def setUp(self):
self.user = User.objects.create_user('test_user', '*****@*****.**',
'test_password')
self.middleware = AuthenticationMiddleware()
self.client.force_login(self.user)
self.request = HttpRequest()
self.request.session = self.client.session
class TestShibbolethRemoteUserMiddleware(TestCase):
def setUp(self):
self.request_factory = RequestFactory()
self.smw = SessionMiddleware()
self.amw = AuthenticationMiddleware()
self.rmw = RemoteUserMiddleware()
self.srmw = middleware.ShibbolethRemoteUserMiddleware()
def _process_request_through_middleware(self, request):
self.smw.process_request(request)
self.amw.process_request(request)
self.rmw.process_request(request)
return self.srmw.process_request(request)
def test_no_remote_user(self):
test_request = self.request_factory.get('/')
self._process_request_through_middleware(test_request)
#shouldn't have done anything - just return because no REMOTE_USER
self.assertTrue('shib' not in test_request.session)
self.assertFalse(test_request.user.is_authenticated())
def test_remote_user_empty(self):
test_request = self.request_factory.get('/', REMOTE_USER='')
response = self._process_request_through_middleware(test_request)
self.assertTrue('shib' not in test_request.session)
self.assertFalse(test_request.user.is_authenticated())
class SignedCookiesTest(TestCase):
def setUp(self):
self.middleware = SignedCookiesMiddleware()
self.auth_middleware = AuthenticationMiddleware()
self.session_middleware = SessionMiddleware()
def _process_request(self, request):
self.session_middleware.process_request(request)
self.auth_middleware.process_request(request)
self.middleware.process_request(request)
def _process_response(self, request, response):
self.middleware.process_response(request, response)
self.session_middleware.process_response(request, response)
def test_middleware(self):
request = HttpRequest()
request.COOKIES['key'] = 'foo'
self._process_request(request)
self.failIf('key' in request.COOKIES)
response = HttpResponse()
request = HttpRequest()
self._process_request(request)
response.set_cookie('key', 'foo')
self._process_response(request, response)
signed_val = response.cookies['key'].value
self.failIfEqual(signed_val, 'foo')
request.COOKIES['key'] = signed_val
self._process_request(request)
self.failUnlessEqual(request.COOKIES['key'], 'foo')
def get_request_with_session(path):
"""Get request with attached session."""
request_factory = RequestFactory()
request = request_factory.get(path)
session_middleware = SessionMiddleware()
session_middleware.process_request(request)
authentication_middleware = AuthenticationMiddleware()
authentication_middleware.process_request(request)
return request
class FacebookAuthenticationMiddlewareTests(TestCase):
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.django_auth_middleware = AuthenticationMiddleware()
self.auth_middleware = FacebookAuthenticationMiddleware()
def request(self, url='/fb'):
request = self.factory.get(url)
self.session_middleware.process_request(request)
self.django_auth_middleware.process_request(request)
return request
def test_no_session(self):
"""
If there is no authenticated session, the user attribute should contain
an anonymous user.
"""
request = self.request()
self.auth_middleware.process_request(request)
eq_(request.user.is_anonymous(), True)
def test_no_matching_user(self):
"""
If an invalid user id is given in the session, the user attribute should
contain an anonymous user.
"""
request = self.request()
request.session[SESSION_KEY] = 9999
self.auth_middleware.process_request(request)
eq_(request.user.is_anonymous(), True)
def test_user_found(self):
"""
If there is an authenticated session with an existing user, the
specified user should be available via the user attribute.
"""
request = self.request()
user = FacebookUserFactory.create()
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
eq_(request.user, user)
def test_user_non_fb_app(self):
"""
If there is an authenticated session with an existing user outside of
the app, the specified user should not be a FacebookUser.
"""
request = self.request(url='/')
user = FacebookUserFactory.create()
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
ok_(not request.user == user)
eq_(request.user.is_anonymous(), True)
def setUp(self):
self.user_password = '******'
self.user = User.objects.create_user('test_user', '*****@*****.**',
self.user_password)
self.middleware = AuthenticationMiddleware()
self.assertTrue(
self.client.login(
username=self.user.username,
password=self.user_password,
))
self.request = HttpRequest()
self.request.session = self.client.session
class FBLoginRequiredTests(TestCase):
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.auth_middleware = AuthenticationMiddleware()
def request(self, url='/'):
"""
Create a mock request object.
