async def get_user(self, token):
cache_key = self.get_user_cache_key(token['id'])
store = cache.get_memory_cache()
try:
return store[cache_key]
except KeyError:
pass
user_id = token.get('id')
if user_id is None:
return
user_data = await utils.find_user(username=user_id)
user = GuillotinaUser(user_id=user_data['username'],
properties=user_data['data'])
user.password = user_data['password']
# in oauth context, user can choose to only grant subset of all
# available. In this context, we give them access to everything
# on the container
self.apply_scope(
user, {
'allowed_scopes': user_data['allowed_scopes'],
'scope': user_data['allowed_scopes'],
})
store[cache_key] = user
return user
async def validate(self, token):
"""Return the user from the token."""
if token.get('type') != 'bearer':
return None
if '.' not in token.get('token', ''):
# quick way to check if actually might be jwt
return None
try:
try:
validated_jwt = jwt.decode(
token['token'],
app_settings['jwt']['secret'],
algorithms=[app_settings['jwt']['algorithm']])
except jwt.exceptions.ExpiredSignatureError:
logger.warn("Token Expired")
raise HTTPUnauthorized()
except jwt.InvalidIssuedAtError:
logger.warn("Back to the future")
validated_jwt = jwt.decode(
token['token'],
app_settings['jwt']['secret'],
algorithms=[app_settings['jwt']['algorithm']],
options=NON_IAT_VERIFY)
user = GuillotinaUser(self.request)
user.name = validated_jwt['fullname']
user.id = validated_jwt['sub']
return user
except jwt.exceptions.DecodeError:
pass
return None
async def test_inherit(container_requester):
async with container_requester as requester:
response, status = await requester(
"POST", "/db/guillotina/", data=json.dumps({"@type": "Item", "id": "testing"})
)
assert status == 201
response, status = await requester(
"POST",
"/db/guillotina/@sharing",
data=json.dumps(
{"prinrole": [{"principal": "user1", "role": "guillotina.Reader", "setting": "Allow"}]}
),
)
assert status == 200
response, status = await requester(
"POST",
"/db/guillotina/testing/@sharing",
data=json.dumps({"perminhe": [{"permission": "guillotina.ViewContent", "setting": "Deny"}]}),
)
assert status == 200
response, status = await requester("GET", "/db/guillotina/testing/@all_permissions")
assert status == 200
container = await utils.get_container(requester=requester)
content = await container.async_get("testing")
user = GuillotinaUser("user1")
utils.login(user=user)
policy = get_security_policy()
assert policy.check_permission("guillotina.ViewContent", container)
assert not policy.check_permission("guillotina.ViewContent", content)
response, status = await requester("GET", "/db/guillotina/testing")
assert status == 401
response, status = await requester(
"POST",
"/db/guillotina/testing/@sharing",
data=json.dumps(
{
"roleperm": [
{
"permission": "guillotina.ViewContent",
"role": "guillotina.Manager",
"setting": "Allow",
}
]
}
),
)
assert status == 200
response, status = await requester("GET", "/db/guillotina/testing")
assert status == 200
def login_user(request, user_data):
"""Logs user in to guillotina so the job has the correct access
"""
if 'id' in user_data:
user = GuillotinaUser(
user_id=user_data['id'],
groups=user_data.get('groups', []),
roles={name: Allow
for name in user_data['roles']})
user.data = user_data.get('data', {})
set_authenticated_user(user)
else:
set_authenticated_user(None)
if user_data.get('Authorization'):
# leave in for b/w compat, remove at later date
request.headers['Authorization'] = user_data['Authorization']
for name, value in (user_data.get('headers') or {}).items():
request.headers[name] = value
def login_user(request, user_data):
"""Logs user in to guillotina so the job has the correct access
"""
if "id" in user_data:
user = GuillotinaUser(
user_id=user_data["id"],
groups=user_data.get("groups", []),
roles={name: Allow
for name in user_data["roles"]},
)
user.data = user_data.get("data", {})
set_authenticated_user(user)
else:
set_authenticated_user(None)
if user_data.get("Authorization"):
# leave in for b/w compat, remove at later date
request.headers["Authorization"] = user_data["Authorization"]
for name, value in (user_data.get("headers") or {}).items():
request.headers[name] = value
async def test_allowsingle(container_requester):
async with container_requester as requester:
response, status = await requester(
"POST", "/db/guillotina/", data=json.dumps({"@type": "Item", "id": "testing"})
)
assert status == 201
response, status = await requester(
"POST",
"/db/guillotina/@sharing",
data=json.dumps(
{
"prinperm": [
{
"principal": "group1",
"permission": "guillotina.AccessContent",
"setting": "AllowSingle",
}
]
}
),
)
assert status == 200
response, status = await requester(
"POST",
"/db/guillotina/testing/@sharing",
data=json.dumps(
{
"prinperm": [
{"principal": "group2", "permission": "guillotina.AccessContent", "setting": "Allow"}
