def test_from_settings(self):
settings = {
"foo": "bar",
"ipauth.ipaddrs": "123.123.0.1 124.124.0.1/16",
"ipauth.userid": "one",
"ipauth.principals": "two three",
"otherauth.ipaddrs": "127.0.0.*",
"otherauth.userid": "other",
"otherauth.proxies": "127.0.0.1 127.0.0.2",
}
# Try basic instantiation.
auth = IPAuthenticationPolicy.from_settings(settings)
self.assertTrue(IPAddress("123.123.0.1") in auth.ipaddrs)
self.assertEqual(auth.userid, "one")
self.assertEqual(auth.principals, ["two", "three"])
self.assertEqual(auth.proxies, IPSet([]))
# Try instantiation with custom prefix.
auth = IPAuthenticationPolicy.from_settings(settings,
prefix="otherauth.")
self.assertTrue(IPAddress("127.0.0.1") in auth.ipaddrs)
self.assertEqual(auth.userid, "other")
self.assertEqual(auth.principals, [])
self.assertTrue(IPAddress("127.0.0.1") in auth.proxies)
self.assertTrue(IPAddress("127.0.0.2") in auth.proxies)
self.assertFalse(IPAddress("127.0.0.3") in auth.proxies)
# Try instantiation with extra keywords
auth = IPAuthenticationPolicy.from_settings(settings,
prefix="otherauth.",
userid="overwritten")
self.assertTrue(IPAddress("127.0.0.1") in auth.ipaddrs)
self.assertEqual(auth.userid, "overwritten")
self.assertEqual(auth.principals, [])
self.assertTrue(IPAddress("127.0.0.1") in auth.proxies)
self.assertTrue(IPAddress("127.0.0.2") in auth.proxies)
self.assertFalse(IPAddress("127.0.0.3") in auth.proxies)
def test_from_settings(self):
settings = {
"foo": "bar",
"ipauth.ipaddrs": "123.123.0.1 124.124.0.1/16",
"ipauth.userid": "one",
"ipauth.principals": "two three",
"otherauth.ipaddrs": "127.0.0.*",
"otherauth.userid": "other",
"otherauth.proxies": "127.0.0.1 127.0.0.2",
}
# Try basic instantiation.
auth = IPAuthenticationPolicy.from_settings(settings)
self.assertTrue(IPAddress("123.123.0.1") in auth.ipaddrs)
self.assertEquals(auth.userid, "one")
self.assertEquals(auth.principals, ["two", "three"])
self.assertEquals(auth.proxies, IPSet([]))
# Try instantiation with custom prefix.
auth = IPAuthenticationPolicy.from_settings(settings,
prefix="otherauth.")
self.assertTrue(IPAddress("127.0.0.1") in auth.ipaddrs)
self.assertEquals(auth.userid, "other")
self.assertEquals(auth.principals, [])
self.assertTrue(IPAddress("127.0.0.1") in auth.proxies)
self.assertTrue(IPAddress("127.0.0.2") in auth.proxies)
self.assertFalse(IPAddress("127.0.0.3") in auth.proxies)
# Try instantiation with extra keywords
auth = IPAuthenticationPolicy.from_settings(settings,
prefix="otherauth.",
userid="overwritten")
self.assertTrue(IPAddress("127.0.0.1") in auth.ipaddrs)
self.assertEquals(auth.userid, "overwritten")
self.assertEquals(auth.principals, [])
self.assertTrue(IPAddress("127.0.0.1") in auth.proxies)
self.assertTrue(IPAddress("127.0.0.2") in auth.proxies)
self.assertFalse(IPAddress("127.0.0.3") in auth.proxies)
def test_callbacks(self):
def get_userid(ipaddr):
if str(ipaddr).startswith('192'):
return 'LAN-user'
if str(ipaddr).startswith('127'):
return 'localhost-user'
return None
def get_principals(userid, ipaddr):
principals = {
'LAN-user': ['view'],
'localhost-user': ['view', 'edit'],
}
return principals.get(userid, [])
policy = IPAuthenticationPolicy("all", get_userid=get_userid,
get_principals=get_principals)
# Addresses outside the range don't authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEqual(policy.unauthenticated_userid(request), "LAN-user")
self.assertEqual(policy.authenticated_userid(request), "LAN-user")
self.assertEqual(policy.effective_principals(request),
["LAN-user", Everyone, Authenticated, 'view'])
request = DummyRequest(environ={"REMOTE_ADDR": "127.0.0.1"})
self.assertEqual(policy.unauthenticated_userid(request),
"localhost-user")
self.assertEqual(policy.authenticated_userid(request),
"localhost-user")
self.assertEqual(policy.effective_principals(request),