"""
request = self.factory.get(url)
self.session_middleware.process_request(request)
self.auth_middleware.process_request(request)
return request
def test_no_auth(self):
"""
If the user has not been authed, return a redirect to the home page.
"""
request = self.request()
with self.activate('en-US'):
response = view(request)
eq_(response.status_code, 302)
self.assertRedirectsNoFollow(response, reverse('base.home'))
def test_django_auth(self):
"""
If the user has authed via normal django mechanisms, return a redirect.
"""
request = self.request()
User.objects.create_user('*****@*****.**', '*****@*****.**',
'asdf1234')
user = authenticate(username='******', password='******')
django_login(request, user)
response = view(request)
eq_(response.status_code, 302)
@patch.object(FacebookUser.objects, 'update_user_info')
def test_facebook_auth(self, update_user_info):
"""
If the user has authed via the Facebook auth mechanism, execute the
view.
"""
request = self.request()
user = FacebookUserFactory()
fb_login(request, user)
response = view(request)
eq_(response, True)
class FBLoginRequiredTests(TestCase):
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.auth_middleware = AuthenticationMiddleware()
def request(self, url='/'):
"""
Create a mock request object.
"""
request = self.factory.get(url)
self.session_middleware.process_request(request)
self.auth_middleware.process_request(request)
return request
def test_no_auth(self):
"""
If the user has not been authed, return a redirect to the home page.
"""
request = self.request()
with self.activate('en-US'):
response = view(request)
eq_(response.status_code, 302)
self.assert_viewname_url(response['Location'], 'base.landing')
def test_django_auth(self):
"""
If the user has authed via normal django mechanisms, return a redirect.
"""
request = self.request()
User.objects.create_user('*****@*****.**', '*****@*****.**',
'asdf1234')
user = authenticate(username='******', password='******')
django_login(request, user)
response = view(request)
eq_(response.status_code, 302)
@patch.object(FacebookUser.objects, 'update_user_info')
def test_facebook_auth(self, update_user_info):
"""
If the user has authed via the Facebook auth mechanism, execute the
view.
"""
request = self.request()
user = FacebookUserFactory()
fb_login(request, user)
response = view(request)
eq_(response, True)
def setUp(self):
self.user_email = '*****@*****.**'
self.user_password = '******'
self.user = get_user_model().objects.create_user(
self.user_email, self.user_password)
self.middleware_auth = AuthenticationMiddleware()
self.middleware_session_auth = SessionAuthenticationMiddleware()
self.assertTrue(
self.client.login(
username=self.user_email,
password=self.user_password,
))
self.request = HttpRequest()
self.request.session = self.client.session
def test_anon_token_from_cookie(self):
rf = django.test.RequestFactory()
rf.cookies['anoncsrf'] = self.token
cache.set(PREFIX + self.token, 'woo')
request = rf.get('/')
request.session = {}
r = {
'wsgi.input': django.test.client.FakePayload('')
}
# Hack to set up request middleware.
ClientHandler()(self.rf._base_environ(**r))
auth_mw = AuthenticationMiddleware()
auth_mw.process_request(request)
self.mw.process_view(request, anonymous_csrf(lambda: None), [], {})
self.assertEqual(request.csrf_token, 'woo')
def setUp(self):
load_test_data(self)
self.mox = mox.Mox()
self.factory = RequestFactoryWithMessages()
self.context = {'authorized_tenants': self.tenants.list()}
def fake_conn_request(*args, **kwargs):
raise Exception("An external URI request tried to escape through "
"an httplib2 client. Args: %s, kwargs: %s" %
(args, kwargs))
self._real_conn_request = httplib2.Http._conn_request
httplib2.Http._conn_request = fake_conn_request
self._real_horizon_context_processor = context_processors.horizon
context_processors.horizon = lambda request: self.context
self._real_get_user = utils.get_user
tenants = self.context['authorized_tenants']
self.setActiveUser(id=self.user.id,
token=self.token,
username=self.user.name,
tenant_id=self.tenant.id,
service_catalog=self.service_catalog,
authorized_tenants=tenants)
self.request = http.HttpRequest()
self.request.session = self.client._session()
self.request.session['token'] = self.token.id
middleware.HorizonMiddleware().process_request(self.request)
AuthenticationMiddleware().process_request(self.request)
os.environ["HORIZON_TEST_RUN"] = "True"
class ApiOauthMiddleware(object):
"""Middleware which attempts to use OAuth authentication on API
requests and cookie-based authentication on normal requests."""
