def test_is_authenticated_header(self): auth = ApiKeyAuthentication() request = HttpRequest() # Simulate sending the signal. john_doe = User.objects.get(username='******') create_api_key(User, instance=john_doe, created=True) # No username/api_key details should fail. self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username details. request.META['HTTP_AUTHORIZATION'] = 'foo' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.META['HTTP_AUTHORIZATION'] = 'ApiKey daniel' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.META['HTTP_AUTHORIZATION'] = 'ApiKey daniel:pass' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. john_doe = User.objects.get(username='******') request.META['HTTP_AUTHORIZATION'] = 'ApiKey johndoe:%s' % john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True)
def test_is_authenticated_get_params(self): auth = ApiKeyAuthentication() request = HttpRequest() # Simulate sending the signal. john_doe = CustomUser.objects.get(pk=1) create_api_key(CustomUser, instance=john_doe, created=True) # No username/api_key details should fail. self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username (email) details. request.GET['username'] = '******' self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.GET['username'] = john_doe.email self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.GET['username'] = john_doe.email request.GET['api_key'] = 'foo' self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. ApiKey.objects.all().delete() create_api_key(CustomUser, instance=john_doe, created=True) request.GET['username'] = john_doe.email request.GET['api_key'] = john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True) self.assertEqual(auth.get_identifier(request), john_doe.email)
def test_is_authenticated(self): auth = ApiKeyAuthentication() request = HttpRequest() # Simulate sending the signal. john_doe = User.objects.get(username="******") create_api_key(User, instance=john_doe, created=True) # No username/api_key details should fail. self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username details. request.GET["username"] = "******" self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.GET["username"] = "******" self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.GET["username"] = "******" request.GET["api_key"] = "foo" self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. john_doe = User.objects.get(username="******") request.GET["username"] = "******" request.GET["api_key"] = john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True)
def test_is_authenticated_get_params(self): auth = ApiKeyAuthentication() request = HttpRequest() # Simulate sending the signal. john_doe = CustomUser.objects.get(pk=1) create_api_key(CustomUser, instance=john_doe, created=True) # No username/api_key details should fail. self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username (email) details. request.GET['username'] = '******' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.GET['username'] = john_doe.email self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.GET['username'] = john_doe.email request.GET['api_key'] = 'foo' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. ApiKey.objects.all().delete() create_api_key(CustomUser, instance=john_doe, created=True) request.GET['username'] = john_doe.email request.GET['api_key'] = john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True) self.assertEqual(auth.get_identifier(request), john_doe.email)
def test_is_authenticated(self): auth = ApiKeyAuthentication() request = HttpRequest() # No username/api_key details should fail. self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username details. request.GET['username'] = '******' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.GET['username'] = '******' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.GET['username'] = '******' request.GET['api_key'] = 'foo' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. john_doe = User.objects.get(username='******') john_doe.save() request.GET['username'] = '******' request.GET['api_key'] = john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True)
def test_is_authenticated(self): auth = ApiKeyAuthentication() request = HttpRequest() # No username/api_key details should fail. self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username details. request.GET['username'] = '******' self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.GET['username'] = '******' self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.GET['username'] = '******' request.GET['api_key'] = 'foo' self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. john_doe = User.objects.get(username='******') john_doe.save() request.GET['username'] = '******' request.GET['api_key'] = john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True)
def test_is_authenticated_get_params(self): auth = ApiKeyAuthentication() request = HttpRequest() # Simulate sending the signal. john_doe = User.objects.get(username='******') create_api_key(User, instance=john_doe, created=True) # No username/api_key details should fail. self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username details. request.GET['username'] = '******' self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.GET['username'] = '******' self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.GET['username'] = '******' request.GET['api_key'] = 'foo' self.assertEqual( isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. john_doe = User.objects.get(username='******') request.GET['username'] = '******' request.GET['api_key'] = john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True) self.assertEqual(auth.get_identifier(request), 'johndoe')
