示例#1
    def test_unauthenticated_userid_returns_userid_from_token(self, fake_token, pyramid_request):
        """The policy reports the userid belonging to ``request.auth_token``.

        ``fake_token`` is a fixture defined outside this listing; presumably it
        is a valid token owned by the asserted account.
        """
        pyramid_request.auth_token = fake_token
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(pyramid_request)

        # NOTE(review): "[email protected]" is e-mail obfuscation applied by the
        # page this listing came from; the real userid is not recoverable here.
        expected = "acct:[email protected]"
        assert userid == expected
示例#2
    def test_unauthenticated_userid_returns_userid_from_token(self, pyramid_request):
        """A token string placed on the request resolves to a userid.

        What makes 'valid123' resolve is set up by fixtures that are not part
        of this listing.
        """
        pyramid_request.auth_token = 'valid123'

        userid = TokenAuthenticationPolicy().unauthenticated_userid(pyramid_request)

        assert userid == 'acct:[email protected]'
示例#3
    def test_unauthenticated_userid_returns_none_if_token_invalid(self, pyramid_request, token_service):
        """No userid is reported when the token service rejects the token.

        The stubbed ``token_service.validate`` returns None, and the policy is
        expected to fail closed (None) rather than fall back to any identity.
        """
        token_service.validate.return_value = None
        pyramid_request.auth_token = 'abcd123'
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(pyramid_request)

        assert userid is None
示例#4
    def test_unauthenticated_userid_returns_none_if_token_invalid(self, pyramid_request):
        """A token built with ``valid=False`` must not produce a userid."""
        pyramid_request.auth_token = DummyToken(valid=False)
        token_policy = TokenAuthenticationPolicy()

        # Fail closed: an invalid token gives None, never a partial identity.
        assert token_policy.unauthenticated_userid(pyramid_request) is None
示例#5
    def test_unauthenticated_userid_returns_none_if_token_invalid(
            self, pyramid_request):
        """An invalid token on the request yields None instead of a userid."""
        invalid_token = DummyToken(valid=False)
        pyramid_request.auth_token = invalid_token

        userid = TokenAuthenticationPolicy().unauthenticated_userid(
            pyramid_request)

        assert userid is None
示例#6
    def test_authenticated_userid_uses_callback(self, pyramid_request):
        """A callback returning None leaves the request without an authenticated userid.

        This holds even though a token is present on the request, so access
        decisions should rest on ``authenticated_userid`` (which has passed
        the callback) rather than on ``unauthenticated_userid``.
        """
        pyramid_request.auth_token = 'valid123'
        vetoing_policy = TokenAuthenticationPolicy(
            callback=lambda userid, request: None)

        assert vetoing_policy.authenticated_userid(pyramid_request) is None
示例#7
文件: policy_test.py 项目: ficolo/h
    def test_unauthenticated_userid_returns_none_if_neither_token_valid(self, jwt, api_token):
        """With both extractors returning None, a Bearer header yields no userid.

        ``api_token`` and ``jwt`` are fixtures from outside this listing,
        presumably patches of the two token-extractor functions.
        """
        for extractor in (api_token, jwt):
            extractor.return_value = None
        bearer_headers = {'Authorization': 'Bearer f00ba12'}
        request = DummyRequest(headers=bearer_headers)

        userid = TokenAuthenticationPolicy().unauthenticated_userid(request)

        assert userid is None
示例#8
文件: policy_test.py 项目: ficolo/h
    def test_unauthenticated_userid_returns_userid_from_jwt_as_fallback(self, jwt, api_token):
        """When the API-token extractor finds nothing, the JWT result is used."""
        jwt_userid = 'acct:[email protected]'
        api_token.return_value = None
        jwt.return_value = jwt_userid
        request = DummyRequest(headers={'Authorization': 'Bearer f00ba12'})
        token_policy = TokenAuthenticationPolicy()

        assert token_policy.unauthenticated_userid(request) == 'acct:[email protected]'
示例#9
文件: policy_test.py 项目: djcun95/h
    def test_unauthenticated_userid_returns_userid_from_api_token_if_present(self, jwt, api_token, pyramid_request):
        """A userid from the API-token extractor is returned when both extractors yield one.

