def test_it_sets_client_authority_principal(self, auth_client):
    """The principals for a client include a ``client_authority:<authority>`` entry."""
    expected = "client_authority:{authority}".format(authority=auth_client.authority)
    assert expected in util.principals_for_auth_client(auth_client)
def test_it_sets_client_authority_principal(self, auth_client):
    """The principals for a client include a ``client_authority:<authority>`` entry."""
    expected = "client_authority:{authority}".format(authority=auth_client.authority)
    assert expected in util.principals_for_auth_client(auth_client)
def test_it_sets_auth_client_principal(self, auth_client):
    """The principals for a client name the client as ``client:<id>@<authority>``."""
    expected = "client:{client_id}@{authority}".format(
        client_id=auth_client.id, authority=auth_client.authority
    )
    assert expected in util.principals_for_auth_client(auth_client)
def test_it_sets_auth_client_principal(self, auth_client):
    """The principals for a client name the client as ``client:<id>@<authority>``."""
    expected = "client:{client_id}@{authority}".format(
        client_id=auth_client.id, authority=auth_client.authority
    )
    assert expected in util.principals_for_auth_client(auth_client)
def check(username, password, request):
    """
    Return the principals granted by these credentials, or None on failure.

    The Basic-auth ``username``/``password`` pair is treated as an auth_client
    id and secret and verified against the AuthClient record in the DB before
    anything else is trusted; a client that does not verify yields None.

    When the request carries an ``X-Forwarded-User`` header the client is
    asking to act on behalf of that user (a
    :py:attr:`h.models.user.User.userid`). The named user must resolve via the
    user service and belong to the same authority as the auth_client, or
    authentication fails, so the header cannot be used to act for a user
    outside the client's own authority.

    :param username: username parsed out of Authorization header (Basic)
    :param password: password parsed out of Authorization header (Basic)
    :param request: the current request; supplies ``db`` and ``find_service``
    :returns: additional principals for the auth_client or None
    :rtype: list or None
    """
    # Nothing below runs unless the credentials match a stored AuthClient.
    client = util.verify_auth_client(username, password, request.db)
    if client is None:
        return None

    forwarded_userid = AuthClientPolicy._forwarded_userid(request)
    if forwarded_userid is None:
        # Plain client authentication: nobody is being acted for.
        return util.principals_for_auth_client(client)

    user_service = request.find_service(name="user")
    try:
        user = user_service.fetch(forwarded_userid)
    except ValueError:
        # fetch() raises ValueError for a malformed userid; treat as a failed login.
        return None

    # The forwarded user must exist and share the client's authority.
    if not (user and user.authority == client.authority):
        return None
    return util.principals_for_auth_client_user(user, client)
def check(username, password, request):
    """
    Return the principals granted by these credentials, or None on failure.

    The Basic-auth ``username``/``password`` pair is treated as an auth_client
    id and secret and verified against the AuthClient record in the DB before
    anything else is trusted; a client that does not verify yields None.

    When the request carries an ``X-Forwarded-User`` header the client is
    asking to act on behalf of that user (a
    :py:attr:`h.models.user.User.userid`). The named user must resolve via the
    user service and belong to the same authority as the auth_client, or
    authentication fails, so the header cannot be used to act for a user
    outside the client's own authority.

    :param username: username parsed out of Authorization header (Basic)
    :param password: password parsed out of Authorization header (Basic)
    :param request: the current request; supplies ``db`` and ``find_service``
    :returns: additional principals for the auth_client or None
    :rtype: list or None
    """
    # Nothing below runs unless the credentials match a stored AuthClient.
    client = util.verify_auth_client(username, password, request.db)
    if client is None:
        return None

    forwarded_userid = AuthClientPolicy._forwarded_userid(request)
    if forwarded_userid is None:
        # Plain client authentication: nobody is being acted for.
        return util.principals_for_auth_client(client)

    user_service = request.find_service(name="user")
    try:
        user = user_service.fetch(forwarded_userid)
    except ValueError:
        # fetch() raises ValueError for a malformed userid; treat as a failed login.
        return None

    # The forwarded user must exist and share the client's authority.
    if not (user and user.authority == client.authority):
        return None
    return util.principals_for_auth_client_user(user, client)
def test_it_returns_principals_as_list(self, auth_client):
    """principals_for_auth_client returns a plain list, not another container."""
    assert isinstance(util.principals_for_auth_client(auth_client), list)
def test_it_does_not_set_user_role(self, auth_client):
    """A client authenticating on its own behalf is not granted the User role."""
    granted = util.principals_for_auth_client(auth_client)
    assert not (role.User in granted)
def test_it_sets_authclient_role(self, auth_client):
    """A client authenticating on its own behalf is granted the AuthClient role."""
    granted = util.principals_for_auth_client(auth_client)
    assert role.AuthClient in granted
def test_it_returns_principals_as_list(self, auth_client):
    """principals_for_auth_client returns a plain list, not another container."""
    assert isinstance(util.principals_for_auth_client(auth_client), list)
def test_it_does_not_set_user_role(self, auth_client):
    """A client authenticating on its own behalf is not granted the User role."""
    granted = util.principals_for_auth_client(auth_client)
    assert not (role.User in granted)
def test_it_sets_authclient_role(self, auth_client):
    """A client authenticating on its own behalf is granted the AuthClient role."""
    granted = util.principals_for_auth_client(auth_client)
    assert role.AuthClient in granted