auth_middleware = None
def __init__(self):
self.auth_middleware = AuthenticationMiddleware()
def process_request(self, request):
if not default_is_request_api(request):
return self.auth_middleware.process_request(request)
return None
def process_view(self, request, view_func, view_args, view_kwargs):
if default_is_request_api(request):
request.__class__.user = LazyAnonUser()
resource_name = getattr(request, 'oauth_resource_name', None)
if CheckOAuth.is_valid_request(request):
try:
consumer, token, parameters = CheckOAuth.validate_token(request)
except OAuthError, e:
return None
#!! ??return send_oauth_error(e)
if resource_name and token.resource.name != resource_name:
return send_oauth_error(OAuthError(_('You are not allowed to access this resource.')))
elif consumer and token:
if token.user:
request.__class__.user = token.user
return None
def session(self, request):
middleware = SessionMiddleware()
middleware.process_request(request)
request.session.save()
middleware = AuthenticationMiddleware()
middleware.process_request(request)
return request
def test_newly_authenticated_user_is_authenticated(self):
"""
This exists to catch an edge case where a user would be created but
could not be authenticated against.
Using User.objects.create(...) instead of User.objects.create_user(...)
will not throw an error, but the created user can't be authenticated
against.
Who knows what Django does internally that's different from manually
adding a user? Just don't delete this test.
"""
email = "*****@*****.**"
# Django does not include middleware in tests, so add it manually
# The request can be nondescript because it's just to satisfy Django
request = self.request_factory.get("/")
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
user = IdentityService.sign_up(request, email, "hunter2", "John",
"Doe")
self.assertTrue(user is not None)
self.assertEqual(user.email, email)
def log_in(username, password):
"""
Log the user in programatically.
This will delete any existing cookies to ensure that the user
logs in to the correct session.
"""
# Authenticate the user
world.scenario_dict['USER'] = authenticate(username=username,
password=password)
assert (world.scenario_dict['USER'] is not None
and world.scenario_dict['USER'].is_active)
# Send a fake HttpRequest to log the user in
# We need to process the request using
# Session middleware and Authentication middleware
# to ensure that session state can be stored
request = HttpRequest()
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
login(request, world.scenario_dict['USER'])
# Save the session
request.session.save()
# Retrieve the sessionid and add it to the browser's cookies
cookie_dict = {settings.SESSION_COOKIE_NAME: request.session.session_key}
world.browser.cookies.delete()
world.browser.cookies.add(cookie_dict)
def test_vary_with_original_update_cache_middleware(self):
"""
Mainly to demonstrate the need to remove the Vary: Cookie header
during caching. Same basic test as test_vary() but with django's
UpdateCacheMiddleware instead of PatchedVaryUpdateCacheMiddleware.
This does not get a cache hit if the cookies are not the same.
"""
request = self.factory.get('/')
request.method = 'GET'
request.COOKIES = {'test': 'foo'}
request.META['HTTP_COOKIE'] = 'test=foo'
response = HttpResponse()
patch_vary_headers(response, ['Cookie'])
response.set_cookie('test', 'foo')
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
cache_hit = FetchFromCacheMiddleware().process_request(request)
self.assertEqual(cache_hit, None)
response = UpdateCacheMiddleware().process_response(request, response)
cache_hit = FetchFromCacheMiddleware().process_request(request)
self.assertTrue(isinstance(cache_hit, HttpResponse))
new_request = self.factory.get('/')
new_request.method = 'GET'
# note: not using cookies here. this demonstrates that cookies don't
# affect the cache key
cache_hit = FetchFromCacheMiddleware().process_request(new_request)
self.assertEqual(cache_hit, None)
def test_vary(self):
"""
Ensure caching works even when cookies are present and `Vary: Cookie` is on.
