def test_pre_social_login_matched_login(self):
"""
https://bugzil.la/1063830, happy path
A user tries to sign in with GitHub, but their GitHub email matches
an existing Persona-backed MDN account. They follow the prompt to login
with Persona, and the accounts are connected.
"""
# Set up a GitHub SocialLogin in the session
github_account = SocialAccount.objects.get(user__username='******')
github_login = SocialLogin(account=github_account,
user=github_account.user)
request = self.rf.get('/')
session = self.client.session
session['sociallogin_provider'] = 'github'
session['socialaccount_sociallogin'] = github_login.serialize()
session.save()
request.session = session
# Set up an matching Persona SocialLogin for request
persona_account = SocialAccount.objects.create(
user=github_account.user,
provider='persona',
uid=github_account.user.email)
persona_login = SocialLogin(account=persona_account)
# Verify the social_login receiver over-writes the provider
# stored in the session
self.adapter.pre_social_login(request, persona_login)
session = request.session
eq_(session['sociallogin_provider'], 'persona')
def test_pre_social_login_error_for_unmatched_login(self):
""" https://bugzil.la/1063830 """
# Set up a GitHub SocialLogin in the session
github_account = SocialAccount.objects.get(user__username='******')
github_login = SocialLogin(account=github_account)
request = self.rf.get('/')
session = self.client.session
session['socialaccount_sociallogin'] = github_login.serialize()
session.save()
request.session = session
messages = self.get_messages(request)
# Set up an un-matching Persona SocialLogin for request
persona_account = SocialAccount(user=User(),
provider='persona',
uid='*****@*****.**')
persona_login = SocialLogin(account=persona_account)
self.assertRaises(ImmediateHttpResponse, self.adapter.pre_social_login,
request, persona_login)
queued_messages = list(messages)
eq_(len(queued_messages), 1)
eq_(django_messages.ERROR, queued_messages[0].level)
def test_pre_social_login_same_provider(self):
"""
pre_social_login passes if existing provider is the same.
I'm not sure what the real-world counterpart of this is. Logging
in with a different GitHub account? Needed for branch coverage.
"""
# Set up a GitHub SocialLogin in the session
github_account = SocialAccount.objects.get(user__username='******')
github_login = SocialLogin(account=github_account,
user=github_account.user)
request = self.rf.get('/')
session = self.client.session
session['sociallogin_provider'] = 'github'
session['socialaccount_sociallogin'] = github_login.serialize()
session.save()
request.session = session
# Set up an un-matching GitHub SocialLogin for request
github2_account = SocialAccount(user=self.user_model(),
provider='github',
uid=github_account.uid + '2')
github2_login = SocialLogin(account=github2_account)
self.adapter.pre_social_login(request, github2_login)
eq_(request.session['sociallogin_provider'], 'github')
def test_pre_social_login_error_for_unmatched_login(self):
"""
When we suspect the signup form is used as a connection form, abort.
https://bugzil.la/1063830
"""
# Set up a GitHub SocialLogin in the session
github_account = SocialAccount.objects.get(user__username='******')
github_login = SocialLogin(account=github_account,
user=github_account.user)
request = self.rf.get('/')
session = self.client.session
session['socialaccount_sociallogin'] = github_login.serialize()
session.save()
request.session = session
messages = self.get_messages(request)
# Set up an un-matching alternate SocialLogin for request
other_account = SocialAccount(user=self.user_model(),
provider='other',
uid='*****@*****.**')
other_login = SocialLogin(account=other_account)
self.assertRaises(ImmediateHttpResponse, self.adapter.pre_social_login,
request, other_login)
queued_messages = list(messages)
eq_(len(queued_messages), 1)
eq_(django_messages.ERROR, queued_messages[0].level)
def test_pre_social_login_error_for_unmatched_login(self):
