def policy(self):
self.api_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.fallback_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.policy = AuthenticationPolicy(api_policy=self.api_policy,
fallback_policy=self.fallback_policy)
self.fallback_policy.remember.return_value = [('Cookie', 'auth=foobar')]
def includeme(config):
global DEFAULT_POLICY
global WEBSOCKET_POLICY
# Set up authsanity
settings = config.registry.settings
settings['authsanity.source'] = 'cookie'
settings['authsanity.cookie.max_age'] = 2592000
settings['authsanity.cookie.httponly'] = True
settings['authsanity.secret'] = derive_key(settings['secret_key'],
settings['secret_salt'],
b'h.auth.cookie_secret')
config.include('pyramid_authsanity')
if config.registry.settings.get('h.proxy_auth'):
log.warn('Enabling proxy authentication mode: you MUST ensure that '
'the X-Forwarded-User request header can ONLY be set by '
'trusted downstream reverse proxies! Failure to heed this '
'warning will result in ALL DATA stored by this service '
'being available to ANYONE!')
DEFAULT_POLICY = AuthenticationPolicy(api_policy=TOKEN_POLICY,
fallback_policy=PROXY_POLICY)
WEBSOCKET_POLICY = TOKEN_POLICY
# Set the default authentication policy. This can be overridden by modules
# that include this one.
config.set_authentication_policy(DEFAULT_POLICY)
# Allow retrieval of the auth_domain from the request object.
config.add_request_method(auth_domain, name='auth_domain', reify=True)
# Allow retrieval of the auth token (if present) from the request object.
config.add_request_method('.tokens.auth_token', reify=True)
def includeme(config):
global DEFAULT_POLICY
global WEBSOCKET_POLICY
if config.registry.settings.get('h.proxy_auth'):
log.warn('Enabling proxy authentication mode: you MUST ensure that '
'the X-Forwarded-User request header can ONLY be set by '
'trusted downstream reverse proxies! Failure to heed this '
'warning will result in ALL DATA stored by this service '
'being available to ANYONE!')
DEFAULT_POLICY = AuthenticationPolicy(api_policy=TOKEN_POLICY,
fallback_policy=PROXY_POLICY)
WEBSOCKET_POLICY = MultiAuthenticationPolicy(
[TOKEN_POLICY, PROXY_POLICY])
# Set the default authentication policy. This can be overridden by modules
# that include this one.
config.set_authentication_policy(DEFAULT_POLICY)
# Allow retrieval of the auth_domain from the request object.
config.add_request_method(auth_domain, name='auth_domain', reify=True)
# Allow retrieval of the auth token (if present) from the request object.
config.add_request_method(auth_token, reify=True)
def includeme(config):
# Allow retrieval of the auth_domain from the request object.
config.add_request_method(auth_domain, name='auth_domain', reify=True)
# Set up pyramid authentication and authorization policies. See the Pyramid
# documentation at:
#
# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/security.html
#
from h.auth.policy import AuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
config.set_authentication_policy(AuthenticationPolicy())
config.set_authorization_policy(ACLAuthorizationPolicy())
def includeme(config):
global DEFAULT_POLICY
global WEBSOCKET_POLICY
# Set up authsanity
settings = config.registry.settings
settings["authsanity.source"] = "cookie"
settings["authsanity.cookie.max_age"] = 2592000
settings["authsanity.cookie.httponly"] = True
settings["authsanity.secret"] = derive_key(
settings["secret_key"], settings["secret_salt"], b"h.auth.cookie_secret"
)
config.include("pyramid_authsanity")
if config.registry.settings.get("h.proxy_auth"):
log.warning(
"Enabling proxy authentication mode: you MUST ensure that "
"the X-Forwarded-User request header can ONLY be set by "
"trusted downstream reverse proxies! Failure to heed this "
"warning will result in ALL DATA stored by this service "
"being available to ANYONE!"
