def test_apikey_and_authentication_enforce_user(self):
session_auth = SessionAuthentication()
api_key_auth = ApiKeyAuthentication()
auth = MultiAuthentication(api_key_auth, session_auth)
john_doe = User.objects.get(username="******")
request1 = HttpRequest()
request2 = HttpRequest()
request3 = HttpRequest()
request1.method = "POST"
request1.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"}
request1.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"}
request1.user = john_doe
request2.POST["username"] = "******"
request2.POST["api_key"] = "invalid key"
request3.method = "POST"
request3.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"}
request3.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"}
request3.user = john_doe
request3.POST["username"] = "******"
request3.POST["api_key"] = "invalid key"
# session auth should pass if since john_doe is logged in
self.assertEqual(session_auth.is_authenticated(request1), True)
# api key auth should fail because of invalid api key
self.assertEqual(isinstance(api_key_auth.is_authenticated(request2), HttpUnauthorized), True)
# multi auth shouldn't change users if api key auth fails
# multi auth passes since session auth is valid
self.assertEqual(request3.user.username, "johndoe")
self.assertEqual(auth.is_authenticated(request3), True)
self.assertEqual(request3.user.username, "johndoe")
def test_is_authenticated(self):
auth = SessionAuthentication()
request = HttpRequest()
request.method = 'POST'
request.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
# No CSRF token.
request.META = {}
self.assertFalse(auth.is_authenticated(request))
# Invalid CSRF token.
request.META = {
'HTTP_X_CSRFTOKEN': 'abc123'
}
self.assertFalse(auth.is_authenticated(request))
# Not logged in.
request.META = {
'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
}
request.user = AnonymousUser()
self.assertFalse(auth.is_authenticated(request))
# Logged in.
request.user = User.objects.get(username='******')
self.assertTrue(auth.is_authenticated(request))
# Logged in (with GET & no token).
request.method = 'GET'
request.META = {}
request.user = User.objects.get(username='******')
self.assertTrue(auth.is_authenticated(request))
# Secure & wrong referrer.
class SecureRequest(HttpRequest):
def _get_scheme(self):
return 'https'
request = SecureRequest()
request.method = 'POST'
request.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
request.META = {
'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
}
request.META['HTTP_HOST'] = 'example.com'
request.META['HTTP_REFERER'] = ''
request.user = User.objects.get(username='******')
self.assertFalse(auth.is_authenticated(request))
# Secure & correct referrer.
request.META['HTTP_REFERER'] = 'https://example.com/'
self.assertTrue(auth.is_authenticated(request))
def test_is_authenticated(self):
auth = SessionAuthentication()
request = HttpRequest()
request.method = 'POST'
request.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
# No CSRF token.
request.META = {}
self.assertFalse(auth.is_authenticated(request))
# Invalid CSRF token.
request.META = {
'HTTP_X_CSRFTOKEN': 'abc123'
}
self.assertFalse(auth.is_authenticated(request))
# Not logged in.
request.META = {
'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
}
request.user = AnonymousUser()
self.assertFalse(auth.is_authenticated(request))
# Logged in.
request.user = User.objects.get(username='******')
self.assertTrue(auth.is_authenticated(request))
# Logged in (with GET & no token).
request.method = 'GET'
request.META = {}
request.user = User.objects.get(username='******')
self.assertTrue(auth.is_authenticated(request))
# Secure & wrong referrer.
class SecureRequest(HttpRequest):
def _get_scheme(self):
return 'https'
request = SecureRequest()
request.method = 'POST'
request.META = {
'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
}
request.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
request.META['HTTP_HOST'] = 'example.com'
request.META['HTTP_REFERER'] = ''
request.user = User.objects.get(username='******')
self.assertFalse(auth.is_authenticated(request))