""" https://bugzil.la/1063830 """
# Set up a GitHub SocialLogin in the session
github_account = SocialAccount.objects.get(user__username='******')
github_login = SocialLogin(account=github_account)
request = RequestFactory().get('/')
session = self.client.session
session['socialaccount_sociallogin'] = github_login.serialize()
session.save()
request.session = session
# django 1.4 RequestFactory requests can't be used to test views that
# call messages.add (https://code.djangoproject.com/ticket/17971)
# FIXME: HACK from http://stackoverflow.com/q/11938164/571420
messages = FallbackStorage(request)
request._messages = messages
# Set up an un-matching Persona SocialLogin for request
persona_account = SocialAccount(user=User(),
provider='persona',
uid='*****@*****.**')
persona_login = SocialLogin(account=persona_account)
assert_raises(ImmediateHttpResponse, self.adapter.pre_social_login,
request, persona_login)
for m in messages:
eq_(django_messages.ERROR, m.level)
def complete_login(self, request, app, token, **kwargs):
resp = requests.get(self.profile_url,
params={ 'access_token': token.token,
'alt': 'json' })
extra_data = resp.json()
# extra_data is something of the form:
#
# {u'family_name': u'Penners', u'name': u'Raymond Penners',
# u'picture': u'https://lh5.googleusercontent.com/-GOFYGBVOdBQ/AAAAAAAAAAI/AAAAAAAAAGM/WzRfPkv4xbo/photo.jpg',
# u'locale': u'nl', u'gender': u'male',
# u'email': u'*****@*****.**',
# u'link': u'https://plus.google.com/108204268033311374519',
# u'given_name': u'Raymond', u'id': u'108204268033311374519',
# u'verified_email': True}
#
# TODO: We could use verified_email to bypass allauth email verification
uid = str(extra_data['id'])
user = get_adapter() \
.populate_new_user(email=extra_data.get('email'),
last_name=extra_data.get('family_name'),
first_name=extra_data.get('given_name'))
email_addresses = []
email = user_email(user)
if email and extra_data.get('verified_email'):
email_addresses.append(EmailAddress(email=email,
verified=True,
primary=True))
account = SocialAccount(extra_data=extra_data,
uid=uid,
provider=self.provider_id,
user=user)
return SocialLogin(account,
email_addresses=email_addresses)
def test_staff_social_adaptor_staff(self):
"""
Test a regular staff login
"""
request = RequestFactory()
request.site = self.site
adaptor = StaffUserSocialAdapter(request=request)
user = get_user_model().objects.create_user(
username='******',
email='*****@*****.**',
password='******',
is_staff=True,
)
sociallogin = SocialLogin(user=user)
group = Group.objects.filter().first()
perm = Permission.objects.filter().first()
user.groups.add(group)
user.user_permissions.add(perm)
self.assertFalse(adaptor.is_open_for_signup(request, sociallogin))
adaptor.add_perms(user)
self.assertTrue(user.groups.all().exists())
self.assertTrue(user.user_permissions.all().exists())
user.delete()
def test_staff_social_adaptor_new_user(self):
"""
Test a new user getting an invite to admin site
"""
request = RequestFactory()
request.site = self.site
adaptor = StaffUserSocialAdapter(request=request)
user = get_user_model()(username='******',
email='*****@*****.**',
password='******')
sociallogin = SocialLogin(user=user)
group = Group.objects.filter().first()
perm = Permission.objects.filter().first()
self.assertFalse(user.pk)
self.assertFalse(adaptor.is_open_for_signup(request, sociallogin))
invite = Invite.objects.create(email=user.email,
user=self.user,
site=self.site)
invite.groups.add(group)
invite.permissions.add(perm)
adaptor.add_perms(user)
invite.refresh_from_db()
self.assertTrue(invite.is_accepted)
self.assertTrue(user.groups.all().exists())
self.assertTrue(user.user_permissions.all().exists())
user.delete()
invite.delete()
def complete_login(self, request, app, token):
resp = requests.get(self.profile_url, {
'access_token': token.token,
'alt': 'json'
})
extra_data = resp.json