)
DEFAULT_POLICY = AuthenticationPolicy(
api_policy=API_POLICY, fallback_policy=PROXY_POLICY
)
WEBSOCKET_POLICY = TOKEN_POLICY
# Set the default authentication policy. This can be overridden by modules
# that include this one.
config.set_authentication_policy(DEFAULT_POLICY)
# Allow retrieval of the authority from the request object.
config.add_request_method(default_authority, name="default_authority", reify=True)
# Allow retrieval of the auth token (if present) from the request object.
config.add_request_method(".tokens.auth_token", reify=True)
'WEBSOCKET_POLICY',
)
log = logging.getLogger(__name__)
PROXY_POLICY = RemoteUserAuthenticationPolicy(
environ_key='HTTP_X_FORWARDED_USER', callback=groupfinder)
TICKET_POLICY = pyramid_authsanity.AuthServicePolicy()
TOKEN_POLICY = TokenAuthenticationPolicy(callback=groupfinder)
AUTH_CLIENT_POLICY = AuthClientPolicy()
API_POLICY = APIAuthenticationPolicy(user_policy=TOKEN_POLICY,
client_policy=AUTH_CLIENT_POLICY)
DEFAULT_POLICY = AuthenticationPolicy(api_policy=API_POLICY,
fallback_policy=TICKET_POLICY)
WEBSOCKET_POLICY = TOKEN_POLICY
def includeme(config):
global DEFAULT_POLICY
global WEBSOCKET_POLICY
# Set up authsanity
settings = config.registry.settings
settings['authsanity.source'] = 'cookie'
settings['authsanity.cookie.max_age'] = 2592000
settings['authsanity.cookie.httponly'] = True
settings['authsanity.secret'] = derive_key(settings['secret_key'],
settings['secret_salt'],
b'h.auth.cookie_secret')
class TestAuthenticationPolicy(object):
@pytest.fixture(autouse=True)
def policy(self):
self.api_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.fallback_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.policy = AuthenticationPolicy(api_policy=self.api_policy, fallback_policy=self.fallback_policy)
self.fallback_policy.remember.return_value = [("Cookie", "auth=foobar")]
# api_request and nonapi_request are parametrized fixtures, which will
# take on each value in the passed `params` sequence in turn. This is a
# quick and easy way to generate a named fixture which takes multiple
# values and can be used by multiple tests.
@pytest.fixture(params=API_PATHS)
def api_request(self, request, pyramid_request):
pyramid_request.path = request.param
return pyramid_request
@pytest.fixture(params=NONAPI_PATHS)
def nonapi_request(self, request, pyramid_request):
pyramid_request.path = request.param
return pyramid_request
def test_authenticated_userid_uses_fallback_policy_for_nonapi_paths(self, nonapi_request):
result = self.policy.authenticated_userid(nonapi_request)
self.fallback_policy.authenticated_userid.assert_called_once_with(nonapi_request)
assert result == self.fallback_policy.authenticated_userid.return_value
def test_authenticated_userid_uses_api_policy_for_api_paths(self, api_request):
result = self.policy.authenticated_userid(api_request)
self.api_policy.authenticated_userid.assert_called_once_with(api_request)
assert result == self.api_policy.authenticated_userid.return_value
def test_unauthenticated_userid_uses_fallback_policy_for_nonapi_paths(self, nonapi_request):
result = self.policy.unauthenticated_userid(nonapi_request)
self.fallback_policy.unauthenticated_userid.assert_called_once_with(nonapi_request)
assert result == self.fallback_policy.unauthenticated_userid.return_value
def test_unauthenticated_userid_uses_api_policy_for_api_paths(self, api_request):
result = self.policy.unauthenticated_userid(api_request)
self.api_policy.unauthenticated_userid.assert_called_once_with(api_request)
assert result == self.api_policy.unauthenticated_userid.return_value
def test_effective_principals_uses_fallback_policy_for_nonapi_paths(self, nonapi_request):
result = self.policy.effective_principals(nonapi_request)
self.fallback_policy.effective_principals.assert_called_once_with(nonapi_request)
assert result == self.fallback_policy.effective_principals.return_value
def test_effective_principals_uses_api_policy_for_api_paths(self, api_request):
result = self.policy.effective_principals(api_request)
self.api_policy.effective_principals.assert_called_once_with(api_request)
assert result == self.api_policy.effective_principals.return_value
def test_remember_uses_fallback_policy_for_nonapi_paths(self, nonapi_request):
result = self.policy.remember(nonapi_request, "foo", bar="baz")
self.fallback_policy.remember.assert_called_once_with(nonapi_request, "foo", bar="baz")
assert result == self.fallback_policy.remember.return_value
def test_remember_uses_api_policy_for_api_paths(self, api_request):
result = self.policy.remember(api_request, "foo", bar="baz")
self.api_policy.remember.assert_called_once_with(api_request, "foo", bar="baz")
assert result == self.api_policy.remember.return_value
def test_forget_uses_fallback_policy_for_nonapi_paths(self, nonapi_request):
result = self.policy.forget(nonapi_request)
self.fallback_policy.forget.assert_called_once_with(nonapi_request)
assert result == self.fallback_policy.forget.return_value
def test_forget_uses_api_policy_for_api_paths(self, api_request):
result = self.policy.forget(api_request)
self.api_policy.forget.assert_called_once_with(api_request)
assert result == self.api_policy.forget.return_value
def includeme(config):
config.set_root_factory('h.resources:Root')
config.add_subscriber('h.subscribers.add_renderer_globals',
'pyramid.events.BeforeRender')
config.add_subscriber('h.subscribers.publish_annotation_event',
'h.api.events.AnnotationEvent')
config.add_subscriber('h.subscribers.send_reply_notifications',
'h.api.events.AnnotationEvent')
config.add_tween('h.tweens.conditional_http_tween_factory', under=EXCVIEW)
config.add_tween('h.tweens.csrf_tween_factory')
config.add_tween('h.tweens.auth_token')
config.add_tween('h.tweens.content_security_policy_tween_factory')
config.add_renderer('csv', 'h.renderers.CSV')
config.add_request_method(in_debug_mode, 'debug', reify=True)
config.include('pyramid_jinja2')
config.add_jinja2_extension('h.jinja_extensions.Filters')
