def test_invalid_session_handler(self):
security_context = SecurityContext({
SCHEME_ID: SESSION_SCHEME_ID,
SESSION_ID: 'invalid-session-id'
})
handler = SessionAuthnHandler()
result = handler.authenticate(security_context)
self.assertFalse(result)
def test_invalid_saml_bearer_handler(self):
security_context = SecurityContext({
SCHEME_ID: SAML_BEARER_SCHEME_ID,
SAML_TOKEN: 'invalid-saml-token'
})
handler = SamlBearerTokenAuthnHandler()
result = handler.authenticate(security_context)
self.assertFalse(result)
def test_session_handler_invalid_scheme(self):
security_context = SecurityContext({
SCHEME_ID: OAUTH_SCHEME_ID,
ACCESS_TOKEN: 'token'
})
handler = SessionAuthnHandler()
result = handler.authenticate(security_context)
self.assertEqual(result, None)
def test_invalid_oauth_handler(self):
security_context = SecurityContext({
SCHEME_ID: OAUTH_SCHEME_ID,
ACCESS_TOKEN: 'invalid-token'
})
handler = OAuthTokenAuthnHandler()
result = handler.authenticate(security_context)
self.assertFalse(result)
def test_saml_bearer_handler_invalid_scheme(self):
security_context = SecurityContext({
SCHEME_ID: SESSION_SCHEME_ID,
SESSION_ID: 'invalid-session-id'
})
handler = SamlBearerTokenAuthnHandler()
result = handler.authenticate(security_context)
self.assertEqual(result, None)
def invoke(self, service_id, operation_id, input_value, ctx):
"""
Invoke an API request
:type service_id: :class:`str`
:param service_id: Service identifier
:type operation_id: :class:`str`
:param operation_id: Operation identifier
:type input_value: :class:`vmware.vapi.data.value.StructValue`
:param input_value: Method input parameters
:type ctx: :class:`vmware.vapi.core.ExecutionContext`
:param ctx: Execution context for this method
:rtype: :class:`vmware.vapi.core.MethodResult`
:return: Result of the method invocation
"""
sec_ctx = ctx.security_context
app_ctx = ctx.application_context
authn_result = None
request_scheme = sec_ctx.get(SCHEME_ID)
if (self._authn_handlers and request_scheme
and request_scheme != NO_AUTH):
for handler in self._authn_handlers:
# Call authenticate method and get the UserIdentity
try:
authn_result = handler.authenticate(sec_ctx)
except Exception as e:
logger.exception(
'Error in invoking authentication handler %s - %s',
handler, e)
error_value = make_error_value_from_msg_id(
self._internal_server_error_def,
'vapi.security.authentication.exception', str(e))
return MethodResult(error=error_value)
# authn result false means authentication failed
if authn_result is False:
error_value = make_error_value_from_msg_id(
self._unauthenticated_error_def,
'vapi.security.authentication.invalid')
return MethodResult(error=error_value)
if authn_result is not None:
# Matching authN handler found
break
if authn_result:
# Add the authN identity to the security context to pass on to next
# provider
sec_ctx[AUTHN_IDENTITY] = authn_result
ctx = ExecutionContext(app_ctx, sec_ctx)
else:
# No AuthN handler found pass an empty security context
ctx = ExecutionContext(app_ctx, SecurityContext())
return ApiProviderFilter.invoke(self, service_id, operation_id,
input_value, ctx)
def test_valid_saml_bearer_handler(self):
security_context = SecurityContext({
SCHEME_ID: SAML_BEARER_SCHEME_ID,
SAML_TOKEN: 'saml-bearer-token'
})
handler = SamlBearerTokenAuthnHandler()
result = handler.authenticate(security_context)
self.assertEqual(result.get_username(), 'saml-bearer-user')
self.assertEqual(result.get_domain(), 'saml-bearer-domain')
def test_oauth_handler_invalid_scheme(self):
security_context = SecurityContext({
SCHEME_ID: USER_PASSWORD_SCHEME_ID,
USER_KEY: 'testuser',
PASSWORD_KEY: 'password'
})
handler = OAuthTokenAuthnHandler()
result = handler.authenticate(security_context)
self.assertEqual(result, None)
def test_valid_oauth_handler(self):
security_context = SecurityContext({
SCHEME_ID: OAUTH_SCHEME_ID,
ACCESS_TOKEN: 'token'