# extra_data is something of the form:
#
# {u'family_name': u'Penners', u'name': u'Raymond Penners',
# u'picture': u'https://lh5.googleusercontent.com/-GOFYGBVOdBQ/AAAAAAAAAAI/AAAAAAAAAGM/WzRfPkv4xbo/photo.jpg',
# u'locale': u'nl', u'gender': u'male',
# u'email': u'*****@*****.**',
# u'link': u'https://plus.google.com/108204268033311374519',
# u'given_name': u'Raymond', u'id': u'108204268033311374519',
# u'verified_email': True}
#
# TODO: We could use verified_email to bypass allauth email verification
uid = str(extra_data['id'])
user = User(email=extra_data.get('email', ''),
last_name=extra_data.get('family_name', ''),
first_name=extra_data.get('given_name', ''))
account = SocialAccount(extra_data=extra_data,
uid=uid,
provider=self.provider_id,
user=user)
return SocialLogin(account)
def complete_login(self, request, app, token, **kwargs):
userob = kwargs["user"]
extra = kwargs["extra"]
extra_info = []
for item in extra:
item_serial = item.__dict__['display_name']
extra_info.append(item_serial)
#extra = serializers.serialize("json", extra)
logging.debug(extra_info)
#extra = json.dumps(extra)
# auth = ('bearer', token.token)
# resp = requests.get(self.profile_url,
# params={ 'oauth_token': token.token })
#extra_data = resp.json()
# uid = str(extra_data['id'])
user = get_adapter() \
.populate_new_user(name=userob.name,
username=userob.name,
email=userob.name)
account = SocialAccount(user=user,
uid=userob.id,
extra_data=extra_info,
provider=self.provider_id)
return SocialLogin(account)
def sociallogin_from_response(self, request, response, **kwargs):
"""Custom sociallogin from user for person and company models."""
from allauth.socialaccount.models import SocialLogin, SocialAccount
adapter = SocialAccountAdapter()
uid = self.extract_uid(response)
extra_data = self.extract_extra_data(response)
common_fields = self.extract_common_fields(response)
socialaccount = SocialAccount(extra_data=extra_data,
uid=uid,
provider=self.id)
email_addresses = self.extract_email_addresses(response)
self.cleanup_email_addresses(common_fields.get('email'),
email_addresses)
sociallogin = SocialLogin(account=socialaccount,
email_addresses=email_addresses)
# user = sociallogin.user = adapter.new_user(request, sociallogin)
from .serializers import RegisterSerializer
data = RegisterSerializer().validate_account_type(account_type=extra_data['account_type'])
if 'C' in data.keys():
user = sociallogin.user = Company()
user.user_type = User.COMPANY
else:
user = sociallogin.user = Person()
user.set_unusable_password()
adapter.populate_user(request, sociallogin, common_fields)
return sociallogin, response
def sociallogin_from_response(self, request, response):
"""
Instantiates and populates a `SocialLogin` model based on the data
retrieved in `response`. The method does NOT save the model to the
DB.
Data for `SocialLogin` will be extracted from `response` with the
help of the `.extract_uid()`, `.extract_extra_data()`,
`.extract_common_fields()`, and `.extract_email_addresses()`
methods.
:param request: a Django `HttpRequest` object.
:param response: object retrieved via the callback response of the
social auth provider.
:return: A populated instance of the `SocialLogin` model (unsaved).
"""
# NOTE: Avoid loading models at top due to registry boot...
from allauth.socialaccount.models import SocialLogin, SocialAccount
adapter = get_adapter(request)
uid = self.extract_uid(response)
extra_data = self.extract_extra_data(response)
common_fields = self.extract_common_fields(response)
socialaccount = SocialAccount(extra_data=extra_data,
uid=uid,
provider=self.id)
email_addresses = self.extract_email_addresses(response)
self.cleanup_email_addresses(common_fields.get('email'),
email_addresses)
sociallogin = SocialLogin(account=socialaccount,
email_addresses=email_addresses)
user = sociallogin.user = adapter.new_user(request, sociallogin)
user.set_unusable_password()
adapter.populate_user(request, sociallogin, common_fields)
return sociallogin
def test_pre_social_login_overwrites_session_var(self):
"""
When a user logs in a second time, second login wins the session.