def test_is_authenticated_get_params(self): auth = ApiKeyAuthentication() request = HttpRequest() # Simulate sending the signal. john_doe = User.objects.get(username='******') create_api_key(User, instance=john_doe, created=True) # No username/api_key details should fail. self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username details. request.GET['username'] = '******' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.GET['username'] = '******' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.GET['username'] = '******' request.GET['api_key'] = 'foo' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. john_doe = User.objects.get(username='******') request.GET['username'] = '******' request.GET['api_key'] = john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True) self.assertEqual(auth.get_identifier(request), 'johndoe')
def test_check_active_true(self): auth = ApiKeyAuthentication() request = HttpRequest() bob_doe = User.objects.get(username='******') create_api_key(User, instance=bob_doe, created=True) create_api_key(User, instance=bob_doe, created=True) request.META['HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_keys.all()[0].key self.assertFalse(auth.is_authenticated(request)) request.META['HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_keys.all()[1].key self.assertFalse(auth.is_authenticated(request))
def image_view(request): if request.method != 'POST': return HttpResponse(status=HTML_METHOD_NOT_ALLOWED) auth = ApiKeyAuthentication() auth_result = auth.is_authenticated(request) if auth_result == False: return HttpResponse(status=HTML_UNAUTHORIZED) elif auth_result != True: return auth_result required_params = ['resource_id'] for r in required_params: if r not in request.POST: return HttpResponse(status=HTML_BADREQUEST, content='{ "error": "No ' + r + ' provided"}') if 'image_file' not in request.FILES: return HttpResponse(status=HTML_BADREQUEST, content='{ "error": "No image file provided"}') # check owner of resource resource_id = request.POST['resource_id'] try: resource = Resource.objects.get( create_user=request.user, pk=resource_id) except Resource.DoesNotExist: return HttpResponse(status=HTML_UNAUTHORIZED) # handle file upload resource.image = request.FILES['image_file'] resource.save() return HttpResponse(status=HTML_CREATED)
def monitor_cohort_progress_view(request, cohort_id, course_id): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse("Unauthorized", status=401) now = datetime.datetime.now() key = ApiKey.objects.get(user=request.user) request.user.key = key.key cohort = get_object_or_404( Cohort, pk=cohort_id, participant__user=request.user, participant__role=Participant.TEACHER, start_date__lte=now, end_date__gte=now, ) course = get_object_or_404(Course, coursecohort__cohort=cohort, pk=course_id) record_mobile_tracker(request, course, "monitor", '{"en": "progress"}') sections = Section.objects.filter(course=course, order__gt=0).order_by("order") section_list = {} for s in sections: section_list[s.id] = Activity.objects.filter(section=s).values("digest").distinct() participants = Participant.objects.filter(cohort=cohort, role=Participant.STUDENT).order_by("user__first_name") paginator = Paginator(participants, 25) # Make sure page request is an int. If not, deliver first page. try: page = int(request.GET.get("page", "1")) except ValueError: page = 1 try: students = paginator.page(page) for p in students: p.sections = [] for s in sections: user_completed = ( Tracker.objects.filter(user=p.user, completed=True, digest__in=section_list[s.id]) .values("digest") .distinct() ) user_started = ( Tracker.objects.filter(user=p.user, completed=False, digest__in=section_list[s.id]) .values("digest") .distinct() ) temp = { "completed": user_completed.count() * 100 / section_list[s.id].count(), "started": user_started.count() * 100 / section_list[s.id].count(), "section": s, } p.sections.append(temp) except (EmptyPage, InvalidPage): tracks = paginator.page(paginator.num_pages) return render_to_response( "oppia/mobile/monitor/progress.html", {"cohort": cohort, "course": course, "participants": students, "user": request.user}, context_instance=RequestContext(request), )
def scorecard_view(request): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse("Unauthorized", status=401) record_mobile_tracker(request, None, "scorecard", '{"en":"homepage"}') start_date = datetime.datetime.now() - datetime.timedelta(days=14) end_date = datetime.datetime.now() media = { "views": Tracker.activity_views(user=request.user, type="media", start_date=start_date, end_date=end_date), "secs": Tracker.activity_secs(user=request.user, type="media", start_date=start_date, end_date=end_date), "points": Points.media_points(user=request.user, start_date=start_date, end_date=end_date), } quiz = { "views": Tracker.activity_views(user=request.user, type="quiz", start_date=start_date, end_date=end_date), "secs": Tracker.activity_secs(user=request.user, type="quiz", start_date=start_date, end_date=end_date), "points": Points.quiz_points(user=request.user, start_date=start_date, end_date=end_date), } acts = { "views": Tracker.activity_views(user=request.user, type="page", start_date=start_date, end_date=end_date), "secs": Tracker.activity_secs(user=request.user, type="page", start_date=start_date, end_date=end_date), "points": Points.page_points(user=request.user, start_date=start_date, end_date=end_date), } total = { "views": acts["views"] + quiz["views"] + media["views"], "secs": acts["secs"] + quiz["secs"] + media["secs"], "points": acts["points"] + quiz["points"] + media["points"], } scorecard = {"media": media, "quiz": quiz, "acts": acts, "total": total} return render_to_response( "oppia/mobile/scorecard.html", {"scorecard": scorecard}, context_instance=RequestContext(request) )