        NOTE(review): the page's e-mail obfuscation has turned every userid
        below into the same "[email protected]" text. Presumably the original
        used two different accounts so the assertion could tell which
        extractor won; as printed here it cannot.
        """
        pyramid_request.headers = {'Authorization': 'Bearer f00ba12'}
        api_token.return_value = 'acct:[email protected]'
        jwt.return_value = 'acct:[email protected]'
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(pyramid_request)

        assert userid == 'acct:[email protected]'
示例#10
    def test_unauthenticated_userid_returns_none_for_invalid_query_param_token(self, pyramid_request):
        """An invalid ``access_token`` query parameter on `/ws` still gives None.

        Accepting the token from the query string on this path must not relax
        validation of the token itself.
        """
        pyramid_request.path = '/ws'
        pyramid_request.GET['access_token'] = 'expired'
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(pyramid_request)

        assert userid is None
示例#11
    def test_effective_principals_uses_callback(self, fake_token, pyramid_request):
        """Principals returned by the callback appear in ``effective_principals``.

        The comparison is a strict superset, so the policy is expected to add
        principals beyond the ones listed in this test.
        """
        def principals_for(userid, request):
            return [userid + ".foo", "group:donkeys"]

        pyramid_request.auth_token = fake_token
        token_policy = TokenAuthenticationPolicy(callback=principals_for)

        principals = token_policy.effective_principals(pyramid_request)

        # NOTE(review): the two "acct:" entries look identical only because the
        # page obfuscated e-mail-like text; presumably they were the userid and
        # the userid with ".foo" appended.
        expected = set(["acct:[email protected]", "acct:[email protected]", "group:donkeys"])
        assert expected < set(principals)
示例#12
    def test_unauthenticated_userid_returns_userid_from_jwt_as_fallback(
            self, jwt, api_token):
        """The JWT extractor's userid is returned when the API-token one gives None."""
        api_token.return_value = None
        jwt.return_value = 'acct:[email protected]'
        bearer_headers = {'Authorization': 'Bearer f00ba12'}
        request = DummyRequest(headers=bearer_headers)

        userid = TokenAuthenticationPolicy().unauthenticated_userid(request)

        assert userid == 'acct:[email protected]'
示例#13
文件: policy_test.py 项目: ficolo/h
    def test_unauthenticated_userid_passes_token_to_extractor_functions(self, jwt, api_token):
        """Each extractor is called exactly once with the bare token.

        The value passed on is the Authorization header without its
        ``Bearer `` prefix; the JWT extractor also receives the request.
        """
        for extractor in (api_token, jwt):
            extractor.return_value = None
        request = DummyRequest(headers={'Authorization': 'Bearer f00ba12'})

        TokenAuthenticationPolicy().unauthenticated_userid(request)

        api_token.assert_called_once_with('f00ba12')
        jwt.assert_called_once_with('f00ba12', request)
示例#14
    def test_unauthenticated_userid_returns_none_if_neither_token_valid(
            self, jwt, api_token):
        """No userid results when neither extractor recognises the Bearer token."""
        jwt.return_value = None
        api_token.return_value = None
        request = DummyRequest(headers={'Authorization': 'Bearer f00ba12'})
        token_policy = TokenAuthenticationPolicy()

        # Both extractors returned None, so the policy must fail closed.
        assert token_policy.unauthenticated_userid(request) is None
示例#15
    def test_unauthenticated_userid_returns_userid_from_query_params_token(self, pyramid_request):
        """On `/ws` the ``access_token`` query parameter is accepted as the token.

        NOTE(review): tokens carried in a URL can end up in access logs and
        browser history, so keep this path's request logging in mind.
        """
        pyramid_request.path = '/ws'
        pyramid_request.GET['access_token'] = 'valid123'
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(pyramid_request)

        assert userid == 'acct:[email protected]'
示例#16
文件: policy_test.py 项目: ficolo/h
    def test_authenticated_userid_uses_callback(self, jwt, api_token):
        """The callback decides: returning None overrides a userid from the API token.

        The API-token extractor is stubbed to yield a userid, yet
        ``authenticated_userid`` must be None because the callback rejects it.
        """
        api_token.return_value = 'acct:[email protected]'
        jwt.return_value = None
        bearer_headers = {'Authorization': 'Bearer f00ba12'}
        request = DummyRequest(headers=bearer_headers)
        vetoing_policy = TokenAuthenticationPolicy(
            callback=lambda userid, request: None)

        assert vetoing_policy.authenticated_userid(request) is None
示例#17
    def test_effective_principals_uses_callback(self, pyramid_request):
        """The callback's principals are part of ``effective_principals``.