# Register a deferred action to setup the assets environment
# when the configuration is committed.
config.action(None, configure_jinja2_assets, args=(config,))
# Configure the transaction manager to support retrying retryable
# exceptions. We also register the session factory with the thread-local
# transaction manager, so that all sessions it creates are registered.
config.add_settings({
"tm.attempts": 3,
"tm.activate_hook": tm_activate_hook,
"tm.annotate_user": False,
})
config.include('pyramid_tm')
zope.sqlalchemy.register(db.Session)
# Enable a Content Security Policy
# This is initially copied from:
# https://github.com/pypa/warehouse/blob/e1cf03faf9bbaa15d67d0de2c70f9a9f732596aa/warehouse/config.py#L327
config.add_settings({
"csp": {
"font-src": ["'self'", "fonts.gstatic.com"],
"report-uri": [config.registry.settings.get("csp.report_uri")],
"script-src": ["'self'"],
"style-src": ["'self'", "fonts.googleapis.com"],
},
})
# Set up pyramid authentication and authorization policies. See the Pyramid
# documentation at:
#
# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/security.html
#
config.set_authentication_policy(AuthenticationPolicy())
config.set_authorization_policy(ACLAuthorizationPolicy())
# API module
#
# We include this first so that:
# - configuration directives provided by modules in `h.api` are available
# to the rest of the application at startup.
# - we can override behaviour from `h.api` if necessary.
config.include('h.api', route_prefix='/api')
# Core site modules
config.include('h.assets')
config.include('h.auth')
config.include('h.db')
config.include('h.features')
config.include('h.form')
config.include('h.indexer')
config.include('h.models')
config.include('h.realtime')
config.include('h.sentry')
config.include('h.stats')
config.include('h.views')
# Site modules
config.include('h.accounts')
config.include('h.admin', route_prefix='/admin')
config.include('h.badge')
config.include('h.feeds')
config.include('h.groups')
config.include('h.links')
config.include('h.nipsa')
config.include('h.notification')
def policy(self):
self.session_policy = mock.Mock(spec_set=SessionAuthenticationPolicy())
self.token_policy = mock.Mock(spec_set=TokenAuthenticationPolicy())
self.policy = AuthenticationPolicy()
self.policy.session_policy = self.session_policy
self.policy.token_policy = self.token_policy
class TestAuthenticationPolicy(object):
@pytest.fixture(autouse=True)
def policy(self):
self.api_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.fallback_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.policy = AuthenticationPolicy(
api_policy=self.api_policy, fallback_policy=self.fallback_policy)
self.fallback_policy.remember.return_value = [("Cookie", "auth=foobar")
]