def image_view(request): if request.method != 'POST': return HttpResponse(status=HTML_METHOD_NOT_ALLOWED) auth = ApiKeyAuthentication() auth_result = auth.is_authenticated(request) if auth_result == False: return HttpResponse(status=HTML_UNAUTHORIZED) elif auth_result != True: return auth_result required_params = ['resource_id'] for r in required_params: if r not in request.POST: return HttpResponse(status=HTML_BADREQUEST, content='{ "error": "No ' + r + ' provided"}') if 'image_file' not in request.FILES: return HttpResponse(status=HTML_BADREQUEST, content='{ "error": "No image file provided"}') # check owner of resource resource_id = request.POST['resource_id'] try: resource = Resource.objects.get( create_user=request.user, pk=resource_id) except Resource.DoesNotExist: return HttpResponse(status=HTML_UNAUTHORIZED) # handle file upload resource.image = request.FILES['image_file'] resource.save() return HttpResponse(status=HTML_CREATED)
def test_apikey_and_authentication_enforce_user(self): session_auth = SessionAuthentication() api_key_auth = ApiKeyAuthentication() auth = MultiAuthentication(api_key_auth, session_auth) john_doe = User.objects.get(username="******") request1 = HttpRequest() request2 = HttpRequest() request3 = HttpRequest() request1.method = "POST" request1.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"} request1.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"} request1.user = john_doe request2.POST["username"] = "******" request2.POST["api_key"] = "invalid key" request3.method = "POST" request3.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"} request3.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"} request3.user = john_doe request3.POST["username"] = "******" request3.POST["api_key"] = "invalid key" # session auth should pass if since john_doe is logged in self.assertEqual(session_auth.is_authenticated(request1), True) # api key auth should fail because of invalid api key self.assertEqual(isinstance(api_key_auth.is_authenticated(request2), HttpUnauthorized), True) # multi auth shouldn't change users if api key auth fails # multi auth passes since session auth is valid self.assertEqual(request3.user.username, "johndoe") self.assertEqual(auth.is_authenticated(request3), True) self.assertEqual(request3.user.username, "johndoe")
def auto(self, request, **kwargs): self.method_check(request, allowed=['post']) apikey_auth = ApiKeyAuthentication() if apikey_auth.is_authenticated(request) == True: data = self.deserialize(request, request.body, format=request.META.get('CONTENT_TYPE', 'application/json')) username = data.get('username', None) password = data.get('password', None) try: w = Weixin(username, password) w.login() user_dict = w.get_user_info() public_account = PublicAccount.objects.get_or_create( user=request.user, type=user_dict['type'], title=user_dict['title'], weixin_id=user_dict['weixin_id'], thumbnail_url=request.build_absolute_uri(user_dict['thumbnail_url']) )[0] public_account.save() public_account.callback_url = request.build_absolute_uri(public_account.callback_url) public_account.save() bundle = self.build_bundle(obj=public_account, request=request) bundle = self.full_dehydrate(bundle) return self.create_response(request, bundle) except Exception as e: return self.obj_create(request, {}, HttpBadRequest) else: return self.create_response(request, {}, HttpUnauthorized)
def dehydrate(self, bundle): bundle.data['url'] = bundle.obj.profile.get_absolute_url() # return full user data with follows and casted votes if hasattr(bundle.request, 'REQUEST') and 'user_full' in bundle.request.REQUEST: follows = [] follow_rsc = FollowResource() for f in DateaFollow.objects.filter(user=bundle.obj, published=True): f_bundle = follow_rsc.build_bundle(obj=f) f_bundle = follow_rsc.full_dehydrate(f_bundle) follows.append(f_bundle.data) bundle.data['follows'] = follows votes = [] vote_rsc = VoteResource() for v in DateaVote.objects.filter(user=bundle.obj): v_bundle = vote_rsc.build_bundle(obj=v) v_bundle = vote_rsc.full_dehydrate(v_bundle) votes.append(v_bundle.data) bundle.data['votes'] = votes if 'with_action_ids' in bundle.request.REQUEST: bundle.data['actions'] = [a.id for a in DateaAction.objects.filter(user=bundle.obj)] if 'api_key' in bundle.request.REQUEST: keyauth = ApiKeyAuthentication() if keyauth.is_authenticated(bundle.request): if bundle.request.user and bundle.request.user == bundle.obj: bundle.data['email'] = bundle.obj.email return bundle
def readability(request, pk): # Support both API key and session authentication if request.method != 'POST': return HttpResponseForbidden() if not request.user.is_authenticated(): auth = ApiKeyAuthentication() auth._unauthorized = lambda: False if not auth.is_authenticated(request): return HttpResponseForbidden() url = request.POST.get('url') if not url: return HttpResponseForbidden() publication = get_object_or_404(Publication, pk=pk) r = Readability.objects.create(url=url, publication=publication) tasks.parse_readability.delay(r) Meter('chrome.submitted').inc() return HttpResponse()
def change_password(self, request, **kwargs): self.method_check(request, allowed=['post']) apikey_auth = ApiKeyAuthentication() if apikey_auth.is_authenticated(request) == True: data = self.deserialize(request, request.body, format=request.META.get('CONTENT_TYPE', 'application/json')) if request.user.has_usable_password(): password_change_form = ChangePasswordForm(request.user, data) else: password_change_form = SetPasswordForm(request.user, data) if password_change_form.is_valid(): password_change_form.save() response_data = {'status': "success"} if request.user.is_authenticated(): logout(request) else: if request.user.is_authenticated(): logout(request) return self.create_response(request, { 'error': password_change_form.errors, }, HttpBadRequest) return HttpResponse(json.dumps(response_data), mimetype='application/json')