["localhost-user", Everyone, Authenticated,
'view', 'edit'])
request = DummyRequest(environ={"REMOTE_ADDR": "86.8.8.8"})
self.assertEqual(policy.unauthenticated_userid(request), None)
self.assertEqual(policy.authenticated_userid(request), None)
self.assertEqual(policy.effective_principals(request), [Everyone])
def test_remote_addr(self):
policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user")
# Addresses outside the range don't authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEqual(policy.authenticated_userid(request), None)
# Addresses inside the range do authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"})
self.assertEqual(policy.authenticated_userid(request), "user")
request = DummyRequest(environ={"REMOTE_ADDR": "123.123.1.2"})
self.assertEqual(policy.authenticated_userid(request), "user")
def test_remote_addr(self):
policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user")
# Addresses outside the range don't authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEquals(policy.authenticated_userid(request), None)
# Addresses inside the range do authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"})
self.assertEquals(policy.authenticated_userid(request), "user")
request = DummyRequest(environ={"REMOTE_ADDR": "123.123.1.2"})
self.assertEquals(policy.authenticated_userid(request), "user")
def test_principals(self):
policy = IPAuthenticationPolicy(["123.123.0.0/16"],
principals=["test"])
# Addresses outside the range don't get metadata set
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEquals(policy.effective_principals(request), [Everyone])
# Addresses inside the range do get metadata set
request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"})
self.assertEquals(policy.effective_principals(request),
[Everyone, Authenticated, "test"])
policy.userid = "user"
self.assertEquals(policy.effective_principals(request),
["user", Everyone, Authenticated, "test"])
def test_noncontiguous_ranges(self):
policy = IPAuthenticationPolicy(["123.123.0.0/16", "124.124.1.0/24"],
"user")
# Addresses outside the range don't authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEqual(policy.authenticated_userid(request), None)
request = DummyRequest(environ={"REMOTE_ADDR": "124.124.0.1"})
self.assertEqual(policy.authenticated_userid(request), None)
# Addresses inside the range do authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"})
self.assertEqual(policy.authenticated_userid(request), "user")
request = DummyRequest(environ={"REMOTE_ADDR": "124.124.1.2"})
self.assertEqual(policy.authenticated_userid(request), "user")
def test_x_forwarded_for(self):
policy = IPAuthenticationPolicy(["123.123.0.0/16"],
"user",
proxies=["124.124.0.0/24"])
# Requests without X-Forwarded-For work as normal
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEqual(policy.authenticated_userid(request), None)
request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"})
self.assertEqual(policy.authenticated_userid(request), "user")
# Requests with untrusted X-Forwarded-For don't authenticate
request = DummyRequest(environ={
"REMOTE_ADDR": "192.168.0.1",
"HTTP_X_FORWARDED_FOR": "123.123.0.1"
})
self.assertEqual(policy.authenticated_userid(request), None)
# Requests from single trusted proxy do authenticate
request = DummyRequest(environ={
"REMOTE_ADDR": "124.124.0.1",
"HTTP_X_FORWARDED_FOR": "123.123.0.1"
})
self.assertEqual(policy.authenticated_userid(request), "user")
# Requests from chain of trusted proxies do authenticate
request = DummyRequest(
environ={
"REMOTE_ADDR": "124.124.0.2",
"HTTP_X_FORWARDED_FOR": "123.123.0.1, 124.124.0.1"
})
self.assertEqual(policy.authenticated_userid(request), "user")
# Requests with untrusted proxy in chain don't authenticate
request = DummyRequest(
environ={
"REMOTE_ADDR": "124.124.0.1",
