コード例 #1
0
    def test_access_controller(self):
        logging.debug('')
        logging.debug('test_access_controller')

        # Credential-to-role mapping.
        owner = get_credentials()
        controller = AccessController()
        self.assertEqual(controller.get_role(None), '')
        self.assertEqual(controller.get_role(owner), 'owner')
        user = Credentials()
        user.user = '[email protected]'
        self.assertEqual(controller.get_role(user), 'user')
        assert_raises(self, 'controller.get_role(object())', globals(), locals(),
                      TypeError, 'credentials is not a Credentials object')

        # Proxy role-to-credential mapping.
        obj = Object()
        assert_raises(self, 'controller.get_proxy_credentials(obj.no_rbac, user)',
                      globals(), locals(), RoleError, 'No RBAC for method')
        self.assertEqual(controller.get_proxy_credentials(obj.single_role, user),
                         user)
        self.assertEqual(controller.get_proxy_credentials(obj.proxy_role, user),
                         owner)
        assert_raises(self,
                      'controller.get_proxy_credentials(obj.proxy_other, user)',
                      globals(), locals(), RoleError,
                      'No credentials for proxy role other')
        assert_raises(self, "controller.set_proxy_credentials('other', object())",
                      globals(), locals(), TypeError,
                      'credentials is not a Credentials object')
        other = Credentials()
        other.user = '[email protected]'
        controller.set_proxy_credentials('other', other)
        self.assertEqual(controller.get_proxy_credentials(obj.proxy_other, user),
                         other)

        # Attribute access.
        controller.check_access('user', '__getattr__', obj, 'dummy')
        controller.check_access('owner', '__setattr__', obj, 'dummy')
        assert_raises(self,
                      "controller.check_access('user', '__delattr__', obj, 'dummy')",
                      globals(), locals(), RoleError,
                      "No __delattr__ access to 'dummy' by role 'user'")
        assert_raises(self,
                      "controller.check_access('', '__getattr__', obj, 'dummy')",
                      globals(), locals(), RoleError, 'No access by null role')

        # Attribute proxying.
        proxy_value = ProxyRequired()
        self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value))
        controller.attr_proxy_required(obj, 'dummy')
        self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
        controller.attr_proxy_required(obj, 'dummy', False)
        self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value))
        controller.class_proxy_required(ProxyRequired)
        self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
コード例 #2
0
    def post(self):
        server_creds = Credentials()
        print 'server creds:\n', server_creds

        # single user... only allow same [email protected] as the server to log in
        allowed_users = {server_creds.user: server_creds.public_key}
        encoded = self.get_argument('encoded')
        client_creds = Credentials.verify(encoded, allowed_users)
        print 'client creds:\n', client_creds

        if client_creds:
            self.set_secure_cookie('user', client_creds.user)
        self.redirect('/')
コード例 #3
0
    def test_credentials(self):
        logging.debug('')
        logging.debug('test_credentials')

        # Basic form.
        owner = Credentials()
        if sys.platform == 'win32' and not HAVE_PYWIN32:
            self.assertEqual('%s' % owner, owner.user+' (transient)')
        else:
            self.assertEqual('%s' % owner, owner.user)

        # Comparison.
        user = Credentials()
        self.assertEqual(user, owner)
        user.user = '[email protected]'
        self.assertNotEqual(user, owner)
        self.assertNotEqual(user, 'xyzzy')

        # Thread storage.
        try:
            del threading.current_thread().credentials  # Ensure empty.
        except AttributeError:
            pass
        self.assertEqual(get_credentials(), owner)

        # Sign/verify.
        encoded = owner.encode()
        Credentials.verify(encoded, allowed_users=None)  # 'First sighting'.
        Credentials.verify(encoded, allowed_users=None)  # Cached verification.
        data, signature, client_creds = encoded

        encoded = (data[:1], signature, client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError, 'Invalid data')

        encoded = (data[:-1], signature, client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError, 'Invalid signature')

        encoded = (data, signature[:-1], client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError, 'Invalid signature')

        newline = data.find('\n')  # .user
        newline = data.find('\n', newline+1)  # .transient
        # Expecting '-'
        mangled = data[:newline+1] + '*' + data[newline+2:]
        encoded = (mangled, signature, client_creds)
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError, 'Invalid key')

        # Detect mismatched key.
        get_key_pair(owner.user, overwrite_cache=True)
        spook = Credentials()
        encoded = spook.encode()
        assert_raises(self, 'Credentials.verify(encoded, None)',
                      globals(), locals(), CredentialsError,
                      'Public key mismatch')

        # Check if remote access.
        self.assertFalse(remote_access())