def test_1():
    """Round-trip user and value state through the sirepo cookie module.

    The test checks three things:

    * Before the sentinel is set, ``cookie.get_user()`` is expected to fail
      with 'Unauthorized', with or without ``checked=False``.
    * After the sentinel, a user and a value are set, ``save_to_cookie``
      writes them to the response under the name 'sirepo_dev'.
    * Re-initializing from the saved cookie text restores both the user
      and the value, even though they were cleared in between.
    """
    import shutil
    from pykern import pkconfig, pkunit, pkio
    from pykern.pkunit import pkeq
    from pykern.pkdebug import pkdp
    from sirepo import srunit
    # The flask client is created before sirepo.cookie is imported;
    # keep this order (the later import presumably depends on it -- confirm).
    srunit.flask_client()
    from sirepo import cookie
    cookie.init_mock()
    # 'x' is not a usable cookie header, so no sentinel is present yet.
    cookie.init('x')
    with pkunit.pkexcept('Unauthorized'):
        cookie.get_user()
    with pkunit.pkexcept('Unauthorized'):
        cookie.get_user(checked=False)
    cookie.set_sentinel()
    cookie.set_user('abc')
    cookie.set_value('hi', 'hello')
    # _Response is defined elsewhere in this file; from its use below it
    # appears to record the args/kwargs of the set-cookie call (confirm).
    r = _Response(status_code=200)
    cookie.save_to_cookie(r)
    # args[0] is the cookie name, args[1] the serialized cookie value.
    pkeq('sirepo_dev', r.args[0])
    # NOTE(review): this pins secure=False for the test configuration only;
    # presumably a production configuration sets the Secure attribute --
    # confirm, and do not read this assertion as the desired production value.
    pkeq(False, r.kwargs['secure'])
    pkeq('abc', cookie.get_user())
    cookie.clear_user()
    cookie.unchecked_remove('hi')
    # With the sentinel present and the user cleared, the unchecked
    # lookup returns None instead of raising.
    pkeq(None, cookie.get_user(checked=False))
    # Feed the saved value back in as a request cookie header.
    cookie.init('sirepo_dev={}'.format(r.args[1]))
    pkeq('hello', cookie.get_value('hi'))
    pkeq('abc', cookie.get_user())
def api_srUnit():
    """Run the test operation attached to the current flask app.

    The object stored on ``flask.current_app`` under
    ``SRUNIT_TEST_IN_REQUEST`` supplies ``want_cookie`` and ``op``.
    When ``want_cookie`` is true the cookie sentinel is set before
    ``op`` is called.

    Returns:
        str: always the empty string
    """
    # NOTE(review): this calls whatever callable was attached to the app;
    # confirm the route is only reachable when running under the unit tests.
    in_request = getattr(flask.current_app, SRUNIT_TEST_IN_REQUEST)
    if in_request.want_cookie:
        from sirepo import cookie

        cookie.set_sentinel()
    in_request.op()
    return ''
def _auth_hook_from_header(values):
    """Normalize cookie values that were just parsed from the request.

    Three outcomes are possible:

    * Current-format cookie (``_COOKIE_STATE`` present): returned as is,
      unless it names a method that is not in ``valid_methods``, in which
      case method, user and state are removed from ``values``.
    * No state and no legacy user id: ``_COOKIE_STATE`` is set to
      logged out and the values are returned.
    * Legacy cookie: a new dict in the current structure is built, the
      sentinel is set on it, and it replaces the old values. An
      unrecognized legacy login state yields an empty dict instead.

    Args:
        values (dict): just parsed values; may be modified in place

    Returns:
        dict: unmodified, reset, or migrated values
    """
    if values.get(_COOKIE_STATE):
        # Normal case: a cookie has been seen at least once.
        # Only a non-empty method is checked against the configuration;
        # a cookie with state but no method passes through unchanged.
        method = values.get(_COOKIE_METHOD)
        if method and method not in valid_methods:
            # Invalid method (configuration changed): reset the auth state.
            # NOTE(review): the full cookie contents, including the user id,
            # are written to the log here -- confirm that is acceptable.
            pkdlog(
                'possibly misconfigured server: invalid cookie_method={}, clearing values={}',
                method,
                values,
            )
            pkcollections.unchecked_del(
                values,
                _COOKIE_METHOD,
                _COOKIE_USER,
                _COOKIE_STATE,
            )
        return values

    # NOTE(review): the legacy user id is taken from the cookie as is;
    # presumably the caller has already authenticated/decrypted the cookie
    # before this hook runs -- confirm.
    legacy_uid = values.get('sru') or values.get('uid')
    if not legacy_uid:
        # Normal case: new visitor with no user and no state.
        values[_COOKIE_STATE] = _STATE_LOGGED_OUT
        return values