]
}
),
)
assert status == 200
container = await utils.get_container(requester=requester)
content = await container.async_get("testing")
user = GuillotinaUser("user1")
user._groups = ["group1", "group2"]
utils.login(user=user)
policy = get_security_policy(user)
assert policy.check_permission("guillotina.AccessContent", container)
assert policy.check_permission("guillotina.AccessContent", content)
user = GuillotinaUser("user2")
user._groups = ["group1"]
utils.login(user=user)
policy = get_security_policy(user)
assert policy.check_permission("guillotina.AccessContent", container)
assert not policy.check_permission("guillotina.AccessContent", content)
async def test_allowsingle(container_requester):
async with container_requester as requester:
response, status = await requester('POST',
'/db/guillotina/',
data=json.dumps({
'@type': 'Item',
'id': 'testing'
}))
assert status == 201
response, status = await requester('POST',
'/db/guillotina/@sharing',
data=json.dumps({
'prinperm': [{
'principal':
'group1',
'permission':
'guillotina.AccessContent',
'setting':
'AllowSingle'
}]
}))
assert status == 200
response, status = await requester('POST',
'/db/guillotina/testing/@sharing',
data=json.dumps({
'prinperm': [{
'principal': 'group2',
'permission':
'guillotina.AccessContent',
'setting': 'Allow'
}]
}))
assert status == 200
container = await utils.get_container(requester=requester)
content = await container.async_get('testing')
user = GuillotinaUser('user1')
user._groups = ['group1', 'group2']
utils.login(user=user)
policy = get_security_policy(user)
assert policy.check_permission('guillotina.AccessContent', container)
assert policy.check_permission('guillotina.AccessContent', content)
user = GuillotinaUser('user2')
user._groups = ['group1']
utils.login(user=user)
policy = get_security_policy(user)
assert policy.check_permission('guillotina.AccessContent', container)
assert not policy.check_permission('guillotina.AccessContent', content)
def login_user(request, user_data):
request.security = Interaction(request)
participation = GuillotinaParticipation(request)
participation.interaction = None
if 'id' in user_data:
user = GuillotinaUser(request)
user.id = user_data['id']
user._groups = user_data.get('groups', [])
user._roles = user_data.get('roles', [])
user.data = user_data.get('data', {})
participation.principal = user
request._cache_user = user
request.security.add(participation)
request.security.invalidate_cache()
request._cache_groups = {}
if user_data.get('Authorization'):
request.headers['Authorization'] = user_data['Authorization']
async def test_allowsingle2(container_requester):
async with container_requester as requester:
response, status = await requester("POST",
"/db/guillotina/",
data=json.dumps({
"@type": "Folder",
"id": "testing"
}))
assert status == 201
response, status = await requester("POST",
"/db/guillotina/testing/",
data=json.dumps({
"@type": "Item",
"id": "test1"
}))
assert status == 201
response, status = await requester("POST",
"/db/guillotina/testing/",
data=json.dumps({
"@type": "Item",
"id": "test2"
}))
assert status == 201
response, status = await requester(
"POST",
"/db/guillotina/@sharing",
data=json.dumps({
"prinperm": [{
"principal": "group1",
"permission": "guillotina.AccessContent",
"setting": "AllowSingle",
}]
}),
)
assert status == 200
response, status = await requester(
"POST",
"/db/guillotina/testing/@sharing",
data=json.dumps({
"prinperm": [
{
"principal": "group2",
"permission": "guillotina.AccessContent",
"setting": "Allow"
},
{
"principal": "group1",
"permission": "guillotina.ViewContent",
"setting": "AllowSingle",
},
]
}),
)
assert status == 200
response, status = await requester(
"POST",
"/db/guillotina/testing/test1/@sharing",
data=json.dumps({
"prinperm": [{
"principal": "group3",
"permission": "guillotina.ViewContent",
"setting": "Allow"
}]
}),
)
assert status == 200
response, status = await requester(
"POST",
"/db/guillotina/testing/test2/@sharing",
data=json.dumps({
"prinrole": [{
"principal": "group2",
"role": "guillotina.Reader",
"setting": "Allow"
}],
"roleperm": [{
"role": "guillotina.Reader",
"permission": "guillotina.ViewContent",
"setting": "Allow",
}],
}),
)
assert status == 200
container = await utils.get_container(requester=requester)
content = await container.async_get("testing")
user = GuillotinaUser("user1")
user._groups = ["group2", "group1"]
utils.login(user=user)
policy = get_security_policy()
assert policy.check_permission("guillotina.AccessContent", container)
assert policy.check_permission("guillotina.AccessContent", content)
user = GuillotinaUser("user2")
user._groups = ["group1"]
utils.login(user=user)
policy = get_security_policy(user)
assert policy.check_permission("guillotina.AccessContent", container)
