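def handle_authorization(self, environ, start_response):
    """Handles the response if the user is not authorized to access this URL.

    The authorization check is based on the 'login' setting for this handler,
    configured by the supplied url_map.

    Args:
      environ: An environ dict for the current request as defined in PEP-333.
      start_response: A function with semantics defined in PEP-333.

    Returns:
      An iterable over strings containing the body of an HTTP response, if the
      authorization check fails or the login UI must be displayed. None if the
      user is authorized to access the resource.
    """
    import hmac  # stdlib; imported locally so no file-level import is needed

    # hmac.compare_digest exists on Python 2.7.7+ / 3.3+; older interpreters
    # keep the original plain equality.
    compare_digest = getattr(hmac, 'compare_digest', None)

    def _secret_matches(expected, supplied):
        """Compare the configured secret hash with a header value in constant time.

        compare_digest raises TypeError for operands of differing types (or for
        None, i.e. no secret configured); in that case fall back to ordinary
        equality, which is what the original code did.
        """
        if compare_digest is None:
            return expected == supplied
        try:
            return compare_digest(expected, supplied)
        except TypeError:
            return expected == supplied

    admin_only = self._url_map.login == appinfo.LOGIN_ADMIN
    requires_login = self._url_map.login == appinfo.LOGIN_REQUIRED or admin_only
    auth_fail_action = self._url_map.auth_fail_action

    cookies = environ.get('HTTP_COOKIE')
    email_addr, admin, _ = login.get_user_info(cookies)

    # AppScale: the admin header is trusted only when it carries our deployment
    # secret hash, which authenticates that the task was created from an
    # AppScale deployment and not by an unauthorized party. The comparison is
    # constant-time so the hash cannot be recovered by timing responses.
    if (constants.FAKE_IS_ADMIN_HEADER in environ and
        _secret_matches(self._secret_hash,
                        environ[constants.FAKE_IS_ADMIN_HEADER])):
        admin = True
    # NOTE(review): unlike the admin header, the logged-in header is honoured on
    # presence alone. WSGI environ keys are populated from client request
    # headers unless a front end strips them, so confirm this header cannot
    # reach the app from outside the deployment; otherwise it satisfies
    # `login: required` for any caller.
    if constants.FAKE_LOGGED_IN_HEADER in environ:
        email_addr = 'Fake User'

    # admin has an effect only with login: admin (not login: required).
    if requires_login and not email_addr and not (admin and admin_only):
        if auth_fail_action == appinfo.AUTH_FAIL_ACTION_REDIRECT:
            logging.debug('login required, redirecting user')
            return login.login_redirect(
                wsgiref.util.application_uri(environ),
                wsgiref.util.request_uri(environ),
                start_response)
        elif auth_fail_action == appinfo.AUTH_FAIL_ACTION_UNAUTHORIZED:
            logging.debug('login required, user unauthorized')
            start_response('401 Not authorized',
                           [('Content-Type', 'text/html'),
                            ('Cache-Control', 'no-cache')])
            return ['Login required to view page.']
        # Any other auth_fail_action falls through and admits the request,
        # matching the original control flow.
    elif admin_only and not admin:
        logging.debug('admin required, user unauthorized')
        start_response('401 Not authorized',
                       [('Content-Type', 'text/html'),
                        ('Cache-Control', 'no-cache')])
        return [
            'Current logged in user %s is not '
            'authorized to view this page.' % email_addr
        ]

    # Authorization check succeeded
    return None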
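def handle_authorization(self, environ, start_response):
    """Handles the response if the user is not authorized to access this URL.

    The authorization check is based on the 'login' setting for this handler,
    configured by the supplied url_map.

    Args:
      environ: An environ dict for the current request as defined in PEP-333.
      start_response: A function with semantics defined in PEP-333.

    Returns:
      An iterable over strings containing the body of an HTTP response, if the
      authorization check fails or the login UI must be displayed. None if the
      user is authorized to access the resource.
    """
    import hmac  # stdlib; local import keeps the change inside this method

    # Available on Python 2.7.7+ / 3.3+; otherwise keep plain equality.
    compare_digest = getattr(hmac, 'compare_digest', None)

    def _secret_matches(expected, supplied):
        """Constant-time comparison of the configured secret hash and a header.

        Falls back to ordinary equality when compare_digest is unavailable or
        rejects the operands (mixed types, or None when no secret is set), which
        reproduces the original behaviour in those cases.
        """
        if compare_digest is None:
            return expected == supplied
        try:
            return compare_digest(expected, supplied)
        except TypeError:
            return expected == supplied

    admin_only = self._url_map.login == appinfo.LOGIN_ADMIN
    requires_login = self._url_map.login == appinfo.LOGIN_REQUIRED or admin_only
    auth_fail_action = self._url_map.auth_fail_action

    cookies = environ.get('HTTP_COOKIE')
    email_addr, admin, _ = login.get_user_info(cookies)

    # AppScale: honour the admin header only when it carries our secret hash,
    # which authenticates that the task came from an AppScale deployment and
    # not from an unauthorized party. A constant-time compare prevents the
    # hash from leaking through response timing.
    if (constants.FAKE_IS_ADMIN_HEADER in environ and
        _secret_matches(self._secret_hash,
                        environ[constants.FAKE_IS_ADMIN_HEADER])):
        admin = True
    # NOTE(review): the logged-in header has no secret check, unlike the admin
    # header above. environ HTTP_* keys are client-supplied unless a front end
    # strips them; verify this header is stripped at the edge, otherwise it
    # bypasses `login: required`.
    if constants.FAKE_LOGGED_IN_HEADER in environ:
        email_addr = 'Fake User'

    # admin has an effect only with login: admin (not login: required).
    if requires_login and not email_addr and not (admin and admin_only):
        if auth_fail_action == appinfo.AUTH_FAIL_ACTION_REDIRECT:
            logging.debug('login required, redirecting user')
            return login.login_redirect(wsgiref.util.application_uri(environ),
                                        wsgiref.util.request_uri(environ),
                                        start_response)
        elif auth_fail_action == appinfo.AUTH_FAIL_ACTION_UNAUTHORIZED:
            logging.debug('login required, user unauthorized')
            start_response('401 Not authorized',
                           [('Content-Type', 'text/html'),
                            ('Cache-Control', 'no-cache')])
            return ['Login required to view page.']
        # Other auth_fail_action values fall through and admit the request, as
        # in the original control flow.
    elif admin_only and not admin:
        logging.debug('admin required, user unauthorized')
        start_response('401 Not authorized',
                       [('Content-Type', 'text/html'),
                        ('Cache-Control', 'no-cache')])
        return ['Current logged in user %s is not '
                'authorized to view this page.' % email_addr]

    # Authorization check succeeded
    return None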
def handle_authorization(self, environ, start_response):
    """Reject the request, or show the login UI, when the user may not view this URL.

    The decision is driven by the handler's ``login`` setting from the url_map:
    ``login: required`` needs any signed-in user, ``login: admin`` needs an admin.

    Args:
      environ: WSGI environ dict for the current request (PEP-333).
      start_response: WSGI start_response callable (PEP-333).

    Returns:
      An iterable of strings forming the body of the redirect or error response
      when the check fails; None when the user is authorized.
    """
    login_setting = self._url_map.login
    needs_admin = login_setting == appinfo.LOGIN_ADMIN
    needs_user = needs_admin or login_setting == appinfo.LOGIN_REQUIRED
    on_failure = self._url_map.auth_fail_action

    email_addr, admin, _ = login.get_user_info(environ.get("HTTP_COOKIE"))

    # NOTE(review): both FAKE_* headers are honoured on presence alone, with no
    # shared-secret check. WSGI fills environ from client request headers, so
    # unless a front end strips them a caller can assert admin or logged-in
    # state for itself. Presumably these exist for a local development server
    # only; confirm they never reach a deployment facing untrusted clients.
    if constants.FAKE_IS_ADMIN_HEADER in environ:
        admin = True
    if constants.FAKE_LOGGED_IN_HEADER in environ:
        email_addr = "Fake User"

    unauthorized_headers = [("Content-Type", "text/html"),
                            ("Cache-Control", "no-cache")]

    # An admin satisfies ``login: admin`` even without an email address; for a
    # plain ``login: required`` handler the admin flag is irrelevant.
    missing_user = needs_user and not email_addr and not (admin and needs_admin)
    if missing_user:
        if on_failure == appinfo.AUTH_FAIL_ACTION_REDIRECT:
            logging.debug("login required, redirecting user")
            return login.login_redirect(
                wsgiref.util.application_uri(environ),
                wsgiref.util.request_uri(environ),
                start_response,
            )
        if on_failure == appinfo.AUTH_FAIL_ACTION_UNAUTHORIZED:
            logging.debug("login required, user unauthorized")
            start_response("401 Not authorized", unauthorized_headers)
            return ["Login required to view page."]
        # Any other auth_fail_action admits the request (falls through).
    elif needs_admin and not admin:
        logging.debug("admin required, user unauthorized")
        start_response("401 Not authorized", unauthorized_headers)
        return ["Current logged in user %s is not authorized to view this page."
                % email_addr]

    # Authorized.
    return None
def test_basic(self):
    """login_redirect must answer 302 with the escaped continue URL in Location."""
    app_url = 'http://foo.com:1234'
    continue_url = ('http://foo.com:1234/my/album/of/pictures?'
                    'with=some&query=parameters')
    expected_location = (
        'http://foo.com:1234/_ah/login?continue='
        'http%3A//foo.com%3A1234'
        '/my/album/of/pictures%3Fwith%3Dsome%26query%3Dparameters')

    def fake_start_response(status, headers, exc_info=None):
        # Only the 3xx status and the single Location header are checked.
        self.assertTrue(status.startswith('302'))
        self.assertEqual({'Location': expected_location}, dict(headers))
        self.assertEqual(None, exc_info)

    body = login.login_redirect(app_url, continue_url, fake_start_response)
    # A redirect response carries no body.
    self.assertEqual('', ''.join(body))