https://bugzil.la/1055870
"""
# Set up a pre-existing "Alternate" sign-in session
request = self.rf.get('/')
session = self.client.session
session['sociallogin_provider'] = 'alternate'
session.save()
request.session = session
# Set up a in-process GitHub SocialLogin (unsaved)
account = SocialAccount.objects.get(user__username='******')
assert account.provider == 'github'
sociallogin = SocialLogin(account=account)
# Verify the social_login receiver over-writes the provider
# stored in the session
self.adapter.pre_social_login(request, sociallogin)
eq_(
account.provider, request.session['sociallogin_provider'],
"receiver should have over-written sociallogin_provider "
"session variable")
def sociallogin_from_response(self, request, response):
"""
COPIED FROM
https://github.com/pennersr/django-allauth/blob/5b1cbf485fa363ccb87513545e3b98f3c3bd81fa/allauth/socialaccount/providers/base.py#L52
TO PASS SocialApp TO EXTRACT METHODS PER
https://github.com/pennersr/django-allauth/issues/1297
"""
# NOTE: Avoid loading models at top due to registry boot...
from allauth.socialaccount.models import SocialLogin, SocialAccount
adapter = get_adapter()
app = self.get_app(request)
uid = self.extract_uid(response, app)
extra_data = self.extract_extra_data(response, app)
common_fields = self.extract_common_fields(response, app)
socialaccount = SocialAccount(extra_data=extra_data,
uid=uid,
provider=self.id)
email_addresses = self.extract_email_addresses(response, app)
self.cleanup_email_addresses(common_fields.get('email'),
email_addresses)
sociallogin = SocialLogin(account=socialaccount,
email_addresses=email_addresses)
user = sociallogin.user = adapter.new_user(request, sociallogin)
user.set_unusable_password()
adapter.populate_user(request, sociallogin, common_fields)
return sociallogin
def test_pre_social_login_banned_user(self):
"""A banned user is not allowed to login."""
# Set up a GitHub SocialLogin in the session
github_account = SocialAccount.objects.get(user__username='******')
github_login = SocialLogin(account=github_account,
user=github_account.user)
request = self.rf.get('/')
session = self.client.session
session['sociallogin_provider'] = 'github'
session['socialaccount_sociallogin'] = github_login.serialize()
session.save()
request.session = session
request.user = AnonymousUser()
request.LANGUAGE_CODE = 'en-US'
# Ban the user
banned_by = User.objects.get(username='******')
UserBan.objects.create(user=github_account.user,
by=banned_by,
reason='Banned by unit test.')
with pytest.raises(ImmediateHttpResponse) as e_info:
self.adapter.pre_social_login(request, github_login)
resp = e_info.value.response
assert 'Banned by unit test.' in resp.content
assert not resp.has_header('Vary')
never_cache = 'no-cache, no-store, must-revalidate, max-age=0'
assert resp['Cache-Control'] == never_cache
def test_auto_activiate_if_qualified_after_signup(self, mock_vouched):
"""Users qualified after sign-up should be auto-activated on sign-in"""
mock_vouched.return_value = False
sociallogin = SocialLogin(user=self.user)
self.user.is_active = True
user_signed_up.send(sender=self.user.__class__,
request=None,
user=self.user)
self.assertEqual(False, self.user.is_active)
pre_social_login.send(sender=SocialLogin,
request=None,
sociallogin=sociallogin)
self.assertEqual(False, self.user.is_active)
profile = UserProfile.objects.get_profile(self.user)
self.assertEqual(True, profile.invite_pending)
mock_vouched.return_value = True
pre_social_login.send(sender=SocialLogin,
request=None,
sociallogin=sociallogin)
self.assertEqual(True, self.user.is_active)
profile = UserProfile.objects.get_profile(self.user)
self.assertEqual(False, profile.invite_pending)
def test_pre_social_login_matched_login(self):
"""
When we detected a legacy Persona account, advise recovery of account.
A user tries to sign in with GitHub, but their GitHub email matches
an existing MDN account backed by Persona. They are prompted to
recover the existing account.
https://bugzil.la/1063830, happy path
"""
# Set up a session-only GitHub SocialLogin
# These are created at the start of the signup process, and saved on
# profile completion.
github_account = SocialAccount.objects.get(user__username='******')
github_login = SocialLogin(account=github_account,
user=github_account.user)
# Setup existing Persona SocialLogin for the same email
SocialAccount.objects.create(user=github_account.user,
provider='persona',
uid=github_account.user.email)
request = self.rf.get('/')
session = self.client.session
session['sociallogin_provider'] = 'github'
session['socialaccount_sociallogin'] = github_login.serialize()
session.save()
request.session = session
# Verify the social_login receiver over-writes the provider
# stored in the session
self.adapter.pre_social_login(request, github_login)
session = request.session
eq_(session['sociallogin_provider'], 'github')
def test_pre_social_login_banned_user(self):
"""A banned user is not allowed to login."""