# api_request and nonapi_request are parametrized fixtures, which will
# take on each value in the passed `params` sequence in turn. This is a
# quick and easy way to generate a named fixture which takes multiple
# values and can be used by multiple tests.
@pytest.fixture(params=API_PATHS)
def api_request(self, request, pyramid_request):
pyramid_request.path = request.param
return pyramid_request
@pytest.fixture(params=NONAPI_PATHS)
def nonapi_request(self, request, pyramid_request):
pyramid_request.path = request.param
return pyramid_request
def test_authenticated_userid_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.authenticated_userid(nonapi_request)
self.fallback_policy.authenticated_userid.assert_called_once_with(
nonapi_request)
assert result == self.fallback_policy.authenticated_userid.return_value
def test_authenticated_userid_uses_api_policy_for_api_paths(
self, api_request):
result = self.policy.authenticated_userid(api_request)
self.api_policy.authenticated_userid.assert_called_once_with(
api_request)
assert result == self.api_policy.authenticated_userid.return_value
def test_unauthenticated_userid_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.unauthenticated_userid(nonapi_request)
self.fallback_policy.unauthenticated_userid.assert_called_once_with(
nonapi_request)
assert result == self.fallback_policy.unauthenticated_userid.return_value
def test_unauthenticated_userid_uses_api_policy_for_api_paths(
self, api_request):
result = self.policy.unauthenticated_userid(api_request)
self.api_policy.unauthenticated_userid.assert_called_once_with(
api_request)
assert result == self.api_policy.unauthenticated_userid.return_value
def test_effective_principals_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.effective_principals(nonapi_request)
self.fallback_policy.effective_principals.assert_called_once_with(
nonapi_request)
assert result == self.fallback_policy.effective_principals.return_value
def test_effective_principals_uses_api_policy_for_api_paths(
self, api_request):
result = self.policy.effective_principals(api_request)
self.api_policy.effective_principals.assert_called_once_with(
api_request)
assert result == self.api_policy.effective_principals.return_value
def test_remember_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.remember(nonapi_request, "foo", bar="baz")
self.fallback_policy.remember.assert_called_once_with(nonapi_request,
"foo",
bar="baz")
assert result == self.fallback_policy.remember.return_value
def test_remember_uses_api_policy_for_api_paths(self, api_request):
result = self.policy.remember(api_request, "foo", bar="baz")
self.api_policy.remember.assert_called_once_with(api_request,
"foo",
bar="baz")
assert result == self.api_policy.remember.return_value
def test_forget_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.forget(nonapi_request)
self.fallback_policy.forget.assert_called_once_with(nonapi_request)
assert result == self.fallback_policy.forget.return_value
def test_forget_uses_api_policy_for_api_paths(self, api_request):
result = self.policy.forget(api_request)
self.api_policy.forget.assert_called_once_with(api_request)
assert result == self.api_policy.forget.return_value
class TestAuthenticationPolicy(object):
@pytest.fixture(autouse=True)
def policy(self):
self.upstream_policy = mock.Mock(spec_set=SessionAuthenticationPolicy())
self.policy = AuthenticationPolicy()
self.policy.session_policy = self.upstream_policy
# session_request and token_request are parametrized fixtures, which will
# take on each value in the passed `params` sequence in turn. This is a
# quick and easy way to generate a named fixture which takes multiple
# values and can be used by multiple tests.
@pytest.fixture(params=SESSION_AUTH_PATHS)
def session_request(self, request):
return DummyRequest(path=request.param)
@pytest.fixture(params=TOKEN_AUTH_PATHS)
def token_request(self, request):
return DummyRequest(path=request.param)
def test_authenticated_userid_delegates_for_session_auth_paths(self, session_request):
result = self.policy.authenticated_userid(session_request)
self.upstream_policy.authenticated_userid.assert_called_once_with(session_request)
assert result == self.upstream_policy.authenticated_userid.return_value
@mock.patch('h.auth.policy.tokens')
def test_authenticated_userid_uses_tokens_for_token_auth_paths(self, tokens, token_request):
result = self.policy.authenticated_userid(token_request)
tokens.authenticated_userid.assert_called_once_with(token_request)
assert result == tokens.authenticated_userid.return_value
def test_unauthenticated_userid_delegates_for_session_auth_paths(self, session_request):
result = self.policy.unauthenticated_userid(session_request)
self.upstream_policy.unauthenticated_userid.assert_called_once_with(session_request)
assert result == self.upstream_policy.unauthenticated_userid.return_value
@mock.patch('h.auth.policy.tokens')
def test_unauthenticated_userid_uses_tokens_for_token_auth_paths(self, tokens, token_request):
result = self.policy.unauthenticated_userid(token_request)
tokens.authenticated_userid.assert_called_once_with(token_request)
assert result == tokens.authenticated_userid.return_value
@mock.patch('h.auth.policy.util')
def test_effective_principals_calls_effective_principals_with_authenticated_userid(self, util, authn_policy):