def attachment_upload(self, request, **kwargs): self.method_check(request, allowed=['post']) apikey_auth = ApiKeyAuthentication() if apikey_auth.is_authenticated(request) == True: if request.user.is_staff: if 'multipart/form-data' not in str(request.META['CONTENT_TYPE']): return self.create_response(request, { 'error': 'Unsupported media type', }, HttpBadRequest) else: if ('file' in request.FILES): file = request.FILES['file'] name = request.POST.get('name', file.name) attachment = Attachment(user=request.user, name=name, file=file) attachment.save() return self.create_response( request, {'id': attachment.id, 'url': request.build_absolute_uri(attachment.file.url)}) else: return self.create_response(request, { 'error': 'No file found', }, HttpBadRequest) else: return self.create_response(request, {}, HttpUnauthorized)
def me(self, request, **kwargs): self.method_check(request, allowed=['post']) apikey_auth = ApiKeyAuthentication() if apikey_auth.is_authenticated(request) == True: return self.generate_response(request, request.user) else: return self.create_response(request, {}, HttpUnauthorized)
def logout(self, request, **kwargs): auth = ApiKeyAuthentication() self.method_check(request, allowed=['post']) if auth.is_authenticated(request): logout(request) return self.create_response(request, { 'success': True }) else: return self.create_response(request, { 'success': False }, HttpUnauthorized)
def test_check_active_true(self): auth = ApiKeyAuthentication() request = HttpRequest() bob_doe = User.objects.get(username='******') create_api_key(User, instance=bob_doe, created=True) request.META['HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_key.key self.assertFalse(auth.is_authenticated(request))
def test_check_active_true(self): auth = ApiKeyAuthentication() request = HttpRequest() bob_doe = User.objects.get(username="******") create_api_key(User, instance=bob_doe, created=True) request.META["HTTP_AUTHORIZATION"] = "ApiKey bobdoe:%s" % bob_doe.api_key.key self.assertEqual(auth.is_authenticated(request), False)
def logout(self, request, **kwargs): auth = ApiKeyAuthentication() self.method_check(request, allowed=['post']) if auth.is_authenticated(request): logout(request) return self.create_response(request, {'success': True}) else: return self.create_response(request, {'success': False}, HttpUnauthorized)
def monitor_cohort_student_view(request,cohort_id, student_id): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse('Unauthorized', status=401) now = datetime.datetime.now() key = ApiKey.objects.get(user = request.user) request.user.key = key.key cohort = get_object_or_404(Cohort, pk=cohort_id, participant__user=request.user, participant__role=Participant.TEACHER, start_date__lte=now,end_date__gte=now) raise Http404
def test_check_active_true(self): user_class = get_user_model() auth = ApiKeyAuthentication() request = HttpRequest() bob_doe = user_class.objects.get(**{user_class.USERNAME_FIELD: 'bobdoe'}) create_api_key(User, instance=bob_doe, created=True) request.META['HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_key.key self.assertFalse(auth.is_authenticated(request))
def monitor_cohort_student_view(request,cohort_id, student_id): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse('Unauthorized', status=401) now = datetime.datetime.now() key = ApiKey.objects.get(user = request.user) request.user.key = key.key cohort = get_object_or_404(Cohort, pk=cohort_id, participant__user=request.user, participant__role=Participant.TEACHER, start_date__lte=now,end_date__gte=now) raise Http404
class ApiKeyAuthenticationTestCase(FixtureTestCase): def setUp(self): super(ApiKeyAuthenticationTestCase, self).setUp() ApiKey.objects.all().delete() self.auth = ApiKeyAuthentication() self.request = HttpRequest() # Simulate sending the signal. user = User.objects.get(username='******') create_api_key(User, instance=user, created=True) def test_is_not_authenticated(self): """Should return HttpUnauthorized when incorrect credentials are given""" # No username/api_key details self.assertEqual( isinstance(self.auth.is_authenticated(self.request), HttpUnauthorized), True) # Wrong username details. self.request.GET['username'] = '******' self.assertEqual( isinstance(self.auth.is_authenticated(self.request), HttpUnauthorized), True) # No api_key. self.request.GET['username'] = '******' self.assertEqual( isinstance(self.auth.is_authenticated(self.request), HttpUnauthorized), True) # Wrong user/api_key. self.request.GET['username'] = '******' self.request.GET['api_key'] = 'foo' self.assertEqual( isinstance(self.auth.is_authenticated(self.request), HttpUnauthorized), True) def test_is_authenticated(self): """Should correctly authenticate when using an existing user and key""" # Correct user/api_key. user = User.objects.get(username='******') self.request.GET['username'] = '******' self.request.GET['api_key'] = user.api_key.key self.assertEqual(self.auth.is_authenticated(self.request), True)
def test_check_active_true(self): user_class = get_user_model() auth = ApiKeyAuthentication() request = HttpRequest() bob_doe = user_class.objects.get( **{user_class.USERNAME_FIELD: 'bobdoe'}) create_api_key(User, instance=bob_doe, created=True) request.META[ 'HTTP_AUTHORIZATION'] = 'ApiKey bobdoe:%s' % bob_doe.api_key.key self.assertFalse(auth.is_authenticated(request))