assert not policy.check_permission("guillotina.AccessContent", content)
user = GuillotinaUser("user3")
user._groups = ["group1", "group2", "group3"]
user._roles = {"testing.Role1": Allow}
utils.login(user=user)
test1 = await content.async_get("test1")
test2 = await content.async_get("test2")
policy = get_security_policy(user)
assert policy.check_permission("guillotina.ViewContent", test1)
assert policy.check_permission("guillotina.ViewContent", test2)
roles = get_roles_principal(test2)
assert "guillotina.Reader" in roles
assert "guillotina.Anonymous" in roles
assert "guillotina.Authenticated" in roles
assert "testing.Role1" in roles
async def test_allowsingle2(container_requester):
async with container_requester as requester:
response, status = await requester('POST',
'/db/guillotina/',
data=json.dumps({
'@type': 'Folder',
'id': 'testing'
}))
assert status == 201
response, status = await requester('POST',
'/db/guillotina/testing/',
data=json.dumps({
'@type': 'Item',
'id': 'test1'
}))
assert status == 201
response, status = await requester('POST',
'/db/guillotina/testing/',
data=json.dumps({
'@type': 'Item',
'id': 'test2'
}))
assert status == 201
response, status = await requester('POST',
'/db/guillotina/@sharing',
data=json.dumps({
'prinperm': [{
'principal':
'group1',
'permission':
'guillotina.AccessContent',
'setting':
'AllowSingle'
}]
}))
assert status == 200
response, status = await requester('POST',
'/db/guillotina/testing/@sharing',
data=json.dumps({
'prinperm': [{
'principal': 'group2',
'permission':
'guillotina.AccessContent',
'setting': 'Allow'
}, {
'principal':
'group1',
'permission':
'guillotina.ViewContent',
'setting':
'AllowSingle'
}]
}))
assert status == 200
response, status = await requester(
'POST',
'/db/guillotina/testing/test1/@sharing',
data=json.dumps({
'prinperm': [{
'principal': 'group3',
'permission': 'guillotina.ViewContent',
'setting': 'Allow'
}]
}))
assert status == 200
response, status = await requester(
'POST',
'/db/guillotina/testing/test2/@sharing',
data=json.dumps({
'prinrole': [{
'principal': 'group2',
'role': 'guillotina.Reader',
'setting': 'Allow'
}],
'roleperm': [{
'role': 'guillotina.Reader',
'permission': 'guillotina.ViewContent',
'setting': 'Allow'
}]
}))
assert status == 200
request = utils.get_mocked_request(requester.db)
container = await utils.get_container(requester, request)
content = await container.async_get('testing')
user = GuillotinaUser(request)
user.id = 'user1'
user._groups = ['group2', 'group1']
utils.login(request, user)
assert request.security.check_permission('guillotina.AccessContent',
request.container)
assert request.security.check_permission('guillotina.AccessContent',
content)
user = GuillotinaUser(request)
user.id = 'user2'
user._groups = ['group1']
utils.login(request, user)
assert request.security.check_permission('guillotina.AccessContent',
request.container)
assert not request.security.check_permission(
'guillotina.AccessContent', content)
user = GuillotinaUser(request)
user.id = 'user3'
user._groups = ['group1', 'group2', 'group3']
utils.login(request, user)
test1 = await content.async_get('test1')
test2 = await content.async_get('test2')
assert request.security.check_permission('guillotina.ViewContent',
test1)
assert request.security.check_permission('guillotina.ViewContent',
test2)
async def test_inherit(container_requester):
async with container_requester as requester:
response, status = await requester('POST',
'/db/guillotina/',
data=json.dumps({
'@type': 'Item',
'id': 'testing'
}))
assert status == 201
response, status = await requester('POST',
'/db/guillotina/@sharing',
data=json.dumps({
'prinrole': [{
'principal': 'user1',
'role': 'guillotina.Reader',
'setting': 'Allow'
}]
}))
assert status == 200
response, status = await requester('POST',
'/db/guillotina/testing/@sharing',
data=json.dumps({
'perminhe': [{
'permission':
'guillotina.ViewContent',
'setting': 'Deny'
}]
}))
assert status == 200
response, status = await requester(
'GET', '/db/guillotina/testing/@all_permissions')
assert status == 200
request = utils.get_mocked_request(requester.db)
container = await utils.get_container(requester, request)
content = await container.async_get('testing')
user = GuillotinaUser(request)
user.id = 'user1'
utils.login(request, user)
assert request.security.check_permission('guillotina.ViewContent',
request.container)
assert not request.security.check_permission('guillotina.ViewContent',
content)
response, status = await requester('GET', '/db/guillotina/testing')
assert status == 401
response, status = await requester('POST',
'/db/guillotina/testing/@sharing',
data=json.dumps({
'roleperm': [{
'permission':
'guillotina.ViewContent',
'role':
'guillotina.Manager',
'setting': 'Allow'
}]
}))
assert status == 200
response, status = await requester('GET', '/db/guillotina/testing')
assert status == 200