})
handler = OAuthTokenAuthnHandler()
result = handler.authenticate(security_context)
self.assertEqual(result.get_username(), 'oauth-user')
self.assertEqual(result.get_domain(), None)
def test_invalid_user_pwd_handler(self):
security_context = SecurityContext({
SCHEME_ID: USER_PASSWORD_SCHEME_ID,
USER_KEY: 'testuser',
PASSWORD_KEY: 'pwd'
})
handler = UserPwdAuthnHandler()
result = handler.authenticate(security_context)
self.assertFalse(result)
def test_invalid_saml_hok_handler(self):
security_context = SecurityContext({
SCHEME_ID: SAML_SCHEME_ID,
PRIVATE_KEY: 'key',
SAML_TOKEN: 'invalid-saml-token'
})
handler = SamlHoKTokenAuthnHandler()
result = handler.authenticate(security_context)
self.assertFalse(result)
def test_valid_session_handler(self):
security_context = SecurityContext({
SCHEME_ID: SESSION_SCHEME_ID,
SESSION_ID: 'session-id'
})
handler = SessionAuthnHandler()
result = handler.authenticate(security_context)
self.assertEqual(result.get_username(), 'session-user')
self.assertEqual(result.get_domain(), None)
def test_valid_saml_hok_handler(self):
security_context = SecurityContext({
SCHEME_ID: SAML_SCHEME_ID,
PRIVATE_KEY: 'key',
SAML_TOKEN: 'saml-token'
})
handler = SamlHoKTokenAuthnHandler()
result = handler.authenticate(security_context)
self.assertEqual(result.get_username(), 'saml-user')
self.assertEqual(result.get_domain(), 'saml-domain')
def test_valid_user_pwd_handler(self):
security_context = SecurityContext({
SCHEME_ID: USER_PASSWORD_SCHEME_ID,
USER_KEY: 'testuser',
PASSWORD_KEY: 'password'
})
handler = UserPwdAuthnHandler()
result = handler.authenticate(security_context)
self.assertEqual(result.get_username(), 'testuser')
self.assertEqual(result.get_domain(), None)
def test_authn_op_with_sec_ctx(self):
sec_ctx = SecurityContext({
SCHEME_ID: USER_PASSWORD_SCHEME_ID,
USER_KEY: 'testuser',
PASSWORD_KEY: 'password'
})
ctx = ExecutionContext(None, sec_ctx)
input_val = VoidValue()
method_result = self.sec_ctx_filter.invoke('svc', 'op2', input_val,
ctx)
self.assertEqual(method_result.output, IntegerValue(20))
self.assertEqual(method_result.error, None)
def test_unauthorized_oauth_handler(self):
security_context = SecurityContext({
SCHEME_ID:
OAUTH_SCHEME_ID,
ACCESS_TOKEN:
'token',
AUTHN_IDENTITY:
UserIdentity('invalid-oauth-user')
})
handler = OAuthTokenAuthzHandler()
result = handler.authorize('com.vmware.pkg', 'op', security_context)
self.assertFalse(result)
def test_invalid_session_handler(self):
security_context = SecurityContext({
SCHEME_ID:
SESSION_SCHEME_ID,
SESSION_ID:
'invalid-session-id',
AUTHN_IDENTITY:
UserIdentity('invalid-session-user')
})
handler = SessionAuthzHandler()
result = handler.authorize('com.vmware.pkg', 'op', security_context)
self.assertFalse(result)
def test_invalid_domain_saml_bearer_handler(self):
security_context = SecurityContext({
SCHEME_ID:
SAML_BEARER_SCHEME_ID,
SAML_TOKEN:
'invalid-saml-token',
AUTHN_IDENTITY:
UserIdentity('valid-saml-user', 'invalid-saml-domain')
})
handler = SamlTokenAuthzHandler()
result = handler.authorize('com.vmware.pkg', 'op', security_context)
self.assertFalse(result)
def create_saml_bearer_security_context(token):
"""
Create a security context for SAML bearer token based
authentication scheme
:type token: :class:`str`
:param token: SAML Token
"""
return SecurityContext({
SCHEME_ID: SAML_BEARER_SCHEME_ID,
SAML_TOKEN: token
})
def test_invalid_user_pwd_scheme(self):
sec_ctx = SecurityContext({
SCHEME_ID: OAUTH_SCHEME_ID,
ACCESS_TOKEN: 'token'
})
app_ctx = ApplicationContext()
ctx = ExecutionContext(app_ctx, sec_ctx)
input_val = VoidValue()
method_result = self.authn_filter.invoke('com.pkg.svc', 'op',
input_val, ctx)
self.assertEqual(method_result.output, IntegerValue(10))
self.assertEqual(method_result.error, None)
def create_oauth_security_context(access_token):
"""
Create a security context for Oauth2 based authentication
