def punch(request):
if request.method == "POST":
try:
nump = int(request.POST['num_punches'])
except ValueError:
return HttpResponse(json.dumps({'error': 'float'}),
content_type="application/json")
settings = SESSION.get_settings(request.session)
if nump > settings.get("punches_employee"):
return HttpResponse(json.dumps({
'error': 'over',
'limit': nump
}),
content_type="application/json")
store = SESSION.get_store(request.session)
data = {
"store_location_id":\
SESSION.get_active_store_location_id(request.session),
"store_id":store.objectId,
"store_name":str(store.get('store_name')),
"punch_code":str(request.POST['punch_code']),
"num_punches":nump,
}
# Check if the user is an employee
employee = request.session.get("employee")
if employee:
data['employee_id'] = employee.objectId
res = cloud_call("punch", data)
if 'error' not in res:
res['patron_name'] = res['result']
# always make sure to get the latest session since the session
# will be saved on return!!!
request.session.clear()
request.session.update(SessionStore(request.session.session_key))
return HttpResponse(json.dumps(res),
content_type="application/json")
else:
if res['error'] == "PATRON_NOT_FOUND":
request.session.clear()
request.session.update(
SessionStore(request.session.session_key))
return HttpResponse(json.dumps({"error":\
"PATRON_NOT_FOUND"}),
content_type="application/json")
# always make sure to get the latest session since the session
# will be saved on return!!!
request.session.clear()
request.session.update(SessionStore(request.session.session_key))
return HttpResponse(json.dumps({'error': 'error'}),
content_type="application/json")
def get_decoded_data(self):
try:
session_data = SessionStore().decode(self.session_data)
except:
session_data = {}
finally:
return session_data
def test_user_with_multiple_teams_is_redirected_home_on_successful_signin(
self):
user = UserAuth.objects.create_user(username='******',
password='******')
teams = [
Profile.objects.create(slug='team1'),
Profile.objects.create(slug='team2')
]
for team in teams:
team.members.add(user.profile)
assert_equal(user.profile.teams.all().count(), 2)
url = reverse('app-signin')
user_data = {
'username': '******',
'password': '******',
}
request = self.factory.post(url, data=user_data)
request.user = AnonymousUser()
request.session = SessionStore('session')
response = signin_view(request)
assert_equal(response.status_code, 302)
assert_equal(response.url, reverse('app-user-profile'))
def make_request(self, method, url, data={}, ajax=False, user=None):
"""
Create a mock request object that supports messaging and session
handling.
"""
factory = RequestFactory()
f = getattr(factory, method)
request = f(url, data)
request.session = SessionStore()
request.META['HTTP_HOST'] = '127.0.0.1'
request._messages = FallbackStorage(request)
# ajax
if ajax:
request.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
# user
if user:
request.user = user
request.user_profile = self.get_user_profile(request.user)
# changelog
request.changelog = ChangeLogManager(request)
return request
def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
db_alias = schema_editor.connection.alias
from django.contrib.sessions.backends.cache import KEY_PREFIX, SessionStore
from django.core.cache import cache
AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
User = apps.get_model("authentik_core", "user")
session_keys = cache.keys(KEY_PREFIX + "*")
for key in session_keys:
key = key.replace(KEY_PREFIX, "")
store = SessionStore(key)
data = store.load()
if data == {} or "_auth_user_id" not in data:
continue
if (
AuthenticatedSession.objects.using(db_alias)
.filter(session_key=key)
.exists()
):
continue
users = User.objects.using(db_alias).filter(pk=data.get("_auth_user_id"))
if not users.exists():
continue
AuthenticatedSession.objects.using(db_alias).create(
session_key=key,
user=users.first(),
expires=data.get("_session_expiry", now()),
)
def pytest_request(rf, method, url, user=None, data=None, token=None):
"""
: Test 를 위한 request 생성하는 함수
- rf 설명: https://pytest-django.readthedocs.io/en/latest/helpers.html#rf-requestfactory
"""
content_type = 'application/json'
caller = getattr(rf, method)
request = caller(path=url, data=data, content_type=content_type)
if not hasattr(request, 'session'):
setattr(request, 'session', SessionStore())
# todo: Oauth2.0 test 로직 구현 해야함
force_authenticate(request=request, user=user, token=token)
request.user = user
# 실제 호출하는 url 에 대한 view 정보를 가져옴
_url = url.split('?') # 쿼리 파라미터를 url 에서 빼줘야함
resolver_match = resolve(_url[0])
test_func, test_args, test_kwargs = resolver_match
request.resolver_match = resolver_match
response = test_func(request, *test_args, **test_kwargs)
return response
def terminate(request):
"""
Flags the looping thread in the pull view to exit.
