code
assert principals is None
def check(username, password, request):
"""
Return list of appropriate principals or None if authentication is
unsuccessful.
Validate the basic auth credentials from the request by matching them to
an auth_client record in the DB.
If an HTTP ``X-Forwarded-User`` header is present in the request, this
represents the intent to authenticate "on behalf of" a user within
the auth_client's authority. If this header is present, the user indicated
by its value (a :py:attr:`h.models.user.User.userid`) _must_ exist and
be within the auth_client's authority, or authentication will fail.
:param username: username parsed out of Authorization header (Basic)
:param password: password parsed out of Authorization header (Basic)
:returns: additional principals for the auth_client or None
:rtype: list or None
"""
client_id = username
client_secret = password
# validate that the credentials in BasicAuth header
# match an AuthClient record in the db
client = util.verify_auth_client(client_id, client_secret, request.db)
if client is None:
return None
forwarded_userid = AuthClientPolicy._forwarded_userid(request)
if (
forwarded_userid is None
): # No forwarded user; set principals for basic auth_client
return util.principals_for_auth_client(client)
user_service = request.find_service(name="user")
try:
user = user_service.fetch(forwarded_userid)
except ValueError: # raised if userid is invalid format
return None # invalid user, so we are failing here
if user and user.authority == client.authority:
return util.principals_for_auth_client_user(user, client)
return None
def check(username, password, request):
"""
Return list of appropriate principals or None if authentication is
unsuccessful.
Validate the basic auth credentials from the request by matching them to
an auth_client record in the DB.
If an HTTP ``X-Forwarded-User`` header is present in the request, this
represents the intent to authenticate "on behalf of" a user within
the auth_client's authority. If this header is present, the user indicated
by its value (a :py:attr:`h.models.user.User.userid`) _must_ exist and
be within the auth_client's authority, or authentication will fail.
:param username: username parsed out of Authorization header (Basic)
:param password: password parsed out of Authorization header (Basic)
:returns: additional principals for the auth_client or None
:rtype: list or None
"""
client_id = username
client_secret = password
# validate that the credentials in BasicAuth header
# match an AuthClient record in the db
client = util.verify_auth_client(client_id, client_secret, request.db)
if client is None:
return None
forwarded_userid = AuthClientPolicy._forwarded_userid(request)
if (
forwarded_userid is None
): # No forwarded user; set principals for basic auth_client
return util.principals_for_auth_client(client)
user_service = request.find_service(name="user")
try:
user = user_service.fetch(forwarded_userid)
except ValueError: # raised if userid is invalid format
return None # invalid user, so we are failing here
if user and user.authority == client.authority:
return util.principals_for_auth_client_user(user, client)
return None
