def test_permits_if_user_has_2fa(
    self,
    monkeypatch,
    owners_require_2fa,
    pypi_mandates_2fa,
    two_factor_requirement_enabled,
    two_factor_mandate_available,
    two_factor_mandate_enabled,
    db_request,
):
    """A user with 2FA enabled receives the backing policy's decision.

    The three ``two_factor_*`` arguments populate the registry settings and
    the two ``*_2fa`` arguments set the project flags. They are presumably
    supplied by a parametrize decorator that is not visible here.
    """
    db_request.registry.settings = {
        "warehouse.two_factor_requirement.enabled": two_factor_requirement_enabled,
        "warehouse.two_factor_mandate.available": two_factor_mandate_available,
        "warehouse.two_factor_mandate.enabled": two_factor_mandate_enabled,
    }
    db_request.user = pretend.stub(has_two_factor=True)

    # The policy looks the request up through the module-level helper, so
    # patch it to hand back the prepared db_request.
    request_lookup = pretend.call_recorder(lambda: db_request)
    monkeypatch.setattr(security_policy, "get_current_request", request_lookup)

    expected = Allowed("Because")
    # NOTE(review): the recorder's .calls are never inspected, so this test
    # does not pin which arguments were delegated to the wrapped policy.
    wrapped = pretend.stub(
        permits=pretend.call_recorder(lambda *args, **kwargs: expected)
    )
    policy = security_policy.TwoFactorAuthorizationPolicy(policy=wrapped)

    project = ProjectFactory.create(
        owners_require_2fa=owners_require_2fa,
        pypi_mandates_2fa=pypi_mandates_2fa,
    )
    outcome = policy.permits(project, pretend.stub(), pretend.stub())

    assert outcome == expected
def test_flashes_if_context_requires_2fa_but_not_enabled(self, monkeypatch, db_request):
    """A mandated project warns a user without 2FA while the mandate is off.

    With the mandate available but not enabled, the policy still returns the
    backing policy's result and queues exactly one "warning" flash message.
    """
    db_request.registry.settings = {
        "warehouse.two_factor_mandate.enabled": False,
        "warehouse.two_factor_mandate.available": True,
        "warehouse.two_factor_requirement.enabled": True,
    }
    db_request.user = pretend.stub(has_two_factor=False)
    db_request.session.flash = pretend.call_recorder(lambda m, queue: None)

    request_lookup = pretend.call_recorder(lambda: db_request)
    monkeypatch.setattr(security_policy, "get_current_request", request_lookup)

    expected = Allowed("Because")
    wrapped = pretend.stub(
        permits=pretend.call_recorder(lambda *args, **kwargs: expected)
    )
    policy = security_policy.TwoFactorAuthorizationPolicy(policy=wrapped)

    # Only the PyPI mandate flag is set; the owner-imposed requirement is off.
    project = ProjectFactory.create(owners_require_2fa=False, pypi_mandates_2fa=True)
    outcome = policy.permits(project, pretend.stub(), pretend.stub())

    expected_warning = (
        "This project is included in PyPI's two-factor mandate "
        "for critical projects. In the future, you will be unable to "
        "perform this action without enabling 2FA for your account"
    )
    # The action is still allowed; the user is only warned.
    assert outcome == expected
    assert db_request.session.flash.calls == [
        pretend.call(expected_warning, queue="warning"),
    ]
def test_principals_allowed_by_permission(self):
    """The wrapped policy's principals object is returned as-is."""
    sentinel = pretend.stub()
    wrapped = pretend.stub(
        principals_allowed_by_permission=pretend.call_recorder(lambda *args: sentinel)
    )
    policy = security_policy.TwoFactorAuthorizationPolicy(policy=wrapped)

    returned = policy.principals_allowed_by_permission(pretend.stub(), pretend.stub())

    # Identity, not equality: the very same object must come back.
    assert returned is sentinel
def test_permits_no_active_request(self, monkeypatch):
    """Without a current request the policy denies."""
    request_lookup = pretend.call_recorder(lambda: None)
    monkeypatch.setattr(security_policy, "get_current_request", request_lookup)

    wrapped = pretend.stub(
        permits=pretend.call_recorder(lambda *args, **kwargs: pretend.stub())
    )
    policy = security_policy.TwoFactorAuthorizationPolicy(policy=wrapped)

    outcome = policy.permits(pretend.stub(), pretend.stub(), pretend.stub())

    # NOTE(review): the comparison is against an empty-message denial while
    # .s is non-empty, so WarehouseDenied equality evidently ignores the
    # message; the .s assertion below is what actually pins the text.
    assert outcome == WarehouseDenied("")
    assert outcome.s == "There was no active request."
def test_permits_if_non_2fa_requireable_context(self, monkeypatch):
    """A context that is a plain stub gets the backing policy's result."""
    current_request = pretend.stub()
    request_lookup = pretend.call_recorder(lambda: current_request)
    monkeypatch.setattr(security_policy, "get_current_request", request_lookup)

    expected = Allowed("Because")
    wrapped = pretend.stub(
        permits=pretend.call_recorder(lambda *args, **kwargs: expected)
    )
    policy = security_policy.TwoFactorAuthorizationPolicy(policy=wrapped)

    # The context is a bare stub rather than a project created by the factory.
    outcome = policy.permits(pretend.stub(), pretend.stub(), pretend.stub())

    assert outcome == expected
def test_denies_if_2fa_is_required_but_user_doesnt_have_2fa(
    self,
    monkeypatch,
    owners_require_2fa,
    pypi_mandates_2fa,
    reason,
    db_request,
):
    """A user without 2FA is denied on a project that requires it.

    ``owners_require_2fa`` and ``pypi_mandates_2fa`` drive both the registry
    settings and the project flags; ``reason`` selects the expected summary.
    All three are presumably supplied by a parametrize decorator that is not
    visible here.
    """
    db_request.registry.settings = {
        "warehouse.two_factor_requirement.enabled": owners_require_2fa,
        "warehouse.two_factor_mandate.enabled": pypi_mandates_2fa,
    }
    db_request.user = pretend.stub(has_two_factor=False)

    request_lookup = pretend.call_recorder(lambda: db_request)
    monkeypatch.setattr(security_policy, "get_current_request", request_lookup)

    # The wrapped policy would allow the action, so a denial has to come
    # from the two-factor layer.
    allowed = Allowed("Because")
    wrapped = pretend.stub(
        permits=pretend.call_recorder(lambda *args, **kwargs: allowed)
    )
    policy = security_policy.TwoFactorAuthorizationPolicy(policy=wrapped)

    project = ProjectFactory.create(
        owners_require_2fa=owners_require_2fa,
        pypi_mandates_2fa=pypi_mandates_2fa,
    )
    outcome = policy.permits(project, pretend.stub(), pretend.stub())

    # NOTE(review): the trailing comma inside each parenthesised value makes
    # the summary a one-element tuple, not a str. test_permits_no_active_request
    # compares equal to WarehouseDenied("") while .s is non-empty, so equality
    # evidently ignores the message; if it ignores the reason as well, the
    # assert below only pins that the result is a denial. Asserting on
    # outcome.s, as that test does, would pin the text - confirm the expected
    # text and reason against the policy.
    summaries = {
        "owners_require_2fa": (
            "This project requires two factor authentication to be enabled "
            "for all contributors.",
        ),
        "pypi_mandates_2fa": (
            "PyPI requires two factor authentication to be enabled "
            "for all contributors to this project.",
        ),
    }
    summary = summaries[reason]

    assert outcome == WarehouseDenied(summary, reason="two_factor_required")