This simply deletes the CometSession bound to this instance.
"""
if request.method == "GET":
t = parser.parse(request.GET["timestamp"])
timestamp = str(t.hour).zfill(2) + ":" +\
str(t.minute).zfill(2) + ":" + str(t.second).zfill(2)
uid = request.GET['uid']
try:
scomet = CometSession.objects.get(session_key=\
request.session.session_key,
timestamp=timestamp, uid=uid)
scomet.delete()
except CometSession.DoesNotExist:
pass # do nothing
# make sure that the latest session data is saved!
request.session.clear()
request.session.update(SessionStore(\
request.session.session_key))
return HttpResponse("ok")
return HttpResponse("")
def decrypt(self, eid):
"""
Return the SessionStore to which the encrypted identifier is
pointing. Raises ValueError if the identifier is invalid.
"""
try:
session_id = cipher.decrypt(ub64decode(eid),
self.ciphertext_length)
except (TypeError, ValueError):
pass
else:
session_id = session_id[self.random_prefix_bytes:]
session_id = ub64encode(session_id)
session = SessionStore(session_key=session_id)
if session.get('encrypted_id') == eid:
# circular import
from .models import RevokedToken
# revoke to prevent replay attacks
if RevokedToken.add(eid):
del session['encrypted_id']
session.save()
return session
raise ValueError('Invalid session id')
def setUpTestData(cls):
cls.user = get_user_model().objects.create(username='******')
request = RequestFactory().get('/')
request.session = SessionStore()
request.user = AnonymousUser()
cls.backend = MojeidOidcBackend()
cls.backend.request = request
def get_view_handler_request(self,
view,
user,
handler_name,
method,
url,
data={},
ajax=False):
factory = RequestFactory()
f = getattr(factory, method)
# create request with session store
request = f(url, data)
request.session = SessionStore()
request.META['HTTP_HOST'] = '127.0.0.1'
request._messages = FallbackStorage(request)
# user
if user and user.id:
self.login(request, user)
# ajax
if ajax:
request.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
# user, profile and backend
request.user = user
request.user_profile = self.get_user_profile(request.user)
request.backend = Backend()
# changelog
request.changelog = ChangeLogManager(request)
return request
def test_encrypt_decrypt(self):
session = SessionStore()
session['test'] = 'in-test'
session.save()
eid = sessionrefcipher.encrypt(session)
sess = sessionrefcipher.decrypt(eid)
self.assertEqual(sess.get('test'), 'in-test')
def init_request():
request = HttpRequest()
request.method = 'GET'
request.session = SessionStore()
request.session.create()
request._messages = BaseStorage(request)
request.entree_user = AnonymousUser()
return request
def test_unique_encrypted_are_generated_after_revocation(self):
session = SessionStore()
session['test'] = 'in-test'
session.save()
eid1 = sessionrefcipher.encrypt(session)
session = sessionrefcipher.decrypt(eid1)
eid2 = sessionrefcipher.encrypt(session)
self.assertNotEqual(eid1, eid2)
def delete(request, employee_id):
"""
This will also remove the employee from the ACL,
delete the employee object and also delete the Parse.User object
if and only if it has no pointer to a Store or a Patron.