authn_policy.authenticated_userid.return_value = 'acct:[email protected]'
request = DummyRequest()
result = self.policy.effective_principals(request)
util.effective_principals.assert_called_once_with('acct:[email protected]', request)
assert result == util.effective_principals.return_value
def test_remember_delegates_for_session_auth_paths(self, session_request):
result = self.policy.remember(session_request, 'foo', bar='baz')
self.upstream_policy.remember.assert_called_once_with(session_request, 'foo', bar='baz')
assert result == self.upstream_policy.remember.return_value
def test_remember_does_nothing_for_token_auth_paths(self, token_request):
result = self.policy.remember(token_request, 'foo', bar='baz')
self.upstream_policy.remember.assert_not_called()
assert result == []
def test_forget_delegates_for_session_auth_paths(self, session_request):
result = self.policy.forget(session_request)
self.upstream_policy.forget.assert_called_once_with(session_request)
assert result == self.upstream_policy.forget.return_value
def test_forget_does_nothing_for_token_auth_paths(self, token_request):
result = self.policy.forget(token_request)
self.upstream_policy.forget.assert_not_called()
assert result == []
class TestAuthenticationPolicy(object):
@pytest.fixture(autouse=True)
def policy(self):
self.session_policy = mock.Mock(spec_set=SessionAuthenticationPolicy())
self.token_policy = mock.Mock(spec_set=TokenAuthenticationPolicy())
self.policy = AuthenticationPolicy()
self.policy.session_policy = self.session_policy
self.policy.token_policy = self.token_policy
# session_request and token_request are parametrized fixtures, which will
# take on each value in the passed `params` sequence in turn. This is a
# quick and easy way to generate a named fixture which takes multiple
# values and can be used by multiple tests.
@pytest.fixture(params=SESSION_AUTH_PATHS)
def session_request(self, request):
return DummyRequest(path=request.param)
@pytest.fixture(params=TOKEN_AUTH_PATHS)
def token_request(self, request):
return DummyRequest(path=request.param)
def test_authenticated_userid_uses_session_policy_for_session_auth_paths(
self, session_request):
result = self.policy.authenticated_userid(session_request)
self.session_policy.authenticated_userid.assert_called_once_with(
session_request)
assert result == self.session_policy.authenticated_userid.return_value
def test_authenticated_userid_uses_token_policy_for_token_auth_paths(
self, token_request):
result = self.policy.authenticated_userid(token_request)
self.token_policy.authenticated_userid.assert_called_once_with(
token_request)
assert result == self.token_policy.authenticated_userid.return_value
def test_unauthenticated_userid_uses_session_policy_for_session_auth_paths(
self, session_request):
result = self.policy.unauthenticated_userid(session_request)
self.session_policy.unauthenticated_userid.assert_called_once_with(
session_request)
assert result == self.session_policy.unauthenticated_userid.return_value
def test_unauthenticated_userid_uses_token_policy_for_token_auth_paths(
self, token_request):
result = self.policy.unauthenticated_userid(token_request)
self.token_policy.unauthenticated_userid.assert_called_once_with(
token_request)
assert result == self.token_policy.unauthenticated_userid.return_value
def test_effective_principals_uses_session_policy_for_session_auth_paths(
self, session_request):
result = self.policy.effective_principals(session_request)
self.session_policy.effective_principals.assert_called_once_with(
session_request)
assert result == self.session_policy.effective_principals.return_value
def test_effective_principals_uses_token_policy_for_token_auth_paths(
self, token_request):
result = self.policy.effective_principals(token_request)
self.token_policy.effective_principals.assert_called_once_with(
token_request)
assert result == self.token_policy.effective_principals.return_value
def test_remember_uses_session_policy_for_session_auth_paths(
self, session_request):
result = self.policy.remember(session_request, 'foo', bar='baz')
self.session_policy.remember.assert_called_once_with(session_request,
'foo',
bar='baz')
assert result == self.session_policy.remember.return_value
def test_remember_uses_token_policy_for_token_auth_paths(
self, token_request):
result = self.policy.remember(token_request, 'foo', bar='baz')
self.token_policy.remember.assert_called_once_with(token_request,
'foo',
bar='baz')
assert result == self.token_policy.remember.return_value
def test_forget_uses_session_policy_for_session_auth_paths(
self, session_request):
result = self.policy.forget(session_request)
self.session_policy.forget.assert_called_once_with(session_request)
assert result == self.session_policy.forget.return_value
def test_forget_uses_token_policy_for_token_auth_paths(
self, token_request):
result = self.policy.forget(token_request)
self.token_policy.forget.assert_called_once_with(token_request)
assert result == self.token_policy.forget.return_value
class TestAuthenticationPolicy(object):
@pytest.fixture(autouse=True)
def policy(self):
self.session_policy = mock.Mock(spec_set=SessionAuthenticationPolicy())
self.token_policy = mock.Mock(spec_set=TokenAuthenticationPolicy())
self.policy = AuthenticationPolicy()
