def test_invalid_services(self):
"""
When invalid services are configured, ``service_allowed()``
should raise ``ImproperlyConfigured``.
"""
with self.assertRaises(ImproperlyConfigured):
service_allowed('http://www.example.com')
def test_invalid_services(self):
"""
When invalid services are configured, ``service_allowed()``
should raise ``ImproperlyConfigured``.
"""
with self.assertRaises(ImproperlyConfigured):
service_allowed('http://www.example.com')
def test_service_allowed(self):
"""
When valid services are configured, ``service_allowed()``
should return ``True`` if the provided URL matches, and
``False`` otherwise.
"""
self.assertTrue(service_allowed('http://www.example.com'))
self.assertFalse(service_allowed('http://www.example.org'))
def test_service_allowed(self):
"""
When valid services are configured, ``service_allowed()``
should return ``True`` if the provided URL matches, and
``False`` otherwise.
"""
self.assertTrue(service_allowed('http://www.example.com'))
self.assertFalse(service_allowed('http://www.example.org'))
def test_custom_backend(self):
"""
Test that a custom service backend can be used
"""
# CustomTestServiceBackend allows any service with 'test.com' in
# addition to defined services
self.assertFalse(service_allowed('http://www.foo.com'))
self.assertTrue(service_allowed('http://www.example.com'))
self.assertTrue(service_allowed('http://www.test.com'))
def test_custom_backend_security(self):
"""
Test that a custom service backend can be used and it's service_allowed function is respected, also when the
`MAMA_CAS_SERVICES` setting isn't present in the django settings.py
"""
del settings.MAMA_CAS_SERVICES
# CustomTestServiceBackendNoSettings allows only services containing 'test.com'
self.assertFalse(service_allowed('http://www.foo.com'))
self.assertFalse(service_allowed('http://www.example.com'))
self.assertTrue(service_allowed('http://www.test.com'))
def test_empty_valid_services_tuple(self):
"""
When no valid services are configured,
``service_allowed()`` should return ``True``.
"""
del settings.MAMA_CAS_SERVICES
self.assertTrue(service_allowed('http://www.example.com'))
def test_empty_valid_services_tuple(self):
"""
When no valid services are configured,
``service_allowed()`` should return ``True``.
"""
del settings.MAMA_CAS_SERVICES
self.assertTrue(service_allowed('http://www.example.com'))
def validate_ticket(self, ticket, service, renew=False, require_https=False):
"""
Given a ticket string and service identifier, validate the
corresponding ``Ticket``. If validation succeeds, return the
``Ticket``. If validation fails, raise an appropriate error.
If ``renew`` is ``True``, ``ServiceTicket`` validation will
only succeed if the ticket was issued from the presentation
of the user's primary credentials.
If ``require_https`` is ``True``, ``ServiceTicket`` validation
will only succeed if the service URL scheme is HTTPS.
"""
if not ticket:
raise InvalidRequest("No ticket string provided")
if not self.model.TICKET_RE.match(ticket):
raise InvalidTicket("Ticket string %s is invalid" % ticket)
try:
t = self.get(ticket=ticket)
except self.model.DoesNotExist:
raise InvalidTicket("Ticket %s does not exist" % ticket)
if t.is_consumed():
raise InvalidTicket("%s %s has already been used" %
(t.name, ticket))
if t.is_expired():
raise InvalidTicket("%s %s has expired" % (t.name, ticket))
if not service:
raise InvalidRequest("No service identifier provided")
if require_https and not is_scheme_https(service):
raise InvalidService("Service %s is not HTTPS" % service)
if not service_allowed(service):
raise InvalidService("Service %s is not a valid %s URL" %
(service, t.name))
try:
if not match_service(t.service, service):
raise InvalidService("%s %s for service %s is invalid for "
"service %s" % (t.name, ticket, t.service, service))
except AttributeError:
pass
try:
if renew and not t.is_primary():
raise InvalidTicket("%s %s was not issued via primary "
"credentials" % (t.name, ticket))
except AttributeError:
pass
logger.debug("Validated %s %s" % (t.name, ticket))
return t
def validate_ticket(self, ticket, service, renew=False, require_https=False):
"""
Given a ticket string and service identifier, validate the
corresponding ``Ticket``. If validation succeeds, return the
``Ticket``. If validation fails, raise an appropriate error.
If ``renew`` is ``True``, ``ServiceTicket`` validation will
only succeed if the ticket was issued from the presentation
of the user's primary credentials.
If ``require_https`` is ``True``, ``ServiceTicket`` validation
will only succeed if the service URL scheme is HTTPS.