# Secure & correct referrer.
request.META['HTTP_REFERER'] = 'https://example.com/'
self.assertTrue(auth.is_authenticated(request))
def test_apikey_and_authentication_enforce_user(self):
session_auth = SessionAuthentication()
api_key_auth = ApiKeyAuthentication()
auth = MultiAuthentication(api_key_auth, session_auth)
john_doe = User.objects.get(username='******')
request1 = HttpRequest()
request2 = HttpRequest()
request3 = HttpRequest()
request1.method = 'POST'
request1.META = {
'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
}
request1.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
request1.user = john_doe
request2.POST['username'] = '******'
request2.POST['api_key'] = 'invalid key'
request3.method = 'POST'
request3.META = {
'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
}
request3.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
request3.user = john_doe
request3.POST['username'] = '******'
request3.POST['api_key'] = 'invalid key'
# session auth should pass if since john_doe is logged in
self.assertTrue(session_auth.is_authenticated(request1))
# api key auth should fail because of invalid api key
self.assertEqual(
isinstance(api_key_auth.is_authenticated(request2),
HttpUnauthorized), True)
# multi auth shouldn't change users if api key auth fails
# multi auth passes since session auth is valid
self.assertEqual(request3.user.username, 'johndoe')
self.assertTrue(auth.is_authenticated(request3))
self.assertEqual(request3.user.username, 'johndoe')
def test_is_authenticated(self):
auth = SessionAuthentication()
request = HttpRequest()
request.method = "POST"
request.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"}
# No CSRF token.
request.META = {}
self.assertFalse(auth.is_authenticated(request))
# Invalid CSRF token.
request.META = {"HTTP_X_CSRFTOKEN": "abc123"}
self.assertFalse(auth.is_authenticated(request))
# Not logged in.
request.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"}
request.user = AnonymousUser()
self.assertFalse(auth.is_authenticated(request))
# Logged in.
request.user = User.objects.get(username="******")
self.assertEqual(auth.is_authenticated(request), True)
# Logged in (with GET & no token).
request.method = "GET"
request.META = {}
request.user = User.objects.get(username="******")
self.assertEqual(auth.is_authenticated(request), True)
# Secure & wrong referrer.
class SecureRequest(HttpRequest):
def _get_scheme(self):
return "https"
request = SecureRequest()
request.method = "POST"
request.COOKIES = {settings.CSRF_COOKIE_NAME: "abcdef1234567890abcdef1234567890"}
request.META = {"HTTP_X_CSRFTOKEN": "abcdef1234567890abcdef1234567890"}
request.META["HTTP_HOST"] = "example.com"
request.META["HTTP_REFERER"] = ""
request.user = User.objects.get(username="******")
self.assertFalse(auth.is_authenticated(request))
# Secure & correct referrer.
request.META["HTTP_REFERER"] = "https://example.com/"
self.assertEqual(auth.is_authenticated(request), True)
def is_authenticated(self, request, **kwargs): # noqa # too complex
'''
handles backends explicitly so that it can return False when
credentials are given but wrong and return Anonymous User when
credentials are not given or the session has expired (web use).
'''
auth_info = request.META.get('HTTP_AUTHORIZATION')
if 'HTTP_AUTHORIZATION' not in request.META:
if hasattr(request.user, 'allowed_tokens'):
tokens = request.user.allowed_tokens
session_auth = SessionAuthentication()
check = session_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
session_auth_result = False
else:
request._authentication_backend = session_auth
session_auth_result = check
else:
request.user = AnonymousUser()
session_auth_result = True
request.user.allowed_tokens = tokens
return session_auth_result
else:
if auth_info.startswith('Basic'):
basic_auth = BasicAuthentication()
check = basic_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return False
else:
request._authentication_backend = basic_auth
return check
if auth_info.startswith('ApiKey'):
apikey_auth = ApiKeyAuthentication()
check = apikey_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return False
else:
request._authentication_backend = apikey_auth
return check
def is_authenticated(self, request, **kwargs): # noqa # too complex
'''
handles backends explicitly so that it can return False when
credentials are given but wrong and return Anonymous User when
credentials are not given or the session has expired (web use).
