    def test_logout_clears_session(self):
        """Logging out deactivates the superuser and removes its session marker."""
        req = self.build_request()
        su = Superuser(req, allowed_ips=(), current_datetime=self.current_datetime)

        su.set_logged_out()

        # Both the in-memory state and the persisted session entry must be
        # cleared; a stale session entry could re-elevate a later request.
        assert not su.is_active
        assert not req.session.get(SESSION_KEY)
    def test_login_saves_session(self):
        """Logging in persists the superuser marker; activation also needs request.user."""
        su_user = self.create_user('*****@*****.**', is_superuser=True)
        req = self.make_request()
        su = Superuser(req, allowed_ips=(), current_datetime=self.current_datetime)
        su.set_logged_in(su_user, current_datetime=self.current_datetime)

        # The session marker alone must not grant access while request.user is unset.
        assert not su.is_active

        req.user = su_user
        assert su.is_active

        stored = req.session.get(SESSION_KEY)
        assert stored

        # Absolute and idle expiry are stored as epoch-second strings.
        expected_exp = (self.current_datetime + MAX_AGE).strftime('%s')
        expected_idle = (self.current_datetime + IDLE_MAX_AGE).strftime('%s')
        assert stored['exp'] == expected_exp
        assert stored['idl'] == expected_idle
        assert len(stored['tok']) == 12
        assert stored['uid'] == six.text_type(su_user.id)
    def test_sso(self):
        """Org-scoped superuser access is granted only after SSO for that org completes."""
        su_user = User(is_superuser=True)
        req = self.make_request(user=su_user)

        def activate(org_id):
            # Build a fresh Superuser for the given org scope and log it in.
            su = Superuser(req, org_id=org_id)
            su.set_logged_in(req.user)
            return su.is_active

        # No org scope: SSO is not consulted.
        assert activate(None) is True

        # Org scope without a completed SSO session: denied.
        assert activate(1) is False

        # Once SSO is marked complete for the org, access is granted.
        mark_sso_complete(req, 1)
        assert activate(1) is True
    def test_ips(self):
        """An IP allow-list restricts which client addresses a superuser login is honoured from."""
        su_user = User(is_superuser=True)
        req = self.make_request(user=su_user)
        req.META['REMOTE_ADDR'] = '10.0.0.1'

        def activate(allowed_ips):
            # Build a fresh Superuser with the given allow-list and log it in.
            su = Superuser(req, allowed_ips=allowed_ips)
            su.set_logged_in(req.user)
            return su.is_active

        # Empty allow-list: any client address is accepted.
        assert activate(()) is True

        # Allow-list that excludes the client address: denied.
        assert activate(('127.0.0.1',)) is False

        # Allow-list containing the client address: accepted.
        assert activate(('10.0.0.1',)) is True
    def make_request(self, user=None, auth=None, method=None):
        """Build a bare HttpRequest wired with session, user and superuser state.

        Args:
            user: request user; a falsy value yields AnonymousUser().
            auth: value assigned to request.auth.
            method: HTTP method to set; left untouched when falsy.

        Returns:
            The configured HttpRequest.
        """
        req = HttpRequest()
        if method:
            req.method = method
        req.META.update({
            'REMOTE_ADDR': '127.0.0.1',
            'SERVER_NAME': 'testserver',
            'SERVER_PORT': 80,
        })
        req.REQUEST = {}

        # Assignment order matters: Superuser(req) reads the session, and the
        # is_superuser callable closes over req.superuser.
        req.session = self.session
        req.auth = auth
        req.user = user or AnonymousUser()
        req.superuser = Superuser(req)
        req.is_superuser = lambda: req.superuser.is_active
        req.successful_authenticator = None
        return req
    def process_request(self, request):
        """Attach superuser state to the request and audit-log active superuser traffic.

        Requests under settings.ANONYMOUS_STATIC_PREFIXES are skipped entirely:
        touching the session would add a ``Vary: Cookie`` response header and
        defeat HTTP caching for those paths.
        """
        skip = request.path_info.startswith(settings.ANONYMOUS_STATIC_PREFIXES)
        # NOTE(review): this flag is stored on the middleware instance rather than
        # on the request; presumably a process_response counterpart reads it —
        # confirm that concurrent requests cannot observe each other's value.
        self.__skip_caching = skip
        if skip:
            return

        su = Superuser(request)
        request.superuser = su
        # Evaluated lazily so later reassignment of request.superuser is honoured.
        request.is_superuser = lambda: request.superuser.is_active

        if not su.is_active:
            return

        # Every request served under elevated privilege is recorded for audit.
        logger.info(
            'superuser.request',
            extra={
                'url': request.build_absolute_uri(),
                'method': request.method,
                'ip_address': request.META['REMOTE_ADDR'],
                'user_id': request.user.id,
            },
        )
 def test_idle_expired(self):
     """A session whose idle deadline has already passed does not activate."""
     req = self.build_request(idle_expires=self.current_datetime)
     su = Superuser(req, allowed_ips=())
     assert su.is_active is False
 def test_invalid_uid(self):
     """A session marker whose uid does not match the request user does not activate."""
     req = self.build_request(uid=-1)
     su = Superuser(req, allowed_ips=())
     assert su.is_active is False
 def test_missing_data(self):
     """Without a session marker the superuser state is inactive."""
     req = self.build_request(session_data=False)
     su = Superuser(req, allowed_ips=())
     assert su.is_active is False
 def test_invalid_session_token(self):
     """A session token that does not match the cookie token does not activate."""
     req = self.build_request(session_token="foobar")
     su = Superuser(req, allowed_ips=())
     assert su.is_active is False
 def test_missing_cookie(self):
     """Without the cookie token the session marker alone does not activate."""
     req = self.build_request(cookie_token=None)
     su = Superuser(req, allowed_ips=())
     assert su.is_active is False
 def test_valid_data(self):
     """A fully consistent session and cookie pair activates the superuser."""
     req = self.build_request()
     su = Superuser(req, allowed_ips=())
     assert su.is_active is True
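    def request(
        self,
        method,
        path,
        user=None,
        auth=None,
        params=None,
        data=None,
        is_sudo=None,
        is_superuser=None,
        request=None,
    ):
        """Dispatch ``method`` ``path`` directly to its resolved view and return the response.

        Args:
            method: HTTP verb; looked up case-insensitively on APIRequestFactory.
            path: URL path, given with or without ``self.prefix``.
            user: user to force-authenticate the mock request as.
            auth: auth object to force-authenticate the mock request with.
            params: query-string parameters merged into ``GET``.
            data: request body; round-tripped through JSON so only
                serialisable values reach the view.
            is_sudo: override for ``request.is_sudo()``. ``None`` defers to the
                source ``request`` (or yields ``None`` when there is none).
            is_superuser: when not ``None`` and ``request`` is given, a fresh
                ``Superuser`` is built for the mock request instead of reusing
                ``request.superuser``.
            request: existing request whose auth, user, session, superuser
                and client IP are copied. Mutually exclusive with ``user``/``auth``.

        Returns:
            The view response when its status code is in [200, 400).

        Raises:
            self.ApiError: for any other status code, carrying the code and data.
            AssertionError: when ``request`` is combined with ``user`` or ``auth``.
        """
        # Prefix check rather than substring search: a path that merely
        # *contains* the prefix somewhere else must still be prefixed.
        full_path = path if path.startswith(self.prefix) else self.prefix + path

        # we explicitly do not allow you to override the request *and* the user
        # as then other checks like is_superuser would need overwritten
        assert not (request and (user or auth)), "use either request or auth"

        callback, callback_args, callback_kwargs = resolve(full_path)

        if data:
            # Round-trip through JSON to guarantee wire-compatible values.
            data = json.loads(json.dumps(data))

        rf = APIRequestFactory()
        mock_request = getattr(rf, method.lower())(full_path, data or {})
        # Flag to our API class that we should trust this auth passed through
        mock_request.__from_api_client__ = True

        if request:
            mock_request.auth = getattr(request, "auth", None)
            mock_request.user = request.user

            if is_sudo is None:
                mock_request.is_sudo = lambda: request.is_sudo()
            else:
                mock_request.is_sudo = lambda: is_sudo
            mock_request.session = request.session

            if is_superuser is None:
                mock_request.superuser = request.superuser
            else:
                mock_request.superuser = Superuser(mock_request)

            # Superuser checks require the client IP, so carry it over too.
            mock_request.META["REMOTE_ADDR"] = request.META["REMOTE_ADDR"]
        else:
            mock_request.auth = auth
            mock_request.user = user
            mock_request.is_sudo = lambda: is_sudo
            mock_request.session = {}
            mock_request.superuser = Superuser(mock_request)

        # Lazy so a later reassignment of mock_request.superuser is honoured.
        mock_request.is_superuser = lambda: mock_request.superuser.is_active

        force_authenticate(mock_request, user, auth)

        if params:
            mock_request.GET._mutable = True
            mock_request.GET.update(params)
            mock_request.GET._mutable = False

        if data:
            mock_request.POST._mutable = True
            mock_request.POST.update(data)
            mock_request.POST._mutable = False

        response = callback(mock_request, *callback_args, **callback_kwargs)

        if 200 <= response.status_code < 400:
            return response
        raise self.ApiError(response.status_code, response.data)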
 def test_is_not_active_superuser(self):
     """is_active_superuser reports False when the attached Superuser is inactive."""
     req = self.build_request()
     su = Superuser(req, allowed_ips=())
     # Force the cached state directly rather than going through login.
     su._is_active = False
     req.superuser = su
     assert not is_active_superuser(req)
    def test_ips(self):
        """An IP allow-list restricts which client addresses a superuser login is honoured from."""
        su_user = User(is_superuser=True)
        req = self.make_request(user=su_user)
        req.META["REMOTE_ADDR"] = "10.0.0.1"

        def activate(allowed_ips):
            # Build a fresh Superuser with the given allow-list and log it in.
            su = Superuser(req, allowed_ips=allowed_ips)
            su.set_logged_in(req.user)
            return su.is_active

        # Empty allow-list: any client address is accepted.
        assert activate(()) is True

        # Allow-list that excludes the client address: denied.
        assert activate(("127.0.0.1", )) is False

        # Allow-list containing the client address: accepted.
        assert activate(("10.0.0.1", )) is True
    def test_sso(self):
        """Org-scoped superuser access is granted only after SSO for that org completes."""
        su_user = User(is_superuser=True)
        req = self.make_request(user=su_user)

        def activate(org_id):
            # Build a fresh Superuser for the given org scope and log it in.
            su = Superuser(req, org_id=org_id)
            su.set_logged_in(req.user)
            return su.is_active

        # No org scope: SSO is not consulted.
        assert activate(None) is True

        # Org scope without a completed SSO session: denied.
        assert activate(1) is False

        # Once SSO is marked complete for the org, access is granted.
        mark_sso_complete(req, 1)
        assert activate(1) is True
 def test_invalid_cookie_token(self):
     """A cookie token that does not match the session token does not activate."""
     req = self.build_request(cookie_token='foobar')
     su = Superuser(req, allowed_ips=())
     assert su.is_active is False