class ApiKeyAuthenticationTestCase(FixtureTestCase): def setUp(self): super(ApiKeyAuthenticationTestCase, self).setUp() ApiKey.objects.all().delete() self.auth = ApiKeyAuthentication() self.request = HttpRequest() # Simulate sending the signal. user = User.objects.get(username='******') create_api_key(User, instance=user, created=True) def test_is_not_authenticated(self): """Should return HttpUnauthorized when incorrect credentials are given""" # No username/api_key details self.assertEqual(isinstance( self.auth.is_authenticated(self.request), HttpUnauthorized), True) # Wrong username details. self.request.GET['username'] = '******' self.assertEqual(isinstance( self.auth.is_authenticated(self.request), HttpUnauthorized), True) # No api_key. self.request.GET['username'] = '******' self.assertEqual(isinstance( self.auth.is_authenticated(self.request), HttpUnauthorized), True) # Wrong user/api_key. self.request.GET['username'] = '******' self.request.GET['api_key'] = 'foo' self.assertEqual(isinstance( self.auth.is_authenticated(self.request), HttpUnauthorized), True) def test_is_authenticated(self): """Should correctly authenticate when using an existing user and key""" # Correct user/api_key. user = User.objects.get(username='******') self.request.GET['username'] = '******' self.request.GET['api_key'] = user.api_key.key self.assertEqual(self.auth.is_authenticated(self.request), True)
def disconnect_socialaccount(self, request, provider, **kwargs): self.method_check(request, allowed=['post']) apikey_auth = ApiKeyAuthentication() if apikey_auth.is_authenticated(request) == True: user_provider_tokens = SocialToken.objects.filter(user=request.user, app__provider=provider) if user_provider_tokens: user_provider_tokens.delete() response_data = {'status': "success"} return HttpResponse(json.dumps(response_data), mimetype='application/json')
def test_is_authenticated_header(self): auth = ApiKeyAuthentication() request = HttpRequest() # Simulate sending the signal. john_doe = User.objects.get(username='******') create_api_key(User, instance=john_doe, created=True) # No username/api_key details should fail. self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username details. request.META['HTTP_AUTHORIZATION'] = 'foo' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.META['HTTP_AUTHORIZATION'] = 'ApiKey daniel' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.META['HTTP_AUTHORIZATION'] = 'ApiKey daniel:pass' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. john_doe = User.objects.get(username='******') request.META['HTTP_AUTHORIZATION'] = 'ApiKey johndoe:%s' % john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True) # Capitalization shouldn't matter. john_doe = User.objects.get(username='******') request.META['HTTP_AUTHORIZATION'] = 'aPiKeY johndoe:%s' % john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True)
def test_is_authenticated_header(self): auth = ApiKeyAuthentication() request = HttpRequest() # Simulate sending the signal. john_doe = User.objects.get(username="******") create_api_key(User, instance=john_doe, created=True) # No username/api_key details should fail. self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username details. request.META["HTTP_AUTHORIZATION"] = "foo" self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.META["HTTP_AUTHORIZATION"] = "ApiKey daniel" self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.META["HTTP_AUTHORIZATION"] = "ApiKey daniel:pass" self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. john_doe = User.objects.get(username="******") request.META["HTTP_AUTHORIZATION"] = "ApiKey johndoe:%s" % john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True) # Capitalization shouldn't matter. john_doe = User.objects.get(username="******") request.META["HTTP_AUTHORIZATION"] = "aPiKeY johndoe:%s" % john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True)
def test_is_authenticated_header(self): user_class = get_user_model() auth = ApiKeyAuthentication() request = HttpRequest() # Simulate sending the signal. john_doe = user_class.objects.get(**{user_class.USERNAME_FIELD: 'johndoe'}) create_api_key(User, instance=john_doe, created=True) # No username/api_key details should fail. self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong username details. request.META['HTTP_AUTHORIZATION'] = 'foo' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # No api_key. request.META['HTTP_AUTHORIZATION'] = 'ApiKey daniel' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Wrong user/api_key. request.META['HTTP_AUTHORIZATION'] = 'ApiKey daniel:pass' self.assertEqual(isinstance(auth.is_authenticated(request), HttpUnauthorized), True) # Correct user/api_key. john_doe = user_class.objects.get(**{user_class.USERNAME_FIELD: 'johndoe'}) request.META['HTTP_AUTHORIZATION'] = 'ApiKey johndoe:%s' % john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True) # Capitalization shouldn't matter. john_doe = user_class.objects.get(**{user_class.USERNAME_FIELD: 'johndoe'}) request.META['HTTP_AUTHORIZATION'] = 'aPiKeY johndoe:%s' % john_doe.api_key.key self.assertEqual(auth.is_authenticated(request), True)
def test_whitelisting(self): auth = ApiKeyAuthentication(whitelisted_methods=['a_method']) request = HttpRequest() # Simulate sending the signal. john_doe = User.objects.get(username='******') create_api_key(User, instance=john_doe, created=True) # Calling with a whitelisted method_name without credentials should work self.assertEqual(auth.is_authenticated(request, method_name='a_method'), True) # Calling any other method should require the Api Key self.assertEqual(isinstance(auth.is_authenticated(request, method_name='another_method'), HttpUnauthorized), True) # Correct user/api_key john_doe = User.objects.get(username='******') request.GET['username'] = '******' request.GET['api_key'] = john_doe.api_key.key self.assertEqual(auth.is_authenticated(request, method_name="another_method"), True) self.assertEqual(auth.get_identifier(request), 'johndoe') self.assertEqual(auth.is_authenticated(request, method_name="a_method"), True) self.assertEqual(auth.get_identifier(request), 'johndoe')
