def test_authenticated_userid_does_not_proxy_if_no_forwarded_user(
self, pyramid_request, BasicAuthAuthenticationPolicy):
auth_policy = AuthClientPolicy()
auth_policy.authenticated_userid(pyramid_request)
assert BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.call_count == 0
assert BasicAuthAuthenticationPolicy.return_value.callback.call_count == 0
def test_effective_principals_proxies_to_basic_auth(
self, pyramid_request, check, BasicAuthAuthenticationPolicy):
auth_policy = AuthClientPolicy()
auth_policy.effective_principals(pyramid_request)
BasicAuthAuthenticationPolicy.return_value.effective_principals.assert_called_once_with(
pyramid_request)
def test_check_proxies_to_verify_auth_client(self, pyramid_request,
verify_auth_client):
AuthClientPolicy.check("someusername", "somepassword", pyramid_request)
verify_auth_client.assert_called_once_with("someusername",
"somepassword",
pyramid_request.db)
def test_check_proxies_to_verify_auth_client(
self, pyramid_request, verify_auth_client
):
AuthClientPolicy.check("someusername", "somepassword", pyramid_request)
verify_auth_client.assert_called_once_with(
"someusername", "somepassword", pyramid_request.db
)
def test_unauthenticated_userid_doesnt_proxy_to_basic_auth_if_forwarded_user(
self, pyramid_request, BasicAuthAuthenticationPolicy):
pyramid_request.headers['X-Forwarded-User'] = '******'
auth_policy = AuthClientPolicy()
auth_policy.unauthenticated_userid(pyramid_request)
assert BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.call_count == 0
def test_effective_principals_returns_only_Everyone_if_callback_returns_None(
self, pyramid_request, check):
check.return_value = None
policy = AuthClientPolicy(check=check)
principals = policy.effective_principals(pyramid_request)
assert principals == ["system.Everyone"]
def test_check_doesnt_proxy_to_principals_for_auth_client_if_forwarded_user(
self, user_service, pyramid_request, verify_auth_client,
principals_for_auth_client):
pyramid_request.headers['X-Forwarded-User'] = '******'
AuthClientPolicy.check('someusername', 'somepassword', pyramid_request)
assert principals_for_auth_client.call_count == 0
def test_unauthenticated_userid_proxies_to_basic_auth_if_no_forwarded_user(
self, pyramid_request, BasicAuthAuthenticationPolicy):
auth_policy = AuthClientPolicy()
unauth_id = auth_policy.unauthenticated_userid(pyramid_request)
BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.assert_called_once_with(
pyramid_request)
assert unauth_id == BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.return_value
def test_effective_principals_returns_only_Everyone_if_callback_returns_None(
self, pyramid_request, check
):
check.return_value = None
policy = AuthClientPolicy(check=check)
principals = policy.effective_principals(pyramid_request)
assert principals == ["system.Everyone"]
def test_check_fetches_user_if_forwarded_user(
self, pyramid_request, verify_auth_client, user_service
):
pyramid_request.headers["X-Forwarded-User"] = "******"
AuthClientPolicy.check("someusername", "somepassword", pyramid_request)
user_service.fetch.assert_called_once_with("acct:[email protected]")
def test_check_fetches_user_if_forwarded_user(self, pyramid_request,
verify_auth_client,
user_service):
pyramid_request.headers["X-Forwarded-User"] = "******"
AuthClientPolicy.check("someusername", "somepassword", pyramid_request)
user_service.fetch.assert_called_once_with("acct:[email protected]")
def test_effective_principals_returns_list_containing_callback_return_value(
self, pyramid_request, check):
check.return_value = ["foople", "blueberry"]
policy = AuthClientPolicy(check=check)
principals = policy.effective_principals(pyramid_request)
assert "foople" in principals
assert "blueberry" in principals
def test_check_fetches_user_if_forwarded_user(self, pyramid_request,
verify_auth_client,
user_service):
pyramid_request.headers['X-Forwarded-User'] = '******'
AuthClientPolicy.check('someusername', 'somepassword', pyramid_request)
user_service.fetch.assert_called_once_with('acct:[email protected]')
def test_effective_principals_proxies_to_basic_auth(
self, pyramid_request, check, BasicAuthAuthenticationPolicy
):
auth_policy = AuthClientPolicy()
auth_policy.effective_principals(pyramid_request)
BasicAuthAuthenticationPolicy.return_value.effective_principals.assert_called_once_with(
pyramid_request
)
def test_effective_principals_returns_list_containing_callback_return_value(
self, pyramid_request, check
):
check.return_value = ["foople", "blueberry"]
policy = AuthClientPolicy(check=check)
principals = policy.effective_principals(pyramid_request)
assert "foople" in principals
assert "blueberry" in principals
def test_authenticated_userid_returns_None_if_callback_not_OK(
self, check, pyramid_request):
check.return_value = None
policy = AuthClientPolicy(check=check)
pyramid_request.headers["X-Forwarded-User"] = "******"
userid = policy.authenticated_userid(pyramid_request)
assert userid is None
def test_authenticated_userid_proxies_to_basic_auth_policy_if_forwarded_user(
self, pyramid_request, BasicAuthAuthenticationPolicy):
pyramid_request.headers['X-Forwarded-User'] = '******'
auth_policy = AuthClientPolicy()
auth_policy.authenticated_userid(pyramid_request)
BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.assert_called_once_with(
pyramid_request)
BasicAuthAuthenticationPolicy.return_value.callback.assert_called_once_with(
BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.
