def test_create_new_user(self, get):
    # A first-time OIDC login must create the User row and expose it, together
    # with the groups from the mocked response, on flask.g.
    # `get` is presumably a mock injected by a patch decorator that is not
    # visible in this listing.
    userinfo_reply = get.return_value
    userinfo_reply.status_code = 200
    userinfo_reply.json.return_value = {
        'groups': ['tester', 'admin'],
        'name': 'new_user',
    }

    # The identity is supplied through the WSGI environ (environ_base), not
    # through client-controlled request headers.
    wsgi_env = {
        'REMOTE_USER': '******',
        'OIDC_access_token': '39283',
        'OIDC_CLAIM_iss': 'https://iddev.fedorainfracloud.org/openidc/',
        'OIDC_CLAIM_scope': 'openid https://id.fedoraproject.org/scope/groups',
    }

    with app.test_request_context(environ_base=wsgi_env):
        load_openidc_user(flask.request)

        matches = db.session.query(User).filter(User.username == 'new_user')
        created = matches[0]
        self.assertEqual(created, flask.g.user)
        self.assertEqual('new_user', flask.g.user.username)
        # Group order is not significant, so compare sorted.
        self.assertEqual(['admin', 'tester'], sorted(flask.g.groups))
def test_return_existing_user(self, get):
    # An OIDC login for a user already in the database must reuse that row
    # rather than insert a second one.
    # `get` is presumably a mock injected by a patch decorator that is not
    # visible in this listing.
    userinfo_reply = get.return_value
    userinfo_reply.status_code = 200
    userinfo_reply.json.return_value = {
        'groups': ['testers', 'admins'],
        'name': self.user.username,
    }

    wsgi_env = {
        'REMOTE_USER': self.user.username,
        'OIDC_access_token': '39283',
        'OIDC_CLAIM_iss': 'https://iddev.fedorainfracloud.org/openidc/',
        'OIDC_CLAIM_scope': 'openid https://id.fedoraproject.org/scope/groups',
    }

    with app.test_request_context(environ_base=wsgi_env):
        count_before = db.session.query(User.id).count()
        load_openidc_user(flask.request)
        count_after = db.session.query(User.id).count()

        # No new account may appear as a side effect of authenticating.
        self.assertEqual(count_before, count_after)

        # The pre-existing user is the one published on flask.g.
        self.assertEqual(self.user.id, flask.g.user.id)
        self.assertEqual(['admins', 'testers'], sorted(flask.g.groups))
def test_401_if_scope_not_present(self):
    # A request whose environ carries no OIDC_CLAIM_scope must be refused
    # with Unauthorized instead of being treated as unrestricted.
    wsgi_env = {
        'REMOTE_USER': '******',
        'OIDC_access_token': '39283',
        'OIDC_CLAIM_iss': 'https://iddev.fedorainfracloud.org/openidc/',
        # OIDC_CLAIM_scope is deliberately left out.
    }

    with app.test_request_context(environ_base=wsgi_env):
        with self.assertRaises(Unauthorized):
            load_openidc_user(flask.request)
def test_401_if_remote_user_not_present(self):
    # Token claims alone are not enough: without REMOTE_USER in the environ
    # the OIDC loader must raise Unauthorized.
    wsgi_env = {
        # REMOTE_USER is deliberately left out.
        'OIDC_access_token': '39283',
        'OIDC_CLAIM_iss': 'https://iddev.fedorainfracloud.org/openidc/',
        'OIDC_CLAIM_scope': 'openid https://id.fedoraproject.org/scope/groups',
    }

    with app.test_request_context(environ_base=wsgi_env):
        with self.assertRaises(Unauthorized):
            load_openidc_user(flask.request)
def test_load_krb_or_ssl_user_from_request_remote_user(
        self, load_krb_user, load_ssl_user):
    # With REMOTE_USER present in the environ, the combined loader must
    # return what the Kerberos loader returns.
    # Both loader arguments are presumably mocks injected by patch
    # decorators that are not visible in this listing.
    load_ssl_user.return_value = "ssl_user"
    load_krb_user.return_value = "krb_user"

    with app.test_request_context(environ_base={'REMOTE_USER': '******'}):
        loaded = load_krb_or_ssl_user_from_request(flask.request)
        self.assertEqual(loaded, "krb_user")
def test_401_if_cn_not_set(self):
    # A certificate reported as verified but without a subject DN must not
    # authenticate anyone.
    wsgi_env = {'SSL_CLIENT_VERIFY': 'SUCCESS'}

    with app.test_request_context(environ_base=wsgi_env):
        with self.assertRaises(Unauthorized) as raised:
            load_ssl_user_from_request(flask.request)

        # The rejection has to say why, so operators can tell it apart from
        # a failed verification.
        self.assertIn(
            'Unable to get user information (DN) from client certificate',
            raised.exception.description)
def test_401_if_ssl_client_verify_not_success(self):
    # An SSL_CLIENT_VERIFY value that is not 'SUCCESS' (here 'GENEROUS') must
    # be rejected even though a subject DN for a known user is present.
    wsgi_env = {
        'SSL_CLIENT_VERIFY': 'GENEROUS',
        'SSL_CLIENT_S_DN': self.user.username,
    }

    with app.test_request_context(environ_base=wsgi_env):
        with self.assertRaises(Unauthorized) as raised:
            load_ssl_user_from_request(flask.request)

        # The offending verify status is echoed in the error description.
        self.assertIn('Cannot verify client: GENEROUS',
                      raised.exception.description)
def test_load_krb_or_ssl_user_from_request_ssl_client(
        self, load_krb_user, load_ssl_user):
    # Without REMOTE_USER but with client-certificate variables in the
    # environ, the combined loader must return what the SSL loader returns.
    # Both loader arguments are presumably mocks injected by patch
    # decorators that are not visible in this listing.
    load_ssl_user.return_value = "ssl_user"
    load_krb_user.return_value = "krb_user"

    wsgi_env = {
        'SSL_CLIENT_VERIFY': 'SUCCESS',
        'SSL_CLIENT_S_DN': 'ssl_user',
    }

    with app.test_request_context(environ_base=wsgi_env):
        loaded = load_krb_or_ssl_user_from_request(flask.request)
        self.assertEqual(loaded, "ssl_user")
def test_return_existing_user(self):
    # A verified client certificate whose subject DN equals an existing
    # username must resolve to that existing user.
    wsgi_env = {
        'SSL_CLIENT_VERIFY': 'SUCCESS',
        'SSL_CLIENT_S_DN': self.user.username,
    }

    with app.test_request_context(environ_base=wsgi_env):
        load_ssl_user_from_request(flask.request)

        current = flask.g.user
        self.assertEqual(self.user.id, current.id)
        self.assertEqual(self.user.username, current.username)

        # Certificate logins must end up with an empty group list.
        self.assertEqual(0, len(flask.g.groups))
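def test_401_if_required_scope_not_present_in_token_scope(self):
    # A token whose scope claim lacks a configured required scope must be
    # rejected, and the error description must name the missing scope.
    environ_base = {
        'REMOTE_USER': '******',
        'OIDC_access_token': '39283',
        'OIDC_CLAIM_iss': 'https://iddev.fedorainfracloud.org/openidc/',
        'OIDC_CLAIM_scope': 'openid https://id.fedoraproject.org/scope/groups',
    }

    # Require a scope ('new-compose') that the token above does not carry.
    with patch.object(freshmaker.auth.conf,
                      'auth_openidc_required_scopes',
                      ['new-compose']):
        with app.test_request_context(environ_base=environ_base):
            with self.assertRaises(Unauthorized) as ctx:
                load_openidc_user(flask.request)

            # assertIn (rather than assertTrue on an `in` expression) prints
            # both strings when the check fails, which makes a wrong or
            # changed rejection message easy to diagnose.
            self.assertIn('Required OIDC scope new-compose not present.',
                          ctx.exception.description)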
def test_return_existing_user(self, query_ldap_groups):
    # A Kerberos login for a known user must not add a row, and the groups
    # on flask.g must be the ones returned by the group lookup.
    # `query_ldap_groups` is presumably a mock injected by a patch decorator
    # that is not visible in this listing.
    query_ldap_groups.return_value = self.sample_groups
    count_before = db.session.query(User.id).count()

    # NOTE(review): the REMOTE_USER literal is masked in this listing; as
    # shown it has no replacement field for .format() to fill. Confirm the
    # real value against the repository.
    wsgi_env = {'REMOTE_USER': '******'.format(self.user.username)}

    with app.test_request_context(environ_base=wsgi_env):
        load_krb_user_from_request(flask.request)

        count_after = db.session.query(User.id).count()
        self.assertEqual(count_before, count_after)

        self.assertEqual(self.user.id, flask.g.user.id)
        self.assertEqual(self.user.username, flask.g.user.username)
        self.assertEqual(self.sample_groups, flask.g.groups)
def test_create_new_user(self):
    # A verified client certificate with an unknown subject DN must create a
    # user whose username is the full DN string.
    subject_dn = 'CN=client,L=prod,DC=example,DC=com'
    wsgi_env = {
        'SSL_CLIENT_VERIFY': 'SUCCESS',
        'SSL_CLIENT_S_DN': subject_dn,
    }

    with app.test_request_context(environ_base=wsgi_env):
        load_ssl_user_from_request(flask.request)

        matches = db.session.query(User).filter(User.username == subject_dn)
        expected_user = matches[0]

        self.assertEqual(expected_user.id, flask.g.user.id)
        self.assertEqual(expected_user.username, flask.g.user.username)

        # Certificate logins must end up with an empty group list.
        self.assertEqual(0, len(flask.g.groups))
def test_create_new_user(self, query_ldap_groups):
    # A first-time Kerberos login must create the user and attach the groups
    # returned by the group lookup.
    # `query_ldap_groups` is presumably a mock injected by a patch decorator
    # that is not visible in this listing.
    query_ldap_groups.return_value = self.sample_groups

    # NOTE(review): the REMOTE_USER value is masked in this listing, while
    # the assertions below look the user up as 'newuser'. Confirm the real
    # value against the repository.
    wsgi_env = {'REMOTE_USER': '******'}

    with app.test_request_context(environ_base=wsgi_env):
        load_krb_user_from_request(flask.request)

        matches = db.session.query(User).filter(User.username == 'newuser')
        expected_user = matches[0]

        self.assertEqual(expected_user.id, flask.g.user.id)
        self.assertEqual(expected_user.username, flask.g.user.username)

        # The groups on flask.g are exactly the two sample groups.
        self.assertEqual(2, len(flask.g.groups))
        self.assertEqual(self.sample_groups, flask.g.groups)
def test_401_if_remote_user_not_present(self):
    # With no REMOTE_USER in the environ, the Kerberos loader must raise
    # Unauthorized and state the reason.
    with app.test_request_context():
        with self.assertRaises(Unauthorized) as raised:
            load_krb_user_from_request(flask.request)

        self.assertIn('REMOTE_USER is not present in request.',
                      raised.exception.description)