def make_successful_response(user):
    """Build an authenticated CAS response for ``user``.

    The access token is a constructed fake value (``fake.md5()``), not a
    credential issued by any real CAS server.
    """
    fake_token = fake.md5()
    return cas.CasResponse(
        authenticated=True,
        user=user._primary_key,
        attributes={'accessToken': fake_token},
    )
def test_has_permission_read_scope_write_action_forbidden(self):
    """A read-only token scope must not unlock a write action.

    The user holds ``write`` permission on the component, so the token
    scope is the only thing standing between the caller and ``upload``;
    ``check_access`` is expected to reject with 403.
    """
    component = ProjectFactory(creator=self.user, is_public=False, parent=self.node)
    read_only_scopes = {'osf.nodes.data_read'}
    cas_resp = cas.CasResponse(
        authenticated=True,
        status=None,
        user=self.user._id,
        attributes={'accessTokenScope': read_only_scopes},
    )
    # Sanity check: the limiting factor below is the scope, not the permission.
    assert_true(component.has_permission(self.user, 'write'))
    with assert_raises(HTTPError) as exc_info:
        views.check_access(component, Auth(user=self.user), 'upload', cas_resp)
    assert_equal(exc_info.exception.code, 403)
def test_has_permission_write_scope_read_action(self):
    """A write-scoped token allows a read action (``download``) on a private component.

    The user is not an admin of the component and lacks ``write``
    permission; only the token scope grants access here.
    """
    component_admin = AuthUserFactory()
    component = ProjectFactory(creator=component_admin, is_public=False, parent=self.node)
    write_scopes = {'osf.nodes.data_write'}
    cas_resp = cas.CasResponse(
        authenticated=True,
        status=None,
        user=self.user._id,
        attributes={'accessTokenScope': write_scopes},
    )
    assert_false(component.has_permission(self.user, 'write'))
    granted = views.check_access(component, Auth(user=self.user), 'download', cas_resp)
    assert_true(granted)
def test_has_permission_private_not_authenticated(self):
    """An unauthenticated CAS response gets 403 on a private component.

    The user has no ``write`` permission of their own, so nothing else
    could grant the ``download`` action.
    """
    component_admin = AuthUserFactory()
    component = ProjectFactory(creator=component_admin, is_public=False, parent=self.node)
    anonymous_resp = cas.CasResponse(authenticated=False)
    assert_false(component.has_permission(self.user, 'write'))
    with assert_raises(HTTPError) as exc_info:
        views.check_access(component, Auth(user=self.user), 'download', anonymous_resp)
    assert_equal(exc_info.exception.code, 403)
def test_auth_bad_bearer_token(self, mock_cas_client):
    """A bearer token whose CAS profile lookup is unauthenticated yields 403."""
    failed_profile = mock.Mock(return_value=cas.CasResponse(authenticated=False))
    mock_cas_client.return_value = mock.Mock(profile=failed_profile)
    res = self.test_app.get(
        self.build_url(),
        headers={'Authorization': 'Bearer invalid_access_token'},
        expect_errors=True,
    )
    assert_equal(res.status_code, 403)
def test_valid_token_authenticates_and_has_permissions(self, mock_user_info):
    """A token resolving to a known user with access to the resource returns 200."""
    mock_user_info.return_value = cas.CasResponse(
        authenticated=True,
        user=self.user1._id,
    )
    res = self.app.get(self.reachable_url, auth='some_valid_token', auth_type='jwt')
    # res.json is attached as the failure message to make a 4xx easy to diagnose.
    assert_equal(res.status_code, 200, msg=res.json)
def test_valid_token_returns_unknown_user_thus_fails(self, mock_user_info):
    """An authenticated CAS response naming a user that does not exist locally is rejected with 403."""
    # NOTE(review): the user id literal appears redacted in this listing; verify against the repository.
    mock_user_info.return_value = cas.CasResponse(
        authenticated=True,
        user='******',
    )
    res = self.app.get(
        self.reachable_url,
        auth='some_valid_token',
        auth_type='jwt',
        expect_errors=True,
    )
    assert_equal(res.status_code, 403, msg=res.json)
def test_invalid_token_fails(self, mock_user_info):
    """An unauthenticated CAS response for the token is rejected with 403."""
    mock_user_info.return_value = cas.CasResponse(authenticated=False, user=None)
    res = self.app.get(
        self.reachable_url,
        auth='invalid_token',
        auth_type='jwt',
        expect_errors=True,
    )
    assert_equal(res.status_code, 403, msg=res.json)
def test_has_permission_private_irrelevant_scope_forbidden(self):
    """A token whose scope does not cover node data grants nothing on a private component.