# Set up a GitHub SocialLogin in the session
github_account = SocialAccount.objects.get(user__username="******")
github_login = SocialLogin(account=github_account,
user=github_account.user)
request = self.rf.get("/")
session = self.client.session
session["sociallogin_provider"] = "github"
session["socialaccount_sociallogin"] = github_login.serialize()
session.save()
request.session = session
request.user = AnonymousUser()
request.LANGUAGE_CODE = "en-US"
# Ban the user
banned_by = User.objects.get(username="******")
UserBan.objects.create(user=github_account.user,
by=banned_by,
reason="Banned by unit test.")
with pytest.raises(ImmediateHttpResponse) as e_info:
self.adapter.pre_social_login(request, github_login)
resp = e_info.value.response
assert b"Banned by unit test." in resp.content
assert not resp.has_header("Vary")
never_cache = ["no-cache", "no-store", "must-revalidate", "max-age=0"]
assert set(resp["Cache-Control"].split(", ")) == set(never_cache)
def persona_login(request):
assertion = request.POST.get('assertion', '')
audience = request.build_absolute_uri('/')
resp = requests.post('https://verifier.login.persona.org/verify', {
'assertion': assertion,
'audience': audience
})
if resp.json['status'] != 'okay':
return render_authentication_error(request)
email = resp.json['email']
user = User(email=email)
extra_data = resp.json
account = SocialAccount(uid=email,
provider=PersonaProvider.id,
extra_data=extra_data,
user=user)
# TBD: Persona e-mail addresses are verified, so we could check if
# a matching local user account already exists with an identical
# verified e-mail address and short-circuit the social login. Then
# again, this holds for all social providers that guarantee
# verified e-mail addresses, so if at all, short-circuiting should
# probably not be handled here...
login = SocialLogin(account)
login.state = SocialLogin.state_from_request(request)
return complete_social_login(request, login)
def _create_social_user(self, emails, provider, uid, token=None):
factory = RequestFactory()
request = factory.get("/me/login/callback/")
request.user = AnonymousUser()
SessionMiddleware().process_request(request)
MessageMiddleware().process_request(request)
user = User(
username=emails[0].email.split("@")[0],
first_name=emails[0].email.split("@")[0],
last_name=emails[0].email.split("@")[1],
email=emails[0].email,
)
account = SocialAccount(provider=provider, uid=uid)
if token is not None:
token = SocialToken(
token=token,
account=account,
app=SocialApp.objects.get(provider=provider),
)
sociallogin = SocialLogin(account=account,
user=user,
email_addresses=emails,
token=token)
complete_social_login(request, sociallogin)
def test_pre_social_login_matched_google_login(self):
"""
When we detected a legacy Persona account, advise recovery of account.
A user tries to sign in with Google, but their Google email matches
an existing MDN account backed by Persona. They are prompted to
recover the existing account.
Same as above, but with Google instead of GitHub
"""
# Set up a session-only Google SocialLogin
# These are created at the start of the signup process, and saved on
# profile completion.
google_account = SocialAccount.objects.get(user__username="******")
google_login = SocialLogin(account=google_account,
user=google_account.user)
# Setup existing Persona SocialLogin for the same email
SocialAccount.objects.create(user=google_account.user,
provider="persona",
uid=google_account.user.email)
request = self.rf.get("/")
session = self.client.session
session["sociallogin_provider"] = "google"
session["socialaccount_sociallogin"] = google_login.serialize()
session.save()
request.session = session
# Verify the social_login receiver over-writes the provider
# stored in the session
self.adapter.pre_social_login(request, google_login)
session = request.session
assert "google" == session["sociallogin_provider"]
def _get_sociallogin(user, provider):
"""
Returns an ready sociallogin object for the given auth provider.