        The strict-superset check leaves room for principals the policy adds
        on its own.
        """
        def principals_for(userid, request):
            return [userid + '.foo', 'group:donkeys']

        pyramid_request.auth_token = 'valid123'
        token_policy = TokenAuthenticationPolicy(callback=principals_for)

        principals = set(token_policy.effective_principals(pyramid_request))

        # NOTE(review): the duplicated "acct:" literal is an artefact of the
        # page's e-mail obfuscation; presumably the entries originally differed.
        expected = set(['acct:[email protected]',
                        'acct:[email protected]',
                        'group:donkeys'])
        assert expected < principals
示例#18
    def test_unauthenticated_userid_passes_token_to_extractor_functions(
            self, jwt, api_token):
        """Both extractors see the token stripped of its ``Bearer `` prefix.

        ``api_token`` is called with the token alone, ``jwt`` with the token
        and the request, and each of them exactly once.
        """
        jwt.return_value = None
        api_token.return_value = None
        bearer_headers = {'Authorization': 'Bearer f00ba12'}
        request = DummyRequest(headers=bearer_headers)
        token_policy = TokenAuthenticationPolicy()

        token_policy.unauthenticated_userid(request)

        api_token.assert_called_once_with('f00ba12')
        jwt.assert_called_once_with('f00ba12', request)
示例#19
    def test_authenticated_userid_uses_callback(self, jwt, api_token):
        """A userid from the token is not authenticated until the callback accepts it.

        Here the callback returns None, so the result must be None although
        the API-token extractor supplied a userid.
        """
        def reject_everyone(userid, request):
            return None

        jwt.return_value = None
        api_token.return_value = 'acct:[email protected]'
        request = DummyRequest(headers={'Authorization': 'Bearer f00ba12'})

        userid = TokenAuthenticationPolicy(
            callback=reject_everyone).authenticated_userid(request)

        assert userid is None
示例#20
    def test_unauthenticated_userid_skips_query_param_for_non_ws_requests(self, pyramid_request):
        """
        A valid token in the `access_token` query param is ignored unless the
        request path is /ws; this request goes to /api and must get None.

        Query-string tokens tend to leak through access logs, browser history
        and Referer headers, so accepting them on one path only keeps that
        exposure small.
        """
        pyramid_request.path = '/api'
        pyramid_request.GET['access_token'] = 'valid123'
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(pyramid_request)

        assert userid is None
示例#21
文件: policy_test.py 项目: ficolo/h
    def test_effective_principals_uses_callback(self, jwt, api_token):
        """Principals supplied by the callback show up in ``effective_principals``.

        The userid comes from the stubbed API-token extractor. The comparison
        is a strict superset, so the policy is expected to add further
        principals of its own.
        """
        def principals_for(userid, request):
            return [userid + '.foo', 'group:donkeys']

        api_token.return_value = 'acct:[email protected]'
        jwt.return_value = None
        request = DummyRequest(headers={'Authorization': 'Bearer f00ba12'})
        token_policy = TokenAuthenticationPolicy(callback=principals_for)

        principals = set(token_policy.effective_principals(request))

        # NOTE(review): the two identical "acct:" entries are an artefact of
        # the page's e-mail obfuscation; presumably they originally differed.
        expected = set(['acct:[email protected]',
                        'acct:[email protected]',
                        'group:donkeys'])
        assert expected < principals
示例#22
    def test_effective_principals_uses_callback(self, pyramid_request):
        """``effective_principals`` contains what the callback returned, and more.

        The check is a strict superset: the listed principals must be present
        and at least one additional principal must exist.
        """
        def principals_for(userid, request):
            return [userid + ".foo", "group:donkeys"]

        pyramid_request.auth_token = "valid123"
        token_policy = TokenAuthenticationPolicy(callback=principals_for)

        principals = token_policy.effective_principals(pyramid_request)

        # NOTE(review): the repeated "acct:" literal comes from e-mail
        # obfuscation on the source page, not from the original test.
        expected = {
            "acct:[email protected]",
            "acct:[email protected]",
            "group:donkeys",
        }
        assert expected < set(principals)
示例#23
    def test_effective_principals_uses_callback(self, jwt, api_token):
        """The callback's return value feeds into ``effective_principals``.

        With the API-token extractor stubbed to yield a userid, the resulting
        principals must strictly contain the listed ones.
        """
        jwt.return_value = None
        api_token.return_value = 'acct:[email protected]'
        request = DummyRequest(headers={'Authorization': 'Bearer f00ba12'})
        token_policy = TokenAuthenticationPolicy(
            callback=lambda userid, request: [userid + '.foo', 'group:donkeys'])

        principals = set(token_policy.effective_principals(request))

        # NOTE(review): both "acct:" literals read the same only because the
        # source page obfuscated e-mail-like text.
        expected = set([
            'acct:[email protected]', 'acct:[email protected]', 'group:donkeys'
        ])
        assert expected < principals
示例#24
def create_app(global_config, **settings):
    """Assemble the Pyramid configuration and return the WSGI application.

