def test_invalid_services(self): """ When invalid services are configured, ``service_allowed()`` should raise ``ImproperlyConfigured``. """ with self.assertRaises(ImproperlyConfigured): service_allowed('http://www.example.com')
def test_service_allowed(self): """ When valid services are configured, ``service_allowed()`` should return ``True`` if the provided URL matches, and ``False`` otherwise. """ self.assertTrue(service_allowed('http://www.example.com')) self.assertFalse(service_allowed('http://www.example.org'))
def test_custom_backend(self): """ Test that a custom service backend can be used """ # CustomTestServiceBackend allows any service with 'test.com' in # addition to defined services self.assertFalse(service_allowed('http://www.foo.com')) self.assertTrue(service_allowed('http://www.example.com')) self.assertTrue(service_allowed('http://www.test.com'))
def test_custom_backend_security(self): """ Test that a custom service backend can be used and it's service_allowed function is respected, also when the `MAMA_CAS_SERVICES` setting isn't present in the django settings.py """ del settings.MAMA_CAS_SERVICES # CustomTestServiceBackendNoSettings allows only services containing 'test.com' self.assertFalse(service_allowed('http://www.foo.com')) self.assertFalse(service_allowed('http://www.example.com')) self.assertTrue(service_allowed('http://www.test.com'))
def test_empty_valid_services_tuple(self): """ When no valid services are configured, ``service_allowed()`` should return ``True``. """ del settings.MAMA_CAS_SERVICES self.assertTrue(service_allowed('http://www.example.com'))
def validate_ticket(self, ticket, service, renew=False, require_https=False): """ Given a ticket string and service identifier, validate the corresponding ``Ticket``. If validation succeeds, return the ``Ticket``. If validation fails, raise an appropriate error. If ``renew`` is ``True``, ``ServiceTicket`` validation will only succeed if the ticket was issued from the presentation of the user's primary credentials. If ``require_https`` is ``True``, ``ServiceTicket`` validation will only succeed if the service URL scheme is HTTPS. """ if not ticket: raise InvalidRequest("No ticket string provided") if not self.model.TICKET_RE.match(ticket): raise InvalidTicket("Ticket string %s is invalid" % ticket) try: t = self.get(ticket=ticket) except self.model.DoesNotExist: raise InvalidTicket("Ticket %s does not exist" % ticket) if t.is_consumed(): raise InvalidTicket("%s %s has already been used" % (t.name, ticket)) if t.is_expired(): raise InvalidTicket("%s %s has expired" % (t.name, ticket)) if not service: raise InvalidRequest("No service identifier provided") if require_https and not is_scheme_https(service): raise InvalidService("Service %s is not HTTPS" % service) if not service_allowed(service): raise InvalidService("Service %s is not a valid %s URL" % (service, t.name)) try: if not match_service(t.service, service): raise InvalidService("%s %s for service %s is invalid for " "service %s" % (t.name, ticket, t.service, service)) except AttributeError: pass try: if renew and not t.is_primary(): raise InvalidTicket("%s %s was not issued via primary " "credentials" % (t.name, ticket)) except AttributeError: pass logger.debug("Validated %s %s" % (t.name, ticket)) return t
def test_invalid_custom_backend(self): """ Test that a custom service backend without properly defined attributes raises ``NotImplementedError`` """ with self.assertRaises(NotImplementedError): service_allowed('http://www.example.com') with self.assertRaises(NotImplementedError): get_callbacks('http://www.example.com') with self.assertRaises(NotImplementedError): get_logout_url('http://www.example.com') with self.assertRaises(NotImplementedError): logout_allowed('http://www.example.com') with self.assertRaises(NotImplementedError): proxy_allowed('http://www.example.com')
def get(self, request, *args, **kwargs): service = request.GET.get('service') ticket = request.GET.get('ticket') if not service_allowed(service): return redirect('cas_login') msg = _("Do you want to access %(service)s as %(user)s?") % { 'service': clean_service_url(service), 'user': request.user} messages.info(request, msg) kwargs['service'] = add_query_params(service, {'ticket': ticket}) return super(WarnView, self).get(request, *args, **kwargs)
def handle(self, **options): service = options['service'] pgturl = options['pgturl'] if service_allowed(service): self.stdout.write('Valid Service: %s' % service) self.stdout.write('Proxy Allowed: %s' % proxy_allowed(service)) if pgturl: self.stdout.write('Proxy Callback Allowed: %s' % proxy_callback_allowed(service, pgturl)) self.stdout.write('Logout Allowed: %s' % logout_allowed(service)) self.stdout.write('Logout URL: %s' % get_logout_url(service)) self.stdout.write('Callbacks: %s' % get_callbacks(service)) else: self.stdout.write(self.style.ERROR('Invalid Service: %s' % service))
def redirect(to, *args, **kwargs): """ Similar to the Django ``redirect`` shortcut but with altered functionality. If an optional ``params`` argument is provided, the dictionary items will be injected as query parameters on the redirection URL. """ params = kwargs.pop('params', {}) try: to = urlresolvers.reverse(to, args=args, kwargs=kwargs) except urlresolvers.NoReverseMatch: if '/' not in to and '.' not in to: to = urlresolvers.reverse('cas_login') elif not service_allowed(to): raise PermissionDenied() if params: to = add_query_params(to, params) logger.debug("Redirecting to %s" % to) return HttpResponseRedirect(to)
def handle(self, **options): self.service = options['service'] self.pgturl = options['pgturl'] self.verbosity = options['verbosity'] if service_allowed(self.service): try: self.stdout.write(self.style.SUCCESS("Valid service: %s" % self.service)) except AttributeError: # Django 1.8 does not have the "Success" style self.stdout.write(self.style.SQL_FIELD("Valid service: %s" % self.service)) if self.verbosity >= 1: self.format_output('Proxy allowed', proxy_allowed(self.service)) if self.pgturl: self.format_output('Proxy callback allowed', proxy_callback_allowed(self.service, self.pgturl)) self.format_output('Logout allowed', logout_allowed(self.service)) self.format_output('Logout URL', get_logout_url(self.service)) self.format_output('Callbacks', ', '.join(get_callbacks(self.service))) if self.verbosity >= 2: self.format_output('Backend', get_backend_path(self.service)) else: self.stdout.write(self.style.ERROR("Invalid service: %s" % self.service))
def test_empty_services(self): """ When no valid services are configured, ``service_allowed()`` should return ``True``. """ self.assertTrue(service_allowed('http://www.example.com'))