"""
request = self.factory.get('/test/vary')
request.COOKIES = {'test': 'foo'}
request.META['HTTP_COOKIE'] = 'test=foo'
response = HttpResponse()
patch_vary_headers(response, ['Cookie'])
response.set_cookie('test', 'foo')
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
cache_hit = FetchFromCacheMiddleware().process_request(request)
self.assertTrue(cache_hit is None)
response = PatchedVaryUpdateCacheMiddleware().process_response(request, response)
cache_hit = FetchFromCacheMiddleware().process_request(request)
self.assertTrue(isinstance(cache_hit, HttpResponse))
new_request = self.factory.get('/test/vary')
# note: not using cookies here. this demonstrates that cookies don't
# affect the cache key
cache_hit = FetchFromCacheMiddleware().process_request(new_request)
self.assertTrue(isinstance(cache_hit, HttpResponse))
def test_without_process_view(self):
with self.login(self.user):
request = self.factory.get(reverse('view'),
**self.extra_header(1, 2))
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
CitixenProfileMiddleware().process_view(request, None)
self.assertEqual(request.profile, None)
def setUp(self):
self.user_password = "******"
self.user = User.objects.create_user("test_user", "*****@*****.**", self.user_password)
self.middleware = AuthenticationMiddleware()
self.assertTrue(self.client.login(username=self.user.username, password=self.user_password))
self.request = HttpRequest()
self.request.session = self.client.session
def test_setting_DRAL_HEADER_user_in_custom_header_is_authenticated(self):
with self.settings(DRAL_HEADER='CUSTOM', DRAL_CHECK_DOMAIN=False):
m = middleware.RemoteUserMiddleware()
headers = {'CUSTOM': 'alice'}
request = RequestFactory().get('/', **headers)
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
m.process_request(request)
self.assertIsNotNone(get_user_model().objects.get(username='******'))
def test_anon_token_from_cookie(self):
rf = django.test.RequestFactory()
rf.cookies['anoncsrf'] = self.token
cache.set(prep_key(self.token), 'woo')
request = rf.get('/')
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
self.mw.process_request(request)
self.assertEqual(request.csrf_token, 'woo')
def get_result(request):
url_match = resolve(request.path)
module = importlib.import_module(url_match.func.__module__)
view = getattr(module, url_match.func.__name__)()
request = copy.deepcopy(request)
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
view.request = request
return view.get_result(request, *url_match.args, **url_match.kwargs)
def setUp(self):
# Pass request object through session middleware so session is
# available to login and logout functions
self.wrapped_request = factory.get('/')
self.request = Request(self.wrapped_request)
SessionMiddleware().process_request(self.wrapped_request)
AuthenticationMiddleware().process_request(self.wrapped_request)
User.objects.create_user('ringo', '*****@*****.**', 'yellow')
self.user = authenticate(username='******', password='******')
def setUp(self):
super(TestCase, self).setUp()
self.mox = mox.Mox()
self._setup_test_data()
self._setup_factory()
self._setup_user()
self._setup_request()
middleware.HorizonMiddleware().process_request(self.request)
AuthenticationMiddleware().process_request(self.request)
os.environ["HORIZON_TEST_RUN"] = "True"
def test_can_stop_users_from_proceeding_if_not_logged_in(self):
"""
Several routes depend on a method to get the session user that will
throw if no request user is logged in.
"""
request = self.request_factory.get("/")
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
with self.assertRaises(AuthenticationRequiredException):
IdentityService.get_required_session_user(request)
def setUp(self):
self.mox = mox.Mox()
self.factory = RequestFactoryWithMessages()
self.user = User.objects.create_user(username='******', password='******')
self.assertTrue(self.client.login(username="******", password="******"))
self.request = http.HttpRequest()
self.request.session = self.client._session()
middleware.HorizonMiddleware().process_request(self.request)
AuthenticationMiddleware().process_request(self.request)
os.environ["HORIZON_TEST_RUN"] = "True"
def __init__(self):
print
print "Starting SOCKETIO Application"
print "=" * 20
print
namespaces = load_namespaces()
if namespaces:
self._my_namespaces = namespaces
self.django_wsgi = WSGIHandler()
super(Application, self).__init__()
self.middleware = [SessionMiddleware(), AuthenticationMiddleware()]
def setUp(self):
super().setUp()
self._setup_test_data()
self._setup_factory()
self._setup_user()
self._setup_request()
