def run():
    """
    Verify the password supplied for C{self.username} and, on success,
    issue encrypted access and renewal tokens for the C{u'anon'} consumer.

    @raise TBadRequest: If the request did not arrive over HTTPS and the
        server is not in development mode.
    @raise TNoSuchUser: If C{self.username} does not name a known user.
    @return: A C{dict} with C{'valid': False} when the password does not
        match C{user.passwordHash}, otherwise C{'valid': True} together
        with the user's fullname, role and the two encrypted tokens.
    """
    # The body carries a password, so plaintext transport is refused
    # unless the server is explicitly running in development mode.
    insecureTransport = not request.isSecure()
    if insecureTransport and not getDevelopmentMode():
        raise TBadRequest(
            '/users/<username>/verify requests must use HTTPS')

    payload = registry.checkRequest(usage, request)
    username = self.username.decode('utf-8')
    user = cachingGetUser(username)
    # NOTE(review): an unknown username surfaces as TNoSuchUser while a
    # wrong password yields {'valid': False}, so the two outcomes are
    # distinguishable to the caller; kept as-is since callers may rely
    # on the exception type.
    if not user:
        raise TNoSuchUser(self.username)

    if not checkPassword(payload['password'], user.passwordHash):
        return {'valid': False}

    # FIXME Hard-coding the 'anon' consumer here isn't great,
    # but for now it means we don't have to change the public
    # API. -jkakar
    consumerApi = OAuthConsumerAPI()
    anonConsumer = cachingGetUser(u'anon')
    access = consumerApi.getAccessToken(anonConsumer, user)
    renewal = consumerApi.getRenewalToken(anonConsumer, user)
    return {
        'accessToken': access.encrypt(),
        'fullname': user.fullname,
        'renewalToken': renewal.encrypt(),
        'role': str(user.role),
        'valid': True,
    }
def testRequestAvatarId(self):
    """
    L{FacadeOAuthChecker.requestAvatarId} yields a L{FluidinfoSession}
    whose C{auth} identifies the user the access token was issued for,
    given OAuth credentials carrying a valid HMAC-SHA1 signature.
    """
    accounts = [(u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
                (u'user', u'secret', u'User', u'*****@*****.**')]
    UserAPI().create(accounts)
    consumerAccount = getUser(u'consumer')
    endUser = getUser(u'user')
    consumerApi = OAuthConsumerAPI()
    registeredConsumer = consumerApi.register(consumerAccount)
    accessToken = consumerApi.getAccessToken(consumerAccount, endUser)
    self.store.commit()

    url = u'https://fluidinfo.com/foo'
    headers = {'header1': 'foo'}
    # FIXME This isn't ideal. It'd be better to use a hard-coded
    # signature, because then we'd know when something changed. It's hard
    # to do that, though, because the encrypted token generated by
    # fluiddb.util.minitoken is always different. -jkakar
    signedRequest = Request.from_request('GET', url, headers,
                                         {'argument1': 'bar'})
    signature = SignatureMethod_HMAC_SHA1().sign(signedRequest,
                                                 registeredConsumer, None)
    credentials = OAuthCredentials(
        'fluidinfo.com', consumerAccount.username, accessToken.encrypt(),
        'HMAC-SHA1', signature, 1314976811, 'nonce', 'GET', url, headers,
        'argument1=bar')

    session = yield self.checker.requestAvatarId(credentials)
    self.assertEqual(endUser.username, session.auth.username)
    self.assertEqual(endUser.objectID, session.auth.objectID)
def testAuthenticateOAuth(self):
    """
    L{OAuthConsumerAPI.authenticate} returns the L{User} an access token
    was issued for when given valid L{OAuthCredentials}.

    As with OAuth Echo, the consumer presents a token that lets it act on
    behalf of a particular user.  The consumer is registered with a fixed
    secret so that a hard-coded signature can be used.
    """
    UserAPI().create(
        [(u'consumer', u'password', u'Consumer', u'*****@*****.**')])
    UserAPI().create([(u'user', u'secret', u'User', u'*****@*****.**')])
    consumerAccount = getUser(u'consumer')
    endUser = getUser(u'user')
    consumerApi = OAuthConsumerAPI()
    consumerApi.register(consumerAccount, secret='abyOTsAfo9MVN0qz')
    accessToken = consumerApi.getAccessToken(consumerAccount, endUser)

