def test_obeys_token_in_cookie(self): user = data_setup.create_user() cookie = self.acquire_cookie(user) with app.test_request_context(headers={'Cookie': cookie}): identity.check_authentication() self.assertEqual(identity.current.user, user) self.assertIsNone(identity.current.proxied_by_user)
def test_obeys_token_with_proxied_auth(self): user = data_setup.create_user() proxy = data_setup.create_user() cookie = self.acquire_cookie(user, proxy) with app.test_request_context(headers={'Cookie': cookie}): identity.check_authentication() self.assertEqual(identity.current.user, user) self.assertEqual(identity.current.proxied_by_user, proxy)
def test_authentication_is_ignored_if_user_is_disabled(self): user = data_setup.create_user() cookie = self.acquire_cookie(user) environ = {'REMOTE_USER': user.user_name} user.disabled = True with app.test_request_context(environ_overrides=environ, headers={'Cookie': cookie}): identity.check_authentication() self.assertIsNone(identity.current.user) self.assertIsNone(identity.current.proxied_by_user)
def test_obeys_REMOTE_USER(self): # REMOTE_USER will be set if Apache is configured to do external # authentication and the authentication was successful for this # request. user = data_setup.create_user() environ = {'REMOTE_USER': user.user_name} with app.test_request_context(environ_overrides=environ): identity.check_authentication() self.assertEqual(identity.current.user, user) self.assertIsNone(identity.current.proxied_by_user)
def test_token_is_ignored_if_proxy_does_not_exist(self): # As above, this should never actually happen. user = data_setup.create_user() proxy = data_setup.create_user() cookie = self.acquire_cookie(user, proxy) session.delete(proxy) session.flush() with app.test_request_context(headers={'Cookie': cookie}): identity.check_authentication() self.assertIsNone(identity.current.user) self.assertIsNone(identity.current.proxied_by_user)
def test_token_is_ignored_if_user_does_not_exist(self): # This should be impossible since we don't allow deleting User objects. # But let's test it for completeness' sake. user = data_setup.create_user() cookie = self.acquire_cookie(user) session.delete(user) session.flush() with app.test_request_context(headers={'Cookie': cookie}): identity.check_authentication() self.assertIsNone(identity.current.user) self.assertIsNone(identity.current.proxied_by_user)
def test_REMOTE_USER_takes_precedence_over_cookie(self): # This could happen if the user somehow reauthenticates to Apache as # a different user but an existing session cookie is left behind # because they didn't log out of Beaker. old_user = data_setup.create_user() new_user = data_setup.create_user() cookie = self.acquire_cookie(old_user) environ = {'REMOTE_USER': new_user.user_name} with app.test_request_context(environ_overrides=environ, headers={'Cookie': cookie}): identity.check_authentication() self.assertEqual(identity.current.user, new_user)
def test_user_is_created_if_REMOTE_USER_vars_are_populated(self): new_username = '******' new_user_display_name = 'Mark Watney' new_user_email = '*****@*****.**' environ = { 'REMOTE_USER': new_username, 'REMOTE_USER_FULLNAME': new_user_display_name, 'REMOTE_USER_EMAIL': new_user_email, } with app.test_request_context(environ_overrides=environ): identity.check_authentication() new_user = User.query.filter_by(user_name=new_username).one() self.assertEqual(identity.current.user, new_user) self.assertIsNone(identity.current.proxied_by_user)
def acquire_cookie(self, user, proxied_by_user=None): # Fake prior successful authentication in order to get a valid cookie. with app.test_request_context(): identity.set_authentication(user, proxied_by_user) return '%s=%s' % (identity._token_cookie_name, identity._generate_token())
def test_REMOTE_USER_is_ignored_if_user_does_not_exist(self): environ = {'REMOTE_USER': '******'} with app.test_request_context(environ_overrides=environ): identity.check_authentication() self.assertIsNone(identity.current.user) self.assertIsNone(identity.current.proxied_by_user)