# A dummy get_response function (which is not callable) is passed
# because middlewares below are used only to populate request attrs.
middleware.HorizonMiddleware('dummy_get_response') \
._process_request(self.request)
AuthenticationMiddleware('dummy_get_response') \
.process_request(self.request)
os.environ["HORIZON_TEST_RUN"] = "True"
class TestAuthenticationMiddleware(TestCase):
def setUp(self):
self.user = User.objects.create_user('test_user', '*****@*****.**', 'test_password')
self.middleware = AuthenticationMiddleware()
self.client.force_login(self.user)
self.request = HttpRequest()
self.request.session = self.client.session
def test_no_password_change_doesnt_invalidate_session(self):
self.request.session = self.client.session
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
def test_changed_password_invalidates_session(self):
# After password change, user should be anonymous
self.user.set_password('new_password')
self.user.save()
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous())
# session should be flushed
self.assertIsNone(self.request.session.session_key)
class TestAuthenticationMiddleware(TestCase):
def setUp(self):
self.user = User.objects.create_user('test_user', '*****@*****.**', 'test_password')
self.middleware = AuthenticationMiddleware()
self.client.force_login(self.user)
self.request = HttpRequest()
self.request.session = self.client.session
def test_no_password_change_doesnt_invalidate_session(self):
self.request.session = self.client.session
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous)
def test_changed_password_invalidates_session(self):
# After password change, user should be anonymous
self.user.set_password('new_password')
self.user.save()
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous)
# session should be flushed
self.assertIsNone(self.request.session.session_key)
def test_without_values(self, rf):
request = rf.get('/')
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
# Let's test the decorator
@shib_meta_to_user
def sample_view(request):
# Let's check the attribute
assert request.user.shib == {}
return HttpResponse()
response = sample_view(request)
assert response.status_code == 200
def setUp(self):
self.user_email = '*****@*****.**'
self.user_password = '******'
self.user = get_user_model().objects.create_user(
self.user_email,
self.user_password)
self.middleware_auth = AuthenticationMiddleware()
self.middleware_session_auth = SessionAuthenticationMiddleware()
self.assertTrue(self.client.login(
username=self.user_email,
password=self.user_password,
))
self.request = HttpRequest()
self.request.session = self.client.session
def test_with_values(self, db, monkeypatch, rf, shib_meta):
monkeypatch.setattr(ShibbolethRemoteUserMiddleware, 'parse_attributes',
lambda x, y: (shib_meta, None))
request = rf.get('/', REMOTE_USER=shib_meta.get('username'))
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
ShibbolethRemoteUserMiddleware().process_request(request)
# Let's test the decorator
@shib_meta_to_user
def sample_view(request):
# Let's check the attribute
assert request.user.shib == shib_meta
return HttpResponse()
response = sample_view(request)
assert response.status_code == 200
def test_no_vary(self):
"""
Ensure basic caching works.
"""
request = self.factory.get('/test/no-vary')
response = HttpResponse()
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
cache_hit = FetchFromCacheMiddleware().process_request(request)
self.assertEqual(cache_hit, None)
response = PatchedVaryUpdateCacheMiddleware().process_response(request, response)
cache_hit = FetchFromCacheMiddleware().process_request(request)
self.assertTrue(isinstance(cache_hit, HttpResponse))
def forward_request(client, backend, auth_func):
headers_complete = False
body_part = None
authenticated = False
headers = StringIO()
if not headers_complete:
# Accumulate headers, then parse them.
while True:
data = client.recv(1024)
logger.debug(data)
if not data:
break
header_part, header_end, body_part = data.partition('\r\n\r\n')
headers.write(header_part)
if header_end:
headers.write(header_end)
# Build a Django flavor HttpRequest from the raw headers
request = DjangoizedHttpRequest(StringIO(headers.getvalue()),
client)
# Run it through the middleware we need
SessionMiddleware().process_request(request)
AuthenticationMiddleware().process_request(request)
authenticated = auth_func(request)
break
if authenticated:
backend.sendall(headers.getvalue())
if body_part:
backend.sendall(body_part)
while True:
data = client.recv(1024)
if not data:
break
backend.sendall(data)
else:
# Close backend connection.
backend.sendall("")
# Respond to client with forbidden
body = u"403 Forbidden"
response = u"\r\n".join(("HTTP/1.1 403 Forbidden",
"Content-Type: text/plain; charset=utf-8",
"Content-Length: %s" % len(body),
"Connection: close", "\r\n", body))
client.sendall(response)
# Close client connection.
client.sendall("")
class TestSessionAuthenticationMiddleware(TestCase):
def setUp(self):
self.user_email = '*****@*****.**'
self.user_password = '******'
self.user = get_user_model().objects.create_user(
self.user_email, self.user_password)
self.middleware_auth = AuthenticationMiddleware()
self.middleware_session_auth = SessionAuthenticationMiddleware()
self.assertTrue(
self.client.login(
username=self.user_email,
password=self.user_password,
))
self.request = HttpRequest()
self.request.session = self.client.session
def test_changed_password_doesnt_invalidate_session(self):
# Changing a user's password shouldn't invalidate the session if session
# verification isn't activated.
session_key = self.request.session.session_key
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
# After password change, user should remain logged in.
self.user.set_password('new_password')
self.user.save()
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
self.assertEqual(session_key, self.request.session.session_key)
def test_changed_password_invalidates_session_with_middleware(self):
session_key = self.request.session.session_key
with self.modify_settings(
MIDDLEWARE_CLASSES=
{
'append': [
'django.contrib.auth.middleware.SessionAuthenticationMiddleware'
]
}):
# After password change, user should be anonymous
self.user.set_password('new_password')
self.user.save()
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous())
# session should be flushed
self.assertNotEqual(session_key, self.request.session.session_key)
def test_login_invalid(self):
req = self.request_factory.post(
'login_django',
data={
'username': '******',
'password': '******'
},
)
SessionMiddleware().process_request(req)
req.session.save()
AuthenticationMiddleware().process_request(req)
req._dont_enforce_csrf_checks = True
# req.user = AnonymousUser()
# Initalized so the users are loaded
Django_Login_Mock_Saml2_Auth(req)
resp = MockSSOLoginView.as_view()(req)
self.assertEqual(resp.status_code, 200)
def setUp(self):
super(TestCase, self).setUp()
if self.use_mox:
LOG.warning("'use_mox' will be dropped at the beginning of "
"'Stein' release. If you still depend on mox, "
"you must prepare mox environment in your test case.")
self.mox = mox.Mox()
self._setup_test_data()
self._setup_factory()
self._setup_user()
self._setup_request()
# A dummy get_response function (which is not callable) is passed
# because middlewares below are used only to populate request attrs.
middleware.HorizonMiddleware('dummy_get_response') \
.process_request(self.request)
AuthenticationMiddleware('dummy_get_response') \
.process_request(self.request)
os.environ["HORIZON_TEST_RUN"] = "True"
class TestSessionAuthenticationMiddleware(TestCase):
def setUp(self):
self.user_email = '*****@*****.**'
self.user_password = '******'
self.user = get_user_model().objects.create_user(
self.user_email,
self.user_password)
self.middleware_auth = AuthenticationMiddleware()
self.middleware_session_auth = SessionAuthenticationMiddleware()
self.assertTrue(self.client.login(
username=self.user_email,
password=self.user_password,
))
self.request = HttpRequest()
self.request.session = self.client.session
def test_changed_password_doesnt_invalidate_session(self):
# Changing a user's password shouldn't invalidate the session if session
# verification isn't activated.
session_key = self.request.session.session_key
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
# After password change, user should remain logged in.
self.user.set_password('new_password')
self.user.save()
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
self.assertEqual(session_key, self.request.session.session_key)
def test_changed_password_invalidates_session_with_middleware(self):
session_key = self.request.session.session_key
with self.modify_settings(MIDDLEWARE_CLASSES={'append': ['django.contrib.auth.middleware.SessionAuthenticationMiddleware']}):
# After password change, user should be anonymous
self.user.set_password('new_password')
self.user.save()
self.middleware_auth.process_request(self.request)
self.middleware_session_auth.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous())
# session should be flushed
self.assertNotEqual(session_key, self.request.session.session_key)
class TestSessionAuthenticationMiddleware(TestCase):
def setUp(self):
self.user_password = "******"
self.user = User.objects.create_user("test_user", "*****@*****.**", self.user_password)
self.middleware = AuthenticationMiddleware()
self.assertTrue(self.client.login(username=self.user.username, password=self.user_password))
self.request = HttpRequest()
self.request.session = self.client.session
def test_changed_password_doesnt_invalidate_session(self):
"""
Changing a user's password shouldn't invalidate the session if session
verification isn't activated.