    headers = {'header1': 'foo'}
    # Presumably valid only for this secret/timestamp/nonce/URL combination.
    fixedSignature = 'Sno1ocDhYv9vwJnEJATE3cmUvSo='
    credentials = OAuthCredentials(
        'fluidinfo.com', consumerAccount.username, accessToken.encrypt(),
        'HMAC-SHA1', fixedSignature, 1314976811, 'nonce', 'GET',
        u'https://fluidinfo.com/foo', headers, 'argument1=bar')

    authenticated = consumerApi.authenticate(credentials)
    self.assertIdentical(endUser, authenticated)
def testAuthenticateUserWithOAuthIncorrectSignature(self):
    """
    L{FacadeAuthMixin.authenticateUserWithOAuth} fails with
    L{TPasswordIncorrect} when the OAuth signature does not verify.
    """
    accounts = [(u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
                (u'user', u'secret', u'User', u'*****@*****.**')]
    UserAPI().create(accounts)
    consumerAccount = getUser(u'consumer')
    endUser = getUser(u'user')
    consumerApi = OAuthConsumerAPI()
    consumerApi.register(consumerAccount)
    accessToken = consumerApi.getAccessToken(consumerAccount, endUser)
    self.store.commit()

    headers = {'header1': 'foo'}
    # NOTE(review): the consumer key passed here is the end user's name,
    # not the registered consumer's -- confirm the expected failure comes
    # from the bad signature rather than from the consumer lookup.
    credentials = OAuthCredentials(
        'fluidinfo.com', endUser.username, accessToken.encrypt(),
        u'HMAC-SHA1', 'wrong', 1314976811, 'nonce', 'GET',
        'https://fluidinfo.com/foo', headers, 'argument1=bar')

    deferred = self.facade.authenticateUserWithOAuth(credentials)
    return self.assertFailure(deferred, TPasswordIncorrect)
def testAuthenticateUserWithOAuthIgnoresCase(self):
    """
    L{FacadeAuthMixin.authenticateUserWithOAuth} accepts a consumer key
    whose case differs from the registered username (C{u'ConsumeR'} for
    the C{u'consumer'} account) and yields a session for the token's user.
    """
    accounts = [(u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
                (u'user', u'secret', u'User', u'*****@*****.**')]
    UserAPI().create(accounts)
    consumerAccount = getUser(u'consumer')
    endUser = getUser(u'user')
    consumerApi = OAuthConsumerAPI()
    registeredConsumer = consumerApi.register(consumerAccount)
    accessToken = consumerApi.getAccessToken(consumerAccount, endUser)
    self.store.commit()

    url = u'https://fluidinfo.com/foo'
    headers = {'header1': 'foo'}
    signedRequest = Request.from_request('GET', url, headers,
                                         {'argument1': 'bar'})
    signature = SignatureMethod_HMAC_SHA1().sign(signedRequest,
                                                 registeredConsumer, None)
    # Consumer key deliberately differs in case from u'consumer'.
    credentials = OAuthCredentials(
        'fluidinfo.com', u'ConsumeR', accessToken.encrypt(), 'HMAC-SHA1',
        signature, 1314976811, 'nonce', 'GET', url, headers,
        'argument1=bar')

    session = yield self.facade.authenticateUserWithOAuth(credentials)
    self.assertEqual(endUser.username, session.auth.username)
    self.assertEqual(endUser.objectID, session.auth.objectID)
def testAuthenticateAnonymousUserWithOAuth2(self):
    """
    L{FacadeAuthMixin.authenticateUserWithOAuth2} yields a
    L{FluidinfoSession} for the token's user when the C{u'anon'} system
    user is the registered consumer and no consumer password is given.
    """
    anonConsumer = self.system.users[u'anon']
    UserAPI().create([(u'user', u'secret', u'User', u'*****@*****.**')])
    endUser = getUser(u'user')
    consumerApi = OAuthConsumerAPI()
    consumerApi.register(anonConsumer)
    accessToken = consumerApi.getAccessToken(anonConsumer, endUser)
    self.store.commit()

    # The anonymous consumer presents no password, only the token.
    credentials = OAuth2Credentials(u'anon', None, accessToken.encrypt())
    session = yield self.facade.authenticateUserWithOAuth2(credentials)
    self.assertEqual(endUser.username, session.auth.username)
    self.assertEqual(endUser.objectID, session.auth.objectID)
def testAuthenticateOAuth2(self):
    """
    L{OAuthConsumerAPI.authenticate} returns the L{User} an access token
    was issued for when given L{OAuth2Credentials} naming the consumer.

