def _test_generate_user_certificate(self):
    """Check that a generated user certificate identifies the active admin.

    The leading underscore keeps the default unittest loader, which collects
    ``test*`` methods, from picking this method up.
    """
    # Setup: create an admin and make it the active principal,
    # i.e. pretend the user is logged in.
    admin = self.user_manager.create_user('test-admin')
    principal.set_principal(admin)

    # Test
    generated = self.user_manager.generate_user_certificate()

    # Verify: the subject CN must decode back to the admin's login and id.
    # NOTE(review): only the CN round-trip is asserted here; nothing in this
    # test checks who signed the certificate or its validity period.
    self.assertTrue(generated is not None)
    parsed = manager_factory.certificate_manager(content=generated)
    common_name = parsed.subject()['CN']
    decoded = self.cert_generation_manager.decode_admin_user(common_name)
    login, user_id = decoded
    self.assertEqual(login, admin['login'])
    self.assertEqual(user_id, admin['id'])
def test_generate_user_certificate(self):
    """Check that a generated user certificate identifies the active admin."""
    # Setup
    # TODO: Fix this when UserManager can create users
    users = UserManager()
    admin = users.create_user('test-admin')
    # Pretend the user is logged in.
    principal.set_principal(admin)

    # Test
    generated = self.manager.generate_user_certificate()

    # Verify: the subject CN must decode back to the admin's login and id.
    # NOTE(review): only the CN round-trip is asserted here; nothing in this
    # test checks who signed the certificate or its validity period.
    self.assertTrue(generated is not None)
    parsed = Certificate(content=generated)
    common_name = parsed.subject()['CN']
    decoded = cert_generator.decode_admin_user(common_name)
    login, user_id = decoded
    self.assertEqual(login, admin['login'])
    self.assertEqual(user_id, admin['id'])
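def _auth_decorator(self, *args, **kwargs):
    """Authenticate the current request, authorize it, then call ``method``.

    Authentication is attempted in this order, stopping at the first success:

    1. username/password taken from the request,
    2. the SSL client certificate, first as a user certificate and then as
       a consumer certificate,
    3. OAuth credentials (authorization header plus ``HTTP_PULP_USER``).

    Authorization then applies ``super_user_only`` and ``operation``. When
    ``operation`` is None no per-resource authorization check is made.

    ``method``, ``operation``, ``super_user_only`` and the ``*_fail_msg``
    values are not defined in this function; they are expected to be bound
    in the enclosing scope, which is outside this block.

    Returns:
        Whatever ``method`` returns, or the result of ``self.unauthorized``
        when authentication or authorization fails.

    The principal is cleared in a ``finally`` clause, so an exception raised
    by ``method`` still propagates but no longer leaves the principal set.
    """
    # XXX jesus h christ: is this some god awful shit
    # please, please refactor this into ... something ... anything!
    user = None
    is_consumer = False
    # Maps a resource prefix to the operation codes allowed on it (what the
    # codes mean is defined elsewhere). The '/v2/consumers/' entry is never
    # read in this function; only the per-consumer entry added below is.
    permissions = {'/v2/consumers/': [0, 1]}

    # first, try username:password authentication
    username, password = http.username_password()
    if username is not None:
        user = check_username_password(username, password)
        if user is None:
            # Credentials were supplied but rejected: fail now instead of
            # falling through to the weaker-preference mechanisms.
            return self.unauthorized(user_pass_fail_msg)

    # second, try certificate authentication
    if user is None:
        cert_pem = http.ssl_client_cert()
        if cert_pem is not None:
            # first, check user certificate
            user = check_user_cert(cert_pem)
            if user is None:
                # second, check consumer certificate
                # This is a temporary solution for authorization failures of
                # consumers, which have no associated users. v2 will likely
                # use static permissions for consumers instead of associated
                # users; once users and permissions are fleshed out for v2
                # this code should become much simpler.
                # Previously: user = check_consumer_cert(cert_pem)
                user = check_consumer_cert_no_user(cert_pem)
                if user:
                    is_consumer = True
                    consumer_base_url = '/v2/consumers/%s' % user + '/'
                    permissions[consumer_base_url] = [0, 1, 2, 3, 4]

    # third, check oauth credentials
    # cert_pem is always bound here: user can only still be None if the
    # certificate step above ran.
    if user is None:
        auth = http.http_authorization()
        username = http.request_info('HTTP_PULP_USER')
        if None in (auth, username):
            # No OAuth credentials. If a certificate was presented it has
            # already been rejected, so report the certificate failure.
            if cert_pem is not None:
                return self.unauthorized(cert_fail_msg)
        else:
            meth = http.request_info('REQUEST_METHOD')
            url = http.request_url()
            query = http.request_info('QUERY_STRING')
            user = check_oauth(username, meth, url, auth, query)
            if user is None:
                return self.unauthorized(oauth_fail_msg)

    # authentication has failed
    if user is None:
        return self.unauthorized(authen_fail_msg)

    # procedure to check consumer permissions - part of the temporary
    # solution described above
    def is_consumer_authorized(resource, consumer, operation):
        # Only called when is_consumer is True, so consumer_base_url is bound.
        # NOTE(review): `in` is a substring test, so the consumer's base URL
        # matches anywhere inside the resource path, not only at its start.
        # If http.resource_path() always returns a path rooted at '/v2/...',
        # an anchored comparison would be the tighter check; confirm what
        # resource_path() returns before changing it.
        return (consumer_base_url in resource
                and operation in permissions[consumer_base_url])

    # fourth, check authorization
    user_query_manager = factory.user_query_manager()
    # NOTE(review): user['login'] assumes a mapping. On the consumer path
    # `user` is whatever check_consumer_cert_no_user returned (it is formatted
    # with %s above); confirm these lookups cannot be reached with a value
    # that does not support ['login'].
    if super_user_only and not user_query_manager.is_superuser(user['login']):
        return self.unauthorized(author_fail_msg)

    # if the operation is None, don't check authorization
    elif operation is not None:
        if is_consumer and is_consumer_authorized(http.resource_path(), user, operation):
            # The consumer path calls the method without set_principal().
            # Clearing in `finally` guarantees nothing is left set afterwards
            # even when the method raises.
            try:
                return method(self, *args, **kwargs)
            finally:
                clear_principal()
        elif user_query_manager.is_authorized(http.resource_path(), user['login'], operation):
            pass
        else:
            return self.unauthorized(author_fail_msg)

    # everything ok, manage the principal and call the method
    set_principal(user)
    try:
        return method(self, *args, **kwargs)
    finally:
        # Always drop the principal. Previously an exception in the method
        # skipped clear_principal() and left this user's principal in place.
        clear_principal()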