"HTTP_X_FORWARDED_FOR": "123.123.0.1, 192.168.0.1"
})
self.assertEqual(policy.authenticated_userid(request), None)
def test_x_forwarded_for(self):
policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user",
proxies=["124.124.0.0/24"])
# Requests without X-Forwarded-For work as normal
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEqual(policy.authenticated_userid(request), None)
request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"})
self.assertEqual(policy.authenticated_userid(request), "user")
# Requests with untrusted X-Forwarded-For don't authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1",
"HTTP_X_FORWARDED_FOR": "123.123.0.1"})
self.assertEqual(policy.authenticated_userid(request), None)
# Requests from single trusted proxy do authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "124.124.0.1",
"HTTP_X_FORWARDED_FOR": "123.123.0.1"})
self.assertEqual(policy.authenticated_userid(request), "user")
# Requests from chain of trusted proxies do authenticate
request = DummyRequest(
environ={
"REMOTE_ADDR": "124.124.0.2",
"HTTP_X_FORWARDED_FOR": "123.123.0.1, 124.124.0.1"})
self.assertEqual(policy.authenticated_userid(request), "user")
# Requests with untrusted proxy in chain don't authenticate
request = DummyRequest(
environ={
"REMOTE_ADDR": "124.124.0.1",
"HTTP_X_FORWARDED_FOR": "123.123.0.1, 192.168.0.1"})
self.assertEqual(policy.authenticated_userid(request), None)
def test_principals(self):
policy = IPAuthenticationPolicy(["123.123.0.0/16"], principals="test")
# Addresses outside the range don't get metadata set
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEqual(policy.effective_principals(request), [Everyone])
# Addresses inside the range do get metadata set
request = DummyRequest(environ={"REMOTE_ADDR": "123.123.0.1"})
self.assertEqual(policy.effective_principals(request),
[Everyone, "test"])
policy.userid = "user"
self.assertEqual(policy.effective_principals(request),
["user", Everyone, Authenticated, "test"])
def test_remember_forget(self):
policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user")
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEqual(policy.remember(request, "user"), [])
self.assertEqual(policy.forget(request), [])
def test_callbacks(self):
def get_userid(ipaddr):
if str(ipaddr).startswith('192'):
return 'LAN-user'
if str(ipaddr).startswith('127'):
return 'localhost-user'
return None
def get_principals(userid, ipaddr):
principals = {
'LAN-user': ['view'],
'localhost-user': ['view', 'edit'],
}
return principals.get(userid, [])
policy = IPAuthenticationPolicy("all",
get_userid=get_userid,
get_principals=get_principals)
# Addresses outside the range don't authenticate
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEqual(policy.unauthenticated_userid(request), "LAN-user")
self.assertEqual(policy.authenticated_userid(request), "LAN-user")
self.assertEqual(policy.effective_principals(request),
["LAN-user", Everyone, Authenticated, 'view'])
request = DummyRequest(environ={"REMOTE_ADDR": "127.0.0.1"})
self.assertEqual(policy.unauthenticated_userid(request),
"localhost-user")
self.assertEqual(policy.authenticated_userid(request),
"localhost-user")
self.assertEqual(
policy.effective_principals(request),
["localhost-user", Everyone, Authenticated, 'view', 'edit'])
request = DummyRequest(environ={"REMOTE_ADDR": "86.8.8.8"})
self.assertEqual(policy.unauthenticated_userid(request), None)
self.assertEqual(policy.authenticated_userid(request), None)
self.assertEqual(policy.effective_principals(request), [Everyone])
def test_remember_forget(self):
policy = IPAuthenticationPolicy(["123.123.0.0/16"], "user")
request = DummyRequest(environ={"REMOTE_ADDR": "192.168.0.1"})
self.assertEquals(policy.remember(request, "user"), [])
self.assertEquals(policy.forget(request), [])