    Authorization uses ``ACLAuthorizationPolicy``. Authentication is a
    ``MultiAuthenticationPolicy`` built from a token policy and a session
    policy, listed in that order and both using ``groupfinder`` as callback.

    :param global_config: accepted but not read by this function
    :param settings: keyword settings handed to ``configure``
    :returns: the result of ``config.make_wsgi_app()``
    """
    config = configure(settings=settings)
    config.add_request_method(features.Client, name='feature', reify=True)

    config.set_authorization_policy(ACLAuthorizationPolicy())

    # NOTE(review): a session (cookie) policy is accepted next to the token
    # policy. If this app serves websocket connections (it includes
    # h.streamer), confirm that the handshake checks the Origin header; that
    # check is not visible in this function.
    auth_policies = [
        TokenAuthenticationPolicy(callback=groupfinder),
        SessionAuthenticationPolicy(callback=groupfinder),
    ]
    config.set_authentication_policy(MultiAuthenticationPolicy(auth_policies))

    # Include order is kept exactly as in the original listing.
    includes = (
        'h.auth',
        'h.sentry',
        'h.stats',
        # models and db are needed to set up the sqlalchemy metadata
        'h.models',
        'h.db',
        'h.api.db',
        # search provides the `request.es` property
        'h.api.search',
        'h.streamer',
    )
    for module_name in includes:
        config.include(module_name)

    return config.make_wsgi_app()
示例#25
    def test_unauthenticated_userid_is_none_if_no_token(self, pyramid_request):
        """A request on which this test sets no token yields no userid."""
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(pyramid_request)

        assert userid is None
示例#26
    def test_remember_does_nothing(self, pyramid_request):
        """``remember`` returns an empty list: the token policy sets no headers."""
        token_policy = TokenAuthenticationPolicy()

        headers = token_policy.remember(pyramid_request, "foo")

        assert headers == []
示例#27
    def test_remember_does_nothing(self, pyramid_request):
        """Asking the token policy to remember a userid produces no headers."""
        remembered = TokenAuthenticationPolicy().remember(pyramid_request, "foo")

        # An empty list means nothing (such as a cookie) is added to the response.
        assert remembered == []
示例#28
    def test_forget_does_nothing(self, pyramid_request):
        """``forget`` returns an empty list.

        NOTE(review): since nothing is emitted here, ending a token's
        validity has to happen elsewhere (for example by revoking the token);
        that code is not part of this listing.
        """
        token_policy = TokenAuthenticationPolicy()

        headers = token_policy.forget(pyramid_request)

        assert headers == []
示例#29
文件: policy_test.py 项目: ficolo/h
    def test_remember_does_nothing(self):
        """``remember`` on the token policy yields no response headers."""
        token_policy = TokenAuthenticationPolicy()

        headers = token_policy.remember(DummyRequest(), 'foo')

        assert headers == []
示例#30
 def policy(self):
     """Attach an ``AuthenticationPolicy`` with mocked sub-policies to ``self``.

     Both doubles use ``spec_set``, so reading or setting an attribute the
     real policy lacks fails the test instead of passing silently. The
     composite is stored as ``self.policy``, which shadows this method on
     the instance.
     """
     session_double = mock.Mock(spec_set=SessionAuthenticationPolicy())
     self.session_policy = session_double
     token_double = mock.Mock(spec_set=TokenAuthenticationPolicy())
     self.token_policy = token_double

     composite = AuthenticationPolicy()
     self.policy = composite
     composite.session_policy = session_double
     composite.token_policy = token_double
示例#31
    def test_forget_does_nothing(self, pyramid_request):
        """Forgetting the user produces no headers with the token policy."""
        forgotten = TokenAuthenticationPolicy().forget(pyramid_request)

        assert forgotten == []
示例#32
文件: policy_test.py 项目: ficolo/h
    def test_unauthenticated_userid_is_none_if_header_incorrectly_formatted(self, value):
        """A malformed Authorization header is treated as no credentials.