"""
session_key = self.request.session.session_key
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
# After password change, user should remain logged in.
self.user.set_password("new_password")
self.user.save()
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous())
self.assertEqual(session_key, self.request.session.session_key)
def test_changed_password_invalidates_session_with_middleware(self):
session_key = self.request.session.session_key
with self.modify_settings(
MIDDLEWARE_CLASSES={"append": ["django.contrib.auth.middleware.SessionAuthenticationMiddleware"]}
):
# After password change, user should be anonymous
self.user.set_password("new_password")
self.user.save()
self.middleware.process_request(self.request)
self.assertIsNotNone(self.request.user)
self.assertTrue(self.request.user.is_anonymous())
# session should be flushed
self.assertNotEqual(session_key, self.request.session.session_key)
class FacebookAuthenticationMiddlewareTests(TestCase):
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.django_auth_middleware = AuthenticationMiddleware()
self.auth_middleware = FacebookAuthenticationMiddleware()
def request(self, url='/fb', locale='en-US'):
request = self.factory.get(url)
self.session_middleware.process_request(request)
self.django_auth_middleware.process_request(request)
request.META['HTTP_ACCEPT_LANGUAGE'] = locale
return request
@patch('facebook.middleware.activate_locale')
def test_no_session(self, activate_locale):
"""
If there is no authenticated session, the user attribute should contain
an anonymous user.
"""
request = self.request()
self.auth_middleware.process_request(request)
eq_(request.user.is_anonymous(), True)
# Check that the locale from the request was activated.
activate_locale.assert_called_once_with(ANY, 'en-US')
@patch('facebook.middleware.activate_locale')
def test_no_matching_user(self, activate_locale):
"""
If an invalid user id is given in the session, the user attribute should
contain an anonymous user.
"""
request = self.request(locale='es')
request.session[SESSION_KEY] = 9999
self.auth_middleware.process_request(request)
eq_(request.user.is_anonymous(), True)
# Check that the locale from the request was activated.
activate_locale.assert_called_once_with(ANY, 'es')
@patch('facebook.middleware.activate_locale')
def test_user_found(self, activate_locale):
"""
If there is an authenticated session with an existing user, the
specified user should be available via the user attribute.
"""
request = self.request()
user = FacebookUserFactory.create(locale='fr')
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
eq_(request.user, user)
# Check that the locale from the user object was activated.
activate_locale.assert_called_once_with(ANY, 'fr')
@patch('facebook.middleware.activate_locale')
def test_user_non_fb_app(self, activate_locale):
"""
If there is an authenticated session with an existing user outside of
the app, the specified user should not be a FacebookUser.
"""
request = self.request(url='/', locale='pt-BR')
user = FacebookUserFactory.create()
request.session[SESSION_KEY] = user.id
self.auth_middleware.process_request(request)
ok_(not request.user == user)
eq_(request.user.is_anonymous(), True)
# Check that the FB locale stuff was never called.
eq_(activate_locale.called, False)
def setUp(self):
self.middleware = SignedCookiesMiddleware()
self.auth_middleware = AuthenticationMiddleware()
self.session_middleware = SessionMiddleware()
def setUp(self):
self.factory = RequestFactory()
self.session_middleware = SessionMiddleware()
self.auth_middleware = AuthenticationMiddleware()
def setUp(self):
self.user = User.objects.create_user('test_user', '*****@*****.**', 'test_password')
self.middleware = AuthenticationMiddleware()
self.client.force_login(self.user)
self.request = HttpRequest()
self.request.session = self.client.session
def __init__(self):
self.auth_middleware = AuthenticationMiddleware()
