def test_log_activity__anonymous(self):
from webidentity.views.user import log_activity
session = DBSession()
self.assertEquals(0, session.query(Activity).count())
request = testing.DummyRequest()
log_activity(request, Activity.LOGIN)
self.assertEquals(0, session.query(Activity).count())
def test_log_activity__with_url(self):
from webidentity.views.user import log_activity
self.config.testing_securitypolicy(userid=u"dokai")
session = DBSession()
self.assertEquals(0, session.query(Activity).count())
user = User("dokai", "secret", "*****@*****.**")
session.add(user)
request = testing.DummyRequest(environ={"REMOTE_ADDR": "1.2.3.4"}, cookies={"auth_tkt": "sessiontoken"})
log_activity(request, Activity.LOGIN, "http://www.rp.com")
self.assertEquals(1, session.query(Activity).count())
log_entry = session.query(Activity).first()
self.assertEquals(user.id, log_entry.user_id)
self.assertEquals("1.2.3.4", log_entry.ipaddr)
self.assertEquals("sessiontoken", log_entry.session)
self.assertEquals(Activity.LOGIN, log_entry.action)
self.assertEquals("http://www.rp.com", log_entry.url)
def confirm(request):
"""Confirmation for an OpenID authentication request."""
user = authenticated_user(request)
if user is not None and 'form.submitted' in request.params:
if request.POST.get('csrf_token') != request.session.get_csrf_token():
raise Forbidden
session = DBSession()
result = session.query(CheckIdRequest)\
.filter_by(key=request.environ.get('repoze.browserid', ''))\
.first()
if result is not None:
openid_request = result.request
session.delete(result)
else:
# TODO: Return an error message
return HTTPBadRequest('Invalid confirmation request')
if 'accept' in request.params:
ax_attributes = get_ax_attributes(request)
visit = session.query(VisitedSite)\
.join(User)\
.filter(User.id == user.id)\
.filter(VisitedSite.trust_root == openid_request.trust_root)\
.first()
if visit is None:
# This is the first time the user is visiting this RP
visit = VisitedSite(openid_request.trust_root)
user.visited_sites.append(visit)
visit.remember = 'remember' in request.params
try:
persona_id = int(request.params.get('persona'))
# Make sure that the referenced persona actually belongs to the user
persona = session.query(Persona)\
.join(User)\
.filter(User.id == user.id)\
.filter(Persona.id == persona_id)\
.first()
if persona is not None:
visit.persona = persona
except (TypeError, ValueError):
pass
session.add(visit)
identity = identity_url(request, user.username)
openid_response = openid_request.answer(True, identity=identity)
add_ax_response(openid_request, openid_response, ax_attributes)
add_sreg_response(openid_request, openid_response, ax_attributes)
if visit.remember:
log_activity(request, Activity.AUTHORIZE, openid_request.trust_root)
else:
log_activity(request, Activity.AUTHORIZE_ONCE, openid_request.trust_root)
else:
log_activity(request, Activity.DENY, openid_request.trust_root)
openid_response = openid_request.answer(False)
store = AlchemyStore(session)
openid_server = server.Server(store, route_url('openid_endpoint', request))
response = webob_response(openid_server.encodeResponse(openid_response), request)
response.headerlist.extend(forget(request))
return response
return HTTPBadRequest('Invalid confirmation request')