"""
# get from the employees_approved_list in session cache
employees_approved_list = SESSION.get_employees_approved_list(\
request.session)
i_remove, employee = 0, None
for ind, m in enumerate(employees_approved_list):
if m.objectId == employee_id:
employee = m
i_remove = ind
break
if not employee:
return redirect(reverse('employees_index')+ "?%s" %\
urllib.urlencode({'success': 'Employee has already been removed.'}))
employees_approved_list.pop(i_remove)
request.session['employees_approved_list'] =\
employees_approved_list
acc = Account.objects().get(Employee=employee.objectId)
if not acc: # employee may have been deleted
return redirect(reverse('employees_index')+ "?%s" %\
urllib.urlencode({'success': 'Employee has already been deleted.'}))
# Always save session first whenever calling a cloud code
request.session.save()
res = cloud_call("delete_employee", {"employee_id": employee.objectId})
request.session.clear()
request.session.update(SessionStore(request.session.session_key))
if 'error' not in res:
store = SESSION.get_store(request.session)
payload = {COMET_RECEIVE_KEY_NAME: COMET_RECEIVE_KEY}
if acc.objectId in store.ACL and not store.is_owner(acc):
del store.ACL[acc.objectId]
store.update()
payload["updatedStore"] = store.jsonify()
request.session['store'] = store
# only need to pass in the objectId
deleted_employee = Employee(objectId=employee.objectId)
payload["deletedEmployee"] = deleted_employee.jsonify()
comet_receive(store.objectId, payload)
return redirect(reverse('employees_index')+ "?%s" %\
urllib.urlencode({'success': 'Employee has been deleted.'}))
return redirect(reverse('employees_index')+ "?%s" %\
urllib.urlencode({'success': 'Employee has already been deleted.'}))
def test_fflag_for_new_unauthorized_user():
fflag_set_part('fflag_1', 1)
middleware = FFlagMiddleware(lambda request: HttpResponse(''))
req = RequestFactory().get('/')
req.session = SessionStore()
middleware(req)
assert req.fflag_enabled('fflag_1')
def deny(request, employee_id):
""" same as delete except this uses the pending list """
# get from the employees_pending_list in session cache
employees_pending_list = SESSION.get_employees_pending_list(\
request.session)
i_remove, employee = 0, None
for ind, m in enumerate(employees_pending_list):
if m.objectId == employee_id:
employee = m
i_remove = ind
break
if not employee:
return redirect(reverse('employees_index')+ "?%s" %\
urllib.urlencode({'success': 'Pending employee not found.'}))
# update session cache for employees_pending_list
employees_pending_list.pop(i_remove)
request.session['employees_pending_list'] =\
employees_pending_list
acc = Account.objects().get(Employee=employee.objectId)
if not acc: # employee may have been deleted
return redirect(reverse('employees_index')+ "?show_pending&%s" %\
urllib.urlencode({'success': 'Employee has already been denied.'}))
# Always save session first whenever calling a cloud code
request.session.save()
res = cloud_call("delete_employee", {"employee_id": employee.objectId})
request.session.clear()
request.session.update(SessionStore(request.session.session_key))
if 'error' not in res:
payload = {COMET_RECEIVE_KEY_NAME: COMET_RECEIVE_KEY}
store = SESSION.get_store(request.session)
# no need to check acl here but just in case
if acc.objectId in store.ACL and not store.is_owner(acc):
del store.ACL[acc.objectId]
store.update()
payload["updatedStore"] = store.jsonify()
request.session['store'] = store
# only need to pass in the objectId
deleted_employee = Employee(objectId=employee.objectId)
payload["deletedEmployee"] = deleted_employee.jsonify()
comet_receive(store.objectId, payload)
return redirect(reverse('employees_index')+ "?show_pending&%s" %\
urllib.urlencode({'success': 'Employee has been denied.'}))
return redirect(reverse('employees_index')+ "?%s" %\
urllib.urlencode({'success': 'Employee has already been deleted.'}))
def test_revoked_encrypted_id_raises_valueerror(self):
session = SessionStore()
session['test'] = 'in-test'
session.save()
eid1 = sessionrefcipher.encrypt(session)
session = sessionrefcipher.decrypt(eid1)
eid2 = sessionrefcipher.encrypt(session)
if eid1 == eid2:
raise SkipTest('Non-unique encrypted IDs generated')
self.assertRaises(ValueError, sessionrefcipher.decrypt, eid1)
def checkSessionToken(request):
"""
验证sessionToken
"""
session_key = request.COOKIES.get('sid', None)
session = SessionStore(session_key)
session_data = session.load()
if session_data.get('stoken', None):
session.delete()
else:
raise InvestError(3008)
def manage_admin_controls(request):
"""
To turn on god_mode:
...repunch.com/manage/admin-controls?action=god_mode&flag=1&
[email protected]&key=9p8437wk34z5ymurukdp9w34px7iuhsruhio
"""
if request.method == "GET":
params = request.GET.dict()
key = params.get("key")
action = params.get("action")
if key == ADMIN_CONTROL_KEY:
if action == "god_mode":
flag = params.get("flag")
email = params.get("email", "")
acc = Account.objects().get(email=email,
Store__ne=None,
include="Store.Subscription")
if not acc:
return HttpResponse("User with email %s not found." %\
(email,))
sub = acc.store.subscription
sub.god_mode = flag != "0"
sub.update()
payload = {
COMET_RECEIVE_KEY_NAME: COMET_RECEIVE_KEY,
"updatedSubscription": sub.jsonify(),
}
comet_receive(acc.store.objectId, payload)
# go out with the latest session in case this user is
# the one that triggered this action
request.session.clear()
request.session.update(
SessionStore(request.session.session_key))
if sub.god_mode:
on_off = "on"
else:
on_off = "off"
return HttpResponse("Successfully turned god mode "+\
"%s for user with email %s" % (on_off, email))
else:
return HttpResponse("Invalid action: %s" % (action, ))
else:
return HttpResponse("Wrong key: %s" % (key, ))
return HttpResponse("Bad Request")
def test_fflag_enabled_for_unauthorized_user(user_id, expected):
fflag_set_part_ids('fflag_1', [12])
middleware = FFlagMiddleware(lambda request: HttpResponse(''))
req = RequestFactory().get('/')
req.session = SessionStore()
req.session['FFLAG_USER_ID'] = user_id
middleware(req)
assert req.fflag_enabled('fflag_1') == expected
def test_user_login(user_data, user):
from django.contrib.auth import authenticate, login
from django.http.request import HttpRequest
from django.contrib.sessions.backends.cache import SessionStore
assert user.activate('516bb9061d58280acd0c3900e18feaf5166f02ff')
request = HttpRequest()
request.session = SessionStore()
user = authenticate(username=user_data['username'],
password=user_data['password'])
login(request, user)
assert user.is_authenticated()
def info(self, user=None, backend=None):
request = self.factory.get('/')
request.session = SessionStore()
if user:
if backend:
user.backend = '{0}.{1}'.format(backend.__module__,
backend.__class__.__name__)
auth.login(request, user)
request.user = user
info = views.Info.as_view()
return info(request)
def test_lazy_request_args(self):