def authenticate_request(request): api_auth = ApiKeyAuthentication() authorized = api_auth.is_authenticated(request) if authorized == True: client_ip = request.META['REMOTE_ADDR'] whitelist = helpers.get_setting('api_whitelist', '127.0.0.1').split("\r\n") try: whitelist.index(client_ip) return True except: pass return False
def monitor_home_view(request): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse('Unauthorized', status=401) record_mobile_tracker(request,None,'monitor','{"en":"homepage"}') # find courses this user is a teacher on now = datetime.datetime.now() cohorts = Cohort.objects.filter(participant__user=request.user, participant__role=Participant.TEACHER, start_date__lte=now,end_date__gte=now) key = ApiKey.objects.get(user = request.user) request.user.key = key.key return render_to_response('oppia/mobile/monitor/home.html',{ 'cohorts_list':cohorts, 'user': request.user }, context_instance=RequestContext(request))
def monitor_cohort_quizzes_view(request, cohort_id, course_id): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse("Unauthorized", status=401) now = datetime.datetime.now() key = ApiKey.objects.get(user=request.user) request.user.key = key.key cohort = get_object_or_404( Cohort, pk=cohort_id, participant__user=request.user, participant__role=Participant.TEACHER, start_date__lte=now, end_date__gte=now, ) course = get_object_or_404(Course, coursecohort__cohort=cohort, pk=course_id) record_mobile_tracker(request, course, "monitor", '{"en": "quizzes"}') quizzes = Activity.objects.filter(section__course=course, type="quiz").order_by("section__order") participants = Participant.objects.filter(cohort=cohort, role=Participant.STUDENT).order_by("user__first_name") paginator = Paginator(participants, 25) # Make sure page request is an int. If not, deliver first page. try: page = int(request.GET.get("page", "1")) except ValueError: page = 1 try: students = paginator.page(page) for p in students: p.quizzes = [] for quiz in quizzes: completed = False if Tracker.objects.filter(user=p.user, digest=quiz.digest, completed=True).count() > 0: completed = True started = False if Tracker.objects.filter(user=p.user, digest=quiz.digest, completed=False).count() > 0: started = True temp = {"quiz": quiz, "completed": completed, "started": started} p.quizzes.append(temp) except (EmptyPage, InvalidPage): tracks = paginator.page(paginator.num_pages) return render_to_response( "oppia/mobile/monitor/quizzes.html", {"cohort": cohort, "course": course, "participants": students, "user": request.user}, context_instance=RequestContext(request), )
def authenticate_request(request): api_auth = ApiKeyAuthentication() authorized = api_auth.is_authenticated(request) if authorized == True: client_ip = request.META['REMOTE_ADDR'] whitelist = helpers.get_setting('api_whitelist', '127.0.0.1').split("\r\n") try: whitelist.index(client_ip) return True except: pass return False
def chrome_extension(request): # Support both API key and session authentication if not request.user.is_authenticated(): auth = ApiKeyAuthentication() auth._unauthorized = lambda: False if not auth.is_authenticated(request): return HttpResponseForbidden() groups = request.user.get_groups() Meter('chrome.clicked').inc() return { 'groups': groups }
def authenticate_request(request): error = None api_auth = ApiKeyAuthentication() authorized = api_auth.is_authenticated(request) # 'authorized' can be True, False or tastypie.http.HttpUnauthorized # Check explicitly for True, not just truthiness if authorized is True: client_ip = request.META['REMOTE_ADDR'] whitelist = helpers.get_setting('api_whitelist', '127.0.0.1').split() if client_ip not in whitelist: error = 'Host/IP ' + client_ip + ' not authorized.' else: error = 'API key not valid.' return error
def monitor_home_view(request): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse('Unauthorized', status=401) record_mobile_tracker(request,None,'monitor','{"en":"homepage"}') # find courses this user is a teacher on now = datetime.datetime.now() cohorts = Cohort.objects.filter(participant__user=request.user, participant__role=Participant.TEACHER, start_date__lte=now, end_date__gte=now) cohorts_list = [] for cohort in cohorts: courses = Course.objects.filter(coursecohort__cohort=cohort).order_by('title') cohorts_list.append([cohort,courses]) key = ApiKey.objects.get(user = request.user) request.user.key = key.key return render_to_response('oppia/mobile/monitor/home.html',{ 'cohorts_list':cohorts_list, 'user': request.user }, context_instance=RequestContext(request))
def authenticate_request(request): error = None api_auth = ApiKeyAuthentication() authorized = api_auth.is_authenticated(request) if authorized == True: client_ip = request.META['REMOTE_ADDR'] whitelist = helpers.get_setting('api_whitelist', '127.0.0.1').split("\r\n") try: whitelist.index(client_ip) return except: error = 'Host/IP ' + client_ip + ' not authorized.' else: error = 'API key not valid.' return error
def authenticate_request(request): error = None api_auth = ApiKeyAuthentication() authorized = api_auth.is_authenticated(request) if authorized == True: client_ip = request.META['REMOTE_ADDR'] whitelist = helpers.get_setting('api_whitelist', '127.0.0.1').split("\r\n") try: whitelist.index(client_ip) return except: error = 'Host/IP ' + client_ip + ' not authorized.' else: error = 'API key not valid.' return error