scheme
:type access_token: :class:`str`
:param access_token: Access token
:rtype: :class:`vmware.vapi.core.SecurityContext`
:return: Newly created security context
"""
return SecurityContext({SCHEME_ID: OAUTH_SCHEME_ID,
ACCESS_TOKEN: access_token})
def security_ctx(ctx):
"""
get security context from jsonrpc dict
:type ctx: :class:`dict`
:param ctx: json security context
:rtype: :class:`vmware.vapi.core.SecurityContext`
:return: json user session
"""
if ctx is not None:
return SecurityContext(ctx)
return None
def test_user_pwd_scheme(self):
sec_ctx = SecurityContext({
SCHEME_ID: USER_PASSWORD_SCHEME_ID,
USER_KEY: 'testuser',
PASSWORD_KEY: 'password'
})
app_ctx = ApplicationContext()
ctx = ExecutionContext(app_ctx, sec_ctx)
input_val = VoidValue()
method_result = self.authn_filter.invoke('com.pkg.svc', 'op',
input_val, ctx)
self.assertEqual(method_result.output, IntegerValue(10))
self.assertEqual(method_result.error, None)
def test_invalid_user_pwd(self):
sec_ctx = SecurityContext({
SCHEME_ID: USER_PASSWORD_SCHEME_ID,
USER_KEY: 'testuser',
PASSWORD_KEY: 'invalidpassword'
})
app_ctx = ApplicationContext()
ctx = ExecutionContext(app_ctx, sec_ctx)
input_val = VoidValue()
method_result = self.authn_filter.invoke('com.pkg.svc', 'op',
input_val, ctx)
self.assertEqual(method_result.error.name,
'com.vmware.vapi.std.errors.unauthenticated')
def test_op_with_sec_ctx_on_filter(self):
sec_ctx = SecurityContext({
SCHEME_ID: USER_PASSWORD_SCHEME_ID,
USER_KEY: 'testuser',
PASSWORD_KEY: 'password'
})
self.sec_ctx_filter.set_security_context(sec_ctx)
ctx = ExecutionContext(ApplicationContext(), None)
input_val = VoidValue()
method_result = self.sec_ctx_filter.invoke('svc', 'op1', input_val,
ctx)
self.assertEqual(method_result.output, IntegerValue(10))
self.assertEqual(method_result.error, None)
def test_noauth_op_with_valid_user(self):
sec_ctx = SecurityContext({
SCHEME_ID: USER_PASSWORD_SCHEME_ID,
USER_KEY: 'testuser',
PASSWORD_KEY: 'password',
AUTHN_IDENTITY: UserIdentity('testuser')
})
app_ctx = ApplicationContext()
ctx = ExecutionContext(app_ctx, sec_ctx)
input_val = VoidValue()
method_result = self.authz_filter.invoke('com.pkg.svc', 'op1',
input_val, ctx)
self.assertEqual(method_result.output, IntegerValue(10))
self.assertEqual(method_result.error, None)
def create_session_security_context(session_id):
"""
Create a security context for Session Id based authentication
scheme
:type session_id: :class:`str`
:param session_id: Session ID
:rtype: :class:`vmware.vapi.core.SecurityContext`
:return: Newly created security context
"""
return SecurityContext({
SCHEME_ID: SESSION_SCHEME_ID,
SESSION_ID: session_id
})
def test_valid_saml_hok_handler(self):
security_context = SecurityContext({
SCHEME_ID:
SAML_SCHEME_ID,
PRIVATE_KEY:
'key',
SAML_TOKEN:
'valid-saml-token',
AUTHN_IDENTITY:
UserIdentity('valid-saml-user', 'valid-saml-domain')
})
handler = SamlTokenAuthzHandler()
result = handler.authorize('com.vmware.pkg', 'op', security_context)
self.assertTrue(result)
def test_unauthorized_user_pwd_handler(self):
security_context = SecurityContext({
SCHEME_ID:
USER_PASSWORD_SCHEME_ID,
USER_KEY:
'unauthorizeduser',
PASSWORD_KEY:
'password',
AUTHN_IDENTITY:
UserIdentity('unauthorizeduser')
})
handler = UserPwdAuthzHandler()
result = handler.authorize('com.vmware.pkg', 'op', security_context)
self.assertFalse(result)
def create_user_password_security_context(user_name, password):
"""
Create a security context for Username-Password based authentication
scheme
:type user_name: :class:`str`
:param user_name: Name of the user
:type password: :class:`str`
:param password: Password of the user
:rtype: :class:`vmware.vapi.core.SecurityContext`
:return: Newly created security context
"""
return SecurityContext({
SCHEME_ID: USER_PASSWORD_SCHEME_ID,
USER_KEY: user_name,
PASSWORD_KEY: password
})
