def test_apikey_and_authentication_enforce_user(self):
    """Check that a rejected API key does not swap out the session user.

    The multi-backend is ordered (ApiKeyAuthentication, SessionAuthentication):
    the key backend refuses the request and the session backend accepts it.
    """
    session_auth = SessionAuthentication()
    api_key_auth = ApiKeyAuthentication()
    auth = MultiAuthentication(api_key_auth, session_auth)
    john_doe = User.objects.get(username="******")
    csrf_token = "abcdef1234567890abcdef1234567890"

    # Session-only POST: the CSRF header and the CSRF cookie carry the same token.
    session_only = HttpRequest()
    session_only.method = "POST"
    session_only.META = {"HTTP_X_CSRFTOKEN": csrf_token}
    session_only.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    session_only.user = john_doe

    # API-key-only request carrying a key that is not valid.
    bad_key_only = HttpRequest()
    bad_key_only.POST["username"] = "******"
    bad_key_only.POST["api_key"] = "invalid key"

    # Valid session plus an invalid API key in the same request.
    combined = HttpRequest()
    combined.method = "POST"
    combined.META = {"HTTP_X_CSRFTOKEN": csrf_token}
    combined.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    combined.user = john_doe
    combined.POST["username"] = "******"
    combined.POST["api_key"] = "invalid key"

    # Results are compared with True instead of being checked for truthiness:
    # a failing backend can hand back an HttpUnauthorized response object
    # (asserted just below), and a bare truthiness check would accept it.
    self.assertEqual(session_auth.is_authenticated(session_only), True)

    # The API-key backend alone must reject the invalid key.
    self.assertIsInstance(api_key_auth.is_authenticated(bad_key_only), HttpUnauthorized)

    # The multi-backend passes through the session backend, and the failed
    # API-key attempt must leave request.user untouched before and after.
    self.assertEqual(combined.user.username, "johndoe")
    self.assertEqual(auth.is_authenticated(combined), True)
    self.assertEqual(combined.user.username, "johndoe")
def test_multiauth_apikey_and_basic_auth__basic_returns_authenticate(self):
    """A request without credentials gets the HTTP Basic challenge header back."""
    auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
    request = HttpRequest()
    # With no credentials the result is indexed like a response and must carry
    # the Basic challenge.
    outcome = auth.is_authenticated(request)
    self.assertEqual(outcome['WWW-Authenticate'], 'Basic Realm="django-tastypie"')
def test_multiauth_apikey_and_basic_auth__api_key_works_in_header(self):
    """An 'ApiKey user:key' Authorization header authenticates via the multi-backend."""
    auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
    request = HttpRequest()
    john_doe = User.objects.get(username='******')
    # BasicAuthentication is listed first; the assertions below show that the
    # ApiKey scheme is still accepted through the second backend.
    header_value = 'ApiKey %s:%s' % (john_doe.username, john_doe.api_key.key,)
    request.META['HTTP_AUTHORIZATION'] = header_value
    # Compared with True: a failure may be a truthy HttpUnauthorized object.
    self.assertEqual(auth.is_authenticated(request), True)
    self.assertEqual(auth.get_identifier(request), john_doe.username)
def test_multiauth_apikey_and_basic_auth__api_key_works_in_query(self):
    """username/api_key passed as GET parameters authenticate via the multi-backend."""
    auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
    request = HttpRequest()
    john_doe = User.objects.get(username='******')
    # NOTE: credentials carried in the query string tend to be recorded by
    # access logs and intermediaries; this test only pins that the form is accepted.
    query_credentials = {
        'username': john_doe.username,
        'api_key': john_doe.api_key.key,
    }
    for name, value in query_credentials.items():
        request.GET[name] = value
    self.assertEqual(auth.is_authenticated(request), True)
    self.assertEqual(auth.get_identifier(request), john_doe.username)
def test_multiauth_apikey_and_basic_auth__basic_auth_works(self):
    """HTTP Basic credentials authenticate through the (Basic, ApiKey) multi-backend."""
    auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
    request = HttpRequest()
    john_doe = User.objects.get(username='******')
    # Give the fixture user a known password so the header below matches it.
    john_doe.set_password('pass')
    john_doe.save()
    # Basic scheme: base64 of "user:password", sent in the Authorization header.
    encoded = base64.b64encode('johndoe:pass'.encode('utf-8')).decode('utf-8')
    request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % encoded
    self.assertEqual(auth.is_authenticated(request), True)
    self.assertEqual(auth.get_identifier(request), john_doe.username)
def test_multiauth_apikey_and_basic_auth__api_key_works_in_header__space_in_username(self):
    """The ApiKey header form still works after the username has been changed.

    NOTE(review): the username literals are masked in this listing; going by
    the test name, the new username presumably contains a space - confirm.
    """
    auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
    request = HttpRequest()
    john_doe = User.objects.get(username="******")
    john_doe.username = "******"
    john_doe.save()
    # The header is built from the renamed user, so parsing of "user:key"
    # is exercised with the new username.
    header_parts = (john_doe.username, john_doe.api_key.key)
    request.META["HTTP_AUTHORIZATION"] = "ApiKey %s:%s" % header_parts
    self.assertEqual(auth.is_authenticated(request), True)
    self.assertEqual(auth.get_identifier(request), john_doe.username)
def test_multiauth_apikey_and_basic_auth__basic_auth_works(self):
    """A matching Basic Authorization header passes the (Basic, ApiKey) multi-backend."""
    auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
    request = HttpRequest()

    # Set a known password on the fixture user, then present the same pair.
    john_doe = User.objects.get(username="******")
    john_doe.set_password("pass")
    john_doe.save()

    raw_pair = "johndoe:pass".encode("utf-8")
    token = base64.b64encode(raw_pair).decode("utf-8")
    request.META["HTTP_AUTHORIZATION"] = "Basic %s" % token

    # Equality with True, not truthiness: a rejection can be a response object.
    self.assertEqual(auth.is_authenticated(request), True)
    self.assertEqual(auth.get_identifier(request), john_doe.username)
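def test_apikey_and_authentication_enforce_user(self):
    """Check that a rejected API key does not replace the session user.

    The multi-backend is ordered (ApiKeyAuthentication, SessionAuthentication):
    the key backend refuses the request and the session backend accepts it.

    The success checks compare against True. The earlier assertTrue() form
    accepted any truthy value, and a failing backend can return an
    HttpUnauthorized response object (asserted below for the API-key backend),
    so a rejection would have satisfied those assertions.
    """
    session_auth = SessionAuthentication()
    api_key_auth = ApiKeyAuthentication()
    auth = MultiAuthentication(api_key_auth, session_auth)
    john_doe = User.objects.get(username='******')
    csrf_token = 'abcdef1234567890abcdef1234567890'

    # Session-only POST: the CSRF header and the CSRF cookie carry the same token.
    request1 = HttpRequest()
    request1.method = 'POST'
    request1.META = {'HTTP_X_CSRFTOKEN': csrf_token}
    request1.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    request1.user = john_doe

    # API-key-only request with an invalid key.
    request2 = HttpRequest()
    request2.POST['username'] = '******'
    request2.POST['api_key'] = 'invalid key'

    # Valid session and invalid API key in the same request.
    request3 = HttpRequest()
    request3.method = 'POST'
    request3.META = {'HTTP_X_CSRFTOKEN': csrf_token}
    request3.COOKIES = {settings.CSRF_COOKIE_NAME: csrf_token}
    request3.user = john_doe
    request3.POST['username'] = '******'
    request3.POST['api_key'] = 'invalid key'

    # Session auth should pass since john_doe is logged in.
    self.assertEqual(session_auth.is_authenticated(request1), True)

    # API key auth should fail because of the invalid api key.
    self.assertIsInstance(api_key_auth.is_authenticated(request2), HttpUnauthorized)

    # Multi auth must not change users when API key auth fails;
    # it passes because session auth is valid.
    self.assertEqual(request3.user.username, 'johndoe')
    self.assertEqual(auth.is_authenticated(request3), True)
    self.assertEqual(request3.user.username, 'johndoe')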
def test_apikey_and_basic_auth(self):
    """Walk the (Basic, ApiKey) multi-backend through failure and both success paths."""
    auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
    request = HttpRequest()
    john_doe = User.objects.get(username='******')

    # No API key or HTTP Basic details: the request is rejected ...
    self.assertIsInstance(auth.is_authenticated(request), HttpUnauthorized)

    # ... and the rejection still carries the Basic challenge header.
    challenge = auth.is_authenticated(request)['WWW-Authenticate']
    self.assertEqual(challenge, 'Basic Realm="django-tastypie"')

    # API key credentials in the query string are accepted.
    request = HttpRequest()
    request.GET['username'] = '******'
    request.GET['api_key'] = john_doe.api_key.key
    self.assertEqual(auth.is_authenticated(request), True)
    self.assertEqual(auth.get_identifier(request), 'johndoe')

    # HTTP Basic credentials are accepted once the password is known.
    request = HttpRequest()
    john_doe = User.objects.get(username='******')
    john_doe.set_password('pass')
    john_doe.save()
    encoded = base64.b64encode('johndoe:pass'.encode('utf-8')).decode('utf-8')
    request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % encoded
    self.assertEqual(auth.is_authenticated(request), True)
class Meta:
    # Resource options for Piece objects.
    object_class = models.Piece
    always_return_data = True
    # Backends are consulted in the order given: application API key first,
    # then the cookie/basic backend.
    authentication = MultiAuthentication(
        AppApiKeyAuthentication(),
        CookieBasicAuthentication(),
    )
    # NOTE(review): the class name suggests unrestricted read access; its
    # write rules are defined outside this snippet - confirm before reuse.
    authorization = AnyoneCanViewAuthorization()
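class Meta(CommonMetaApi):
    # Copy the inherited filter map before extending it. Calling update() on
    # CommonMetaApi.filtering itself mutates the one dict object that every
    # Meta inheriting from CommonMetaApi reads, so 'doc_type' would become a
    # permitted filter on those other resources as well.
    # Assumes CommonMetaApi.filtering is a plain dict - TODO confirm.
    filtering = dict(CommonMetaApi.filtering)
    filtering.update({'doc_type': ALL})
    # Distinct documents, ordered by descending date.
    queryset = Document.objects.distinct().order_by('-date')
    resource_name = 'documents'
    # Session login is tried first, then the GeoNode API-key backend.
    authentication = MultiAuthentication(SessionAuthentication(), GeonodeApiKeyAuthentication())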
class Meta(CommonMetaApi):
    # Only resources flagged as featured, ordered by descending date.
    queryset = (
        ResourceBase.objects
        .filter(featured=True)
        .order_by('-date')
    )
    resource_name = 'featured'
    # Session login is tried first, then the GeoNode API-key backend.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        GeonodeApiKeyAuthentication(),
    )
def test_apikey_and_authentication(self):
    """Pin the fall-through behaviour of (ApiKeyAuthentication, Authentication).

    Every request below is accepted, including ones with wrong or missing
    credentials; only the identifier shows whether the API key was honoured.
    Resources using this pairing are therefore open to anonymous callers.
    """
    auth = MultiAuthentication(ApiKeyAuthentication(), Authentication())
    john_doe = User.objects.get(username='******')

    # Requests the API-key backend cannot accept; each one still passes and is
    # identified by the stock 'noaddr_nohost' identifier.
    anonymous_cases = (
        {},                                        # no username/api_key details
        {'username': '******'},                    # wrong username details
        {'username': '******'},                    # no api_key
        {'username': '******', 'api_key': 'foo'},  # wrong user/api_key
    )
    for params in anonymous_cases:
        request = HttpRequest()
        for name, value in params.items():
            request.GET[name] = value
        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), 'noaddr_nohost')

    # A valid username/api_key pair is attributed to the user.
    request = HttpRequest()
    request.GET['username'] = '******'
    request.GET['api_key'] = john_doe.api_key.key
    self.assertEqual(auth.is_authenticated(request), True)
    self.assertEqual(auth.get_identifier(request), john_doe.username)
class Meta:
    # Exposes every User row under the 'user' resource name.
    # NOTE(review): no field restriction is visible in this Meta; if none is
    # applied elsewhere in the resource, confirm that sensitive user columns
    # (for example the password hash) are not serialized.
    queryset = User.objects.all()
    resource_name = 'user'
    # API key is tried first, then the Django session.
    authentication = MultiAuthentication(
        ApiKeyAuthentication(),
        SessionAuthentication(),
    )
    # Access decisions are delegated to DjangoAuthorization.
    authorization = DjangoAuthorization()
class Meta:
    queryset = Application.objects.all()
    resource_name = 'applications'
    # API key is tried first, then the Django session.
    authentication = MultiAuthentication(
        ApiKeyAuthentication(),
        SessionAuthentication(),
    )
    # NOTE(review): tastypie's base Authorization performs no permission
    # checks, and no allowed_methods restriction is set here, so any caller
    # who authenticates can use every method on every Application - confirm
    # that this is intended.
    authorization = Authorization()
class Meta:
    queryset = Log.objects.all()
    # Read-only endpoint: only GET is accepted.
    allowed_methods = ['get']
    # HTTP Basic is tried first, then the API key.
    authentication = MultiAuthentication(
        BasicAuthentication(),
        ApiKeyAuthentication(),
    )
    # NOTE(review): the base Authorization performs no permission checks, so
    # every authenticated caller can read every Log row.
    authorization = Authorization()
class Meta:
    # Units, with the area, penetration and array relations joined in.
    queryset = Unit.objects.all().select_related(
        'area',
        'penetration',
        'array',
    )
    resource_name = 'unit'
    authorization = DjangoAuthorization()
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    cache = SimpleCache(timeout=10)
class Meta:
    queryset = Condition.objects.all()
    resource_name = 'condition'
    # Session login is tried first, then the API key; access decisions are
    # delegated to DjangoAuthorization.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    authorization = DjangoAuthorization()
    cache = SimpleCache(timeout=10)
class Meta:
    # Experiments, with the collator relation joined in.
    queryset = (
        Experiment.objects
        .all()
        .select_related('collator')
    )
    resource_name = 'experiment'
    authorization = DjangoAuthorization()
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    cache = SimpleCache(timeout=10)
class Meta:
    # Arrays, with the subject relation joined in.
    queryset = (
        Array.objects
        .all()
        .select_related('subject')
    )
    resource_name = 'array'
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    authorization = DjangoAuthorization()
    cache = SimpleCache(timeout=10)
class Meta:
    # Nomenclature rows, with their species prefetched.
    queryset = (
        Nomenclature.objects
        .all()
        .prefetch_related('species')
    )
    resource_name = 'nomenclature'
    authorization = DjangoAuthorization()
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    cache = SimpleCache(timeout=10)
class Meta:
    # Write-only endpoint: only POST is accepted.
    allowed_methods = ['post']
    # HTTP Basic is tried first, then the API key.
    authentication = MultiAuthentication(
        BasicAuthentication(),
        ApiKeyAuthentication(),
    )
    # NOTE(review): the base Authorization performs no permission checks, so
    # any authenticated caller may POST here.
    authorization = Authorization()
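class Meta:
    queryset = ItemTemplate.objects.all()
    # Reads only; no write access is granted through this resource.
    authorization = ReadOnlyAuthorization()
    # MultiAuthentication stops at the first backend that accepts the request.
    # The base Authentication backend accepts every request, so it has to come
    # last: placed before ApiKeyAuthentication it made the API-key backend
    # unreachable, and callers presenting a valid key were treated as anonymous.
    # Anonymous access is still allowed, as before; requests that passed
    # earlier continue to pass.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
        Authentication(),
    )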
def test_apikey_and_authentication(self):
    """Show that (ApiKeyAuthentication, Authentication) never rejects a request.

    Bad or missing API-key details fall through to the permissive base backend
    and are identified as 'noaddr_nohost'; a valid pair is identified as the user.
    """
    auth = MultiAuthentication(ApiKeyAuthentication(), Authentication())
    john_doe = User.objects.get(username='******')

    def build_request(**query):
        # Fresh request whose GET parameters are the given keyword arguments.
        built = HttpRequest()
        for key, value in query.items():
            built.GET[key] = value
        return built

    anonymous_requests = [
        build_request(),                                  # no username/api_key details
        build_request(username='******'),                 # wrong username details
        build_request(username='******'),                 # no api_key
        build_request(username='******', api_key='foo'),  # wrong user/api_key
    ]
    for request in anonymous_requests:
        # Accepted, but only under the stock anonymous identifier.
        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), 'noaddr_nohost')

    # Valid credentials: accepted and attributed to the user.
    request = build_request(username='******', api_key=john_doe.api_key.key)
    self.assertEqual(auth.is_authenticated(request), True)
    self.assertEqual(auth.get_identifier(request), 'johndoe')
class Meta:
    # Grasp performance conditions: experiment joined in, recording trials prefetched.
    queryset = (
        GraspPerformanceCondition.objects
        .all()
        .select_related('experiment')
        .prefetch_related('recording_trials')
    )
    resource_name = 'grasp_performance_condition'
    authorization = DjangoAuthorization()
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    cache = SimpleCache(timeout=10)
def is_authenticated(self, request, **kwargs):
    """Accept every GET; require session or HTTP Basic credentials otherwise.

    NOTE(review): GET requests return True before any backend runs, so reads
    on resources using this class are unauthenticated. All other methods,
    HEAD and OPTIONS included, go through the session/Basic check.
    """
    if request.method != 'GET':
        backends = MultiAuthentication(SessionAuthentication(), BasicAuthentication())
        return backends.is_authenticated(request, **kwargs)
    return True
class Meta:
    # Grasp observation conditions: experiment and demonstrator species joined
    # in, recording trials prefetched.
    queryset = (
        GraspObservationCondition.objects
        .all()
        .select_related('experiment', 'demonstrator_species')
        .prefetch_related('recording_trials')
    )
    resource_name = 'grasp_observation_condition'
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    authorization = DjangoAuthorization()
    cache = SimpleCache(timeout=10)
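class Meta:
    # All users, with the api_key relation joined in.
    queryset = CustomUser.objects.all().select_related('api_key')
    # Email-based backend is tried first, then the API key.
    authentication = MultiAuthentication(EmailAuthentication(), ApiKeyAuthentication())
    # NOTE(review): the base Authorization performs no permission checks, so
    # any authenticated caller can act on every user record - confirm intent.
    authorization = Authorization()
    # The tastypie option is spelled 'excludes'. The earlier 'exclude'
    # attribute is not an option tastypie reads, so the password column was
    # not being left out of the serialized resource.
    excludes = ['password']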
class Meta:
    # Unit classifications, with their units prefetched.
    queryset = (
        UnitClassification.objects
        .all()
        .prefetch_related('units')
    )
    resource_name = 'unit_classification'
    authorization = DjangoAuthorization()
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    cache = SimpleCache(timeout=10)
if not self.check_active(user): return False request.user = user return True def _unauthorized(self, request): if request.META.get('HTTP_X_REQUESTED_FROM') == 'WebUI': return HttpUnauthorized() else: return super(FreeBasicAuthentication, self)._unauthorized() APIAuthentication = MultiAuthentication( DjangoAuthentication(), FreeBasicAuthentication(), ) class APIAuthorization(Authorization): pass class DojoPaginator(Paginator): def __init__(self, request, *args, **kwargs): super(DojoPaginator, self).__init__(request.GET, *args, **kwargs) r = request.META.get("HTTP_RANGE", None) if r: r = r.split('=', 1)[1].split('-') self.offset = int(r[0])
def test_apikey_and_authentication(self):
    """Document that pairing ApiKeyAuthentication with Authentication accepts everyone.

    The permissive base backend sits behind the API-key backend, so wrong or
    absent credentials are not rejected; they are served under the stock
    "noaddr_nohost" identifier instead of a username.
    """
    auth = MultiAuthentication(ApiKeyAuthentication(), Authentication())
    john_doe = User.objects.get(username="******")

    # (GET parameters, expected identifier) for each scenario, in order.
    scenarios = [
        ({}, "noaddr_nohost"),                                        # no details
        ({"username": "******"}, "noaddr_nohost"),                    # wrong username
        ({"username": "******"}, "noaddr_nohost"),                    # no api_key
        ({"username": "******", "api_key": "foo"}, "noaddr_nohost"),  # wrong pair
        (
            {"username": "******", "api_key": john_doe.api_key.key},
            john_doe.username,
        ),                                                            # valid pair
    ]
    for query, expected_identifier in scenarios:
        request = HttpRequest()
        for field, value in query.items():
            request.GET[field] = value
        # Every scenario is accepted; only the identifier differs.
        self.assertEqual(auth.is_authenticated(request), True)
        self.assertEqual(auth.get_identifier(request), expected_identifier)
def default_authentication():
    """Return the site-wide authentication stack.

    Keeping the choice in one function lets authentication be changed for
    every resource at once. Session login is tried first, then the API key.
    """
    backends = (SessionAuthentication(), ApiKeyAuthentication())
    return MultiAuthentication(*backends)
class Meta:
    # Classification analyses, with their analysis factors prefetched.
    queryset = (
        ClassificationAnalysis.objects
        .all()
        .prefetch_related('analysis_factors')
    )
    resource_name = 'classification_analysis'
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    authorization = DjangoAuthorization()
    cache = SimpleCache(timeout=10)
class Meta(CommonMetaApi):
    # Distinct maps, ordered by descending date.
    queryset = (
        Map.objects
        .distinct()
        .order_by('-date')
    )
    resource_name = 'maps'
    # Session login is tried first, then the GeoNode API-key backend.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        GeonodeApiKeyAuthentication(),
    )
class Meta:
    queryset = ClassificationAnalysisResultsLevelMapping.objects.all()
    resource_name = 'classification_analysis_results_level_mapping'
    authorization = DjangoAuthorization()
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    cache = SimpleCache(timeout=10)
class Meta(CommonMetaApi):
    # Distinct resources from the polymorphic queryset, ordered by descending date.
    queryset = (
        ResourceBase.objects.polymorphic_queryset()
        .distinct()
        .order_by('-date')
    )
    resource_name = 'base'
    # These two fields are left out of the serialized resource.
    excludes = ['csw_anytext', 'metadata_xml']
    # Session login is tried first, then the GeoNode API-key backend.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        GeonodeApiKeyAuthentication(),
    )
class Meta:
    queryset = TimeWindowConditionSettings.objects.all()
    resource_name = 'time_window_condition_settings'
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    authorization = DjangoAuthorization()
    cache = SimpleCache(timeout=10)
class Meta:
    # Resource options for GlobalPermission objects; read and write methods
    # are both enabled.
    object_class = models.GlobalPermission
    allowed_methods = ('get', 'post', 'put', 'patch', 'delete')
    # Application API key is tried first, then the cookie/basic backend.
    authentication = MultiAuthentication(
        AppApiKeyAuthentication(),
        CookieBasicAuthentication(),
    )
    # NOTE(review): presumably restricts access to staff users, going by the
    # class name; its rules are defined outside this snippet - confirm.
    authorization = StaffAuthorization()
class Meta:
    queryset = ClusterAnalysisSettings.objects.all()
    resource_name = 'cluster_analysis_settings'
    authorization = DjangoAuthorization()
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    cache = SimpleCache(timeout=10)
from tastypie.throttle import CacheDBThrottle
from tastypie.authorization import DjangoAuthorization
from tastypie.authentication import (SessionAuthentication, MultiAuthentication, ApiKeyAuthentication)
from app.models import Billing
from app.exceptions import CustomBadRequest
from workspace.models import (Organisation, Workspace, Invitation)

# Use the json module when it can be imported; otherwise fall back to simplejson.
try:
    import json
except Exception:
    import simplejson as json

# Authentication stack shared by the resources below: the API key is tried
# first, then the Django session.
Authentication = MultiAuthentication(
    ApiKeyAuthentication(),
    SessionAuthentication(),
)


class Resource(ModelResource):
    """Base model resource carrying the shared Meta options defined below."""

    class Meta:
        always_return_data = True
        # 'delete' is not in this list, so DELETE is not an allowed method here.
        allowed_methods = ['get', 'post', 'put', 'patch', 'options', 'head']
        # The module-level MultiAuthentication instance defined above.
        authentication = Authentication
        authorization = DjangoAuthorization()
        validation = Validation()
        collection_name = 'data'
        cache = SimpleCache(timeout=10)
class Meta:
    # Unit analysis results, with the unit relation joined in.
    queryset = (
        UnitAnalysisResults.objects
        .all()
        .select_related('unit')
    )
    resource_name = 'unit_analysis_results'
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    authorization = DjangoAuthorization()
    cache = SimpleCache(timeout=10)
class Meta:
    queryset = FactorLevel.objects.all()
    resource_name = 'factor_level'
    authorization = DjangoAuthorization()
    # Session login is tried first, then the API key.
    authentication = MultiAuthentication(
        SessionAuthentication(),
        ApiKeyAuthentication(),
    )
    cache = SimpleCache(timeout=10)
def test_multiauth_apikey_and_basic_auth__no_details_fails(self):
    """A request with no credentials is rejected by the (Basic, ApiKey) multi-backend."""
    auth = MultiAuthentication(BasicAuthentication(), ApiKeyAuthentication())
    request = HttpRequest()
    # The rejection is an HttpUnauthorized response object rather than False,
    # so callers must not treat the return value as a plain boolean.
    outcome = auth.is_authenticated(request)
    self.assertIsInstance(outcome, HttpUnauthorized)