def test_it_proxies_to_principals_for_user(
    self, principals_for_user, factories, auth_client
):
    """Check that ``principals_for_user`` is called exactly once with the user."""
    forwarded_user = factories.User()

    util.principals_for_auth_client_user(forwarded_user, auth_client)

    # The fixture stands in for the real helper, so only the delegation
    # (one call, with this exact user) is verified here.
    principals_for_user.assert_called_once_with(forwarded_user)
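def test_it_returns_combined_principals(self, factories, auth_client):
    """Check that user and auth-client principals are merged in the result.

    The user is created inside the auth client's authority and added to one
    group, so the group, client, authority and AuthClient role principals are
    each asserted to be present.
    """
    user = factories.User(authority=auth_client.authority)
    group = factories.Group()
    user.groups.append(group)

    principals = util.principals_for_auth_client_user(user, auth_client)

    assert 'group:{pubid}'.format(pubid=group.pubid) in principals
    assert 'client:{client_id}@{authority}'.format(
        client_id=auth_client.id, authority=auth_client.authority
    ) in principals
    # Membership must be checked explicitly: a bare non-empty string is always
    # truthy, so without ``in principals`` this assertion would pass even if
    # the authority principal were missing from the result.
    assert 'authority:{authority}'.format(
        authority=auth_client.authority
    ) in principals
    assert role.AuthClient in principals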
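def test_it_returns_combined_principals(self, factories, auth_client):
    """Check that user and auth-client principals are merged in the result.

    The user is created inside the auth client's authority and added to one
    group, so the group, client, authority and AuthClient role principals are
    each asserted to be present.
    """
    user = factories.User(authority=auth_client.authority)
    group = factories.Group()
    user.groups.append(group)

    principals = util.principals_for_auth_client_user(user, auth_client)

    assert "group:{pubid}".format(pubid=group.pubid) in principals
    assert (
        "client:{client_id}@{authority}".format(
            client_id=auth_client.id, authority=auth_client.authority
        )
        in principals
    )
    # Membership must be checked explicitly: a bare non-empty string is always
    # truthy, so without ``in principals`` this assertion would pass even if
    # the authority principal were missing from the result.
    assert (
        "authority:{authority}".format(authority=auth_client.authority)
        in principals
    )
    assert role.AuthClient in principals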
def check(username, password, request):
    """
    Return the principals for a Basic-auth request, or None on failure.

    The Basic auth credentials are treated as an auth_client id and secret
    and are verified against the auth_client records in the DB.

    If an HTTP ``X-Forwarded-User`` header is present in the request, the
    auth_client is asking to authenticate "on behalf of" a user. The header
    value (a :py:attr:`h.models.user.User.userid`) _must_ resolve to an
    existing user whose authority equals the auth_client's authority;
    otherwise authentication fails. This keeps an auth_client from obtaining
    principals for users outside its own authority.

    Every failure path returns None, so callers cannot tell bad credentials
    apart from a rejected forwarded user.

    :param username: username parsed out of Authorization header (Basic)
    :param password: password parsed out of Authorization header (Basic)
    :param request: the request; its ``db`` and ``find_service`` are used
    :returns: additional principals for the auth_client or None
    :rtype: list or None
    """
    # The Basic auth username/password pair is the client id/secret pair.
    auth_client = util.verify_auth_client(username, password, request.db)
    if auth_client is None:
        return None

    on_behalf_of = AuthClientPolicy._forwarded_userid(request)
    if on_behalf_of is None:
        # No forwarded user: plain auth_client principals only.
        return util.principals_for_auth_client(auth_client)

    # Looked up outside the try so that only fetch() errors are handled below.
    users = request.find_service(name="user")
    try:
        forwarded_user = users.fetch(on_behalf_of)
    except ValueError:
        # fetch() raises ValueError when the userid is in an invalid format.
        return None

    if not forwarded_user:
        # Unknown user: fail authentication.
        return None

    if forwarded_user.authority == auth_client.authority:
        return util.principals_for_auth_client_user(forwarded_user, auth_client)

    # User exists but belongs to a different authority than the client.
    return None
def test_it_proxies_to_principals_for_auth_client(
    self, principals_for_auth_client, factories, auth_client
):
    """Check that ``principals_for_auth_client`` is called once with the client."""
    any_user = factories.User()

    util.principals_for_auth_client_user(any_user, auth_client)

    # Only the delegation is checked: one call, with this exact auth client.
    principals_for_auth_client.assert_called_once_with(auth_client)
def test_it_adds_the_authclientuser_role(self, factories, auth_client):
    """Check that the ``AuthClientUser`` role is among the returned principals."""
    # The user is created in the same authority as the auth client.
    same_authority_user = factories.User(authority=auth_client.authority)

    granted = util.principals_for_auth_client_user(
        same_authority_user, auth_client
    )

    assert role.AuthClientUser in granted
def test_it_adds_the_userid_principal(self, factories, auth_client):
    """Check that the user's own ``userid`` is among the returned principals."""
    # The user is created in the same authority as the auth client.
    same_authority_user = factories.User(authority=auth_client.authority)

    granted = util.principals_for_auth_client_user(
        same_authority_user, auth_client
    )

    expected_userid = same_authority_user.userid
    assert expected_userid in granted
def test_it_proxies_to_principals_for_auth_client(
    self, principals_for_auth_client, factories, auth_client
):
    """Check that ``principals_for_auth_client`` is called once with the client."""
    throwaway_user = factories.User()

    util.principals_for_auth_client_user(throwaway_user, auth_client)

    # Only the delegation is checked: one call, with this exact auth client.
    principals_for_auth_client.assert_called_once_with(auth_client)