def test_invalid_session_handler(self): security_context = SecurityContext({ SCHEME_ID: SESSION_SCHEME_ID, SESSION_ID: 'invalid-session-id' }) handler = SessionAuthnHandler() result = handler.authenticate(security_context) self.assertFalse(result)
def test_invalid_saml_bearer_handler(self): security_context = SecurityContext({ SCHEME_ID: SAML_BEARER_SCHEME_ID, SAML_TOKEN: 'invalid-saml-token' }) handler = SamlBearerTokenAuthnHandler() result = handler.authenticate(security_context) self.assertFalse(result)
def test_session_handler_invalid_scheme(self): security_context = SecurityContext({ SCHEME_ID: OAUTH_SCHEME_ID, ACCESS_TOKEN: 'token' }) handler = SessionAuthnHandler() result = handler.authenticate(security_context) self.assertEqual(result, None)
def test_invalid_oauth_handler(self): security_context = SecurityContext({ SCHEME_ID: OAUTH_SCHEME_ID, ACCESS_TOKEN: 'invalid-token' }) handler = OAuthTokenAuthnHandler() result = handler.authenticate(security_context) self.assertFalse(result)
def test_saml_bearer_handler_invalid_scheme(self): security_context = SecurityContext({ SCHEME_ID: SESSION_SCHEME_ID, SESSION_ID: 'invalid-session-id' }) handler = SamlBearerTokenAuthnHandler() result = handler.authenticate(security_context) self.assertEqual(result, None)
def invoke(self, service_id, operation_id, input_value, ctx): """ Invoke an API request :type service_id: :class:`str` :param service_id: Service identifier :type operation_id: :class:`str` :param operation_id: Operation identifier :type input_value: :class:`vmware.vapi.data.value.StructValue` :param input_value: Method input parameters :type ctx: :class:`vmware.vapi.core.ExecutionContext` :param ctx: Execution context for this method :rtype: :class:`vmware.vapi.core.MethodResult` :return: Result of the method invocation """ sec_ctx = ctx.security_context app_ctx = ctx.application_context authn_result = None request_scheme = sec_ctx.get(SCHEME_ID) if (self._authn_handlers and request_scheme and request_scheme != NO_AUTH): for handler in self._authn_handlers: # Call authenticate method and get the UserIdentity try: authn_result = handler.authenticate(sec_ctx) except Exception as e: logger.exception( 'Error in invoking authentication handler %s - %s', handler, e) error_value = make_error_value_from_msg_id( self._internal_server_error_def, 'vapi.security.authentication.exception', str(e)) return MethodResult(error=error_value) # authn result false means authentication failed if authn_result is False: error_value = make_error_value_from_msg_id( self._unauthenticated_error_def, 'vapi.security.authentication.invalid') return MethodResult(error=error_value) if authn_result is not None: # Matching authN handler found break if authn_result: # Add the authN identity to the security context to pass on to next # provider sec_ctx[AUTHN_IDENTITY] = authn_result ctx = ExecutionContext(app_ctx, sec_ctx) else: # No AuthN handler found pass an empty security context ctx = ExecutionContext(app_ctx, SecurityContext()) return ApiProviderFilter.invoke(self, service_id, operation_id, input_value, ctx)
def test_valid_saml_bearer_handler(self): security_context = SecurityContext({ SCHEME_ID: SAML_BEARER_SCHEME_ID, SAML_TOKEN: 'saml-bearer-token' }) handler = SamlBearerTokenAuthnHandler() result = handler.authenticate(security_context) self.assertEqual(result.get_username(), 'saml-bearer-user') self.assertEqual(result.get_domain(), 'saml-bearer-domain')
def test_oauth_handler_invalid_scheme(self): security_context = SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: 'testuser', PASSWORD_KEY: 'password' }) handler = OAuthTokenAuthnHandler() result = handler.authenticate(security_context) self.assertEqual(result, None)
