def test_log_activity__anonymous(self):
        from webidentity.views.user import log_activity

        session = DBSession()
        self.assertEquals(0, session.query(Activity).count())

        request = testing.DummyRequest()
        log_activity(request, Activity.LOGIN)
        self.assertEquals(0, session.query(Activity).count())
    def test_log_activity__with_url(self):
        from webidentity.views.user import log_activity

        self.config.testing_securitypolicy(userid=u"dokai")
        session = DBSession()
        self.assertEquals(0, session.query(Activity).count())
        user = User("dokai", "secret", "*****@*****.**")
        session.add(user)

        request = testing.DummyRequest(environ={"REMOTE_ADDR": "1.2.3.4"}, cookies={"auth_tkt": "sessiontoken"})
        log_activity(request, Activity.LOGIN, "http://www.rp.com")

        self.assertEquals(1, session.query(Activity).count())
        log_entry = session.query(Activity).first()
        self.assertEquals(user.id, log_entry.user_id)
        self.assertEquals("1.2.3.4", log_entry.ipaddr)
        self.assertEquals("sessiontoken", log_entry.session)
        self.assertEquals(Activity.LOGIN, log_entry.action)
        self.assertEquals("http://www.rp.com", log_entry.url)
예제 #3
0
def confirm(request):
    """Confirmation for an OpenID authentication request."""
    user = authenticated_user(request)
    if user is not None and 'form.submitted' in request.params:
        if request.POST.get('csrf_token') != request.session.get_csrf_token():
            raise Forbidden

        session = DBSession()
        result = session.query(CheckIdRequest)\
                    .filter_by(key=request.environ.get('repoze.browserid', ''))\
                    .first()

        if result is not None:
            openid_request = result.request
            session.delete(result)
        else:
            # TODO: Return an error message
            return HTTPBadRequest('Invalid confirmation request')

        if 'accept' in request.params:
            ax_attributes = get_ax_attributes(request)

            visit = session.query(VisitedSite)\
                        .join(User)\
                        .filter(User.id == user.id)\
                        .filter(VisitedSite.trust_root == openid_request.trust_root)\
                        .first()
            if visit is None:
                # This is the first time the user is visiting this RP
                visit = VisitedSite(openid_request.trust_root)
                user.visited_sites.append(visit)

            visit.remember = 'remember' in request.params

            try:
                persona_id = int(request.params.get('persona'))
                # Make sure that the referenced persona actually belongs to the user
                persona = session.query(Persona)\
                            .join(User)\
                            .filter(User.id == user.id)\
                            .filter(Persona.id == persona_id)\
                            .first()
                if persona is not None:
                    visit.persona = persona
            except (TypeError, ValueError):
                pass

            session.add(visit)

            identity = identity_url(request, user.username)
            openid_response = openid_request.answer(True, identity=identity)
            add_ax_response(openid_request, openid_response, ax_attributes)
            add_sreg_response(openid_request, openid_response, ax_attributes)

            if visit.remember:
                log_activity(request, Activity.AUTHORIZE, openid_request.trust_root)
            else:
                log_activity(request, Activity.AUTHORIZE_ONCE, openid_request.trust_root)

        else:
            log_activity(request, Activity.DENY, openid_request.trust_root)
            openid_response = openid_request.answer(False)

        store = AlchemyStore(session)
        openid_server = server.Server(store, route_url('openid_endpoint', request))

        response = webob_response(openid_server.encodeResponse(openid_response), request)
        response.headerlist.extend(forget(request))

        return response

    return HTTPBadRequest('Invalid confirmation request')