'''
auth_info = request.META.get('HTTP_AUTHORIZATION')
if 'HTTP_AUTHORIZATION' not in request.META:
if hasattr(request.user, 'allowed_tokens'):
tokens = request.user.allowed_tokens
session_auth = SessionAuthentication()
check = session_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
session_auth_result = False
else:
request._authentication_backend = session_auth
session_auth_result = check
else:
request.user = AnonymousUser()
session_auth_result = True
request.user.allowed_tokens = tokens
return session_auth_result
else:
if auth_info.startswith('Basic'):
basic_auth = BasicAuthentication()
check = basic_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return False
else:
request._authentication_backend = basic_auth
return check
if auth_info.startswith('ApiKey'):
apikey_auth = ApiKeyAuthentication()
check = apikey_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return False
else:
request._authentication_backend = apikey_auth
return check
def test_apikey_and_authentication_enforce_user(self):
session_auth = SessionAuthentication()
api_key_auth = ApiKeyAuthentication()
auth = MultiAuthentication(api_key_auth, session_auth)
john_doe = User.objects.get(username='******')
request1 = HttpRequest()
request2 = HttpRequest()
request3 = HttpRequest()
request1.method = 'POST'
request1.META = {
'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
}
request1.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
request1.user = john_doe
request2.POST['username'] = '******'
request2.POST['api_key'] = 'invalid key'
request3.method = 'POST'
request3.META = {
'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
}
request3.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
request3.user = john_doe
request3.POST['username'] = '******'
request3.POST['api_key'] = 'invalid key'
#session auth should pass if since john_doe is logged in
self.assertTrue(session_auth.is_authenticated(request1))
#api key auth should fail because of invalid api key
self.assertEqual(isinstance(api_key_auth.is_authenticated(request2), HttpUnauthorized), True)
#multi auth shouldn't change users if api key auth fails
#multi auth passes since session auth is valid
self.assertEqual(request3.user.username, 'johndoe')
self.assertTrue(auth.is_authenticated(request3))
self.assertEqual(request3.user.username, 'johndoe')
def is_authenticated(self, request, **kwargs):
'''
handles backends explicitly so that it can return False when
credentials are given but wrong and return Anonymous User when
credentials are not given or the session has expired (web use).
'''
auth_info = request.META.get('HTTP_AUTHORIZATION')
if 'HTTP_AUTHORIZATION' not in request.META:
session_auth = SessionAuthentication()
check = session_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return(False)
else:
request._authentication_backend = session_auth
return(check)
else:
request.user = AnonymousUser()
return(True)
else:
if auth_info.startswith('Basic'):
basic_auth = BasicAuthentication()
check = basic_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return(False)
else:
request._authentication_backend = basic_auth
return(check)
if auth_info.startswith('ApiKey'):
apikey_auth = ApiKeyAuthentication()
check = apikey_auth.is_authenticated(request, **kwargs)
if check:
if isinstance(check, HttpUnauthorized):
return(False)
else:
request._authentication_backend = apikey_auth
return(check)
def test_is_authenticated(self):
auth = SessionAuthentication()
request = HttpRequest()
request.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
# No CSRF token.
request.META = {}
self.assertFalse(auth.is_authenticated(request))
# Invalid CSRF token.
request.META = {
'HTTP_X_CSRFTOKEN': 'abc123'
}
self.assertFalse(auth.is_authenticated(request))
# Not logged in.
request.META = {
'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
}
request.user = AnonymousUser()
self.assertFalse(auth.is_authenticated(request))
# Logged in.
request.user = User.objects.get(username='******')
self.assertTrue(auth.is_authenticated(request))
# Secure & wrong referrer.
os.environ["HTTPS"] = "on"
request.META['HTTP_HOST'] = 'example.com'
request.META['HTTP_REFERER'] = ''
self.assertFalse(auth.is_authenticated(request))
# Secure & correct referrer.
request.META['HTTP_REFERER'] = 'https://example.com/'
self.assertTrue(auth.is_authenticated(request))
os.environ["HTTPS"] = "off"