    As with OAuth Echo, the consumer presents a token that lets it act on
    behalf of a particular user.
    """
    UserAPI().create(
        [(u'consumer', u'password', u'Consumer', u'*****@*****.**')])
    UserAPI().create([(u'user', u'secret', u'User', u'*****@*****.**')])
    consumerAccount = getUser(u'consumer')
    endUser = getUser(u'user')
    consumerApi = OAuthConsumerAPI()
    consumerApi.register(consumerAccount, secret='abyOTsAfo9MVN0qz')
    accessToken = consumerApi.getAccessToken(consumerAccount, endUser)

    # NOTE(review): the consumer password given here (u'secret1') is not
    # the one the consumer was created with (u'password'), yet the call is
    # expected to succeed -- so L{OAuthConsumerAPI.authenticate} apparently
    # does not verify it; confirm the consumer password is checked at the
    # facade/checker layer.
    credentials = OAuth2Credentials(u'consumer', u'secret1',
                                    accessToken.encrypt())
    authenticated = consumerApi.authenticate(credentials)
    self.assertIdentical(endUser, authenticated)
def testRequestAvatarId(self):
    """
    L{FacadeOAuth2Checker.requestAvatarId} yields a L{FluidinfoSession}
    for the token's user when the L{OAuth2Credentials} carry the
    consumer's name and password plus a valid access token.
    """
    accounts = [(u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
                (u'user', u'secret', u'User', u'*****@*****.**')]
    UserAPI().create(accounts)
    consumerAccount = getUser(u'consumer')
    endUser = getUser(u'user')
    consumerApi = OAuthConsumerAPI()
    consumerApi.register(consumerAccount)
    accessToken = consumerApi.getAccessToken(consumerAccount, endUser)
    self.store.commit()

    credentials = OAuth2Credentials(u'consumer', 'secret',
                                    accessToken.encrypt())
    session = yield self.checker.requestAvatarId(credentials)
    self.assertEqual(endUser.username, session.auth.username)
    self.assertEqual(endUser.objectID, session.auth.objectID)
def testGetAccessToken(self):
    """
    L{OAuthConsumerAPI.getAccessToken} returns an L{OAuthAccessToken}
    bound to the consumer, the L{User} it may act for, and the creation
    time taken from the injected C{now} callable.
    """
    accounts = [(u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
                (u'user', u'secret', u'User', u'*****@*****.**')]
    UserAPI().create(accounts)
    consumerAccount = getUser(u'consumer')
    endUser = getUser(u'user')
    issuedAt = datetime.utcnow()
    consumerApi = OAuthConsumerAPI()
    consumerApi.register(consumerAccount)
    # Inject the clock so creationTime is exactly comparable below.
    accessToken = consumerApi.getAccessToken(consumerAccount, endUser,
                                             now=lambda: issuedAt)

    self.assertTrue(isinstance(accessToken, OAuthAccessToken))
    self.assertIdentical(consumerAccount, accessToken.consumer)
    self.assertIdentical(endUser, accessToken.user)
    self.assertEqual(issuedAt, accessToken.creationTime)
def testAuthenticateUserWithOAuth2IgnoresCase(self):
    """
    L{FacadeAuthMixin.authenticateUserWithOAuth2} accepts a consumer key
    whose case differs from the registered username (C{u'ConsumeR'} for
    the C{u'consumer'} account) and yields a session for the token's user.
    """
    accounts = [(u'consumer', u'secret', u'Consumer', u'*****@*****.**'),
                (u'user', u'secret', u'User', u'*****@*****.**')]
    UserAPI().create(accounts)
    consumerAccount = getUser(u'consumer')
    endUser = getUser(u'user')
    consumerApi = OAuthConsumerAPI()
    consumerApi.register(consumerAccount)
    accessToken = consumerApi.getAccessToken(consumerAccount, endUser)
    self.store.commit()

    # Consumer key deliberately differs in case from u'consumer'.
    credentials = OAuth2Credentials(u'ConsumeR', u'secret',
                                    accessToken.encrypt())
    session = yield self.facade.authenticateUserWithOAuth2(credentials)
    self.assertEqual(endUser.username, session.auth.username)
    self.assertEqual(endUser.objectID, session.auth.objectID)