"""
if not ticket:
raise InvalidRequest("No ticket string provided")
if not self.model.TICKET_RE.match(ticket):
raise InvalidTicket("Ticket string %s is invalid" % ticket)
try:
t = self.get(ticket=ticket)
except self.model.DoesNotExist:
raise InvalidTicket("Ticket %s does not exist" % ticket)
if t.is_consumed():
raise InvalidTicket("%s %s has already been used" %
(t.name, ticket))
if t.is_expired():
raise InvalidTicket("%s %s has expired" % (t.name, ticket))
if not service:
raise InvalidRequest("No service identifier provided")
if require_https and not is_scheme_https(service):
raise InvalidService("Service %s is not HTTPS" % service)
if not service_allowed(service):
raise InvalidService("Service %s is not a valid %s URL" %
(service, t.name))
try:
if not match_service(t.service, service):
raise InvalidService("%s %s for service %s is invalid for "
"service %s" % (t.name, ticket, t.service, service))
except AttributeError:
pass
try:
if renew and not t.is_primary():
raise InvalidTicket("%s %s was not issued via primary "
"credentials" % (t.name, ticket))
except AttributeError:
pass
logger.debug("Validated %s %s" % (t.name, ticket))
return t
def test_invalid_custom_backend(self):
"""
Test that a custom service backend without properly defined
attributes raises ``NotImplementedError``
"""
with self.assertRaises(NotImplementedError):
service_allowed('http://www.example.com')
with self.assertRaises(NotImplementedError):
get_callbacks('http://www.example.com')
with self.assertRaises(NotImplementedError):
get_logout_url('http://www.example.com')
with self.assertRaises(NotImplementedError):
logout_allowed('http://www.example.com')
with self.assertRaises(NotImplementedError):
proxy_allowed('http://www.example.com')
def get(self, request, *args, **kwargs):
service = request.GET.get('service')
ticket = request.GET.get('ticket')
if not service_allowed(service):
return redirect('cas_login')
msg = _("Do you want to access %(service)s as %(user)s?") % {
'service': clean_service_url(service),
'user': request.user}
messages.info(request, msg)
kwargs['service'] = add_query_params(service, {'ticket': ticket})
return super(WarnView, self).get(request, *args, **kwargs)
def handle(self, **options):
service = options['service']
pgturl = options['pgturl']
if service_allowed(service):
self.stdout.write('Valid Service: %s' % service)
self.stdout.write('Proxy Allowed: %s' % proxy_allowed(service))
if pgturl:
self.stdout.write('Proxy Callback Allowed: %s' %
proxy_callback_allowed(service, pgturl))
self.stdout.write('Logout Allowed: %s' % logout_allowed(service))
self.stdout.write('Logout URL: %s' % get_logout_url(service))
self.stdout.write('Callbacks: %s' % get_callbacks(service))
else:
self.stdout.write(self.style.ERROR('Invalid Service: %s' %
service))
def redirect(to, *args, **kwargs):
"""
Similar to the Django ``redirect`` shortcut but with altered
functionality. If an optional ``params`` argument is provided, the
dictionary items will be injected as query parameters on the
redirection URL.
"""
params = kwargs.pop('params', {})
try:
to = urlresolvers.reverse(to, args=args, kwargs=kwargs)
except urlresolvers.NoReverseMatch:
if '/' not in to and '.' not in to:
to = urlresolvers.reverse('cas_login')
elif not service_allowed(to):
raise PermissionDenied()
if params:
to = add_query_params(to, params)
logger.debug("Redirecting to %s" % to)
return HttpResponseRedirect(to)
def redirect(to, *args, **kwargs):
"""
Similar to the Django ``redirect`` shortcut but with altered
functionality. If an optional ``params`` argument is provided, the
dictionary items will be injected as query parameters on the
redirection URL.
"""
params = kwargs.pop('params', {})
try:
to = urlresolvers.reverse(to, args=args, kwargs=kwargs)
except urlresolvers.NoReverseMatch:
if '/' not in to and '.' not in to:
to = urlresolvers.reverse('cas_login')
elif not service_allowed(to):
raise PermissionDenied()
if params:
to = add_query_params(to, params)
logger.debug("Redirecting to %s" % to)
return HttpResponseRedirect(to)
def handle(self, **options):
self.service = options['service']
self.pgturl = options['pgturl']
self.verbosity = options['verbosity']
if service_allowed(self.service):
try:
self.stdout.write(self.style.SUCCESS("Valid service: %s" % self.service))
except AttributeError:
# Django 1.8 does not have the "Success" style
self.stdout.write(self.style.SQL_FIELD("Valid service: %s" % self.service))
if self.verbosity >= 1:
self.format_output('Proxy allowed', proxy_allowed(self.service))
if self.pgturl:
self.format_output('Proxy callback allowed', proxy_callback_allowed(self.service, self.pgturl))
self.format_output('Logout allowed', logout_allowed(self.service))
self.format_output('Logout URL', get_logout_url(self.service))
self.format_output('Callbacks', ', '.join(get_callbacks(self.service)))
if self.verbosity >= 2:
self.format_output('Backend', get_backend_path(self.service))
else:
self.stdout.write(self.style.ERROR("Invalid service: %s" % self.service))
def test_empty_services(self):
"""
When no valid services are configured,
``service_allowed()`` should return ``True``.
"""
self.assertTrue(service_allowed('http://www.example.com'))
def test_empty_services(self):
"""
When no valid services are configured,
``service_allowed()`` should return ``True``.
"""
self.assertTrue(service_allowed('http://www.example.com'))