def test_apikey_and_authentication_enforce_user(self): session_auth = SessionAuthentication() api_key_auth = ApiKeyAuthentication() auth = MultiAuthentication(api_key_auth, session_auth) john_doe = User.objects.get(username='******') request1 = HttpRequest() request2 = HttpRequest() request3 = HttpRequest() request1.method = 'POST' request1.META = { 'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890' } request1.COOKIES = { settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890' } request1.user = john_doe request2.POST['username'] = '******' request2.POST['api_key'] = 'invalid key' request3.method = 'POST' request3.META = { 'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890' } request3.COOKIES = { settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890' } request3.user = john_doe request3.POST['username'] = '******' request3.POST['api_key'] = 'invalid key' # session auth should pass if since john_doe is logged in self.assertTrue(session_auth.is_authenticated(request1)) # api key auth should fail because of invalid api key self.assertEqual( isinstance(api_key_auth.is_authenticated(request2), HttpUnauthorized), True) # multi auth shouldn't change users if api key auth fails # multi auth passes since session auth is valid self.assertEqual(request3.user.username, 'johndoe') self.assertTrue(auth.is_authenticated(request3)) self.assertEqual(request3.user.username, 'johndoe')
def is_authenticated(self, request, **kwargs): # noqa # too complex ''' handles backends explicitly so that it can return False when credentials are given but wrong and return Anonymous User when credentials are not given or the session has expired (web use). ''' auth_info = request.META.get('HTTP_AUTHORIZATION') if 'HTTP_AUTHORIZATION' not in request.META: if hasattr(request.user, 'allowed_tokens'): tokens = request.user.allowed_tokens session_auth = SessionAuthentication() check = session_auth.is_authenticated(request, **kwargs) if check: if isinstance(check, HttpUnauthorized): session_auth_result = False else: request._authentication_backend = session_auth session_auth_result = check else: request.user = AnonymousUser() session_auth_result = True request.user.allowed_tokens = tokens return session_auth_result else: if auth_info.startswith('Basic'): basic_auth = BasicAuthentication() check = basic_auth.is_authenticated(request, **kwargs) if check: if isinstance(check, HttpUnauthorized): return False else: request._authentication_backend = basic_auth return check if auth_info.startswith('ApiKey'): apikey_auth = ApiKeyAuthentication() check = apikey_auth.is_authenticated(request, **kwargs) if check: if isinstance(check, HttpUnauthorized): return False else: request._authentication_backend = apikey_auth return check
def is_authenticated(self, request, **kwargs): # noqa # too complex ''' handles backends explicitly so that it can return False when credentials are given but wrong and return Anonymous User when credentials are not given or the session has expired (web use). ''' auth_info = request.META.get('HTTP_AUTHORIZATION') if 'HTTP_AUTHORIZATION' not in request.META: if hasattr(request.user, 'allowed_tokens'): tokens = request.user.allowed_tokens session_auth = SessionAuthentication() check = session_auth.is_authenticated(request, **kwargs) if check: if isinstance(check, HttpUnauthorized): session_auth_result = False else: request._authentication_backend = session_auth session_auth_result = check else: request.user = AnonymousUser() session_auth_result = True request.user.allowed_tokens = tokens return session_auth_result else: if auth_info.startswith('Basic'): basic_auth = BasicAuthentication() check = basic_auth.is_authenticated(request, **kwargs) if check: if isinstance(check, HttpUnauthorized): return False else: request._authentication_backend = basic_auth return check if auth_info.startswith('ApiKey'): apikey_auth = ApiKeyAuthentication() check = apikey_auth.is_authenticated(request, **kwargs) if check: if isinstance(check, HttpUnauthorized): return False else: request._authentication_backend = apikey_auth return check
def get(self,request): obj=ApiKeyAuthentication() try: username_from_request=request.META['HTTP_USERNAME'] password=request.META['HTTP_PASSWORD'] if username_from_request is not None and password is not None: user=authenticate(username=username_from_request,password=password) if user is not None: is_auth=obj.is_authenticated(request) if is_auth: return HttpResponse(status=200,content_type='application/json') else: return HttpResponse(status=200,content_type='application/json') else: return HttpResponse(status=401,content_type='application/json') else: return HttpResponse(status=401,content_type='application/json') except(KeyError): return HttpResponse(status=400,content_type='application/json')