# Ensure that request_args can be a lazy-evaluated dictionary.
request = self.factory.get('/')
request.user = AnonymousUser()
request.session = SessionStore()
info = browserid_info(request)
d = pq(info)
info_div = d('#browserid-info')
self.assertEqual(info_div.attr('data-request-args'),
'{"siteName": "asdf"}')
def test_backend_should_contain_error_messages_if_errors_have_been_raised(self):
request = self.factory.get('/admin/')
request.session = SessionStore()
request._messages = FallbackStorage(request)
# add some messages to filter. Add some non-error messages as well
messages.add_message(request, messages.SUCCESS, 'SUCCESS')
messages.add_message(request, messages.INFO, 'INFO')
messages.add_message(request, messages.ERROR, 'ERROR')
c = backend(request)
self.assertEqual(['ERROR'], [m.message for m in c.get('error_messages')])
def test_request(self):
user = User.objects.create_user('root', 'root')
session = SessionStore()
session.save()
request = HttpRequest()
request.user = user
request.session = session
usage.log('test', request=request, async=False)
event = Log.objects.all()[0]
self.assertEqual(event.user, user)
self.assertEqual(event.session_key, request.session.session_key)
def test_defaults(self):
request = self.factory.get('/')
request.user = AnonymousUser()
request.session = SessionStore()
info = browserid_info(request)
d = pq(info)
info_div = d('#browserid-info')
self.assertEqual(info_div.attr('data-user-email'), '')
self.assertEqual(info_div.attr('data-request-args'), '{}')
form = d('#browserid-form')
self.assertEqual(form.attr('action'), '/browserid/login/')
def test_authenticated_visiting_user(user_factory, rf, session):
"""
Check that an authenticated user creates a recognized customer visiting the site.
"""
user = user_factory()
with pytest.raises(Customer.DoesNotExist):
Customer.objects.get(pk=user.pk)
request = rf.get('/', follow=True)
request.user = user
request.session = SessionStore()
customer = Customer.objects.get_from_request(request)
assert isinstance(customer, Customer)
assert customer.is_authenticated() is True
assert customer.is_recognized() is True
assert customer.is_registered() is True
def test_login_via_form_valid(self):
data = {
'username': self.user.email,
'password': self.user_password,
}
self.request.entree_user = AnonymousUser()
self.request.method = 'POST'
self.request.POST = data
self.request.session = SessionStore()
ViewClass = csrf_exempt(LoginView.as_view())
ViewClass(self.request, origin_site=self.valid_site.pk)
assert_equals(self.request.entree_user, self.user)
def test_logout_form_valid(self):
data = {
'origin_site': self.valid_site.pk,
'next_url': '/',
}
self.request.method = 'POST'
self.request.POST = data
self.request.session = SessionStore()
ViewClass = csrf_exempt(LogoutView.as_view())
ViewClass(self.request, site_id=self.valid_site.pk)
assert_equals(self.request.entree_user.__class__, AnonymousUser)
def _create_spf_test_form(self):
s = Settings()
s.save()
form = SettingsForm(
self._create_settings_data(
s, {
'enquiry_email': '*****@*****.**',
'enquiry_from': '*****@*****.**',
'enquiry_reply': '*****@*****.**'
}))
factory = RequestFactory()
request = factory.post('/')
request.session = SessionStore()
request._messages = FallbackStorage(request)
form.configure(request, s, edit=True)
return (request, form)