self.policy.session_policy = self.session_policy
self.policy.token_policy = self.token_policy
# session_request and token_request are parametrized fixtures, which will
# take on each value in the passed `params` sequence in turn. This is a
# quick and easy way to generate a named fixture which takes multiple
# values and can be used by multiple tests.
@pytest.fixture(params=SESSION_AUTH_PATHS)
def session_request(self, request):
return DummyRequest(path=request.param)
@pytest.fixture(params=TOKEN_AUTH_PATHS)
def token_request(self, request):
return DummyRequest(path=request.param)
def test_authenticated_userid_uses_session_policy_for_session_auth_paths(self, session_request):
result = self.policy.authenticated_userid(session_request)
self.session_policy.authenticated_userid.assert_called_once_with(session_request)
assert result == self.session_policy.authenticated_userid.return_value
def test_authenticated_userid_uses_token_policy_for_token_auth_paths(self, token_request):
result = self.policy.authenticated_userid(token_request)
self.token_policy.authenticated_userid.assert_called_once_with(token_request)
assert result == self.token_policy.authenticated_userid.return_value
def test_unauthenticated_userid_uses_session_policy_for_session_auth_paths(self, session_request):
result = self.policy.unauthenticated_userid(session_request)
self.session_policy.unauthenticated_userid.assert_called_once_with(session_request)
assert result == self.session_policy.unauthenticated_userid.return_value
def test_unauthenticated_userid_uses_token_policy_for_token_auth_paths(self, token_request):
result = self.policy.unauthenticated_userid(token_request)
self.token_policy.unauthenticated_userid.assert_called_once_with(token_request)
assert result == self.token_policy.unauthenticated_userid.return_value
def test_effective_principals_uses_session_policy_for_session_auth_paths(self, session_request):
result = self.policy.effective_principals(session_request)
self.session_policy.effective_principals.assert_called_once_with(session_request)
assert result == self.session_policy.effective_principals.return_value
def test_effective_principals_uses_token_policy_for_token_auth_paths(self, token_request):
result = self.policy.effective_principals(token_request)
self.token_policy.effective_principals.assert_called_once_with(token_request)
assert result == self.token_policy.effective_principals.return_value
def test_remember_uses_session_policy_for_session_auth_paths(self, session_request):
result = self.policy.remember(session_request, 'foo', bar='baz')
self.session_policy.remember.assert_called_once_with(session_request, 'foo', bar='baz')
assert result == self.session_policy.remember.return_value
def test_remember_uses_token_policy_for_token_auth_paths(self, token_request):
result = self.policy.remember(token_request, 'foo', bar='baz')
self.token_policy.remember.assert_called_once_with(token_request, 'foo', bar='baz')
assert result == self.token_policy.remember.return_value
def test_forget_uses_session_policy_for_session_auth_paths(self, session_request):
result = self.policy.forget(session_request)
self.session_policy.forget.assert_called_once_with(session_request)
assert result == self.session_policy.forget.return_value
def test_forget_uses_token_policy_for_token_auth_paths(self, token_request):
result = self.policy.forget(token_request)
self.token_policy.forget.assert_called_once_with(token_request)
assert result == self.token_policy.forget.return_value
def policy(self):
self.session_policy = mock.Mock(spec_set=SessionAuthenticationPolicy())
self.token_policy = mock.Mock(spec_set=TokenAuthenticationPolicy())
self.policy = AuthenticationPolicy()
self.policy.session_policy = self.session_policy
self.policy.token_policy = self.token_policy
from h.auth.tokens import auth_token
from h.auth.util import groupfinder
__all__ = (
'DEFAULT_POLICY',
'WEBSOCKET_POLICY',
)
log = logging.getLogger(__name__)
PROXY_POLICY = RemoteUserAuthenticationPolicy(
environ_key='HTTP_X_FORWARDED_USER', callback=groupfinder)
SESSION_POLICY = SessionAuthenticationPolicy(callback=groupfinder)
TOKEN_POLICY = TokenAuthenticationPolicy(callback=groupfinder)
DEFAULT_POLICY = AuthenticationPolicy(api_policy=TOKEN_POLICY,
fallback_policy=SESSION_POLICY)
WEBSOCKET_POLICY = MultiAuthenticationPolicy([TOKEN_POLICY, SESSION_POLICY])
def auth_domain(request):
"""Return the value of the h.auth_domain config settings.