return_value, pyramid_request)
def test_authenticated_userid_does_not_proxy_if_no_forwarded_user(
self, pyramid_request, BasicAuthAuthenticationPolicy
):
auth_policy = AuthClientPolicy()
auth_policy.authenticated_userid(pyramid_request)
assert (
BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.call_count
== 0
)
assert BasicAuthAuthenticationPolicy.return_value.callback.call_count == 0
def test_authenticated_userid_returns_None_if_callback_not_OK(
self, check, pyramid_request
):
check.return_value = None
policy = AuthClientPolicy(check=check)
pyramid_request.headers["X-Forwarded-User"] = "******"
userid = policy.authenticated_userid(pyramid_request)
assert userid is None
def test_check_doesnt_proxy_to_principals_for_auth_client_if_forwarded_user(
self,
user_service,
pyramid_request,
verify_auth_client,
principals_for_auth_client,
):
pyramid_request.headers["X-Forwarded-User"] = "******"
AuthClientPolicy.check("someusername", "somepassword", pyramid_request)
assert principals_for_auth_client.call_count == 0
def test_unauthenticated_userid_doesnt_proxy_to_basic_auth_if_forwarded_user(
self, pyramid_request, BasicAuthAuthenticationPolicy
):
pyramid_request.headers["X-Forwarded-User"] = "******"
auth_policy = AuthClientPolicy()
auth_policy.unauthenticated_userid(pyramid_request)
assert (
BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.call_count
== 0
)
def test_unauthenticated_userid_proxies_to_basic_auth_if_no_forwarded_user(
self, pyramid_request, BasicAuthAuthenticationPolicy
):
auth_policy = AuthClientPolicy()
unauth_id = auth_policy.unauthenticated_userid(pyramid_request)
BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.assert_called_once_with(
pyramid_request
)
assert (
unauth_id
== BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.return_value
)
def test_authenticated_userid_proxies_to_basic_auth_policy_if_forwarded_user(
self, pyramid_request, BasicAuthAuthenticationPolicy
):
pyramid_request.headers["X-Forwarded-User"] = "******"
auth_policy = AuthClientPolicy()
auth_policy.authenticated_userid(pyramid_request)
BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.assert_called_once_with(
pyramid_request
)
BasicAuthAuthenticationPolicy.return_value.callback.assert_called_once_with(
BasicAuthAuthenticationPolicy.return_value.unauthenticated_userid.return_value,
pyramid_request,
)
def test_check_returns_None_if_verify_auth_client_fails(
self, pyramid_request, verify_auth_client):
verify_auth_client.return_value = None
principals = AuthClientPolicy.check("someusername", "somepassword",
pyramid_request)
assert principals is None
def test_it_instantiates_a_BasicAuthAuthenticationPolicy(
self, BasicAuthAuthenticationPolicy
):
AuthClientPolicy()
BasicAuthAuthenticationPolicy.assert_called_once_with(
check=AuthClientPolicy.check
)
def test_check_returns_None_if_fetch_forwarded_user_fails(
self, pyramid_request, verify_auth_client, user_service):
user_service.fetch.return_value = None
pyramid_request.headers["X-Forwarded-User"] = "******"
principals = AuthClientPolicy.check("someusername", "somepassword",
pyramid_request)
assert principals is None
def test_check_returns_None_if_verify_auth_client_fails(
self, pyramid_request, verify_auth_client
):
verify_auth_client.return_value = None
principals = AuthClientPolicy.check(
"someusername", "somepassword", pyramid_request
)
assert principals is None
def test_check_returns_None_if_user_fetch_raises_valueError(
self, pyramid_request, verify_auth_client, user_service):
pyramid_request.headers['X-Forwarded-User'] = '******'
user_service.fetch.side_effect = ValueError('whoops')
principals = AuthClientPolicy.check('someusername', 'somepassword',
pyramid_request)
assert principals is None
def test_check_returns_None_if_user_fetch_raises_valueError(
self, pyramid_request, verify_auth_client, user_service):
pyramid_request.headers["X-Forwarded-User"] = "******"
user_service.fetch.side_effect = ValueError("whoops")
principals = AuthClientPolicy.check("someusername", "somepassword",
pyramid_request)
assert principals is None
def test_check_proxies_to_principals_for_auth_client_if_no_forwarded_user(
self, pyramid_request, verify_auth_client,
principals_for_auth_client):
principals = AuthClientPolicy.check("someusername", "somepassword",
pyramid_request)
assert principals == principals_for_auth_client.return_value
principals_for_auth_client.assert_called_once_with(
verify_auth_client.return_value)
def test_check_returns_None_if_fetch_forwarded_user_fails(
self, pyramid_request, verify_auth_client, user_service
):