def test_valid_oauth_handler(self): security_context = SecurityContext({ SCHEME_ID: OAUTH_SCHEME_ID, ACCESS_TOKEN: 'token' }) handler = OAuthTokenAuthnHandler() result = handler.authenticate(security_context) self.assertEqual(result.get_username(), 'oauth-user') self.assertEqual(result.get_domain(), None)
def test_invalid_user_pwd_handler(self): security_context = SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: 'testuser', PASSWORD_KEY: 'pwd' }) handler = UserPwdAuthnHandler() result = handler.authenticate(security_context) self.assertFalse(result)
def test_invalid_saml_hok_handler(self): security_context = SecurityContext({ SCHEME_ID: SAML_SCHEME_ID, PRIVATE_KEY: 'key', SAML_TOKEN: 'invalid-saml-token' }) handler = SamlHoKTokenAuthnHandler() result = handler.authenticate(security_context) self.assertFalse(result)
def test_valid_session_handler(self): security_context = SecurityContext({ SCHEME_ID: SESSION_SCHEME_ID, SESSION_ID: 'session-id' }) handler = SessionAuthnHandler() result = handler.authenticate(security_context) self.assertEqual(result.get_username(), 'session-user') self.assertEqual(result.get_domain(), None)
def test_valid_saml_hok_handler(self): security_context = SecurityContext({ SCHEME_ID: SAML_SCHEME_ID, PRIVATE_KEY: 'key', SAML_TOKEN: 'saml-token' }) handler = SamlHoKTokenAuthnHandler() result = handler.authenticate(security_context) self.assertEqual(result.get_username(), 'saml-user') self.assertEqual(result.get_domain(), 'saml-domain')
def test_valid_user_pwd_handler(self): security_context = SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: 'testuser', PASSWORD_KEY: 'password' }) handler = UserPwdAuthnHandler() result = handler.authenticate(security_context) self.assertEqual(result.get_username(), 'testuser') self.assertEqual(result.get_domain(), None)
def test_authn_op_with_sec_ctx(self): sec_ctx = SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: 'testuser', PASSWORD_KEY: 'password' }) ctx = ExecutionContext(None, sec_ctx) input_val = VoidValue() method_result = self.sec_ctx_filter.invoke('svc', 'op2', input_val, ctx) self.assertEqual(method_result.output, IntegerValue(20)) self.assertEqual(method_result.error, None)
def test_unauthorized_oauth_handler(self): security_context = SecurityContext({ SCHEME_ID: OAUTH_SCHEME_ID, ACCESS_TOKEN: 'token', AUTHN_IDENTITY: UserIdentity('invalid-oauth-user') }) handler = OAuthTokenAuthzHandler() result = handler.authorize('com.vmware.pkg', 'op', security_context) self.assertFalse(result)
def test_invalid_session_handler(self): security_context = SecurityContext({ SCHEME_ID: SESSION_SCHEME_ID, SESSION_ID: 'invalid-session-id', AUTHN_IDENTITY: UserIdentity('invalid-session-user') }) handler = SessionAuthzHandler() result = handler.authorize('com.vmware.pkg', 'op', security_context) self.assertFalse(result)
def test_invalid_domain_saml_bearer_handler(self): security_context = SecurityContext({ SCHEME_ID: SAML_BEARER_SCHEME_ID, SAML_TOKEN: 'invalid-saml-token', AUTHN_IDENTITY: UserIdentity('valid-saml-user', 'invalid-saml-domain') }) handler = SamlTokenAuthzHandler() result = handler.authorize('com.vmware.pkg', 'op', security_context) self.assertFalse(result)
def create_saml_bearer_security_context(token): """ Create a security context for SAML bearer token based authentication scheme :type token: :class:`str` :param token: SAML Token """ return SecurityContext({ SCHEME_ID: SAML_BEARER_SCHEME_ID, SAML_TOKEN: token })
def test_invalid_user_pwd_scheme(self): sec_ctx = SecurityContext({ SCHEME_ID: OAUTH_SCHEME_ID, ACCESS_TOKEN: 'token' }) app_ctx = ApplicationContext() ctx = ExecutionContext(app_ctx, sec_ctx) input_val = VoidValue() method_result = self.authn_filter.invoke('com.pkg.svc', 'op', input_val, ctx) self.assertEqual(method_result.output, IntegerValue(10)) self.assertEqual(method_result.error, None)