    ``osf.users.all_read`` is unrelated to node access; with no ``write``
    permission of their own, the user must be rejected with 403.
    """
    component_admin = AuthUserFactory()
    component = ProjectFactory(creator=component_admin, is_public=False, parent=self.node)
    unrelated_scopes = {'osf.users.all_read'}
    cas_resp = cas.CasResponse(
        authenticated=True,
        status=None,
        user=self.user._id,
        attributes={'accessTokenScope': unrelated_scopes},
    )
    assert_false(component.has_permission(self.user, 'write'))
    with assert_raises(HTTPError) as exc_info:
        views.check_access(component, Auth(user=self.user), 'download', cas_resp)
    assert_equal(exc_info.exception.code, 403)
def test_valid_token_authenticates_but_user_lacks_permissions(self, mock_user_info):
    """Authentication alone is not authorization: a known user without access to the resource gets 403."""
    mock_user_info.return_value = cas.CasResponse(
        authenticated=True,
        user=self.user1._id,
    )
    res = self.app.get(
        self.unreachable_url,
        auth='some_valid_token',
        auth_type='jwt',
        expect_errors=True,
    )
    assert_equal(res.status_code, 403, msg=res.json)
def make_external_response():
    """Build an authenticated CAS response for an external identity with fake profile attributes.

    All values come from the ``fake`` generator; the access token is not a
    real credential.
    """
    # NOTE(review): the user template literal appears redacted in this listing; verify against the repository.
    external_id = fake.numerify('####-####-####-####')
    profile = {
        'given-names': fake.first_name(),
        'family-name': fake.last_name(),
        'accessToken': fake.md5(),
    }
    return cas.CasResponse(
        authenticated=True,
        user='******'.format(external_id),
        attributes=profile,
    )
def test_invalid_token_fails(self, mock_user_info):
    """An unauthenticated CAS response is rejected with 401 even if it carries scopes.

    The ``accessTokenScope`` attribute must not be honoured when
    ``authenticated`` is False.
    """
    mock_user_info.return_value = cas.CasResponse(
        authenticated=False,
        user=None,
        attributes={'accessTokenScope': ['osf.full_read']},
    )
    res = self.app.get(
        self.reachable_url,
        auth='invalid_token',
        auth_type='jwt',
        expect_errors=True,
    )
    assert_equal(res.status_code, 401, msg=res.json)
def make_external_response(release=True, unicode=False):
    """Build an authenticated CAS response for an external identity.

    Args:
        release: when True, include name attributes (the provider "released"
            the profile); when False, only the access token is present.
        unicode: when True, use fixed non-ASCII names instead of faked ones.
    """
    # NOTE(review): the user template literal appears redacted in this listing; verify against the repository.
    attributes = {'accessToken': fake.md5()}
    if release:
        if unicode:
            given, family = u'нет', u'Да'
        else:
            given, family = fake.first_name(), fake.last_name()
        attributes['given-names'] = given
        attributes['family-name'] = family
    external_id = fake.numerify('####-####-####-####')
    return cas.CasResponse(
        authenticated=True,
        user='******'.format(external_id),
        attributes=attributes,
    )
def test_can_reset_password_if_form_success(self, mock_service_validate):
    """Walk the full password-reset flow and check each security property along the way.

    Submitting a valid form must: keep the OSF verification token out of the
    request URL, consume the OSF-side key (``verification_key_v2``) and issue
    a CAS-side key in its place, redirect to CAS login with the username and
    the new CAS key, update the password, and finally consume the CAS key
    once the service ticket is validated (single use).
    """
    new_password = 'newpassword'
    # NOTE(review): the first password literal appears redacted in this listing; verify against the repository.
    res = self.app.get(self.get_url)
    form = res.forms['resetPasswordForm']
    form['password'] = '******'
    form['password2'] = new_password
    res = form.submit()
    # The request path carries the user id but must never expose the OSF token.
    request_url_path = res.request.path
    assert_in('resetpassword', request_url_path)
    assert_in(self.user._id, request_url_path)
    assert_not_in(self.user.verification_key_v2['token'], request_url_path)
    # OSF key is destroyed; a CAS key now exists.
    self.user.reload()
    assert_equal(self.user.verification_key_v2, {})
    assert_not_equal(self.user.verification_key, None)
    # Redirect to CAS login with the username and the fresh CAS key.
    assert_equal(res.status_code, 302)
    redirect_target = res.headers.get('Location')
    assert_in('login?service=', redirect_target)
    assert_in('username={}'.format(self.user.username), redirect_target)
    assert_in('verification_key={}'.format(self.user.verification_key), redirect_target)
    # The new password is in effect.
    self.user.reload()
    assert_true(self.user.check_password(new_password))
    # The CAS key is single-use: validating the service ticket destroys it.
    mock_service_validate.return_value = cas.CasResponse(
        authenticated=True,
        user=self.user._primary_key,
        attributes={'accessToken': fake.md5()},
    )
    ticket = fake.md5()
    service_url = 'http://accounts.osf.io/?ticket=' + ticket
    cas.make_response_from_ticket(ticket, service_url)
    assert_equal(self.user.verification_key, None)
def _scoped_response(self, scopes_list, user=None):
    """Build an authenticated CAS response carrying ``scopes_list`` as the token scope.

    ``user`` defaults to ``self.user`` whenever it is not supplied (or is
    falsy).
    """
    subject = self.user if not user else user
    return cas.CasResponse(
        authenticated=True,
        user=subject._id,
        attributes={'accessTokenScope': scopes_list},
    )
def make_failure_response():
    """Build an unauthenticated CAS response with no user attached."""
    failed = cas.CasResponse(authenticated=False, user=None)
    return failed