    # Migrate the legacy login state to a method and a state.
    legacy_login = values.get('sros') or values.get('oauth_login_state')
    if legacy_login is None or legacy_login in ('anonymous', 'a'):
        method, state = METHOD_GUEST, _STATE_COMPLETE_REGISTRATION
    elif legacy_login in ('logged_in', 'li'):
        method, state = 'github', _STATE_COMPLETE_REGISTRATION
    elif legacy_login in ('logged_out', 'lo'):
        method, state = 'github', _STATE_LOGGED_OUT
    else:
        # Unknown legacy state: drop everything rather than guess.
        pkdlog('unknown cookie values, clearing, not migrating: {}', values)
        return {}

    # Upgrade cookie to current structure. Set the sentinel, too.
    migrated = {
        _COOKIE_USER: legacy_uid,
        _COOKIE_METHOD: method,
        _COOKIE_STATE: state,
    }
    cookie.set_sentinel(migrated)
    pkdlog('migrated cookie={}', migrated)
    return migrated
def require_auth_basic():
    """Require HTTP Basic credentials and log the resulting user in.

    The 'basic' method module is validated and asked for a user. With a
    user id, the cookie sentinel is set and ``login`` is called, so the
    client does not need to have sent a cookie beforehand. Without one,
    the client is challenged.

    Raises:
        sirepo.util.Response: wraps a 401 response with a
            ``WWW-Authenticate: Basic`` header when no user id is returned
    """
    basic = _METHOD_MODULES['basic']
    _validate_method(basic)
    uid = basic.require_user()
    if uid:
        cookie.set_sentinel()
        login(basic, uid=uid)
        return
    # No credentials accepted: fail closed with a Basic challenge.
    challenge = sirepo.util.flask_app().response_class(
        status=401,
        headers={'WWW-Authenticate': 'Basic realm="*"'},
    )
    raise sirepo.util.Response(challenge)
def check_api_call(func):
    """Enforce the permission declared on an API function.

    Args:
        func (callable): API function carrying an ``api_perm.ATTR`` attribute

    Raises:
        sirepo.util.SRException: 'missingCookies' when a sentinel is
            required and the cookie has none
        AssertionError: the declared permission is not handled here
        AttributeError: ``func`` has no declared permission
    """
    # No default on getattr: an undecorated function fails closed.
    required = getattr(func, api_perm.ATTR)
    perms = api_perm.APIPerm

    if required in (perms.REQUIRE_COOKIE_SENTINEL, perms.REQUIRE_USER):
        # The sentinel is checked first, then the user.
        if not cookie.has_sentinel():
            raise sirepo.util.SRException('missingCookies', None)
        if required == perms.REQUIRE_USER:
            auth.require_user()
        return

    if required == perms.ALLOW_VISITOR:
        return

    if required in (
        perms.ALLOW_COOKIELESS_SET_USER,
        perms.ALLOW_COOKIELESS_REQUIRE_USER,
    ):
        # Cookieless entry points establish the sentinel themselves.
        cookie.set_sentinel()
        if required == perms.ALLOW_COOKIELESS_REQUIRE_USER:
            auth.require_user()
        return

    if required == perms.REQUIRE_AUTH_BASIC:
        auth.require_auth_basic()
        return

    # Explicit raise (not an assert statement), so an unknown permission
    # is rejected even when Python runs with -O.
    raise AssertionError('unhandled api_perm={}'.format(required))
def assert_api_call(func):
    """Check the permission declared on an API function against the cookie.

    Args:
        func (callable): API function carrying an ``api_perm.ATTR`` attribute

    Raises:
        AssertionError: the declared permission is not handled here
        AttributeError: ``func`` has no declared permission
    """
    # No default on getattr: an undecorated function fails closed.
    declared = getattr(func, api_perm.ATTR)
    perms = api_perm.APIPerm

    if declared == perms.REQUIRE_USER:
        # NOTE(review): only the presence of the sentinel is checked in this
        # function; whether a logged-in user is verified elsewhere is not
        # visible here -- confirm.
        if not cookie.has_sentinel():
            util.raise_unauthorized(
                'cookie does not have a sentinel: perm={} func={}',
                declared,
                func.__name__,
            )
        return

    if declared == perms.ALLOW_VISITOR:
        return

    if declared == perms.ALLOW_COOKIELESS_USER:
        cookie.set_sentinel()
        if login_module:
            login_module.allow_cookieless_user()
        return

    if declared == perms.ALLOW_LOGIN:
        #TODO(robnagler) need state so that set_user can happen
        cookie.set_sentinel()
        return

    # Explicit raise (not an assert statement), so an unknown permission
    # is rejected even when Python runs with -O.
    raise AssertionError('unexpected api_perm={}'.format(declared))