        ``value`` is supplied from outside this listing, presumably by a
        parametrize decorator listing malformed header values.
        """
        request = DummyRequest(headers={'Authorization': value})
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(request)

        assert userid is None
示例#33
文件: policy_test.py 项目: ficolo/h
    def test_unauthenticated_userid_is_none_if_header_missing(self):
        """A request built without headers yields no userid."""
        bare_request = DummyRequest()

        userid = TokenAuthenticationPolicy().unauthenticated_userid(bare_request)

        assert userid is None
示例#34
    def test_unauthenticated_userid_is_none_if_header_missing(self):
        """Without an Authorization header the policy reports None."""
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(DummyRequest())

        assert userid is None
示例#35
    def test_unauthenticated_userid_is_none_if_header_incorrectly_formatted(
            self, value):
        """An Authorization header in the wrong format yields None.

        The ``value`` argument comes from outside this listing (presumably a
        parametrize decorator).
        """
        malformed_headers = {'Authorization': value}
        request = DummyRequest(headers=malformed_headers)

        userid = TokenAuthenticationPolicy().unauthenticated_userid(request)

        assert userid is None
示例#36
    def test_unauthenticated_userid_is_none_if_no_token(self, pyramid_request):
        """With no token supplied by this test, the policy returns None."""
        userid = TokenAuthenticationPolicy().unauthenticated_userid(pyramid_request)

        # The absence of credentials must never default to some identity.
        assert userid is None
示例#37
    def test_remember_does_nothing(self):
        """The token policy's ``remember`` returns an empty list of headers."""
        request = DummyRequest()

        headers = TokenAuthenticationPolicy().remember(request, 'foo')

        assert headers == []
示例#38
    def test_forget_does_nothing(self):
        """The token policy's ``forget`` returns an empty list of headers."""
        request = DummyRequest()

        headers = TokenAuthenticationPolicy().forget(request)

        assert headers == []
示例#39
文件: policy_test.py 项目: ficolo/h
    def test_forget_does_nothing(self):
        """``forget`` emits nothing for token authentication."""
        token_policy = TokenAuthenticationPolicy()

        forgotten = token_policy.forget(DummyRequest())

        assert forgotten == []
示例#40
from h.auth.policy import TokenAuthenticationPolicy
from h.auth.util import default_authority, groupfinder
from h.security import derive_key

# Only the two composite policies are exported; the building blocks below stay
# module-internal as far as `from ... import *` is concerned.
__all__ = (
    'DEFAULT_POLICY',
    'WEBSOCKET_POLICY',
)

log = logging.getLogger(__name__)

# Takes the user identity from the HTTP_X_FORWARDED_USER WSGI environ key, i.e.
# the X-Forwarded-User request header.
# NOTE(review): any client can send that header, so this policy is only safe
# when every request passes through a trusted proxy that strips or overwrites
# it. It is not used by the assignments visible here; presumably includeme()
# (cut off in this listing) switches to it based on configuration.
PROXY_POLICY = RemoteUserAuthenticationPolicy(
    environ_key='HTTP_X_FORWARDED_USER', callback=groupfinder)
TICKET_POLICY = pyramid_authsanity.AuthServicePolicy()

# Token-based user authentication; groupfinder is the callback that has to
# accept the userid before it counts as authenticated.
TOKEN_POLICY = TokenAuthenticationPolicy(callback=groupfinder)
AUTH_CLIENT_POLICY = AuthClientPolicy()

# API requests: users via TOKEN_POLICY, clients via AUTH_CLIENT_POLICY. How the
# two are combined is decided inside APIAuthenticationPolicy (not shown here).
API_POLICY = APIAuthenticationPolicy(user_policy=TOKEN_POLICY,
                                     client_policy=AUTH_CLIENT_POLICY)

# Default policy: the API policy with the ticket policy as fallback.
DEFAULT_POLICY = AuthenticationPolicy(api_policy=API_POLICY,
                                      fallback_policy=TICKET_POLICY)
# The websocket policy is the very same object as TOKEN_POLICY: tokens only,
# with no ticket fallback.
WEBSOCKET_POLICY = TOKEN_POLICY


def includeme(config):
    global DEFAULT_POLICY
    global WEBSOCKET_POLICY

    # Set up authsanity
示例#41
文件: policy_test.py 项目: djcun95/h
    def test_unauthenticated_userid_is_none_if_header_incorrectly_formatted(self, pyramid_request, value):
        """A badly formatted Authorization header produces no userid.

        ``value`` is provided from outside this listing, presumably by a
        parametrize decorator enumerating malformed headers.
        """
        pyramid_request.headers = {'Authorization': value}
        token_policy = TokenAuthenticationPolicy()

        userid = token_policy.unauthenticated_userid(pyramid_request)

        assert userid is None