Falls back on returning request.domain if h.auth_domain isn't set.
"""
return request.registry.settings.get('h.auth_domain', request.domain)
def includeme(config):
global DEFAULT_POLICY
global WEBSOCKET_POLICY
def policy(self):
self.upstream_policy = mock.Mock(spec_set=SessionAuthenticationPolicy())
self.policy = AuthenticationPolicy()
self.policy.session_policy = self.upstream_policy
def policy(self):
self.api_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.fallback_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.policy = AuthenticationPolicy(api_policy=self.api_policy,
fallback_policy=self.fallback_policy)
def policy(self):
self.upstream_policy = mock.Mock(
spec_set=SessionAuthenticationPolicy())
self.policy = AuthenticationPolicy()
self.policy.session_policy = self.upstream_policy
class TestAuthenticationPolicy(object):
@pytest.fixture(autouse=True)
def policy(self):
self.upstream_policy = mock.Mock(
spec_set=SessionAuthenticationPolicy())
self.policy = AuthenticationPolicy()
self.policy.session_policy = self.upstream_policy
# session_request and token_request are parametrized fixtures, which will
# take on each value in the passed `params` sequence in turn. This is a
# quick and easy way to generate a named fixture which takes multiple
# values and can be used by multiple tests.
@pytest.fixture(params=SESSION_AUTH_PATHS)
def session_request(self, request):
return DummyRequest(path=request.param)
@pytest.fixture(params=TOKEN_AUTH_PATHS)
def token_request(self, request):
return DummyRequest(path=request.param)
def test_authenticated_userid_delegates_for_session_auth_paths(
self, session_request):
result = self.policy.authenticated_userid(session_request)
self.upstream_policy.authenticated_userid.assert_called_once_with(
session_request)
assert result == self.upstream_policy.authenticated_userid.return_value
@mock.patch('h.auth.policy.tokens')
def test_authenticated_userid_uses_tokens_for_token_auth_paths(
self, tokens, token_request):
result = self.policy.authenticated_userid(token_request)
tokens.authenticated_userid.assert_called_once_with(token_request)
assert result == tokens.authenticated_userid.return_value
def test_unauthenticated_userid_delegates_for_session_auth_paths(
self, session_request):
result = self.policy.unauthenticated_userid(session_request)
self.upstream_policy.unauthenticated_userid.assert_called_once_with(
session_request)
assert result == self.upstream_policy.unauthenticated_userid.return_value
@mock.patch('h.auth.policy.tokens')
def test_unauthenticated_userid_uses_tokens_for_token_auth_paths(
self, tokens, token_request):
result = self.policy.unauthenticated_userid(token_request)
tokens.authenticated_userid.assert_called_once_with(token_request)
assert result == tokens.authenticated_userid.return_value
@mock.patch('h.auth.policy.util')
def test_effective_principals_calls_effective_principals_with_authenticated_userid(
self, util, authn_policy):
authn_policy.authenticated_userid.return_value = 'acct:[email protected]'
request = DummyRequest()
result = self.policy.effective_principals(request)
util.effective_principals.assert_called_once_with(
'acct:[email protected]', request)
assert result == util.effective_principals.return_value
def test_remember_delegates_for_session_auth_paths(self, session_request):
result = self.policy.remember(session_request, 'foo', bar='baz')
self.upstream_policy.remember.assert_called_once_with(session_request,
'foo',
bar='baz')
assert result == self.upstream_policy.remember.return_value
def test_remember_does_nothing_for_token_auth_paths(self, token_request):
result = self.policy.remember(token_request, 'foo', bar='baz')
self.upstream_policy.remember.assert_not_called()
assert result == []
def test_forget_delegates_for_session_auth_paths(self, session_request):
result = self.policy.forget(session_request)
self.upstream_policy.forget.assert_called_once_with(session_request)
assert result == self.upstream_policy.forget.return_value
def test_forget_does_nothing_for_token_auth_paths(self, token_request):
result = self.policy.forget(token_request)
self.upstream_policy.forget.assert_not_called()
assert result == []
class TestAuthenticationPolicy(object):
@pytest.fixture(autouse=True)
def policy(self):
self.api_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.fallback_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.migration_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.policy = AuthenticationPolicy(
api_policy=self.api_policy,
fallback_policy=self.fallback_policy,
migration_policy=self.migration_policy)
self.fallback_policy.remember.return_value = [('Cookie', 'auth=foobar')
]