def monitor_cohort_quizzes_view(request, cohort_id, course_id): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse('Unauthorized', status=401) now = datetime.datetime.now() key = ApiKey.objects.get(user = request.user) request.user.key = key.key cohort = get_object_or_404(Cohort, pk=cohort_id, participant__user=request.user, participant__role=Participant.TEACHER, start_date__lte=now,end_date__gte=now) course = get_object_or_404(Course, coursecohort__cohort=cohort, pk=course_id) record_mobile_tracker(request, course, 'monitor','{"en": "quizzes"}') quizzes = Activity.objects.filter(section__course=course,type='quiz').order_by('section__order') participants = Participant.objects.filter(cohort=cohort,role=Participant.STUDENT).order_by('user__first_name') paginator = Paginator(participants, 25) # Make sure page request is an int. If not, deliver first page. try: page = int(request.GET.get('page', '1')) except ValueError: page = 1 try: students = paginator.page(page) for p in students: p.quizzes = [] for quiz in quizzes: completed = False if Tracker.objects.filter(user=p.user, digest=quiz.digest,completed=True).count() > 0: completed = True started = False if Tracker.objects.filter(user=p.user, digest=quiz.digest,completed=False).count() > 0: started = True temp = { 'quiz': quiz, 'completed': completed, 'started': started} p.quizzes.append(temp) except (EmptyPage, InvalidPage): tracks = paginator.page(paginator.num_pages) return render_to_response('oppia/mobile/monitor/quizzes.html',{ 'cohort':cohort, 'course': course, 'participants': students, 'user': request.user }, context_instance=RequestContext(request))
def monitor_cohort_progress_view(request,cohort_id, course_id): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse('Unauthorized', status=401) now = datetime.datetime.now() key = ApiKey.objects.get(user = request.user) request.user.key = key.key cohort = get_object_or_404(Cohort, pk=cohort_id, participant__user=request.user, participant__role=Participant.TEACHER, start_date__lte=now,end_date__gte=now) course = get_object_or_404(Course, coursecohort__cohort=cohort, pk=course_id) record_mobile_tracker(request,course,'monitor','{"en": "progress"}') sections = Section.objects.filter(course=course,order__gt=0).order_by('order') section_list = {} for s in sections: section_list[s.id] = Activity.objects.filter(section=s).values('digest').distinct() participants = Participant.objects.filter(cohort=cohort, role=Participant.STUDENT).order_by('user__first_name') paginator = Paginator(participants, 25) # Make sure page request is an int. If not, deliver first page. try: page = int(request.GET.get('page', '1')) except ValueError: page = 1 try: students = paginator.page(page) for p in students: p.sections = [] for s in sections: user_completed = Tracker.objects.filter(user=p.user,completed=True,digest__in=section_list[s.id]).values('digest').distinct() user_started = Tracker.objects.filter(user=p.user,completed=False,digest__in=section_list[s.id]).values('digest').distinct() temp = {'completed': user_completed.count()*100/section_list[s.id].count(), 'started':user_started.count()*100/section_list[s.id].count(), 'section': s} p.sections.append(temp) except (EmptyPage, InvalidPage): tracks = paginator.page(paginator.num_pages) return render_to_response('oppia/mobile/monitor/progress.html',{ 'cohort':cohort, 'course': course, 'participants': students, 'user': request.user }, context_instance=RequestContext(request))
def file_view(request): if request.method != 'POST': return HttpResponse(status=HTML_METHOD_NOT_ALLOWED) auth = ApiKeyAuthentication() auth_result = auth.is_authenticated(request) if auth_result == False: return HttpResponse(status=HTML_UNAUTHORIZED) elif auth_result != True: return auth_result required_params = ['resource_id', 'title', 'description', 'order_by'] for r in required_params: if r not in request.POST: return HttpResponse(status=HTML_BADREQUEST, content='{ "error": "No ' + r + ' provided"}') if 'resource_file' not in request.FILES: return HttpResponse(status=HTML_BADREQUEST, content='{ "error": "No resource file provided"}') # check owner of resource resource_id = request.POST['resource_id'] try: resource = Resource.objects.get( create_user=request.user, pk=resource_id) except Resource.DoesNotExist: return HttpResponse(status=HTML_UNAUTHORIZED) rf = ResourceFile() rf.title = request.POST['title'] rf.resource = resource rf.create_user = request.user rf.update_user = request.user rf.file = request.FILES['resource_file'] rf.description = request.POST['description'] rf.order_by = request.POST['order_by'] rf.save() return HttpResponse(status=HTML_CREATED)
def scorecard_view(request): auth = ApiKeyAuthentication() if auth.is_authenticated(request) is not True: return HttpResponse('Unauthorized', status=401) record_mobile_tracker(request,None,'scorecard','{"en":"homepage"}') start_date = datetime.datetime.now() - datetime.timedelta(days=14) end_date = datetime.datetime.now() media = {'views':Tracker.activity_views(user=request.user,type='media',start_date=start_date,end_date=end_date), 'secs':Tracker.activity_secs(user=request.user,type='media',start_date=start_date,end_date=end_date), 'points':Points.media_points(user=request.user,start_date=start_date,end_date=end_date)} quiz = {'views':Tracker.activity_views(user=request.user,type='quiz',start_date=start_date,end_date=end_date), 'secs':Tracker.activity_secs(user=request.user,type='quiz',start_date=start_date,end_date=end_date), 'points':Points.quiz_points(user=request.user,start_date=start_date,end_date=end_date)} acts = {'views':Tracker.activity_views(user=request.user,type='page',start_date=start_date,end_date=end_date), 'secs':Tracker.activity_secs(user=request.user,type='page',start_date=start_date,end_date=end_date), 'points':Points.page_points(user=request.user,start_date=start_date,end_date=end_date)} total = {'views':acts['views'] + quiz['views'] + media['views'], 'secs': acts['secs'] + quiz['secs'] + media['secs'], 'points': acts['points'] + quiz['points'] + media['points'],} scorecard = {'media':media, 'quiz':quiz, 'acts':acts, 'total': total} return render_to_response('oppia/mobile/scorecard.html',{ 'scorecard':scorecard }, context_instance=RequestContext(request))
def get(self, request): authentication = ApiKeyAuthentication() if authentication.is_authenticated(request) is not True: return Response(Respostas.NAO_AUTORIZADO.value)