user_service.fetch.return_value = None
pyramid_request.headers["X-Forwarded-User"] = "******"
principals = AuthClientPolicy.check(
"someusername", "somepassword", pyramid_request
)
assert principals is None
def test_check_returns_None_if_userid_is_invalid(self, pyramid_request,
verify_auth_client,
user_service):
pyramid_request.headers["X-Forwarded-User"] = "******"
user_service.fetch.side_effect = InvalidUserId("badly_formatted")
principals = AuthClientPolicy.check(mock.sentinel.username,
mock.sentinel.password,
pyramid_request)
assert principals is None
def test_check_returns_None_if_user_fetch_raises_valueError(
self, pyramid_request, verify_auth_client, user_service
):
pyramid_request.headers["X-Forwarded-User"] = "******"
user_service.fetch.side_effect = ValueError("whoops")
principals = AuthClientPolicy.check(
"someusername", "somepassword", pyramid_request
)
assert principals is None
def test_check_proxies_to_principals_for_auth_client_if_no_forwarded_user(
self, pyramid_request, verify_auth_client, principals_for_auth_client
):
principals = AuthClientPolicy.check(
"someusername", "somepassword", pyramid_request
)
assert principals == principals_for_auth_client.return_value
principals_for_auth_client.assert_called_once_with(
verify_auth_client.return_value
)
def test_check_returns_None_if_forwarded_user_authority_mismatch(
self, pyramid_request, verify_auth_client, user_service,
factories):
mismatched_user = factories.User(authority="two.com")
verify_auth_client.return_value = factories.ConfidentialAuthClient(
authority="one.com")
user_service.fetch.return_value = mismatched_user
pyramid_request.headers["X-Forwarded-User"] = mismatched_user.userid
principals = AuthClientPolicy.check("someusername", "somepassword",
pyramid_request)
assert principals is None
def test_it_proxies_to_principals_for_user_if_fetch_forwarded_user_ok(
self, pyramid_request, verify_auth_client, user_service, factories,
principals_for_auth_client_user):
matched_user = factories.User(authority="one.com")
verify_auth_client.return_value = factories.ConfidentialAuthClient(
authority="one.com")
user_service.fetch.return_value = matched_user
pyramid_request.headers['X-Forwarded-User'] = matched_user.userid
principals = AuthClientPolicy.check('someusername', 'somepassword',
pyramid_request)
principals_for_auth_client_user.assert_called_once_with(
matched_user, verify_auth_client.return_value)
assert principals == principals_for_auth_client_user.return_value
def test_check_returns_None_if_forwarded_user_authority_mismatch(
self, pyramid_request, verify_auth_client, user_service, factories
):
mismatched_user = factories.User(authority="two.com")
verify_auth_client.return_value = factories.ConfidentialAuthClient(
authority="one.com"
)
user_service.fetch.return_value = mismatched_user
pyramid_request.headers["X-Forwarded-User"] = mismatched_user.userid
principals = AuthClientPolicy.check(
"someusername", "somepassword", pyramid_request
)
assert principals is None
def test_it_proxies_to_principals_for_user_if_fetch_forwarded_user_ok(
self,
pyramid_request,
verify_auth_client,
user_service,
factories,
principals_for_auth_client_user,
):
matched_user = factories.User(authority="one.com")
verify_auth_client.return_value = factories.ConfidentialAuthClient(
authority="one.com"
)
user_service.fetch.return_value = matched_user
pyramid_request.headers["X-Forwarded-User"] = matched_user.userid
principals = AuthClientPolicy.check(
"someusername", "somepassword", pyramid_request
)
principals_for_auth_client_user.assert_called_once_with(
matched_user, verify_auth_client.return_value
)
assert principals == principals_for_auth_client_user.return_value
from h.auth.util import default_authority, groupfinder
from h.security import derive_key
__all__ = (
'DEFAULT_POLICY',
'WEBSOCKET_POLICY',
)
log = logging.getLogger(__name__)
PROXY_POLICY = RemoteUserAuthenticationPolicy(
environ_key='HTTP_X_FORWARDED_USER', callback=groupfinder)
TICKET_POLICY = pyramid_authsanity.AuthServicePolicy()
TOKEN_POLICY = TokenAuthenticationPolicy(callback=groupfinder)
AUTH_CLIENT_POLICY = AuthClientPolicy()
API_POLICY = APIAuthenticationPolicy(user_policy=TOKEN_POLICY,
client_policy=AUTH_CLIENT_POLICY)
DEFAULT_POLICY = AuthenticationPolicy(api_policy=API_POLICY,
fallback_policy=TICKET_POLICY)
WEBSOCKET_POLICY = TOKEN_POLICY
def includeme(config):
global DEFAULT_POLICY
global WEBSOCKET_POLICY
# Set up authsanity
settings = config.registry.settings
def auth_policy(self, check):
auth_policy = AuthClientPolicy(check=check)
return auth_policy