def create_oauth_security_context(access_token): """ Create a security context for Oauth2 based authentication scheme :type access_token: :class:`str` :param access_token: Access token :rtype: :class:`vmware.vapi.core.SecurityContext` :return: Newly created security context """ return SecurityContext({SCHEME_ID: OAUTH_SCHEME_ID, ACCESS_TOKEN: access_token})
def security_ctx(ctx): """ get security context from jsonrpc dict :type ctx: :class:`dict` :param ctx: json security context :rtype: :class:`vmware.vapi.core.SecurityContext` :return: json user session """ if ctx is not None: return SecurityContext(ctx) return None
def test_user_pwd_scheme(self): sec_ctx = SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: 'testuser', PASSWORD_KEY: 'password' }) app_ctx = ApplicationContext() ctx = ExecutionContext(app_ctx, sec_ctx) input_val = VoidValue() method_result = self.authn_filter.invoke('com.pkg.svc', 'op', input_val, ctx) self.assertEqual(method_result.output, IntegerValue(10)) self.assertEqual(method_result.error, None)
def test_invalid_user_pwd(self): sec_ctx = SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: 'testuser', PASSWORD_KEY: 'invalidpassword' }) app_ctx = ApplicationContext() ctx = ExecutionContext(app_ctx, sec_ctx) input_val = VoidValue() method_result = self.authn_filter.invoke('com.pkg.svc', 'op', input_val, ctx) self.assertEqual(method_result.error.name, 'com.vmware.vapi.std.errors.unauthenticated')
def test_op_with_sec_ctx_on_filter(self): sec_ctx = SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: 'testuser', PASSWORD_KEY: 'password' }) self.sec_ctx_filter.set_security_context(sec_ctx) ctx = ExecutionContext(ApplicationContext(), None) input_val = VoidValue() method_result = self.sec_ctx_filter.invoke('svc', 'op1', input_val, ctx) self.assertEqual(method_result.output, IntegerValue(10)) self.assertEqual(method_result.error, None)
def test_noauth_op_with_valid_user(self): sec_ctx = SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: 'testuser', PASSWORD_KEY: 'password', AUTHN_IDENTITY: UserIdentity('testuser') }) app_ctx = ApplicationContext() ctx = ExecutionContext(app_ctx, sec_ctx) input_val = VoidValue() method_result = self.authz_filter.invoke('com.pkg.svc', 'op1', input_val, ctx) self.assertEqual(method_result.output, IntegerValue(10)) self.assertEqual(method_result.error, None)
def create_session_security_context(session_id): """ Create a security context for Session Id based authentication scheme :type session_id: :class:`str` :param session_id: Session ID :rtype: :class:`vmware.vapi.core.SecurityContext` :return: Newly created security context """ return SecurityContext({ SCHEME_ID: SESSION_SCHEME_ID, SESSION_ID: session_id })
def test_valid_saml_hok_handler(self): security_context = SecurityContext({ SCHEME_ID: SAML_SCHEME_ID, PRIVATE_KEY: 'key', SAML_TOKEN: 'valid-saml-token', AUTHN_IDENTITY: UserIdentity('valid-saml-user', 'valid-saml-domain') }) handler = SamlTokenAuthzHandler() result = handler.authorize('com.vmware.pkg', 'op', security_context) self.assertTrue(result)
def test_unauthorized_user_pwd_handler(self): security_context = SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: 'unauthorizeduser', PASSWORD_KEY: 'password', AUTHN_IDENTITY: UserIdentity('unauthorizeduser') }) handler = UserPwdAuthzHandler() result = handler.authorize('com.vmware.pkg', 'op', security_context) self.assertFalse(result)
def create_user_password_security_context(user_name, password): """ Create a security context for Username-Password based authentication scheme :type user_name: :class:`str` :param user_name: Name of the user :type password: :class:`str` :param password: Password of the user :rtype: :class:`vmware.vapi.core.SecurityContext` :return: Newly created security context """ return SecurityContext({ SCHEME_ID: USER_PASSWORD_SCHEME_ID, USER_KEY: user_name, PASSWORD_KEY: password })