# api_request and nonapi_request are parametrized fixtures, which will
# take on each value in the passed `params` sequence in turn. This is a
# quick and easy way to generate a named fixture which takes multiple
# values and can be used by multiple tests.
@pytest.fixture(params=API_PATHS)
def api_request(self, request, pyramid_request):
pyramid_request.path = request.param
return pyramid_request
@pytest.fixture(params=NONAPI_PATHS)
def nonapi_request(self, request, pyramid_request):
pyramid_request.path = request.param
return pyramid_request
def test_authenticated_userid_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.authenticated_userid(nonapi_request)
self.fallback_policy.authenticated_userid.assert_called_once_with(
nonapi_request)
assert result == self.fallback_policy.authenticated_userid.return_value
def test_authenticated_userid_uses_migration_policy_when_fallback_returns_none(
self, nonapi_request):
self.fallback_policy.authenticated_userid.return_value = None
result = self.policy.authenticated_userid(nonapi_request)
self.migration_policy.authenticated_userid.assert_called_once_with(
nonapi_request)
assert result == self.migration_policy.authenticated_userid.return_value
def test_authenticated_userid_remembers_value_from_migration_policy_in_fallback_policy(
self, nonapi_request):
self.fallback_policy.authenticated_userid.return_value = None
self.policy.authenticated_userid(nonapi_request)
self.fallback_policy.remember.assert_called_once_with(
nonapi_request,
self.migration_policy.authenticated_userid.return_value)
def test_authenticated_userid_sets_cookie_when_migrating(
self, nonapi_request):
self.fallback_policy.authenticated_userid.return_value = None
self.policy.authenticated_userid(nonapi_request)
cookies = nonapi_request.response.headers.getall('Cookie')
assert 'auth=foobar' in cookies
def test_authenticated_userid_uses_api_policy_for_api_paths(
self, api_request):
result = self.policy.authenticated_userid(api_request)
self.api_policy.authenticated_userid.assert_called_once_with(
api_request)
assert result == self.api_policy.authenticated_userid.return_value
def test_unauthenticated_userid_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.unauthenticated_userid(nonapi_request)
self.fallback_policy.unauthenticated_userid.assert_called_once_with(
nonapi_request)
assert result == self.fallback_policy.unauthenticated_userid.return_value
def test_unauthenticated_userid_uses_api_policy_for_api_paths(
self, api_request):
result = self.policy.unauthenticated_userid(api_request)
self.api_policy.unauthenticated_userid.assert_called_once_with(
api_request)
assert result == self.api_policy.unauthenticated_userid.return_value
def test_effective_principals_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.effective_principals(nonapi_request)
self.fallback_policy.effective_principals.assert_called_once_with(
nonapi_request)
assert result == self.fallback_policy.effective_principals.return_value
def test_effective_principals_uses_api_policy_for_api_paths(
self, api_request):
result = self.policy.effective_principals(api_request)
self.api_policy.effective_principals.assert_called_once_with(
api_request)
assert result == self.api_policy.effective_principals.return_value
def test_remember_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.remember(nonapi_request, 'foo', bar='baz')
self.fallback_policy.remember.assert_called_once_with(nonapi_request,
'foo',
bar='baz')
assert result == self.fallback_policy.remember.return_value
def test_remember_uses_api_policy_for_api_paths(self, api_request):
result = self.policy.remember(api_request, 'foo', bar='baz')
self.api_policy.remember.assert_called_once_with(api_request,
'foo',
bar='baz')
assert result == self.api_policy.remember.return_value
def test_forget_uses_fallback_policy_for_nonapi_paths(
self, nonapi_request):
result = self.policy.forget(nonapi_request)
self.fallback_policy.forget.assert_called_once_with(nonapi_request)
assert result == self.fallback_policy.forget.return_value
def test_forget_uses_api_policy_for_api_paths(self, api_request):
result = self.policy.forget(api_request)
self.api_policy.forget.assert_called_once_with(api_request)
assert result == self.api_policy.forget.return_value
def policy(self):
self.api_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.fallback_policy = mock.Mock(spec_set=list(IAuthenticationPolicy))
self.policy = AuthenticationPolicy(
api_policy=self.api_policy, fallback_policy=self.fallback_policy)