"""
socialaccount = SocialAccount(user=user, uid='1234', provider=provider)
socialaccount.extra_data = {'email': user.email}
sociallogin = SocialLogin()
sociallogin.account = socialaccount
return sociallogin
def sociallogin(client, user_model):
account = SocialAccount(provider="google")
sociallogin = SocialLogin(
account=account,
user=user_model(),
)
session = client.session
session["socialaccount_sociallogin"] = sociallogin.serialize()
session.save()
return sociallogin
def twitter_complete_login(extra_data):
uid = extra_data['id']
user = get_adapter() \
.populate_new_user(username=extra_data.get('screen_name'),
name=extra_data.get('name'))
account = SocialAccount(user=user,
uid=uid,
provider=TwitterProvider.id,
extra_data=extra_data)
return SocialLogin(account)
def test_is_auto_signup_allowed_override_for_helsinki_adfs(
settings, provider_id, expected):
settings.SOCIALACCOUNT_AUTO_SIGNUP = False
request = RequestFactory().get('/accounts/signup/')
account = SocialAccount(provider=provider_id)
sociallogin = SocialLogin(account=account)
assert get_adapter(request).is_auto_signup_allowed(request,
sociallogin) == expected
def complete_login(self, request, app, token):
client = TwitterAPI(request, app.key, app.secret,
self.request_token_url)
extra_data = client.get_user_info()
uid = extra_data['id']
user = User(username=extra_data['screen_name'], first_name=extra_data['name'])
account = SocialAccount(user=user,
uid=uid,
provider=TwitterProvider.id,
extra_data=extra_data)
return SocialLogin(account)
def complete_login(self, request, app, token, **kwargs):
resp = requests.get(self.profile_url,
params={'access_token': token.token})
extra_data = resp.json()['data']
uid = str(extra_data['login'])
user = get_adapter().populate_new_user(
username=extra_data['login'], name=extra_data.get('full_name'))
account = SocialAccount(user=user,
uid=uid,
extra_data=extra_data,
provider=self.provider_id)
return SocialLogin(account)
def complete_login(self, request, app, token):
client = LinkedInAPI(request, app.key, app.secret,
self.request_token_url)
extra_data = client.get_user_info()
uid = extra_data['id']
user = User(first_name=extra_data.get('first-name', ''),
last_name=extra_data.get('last-name', ''))
account = SocialAccount(user=user,
provider=self.provider_id,
extra_data=extra_data,
uid=uid)
return SocialLogin(account)
def test_social_account_adapter_signup(self):
"""Test that our Allauth social account adapter correctly handles signups."""
adapter = SocialAccountAdapter()
discord_login = SocialLogin(account=self.discord_account)
discord_login_role = SocialLogin(account=self.discord_account_one_role)
discord_login_not_present = SocialLogin(
account=self.discord_account_not_present)
discord_login_two_roles = SocialLogin(
account=self.discord_account_two_roles)
github_login = SocialLogin(account=self.github_account)
messages_request = self.request_factory.get("/")
messages_request._messages = BaseStorage(messages_request)
with patch("pydis_site.utils.account.reverse") as mock_reverse:
with patch("pydis_site.utils.account.redirect") as mock_redirect:
with self.assertRaises(ImmediateHttpResponse):
adapter.is_open_for_signup(messages_request, github_login)
with self.assertRaises(ImmediateHttpResponse):
adapter.is_open_for_signup(messages_request, discord_login)
with self.assertRaises(ImmediateHttpResponse):
adapter.is_open_for_signup(messages_request,
discord_login_role)
with self.assertRaises(ImmediateHttpResponse):
adapter.is_open_for_signup(messages_request,
discord_login_not_present)
self.assertTrue(
adapter.is_open_for_signup(messages_request,
discord_login_two_roles))
self.assertEqual(
len(messages_request._messages._queued_messages), 4)
self.assertEqual(mock_redirect.call_count, 4)
self.assertEqual(mock_reverse.call_count, 4)
def complete_login(self, request, app, token):
client = VimeoAPI(request, app.client_id, app.secret,
self.request_token_url)
extra_data = client.get_user_info()
uid = extra_data['id']
user = get_adapter() \
.populate_new_user(name=extra_data.get('display_name'),
username=extra_data.get('username'))
account = SocialAccount(user=user,
provider=self.provider_id,
extra_data=extra_data,
uid=uid)
return SocialLogin(account)
