示例#1
0
    def test_authenticate_invalid_user(self):
        def error(*args):
            raise ValueError("Invalid Signature")

        self.replacer.replace("nexus.token_utils.validate_token", error)
        client = Client(self.config)
        self.assertFalse(client.authenticate_user("this is a bad token"))
示例#2
0
    def test_authenticate_valid_user(self):
        username = "******"

        def auth(*args, **kwargs):
            return username

        self.replacer.replace("nexus.token_utils.validate_token", auth)
        client = Client(self.config)
        self.assertEqual(username, client.authenticate_user("this is a good token"))
示例#3
0
    def test_get_access_token(self):
        from nexus.token_utils import DictObj

        expected_expiry = datetime.datetime.utcnow() + datetime.timedelta(minutes=5)
        expected_expiry = time.mktime(expected_expiry.timetuple())
        result = {"access_token": 1234567, "refresh_token": 7654321, "expires_in": 5 * 60}

        def dummy_get_access_token(client_id, client_secret, auth_code, auth_uri):
            self.assertEqual("my token", auth_code)
            self.assertEqual(self.config["api_key"], client_id)
            self.assertEqual(self.config["api_secret"], client_secret)
            return DictObj(result)

        self.replacer.replace("nexus.client.token_utils.request_access_token", dummy_get_access_token)
        client = Client(self.config)
        access_token, refresh_token, expiry = client.get_access_token_from_code("my token")
        self.assertEqual(1234567, access_token)
        self.assertEqual(7654321, refresh_token)
        self.assertEqual(expected_expiry, expiry)
示例#4
0
    def test_full_authenticate_user(self):
        import rsa

        pubkey, privkey = rsa.newkeys(512)

        def get_cert(*args, **kwargs):
            return namedtuple("Request", ["content"])(json.dumps({"pubkey": pubkey.save_pkcs1()}))

        self.replacer.replace("requests.get", get_cert)
        token = "un=test|SigningSubject=https://graph.api.globusonline.org/goauth/keys/test1|expiry={0}"
        expires = datetime.datetime.utcnow() + datetime.timedelta(minutes=5)
        token = token.format(time.mktime(expires.timetuple()))
        sig = rsa.sign(token, privkey, "SHA-1")
        hex_sig = binascii.hexlify(sig)
        token = "{0}|sig={1}".format(token, hex_sig)
        client = Client(self.config)
        self.assertTrue(client.authenticate_user(token))
        sig = sig + "f"
        hex_sig = binascii.hexlify(sig)
        token = "{0}|sig={1}".format(token, hex_sig)
        self.assertFalse(client.authenticate_user(token))
示例#5
0
import os.path
from getpass import getpass
from nexus import Client

# First instantiate a client object either with a dictionary or with a yaml file
pwd = os.path.dirname(__file__)
client = Client(config_file=os.path.join(pwd, 'sample.yml'))
# Generate a url for the end user to use to authorize this client/authenticate.
url = client.generate_request_url()
print "Please authenticate using the following url"
print url
token = raw_input("Please copy the resulting code here: ")
# At this point the end user needs to authenticate with the supplied url.  The
# easiest way to do this is: curl -k --user test:test1 "<supplied_url>".  The
# result will contain the token in the "code" field.  Paste that here.

# Validate the token:
user = client.authenticate_user(token)
if user is not None:
    print "Yup, you are {0}".format(user)
else:
    print "That is not a valid authorization code"


#Get an access key for yourself using rsa:
print client.request_client_credential(user, lambda: getpass("Private Key Password"))

print "Get a request token using rsa authentication"
print client.rsa_get_request_token(user, lambda: getpass("Private Key Password"))
示例#6
0
 def test_generate_request_url(self):
     client = Client(self.config)
     expected = "https://graph.api.globusonline.org/goauth/authorize?response_type=code&client_id=I+am+not+a+key"
     self.assertEqual(expected, client.generate_request_url())
示例#7
0
class OAuth2Middleware(AuthenticationMiddleware):
    """
    Two Legged OAuth authenticator. 
    
    This Authentication method checks for a provided HTTP_AUTHORIZATION
    and looks up to see if this is a valid OAuth Consumer
    """

    # Authentication server
    # Create a Python Globus client
    client = Client(
        config_file=os.path.join(os.path.dirname(__file__), 'nexus/nexus.yml'))

    try:
        authsvc = "https://%s/" % client.config['server']
    except:
        authsvc = 'https://nexus.api.globusonline.org/'

    # Set the salt used for computing a session hash from the signature hash
    salt = "(African || European)?"

    def __init__(self, realm='API'):
        self.realm = realm
        self.user = None
        self.http = httplib2.Http(disable_ssl_certificate_validation=True)
        # The shortcut option will bypass token validation if we already have a django session
        self.shortcut = False

    def process_request(self, request):
        """
        Verify 2-legged oauth request. Parameters accepted as
        values in "Authorization" header, or as a GET request
        or in a POST body.
        """
        # AuthenticationMiddleware is required so that request.user exists.
        if not hasattr(request, 'user'):
            raise ImproperlyConfigured(
                "The Django remote user auth middleware requires the"
                " authentication middleware to be installed.  Edit your"
                " MIDDLEWARE_CLASSES setting to insert"
                " 'django.contrib.auth.middleware.AuthenticationMiddleware'"
                " before the RemoteUserMiddleware class.")
        try:
            if 'HTTP_AUTHORIZATION' in request.META:
                auth_header = request.META.get('HTTP_AUTHORIZATION')
            else:
                logging.debug("No authorization header found.")
                return None
            # Extract the token based on whether it is an OAuth or Bearer
            # token
            if auth_header[:6] == 'OAuth ':
                token = auth_header[6:]
            elif auth_header[:7] == 'Bearer ':
                token = auth_header[7:]
            else:
                logging.info(
                    "Authorization header did not contain OAuth or Bearer type token"
                )
                return None
            # Push the token into the META for future reference
            request.META['KBASEtoken'] = token
            if (request.user.is_authenticated() and self.shortcut):
                return

            user_id = OAuth2Middleware.client.authenticate_user(token)
            if not user_id:
                logging.error("Authentication token failed validation")
                return None
            else:
                logging.info("Validated as user " + user_id)
            token_map = {}
            for entry in token.split('|'):
                key, value = entry.split('=')
                token_map[key] = value
            profile = self.get_profile(token)
            if (profile == None):
                logging.error(
                    "Token validated, but could not retrieve user profile")
                return None
            # For now, compute a sessionid based on hashing the
            # the signature with the salt
            request.META['KBASEsessid'] = hashlib.sha256(
                token_map['sig'] + OAuth2Middleware.salt).hexdigest()
            # Add in some useful details that came in from the token validation
            request.META['KBASEprofile'] = profile
            # See if the username is already associated with any currently logged
            # in user, if so just pass over the rest
            # Raises exception if it doesn't pass
            user = authenticate(remote_user=profile['username'])
            if user:
                request.user = user
                # For now, compute a sessionid based on hashing the
                # the signature with the salt
                request.META['KBASEsessid'] = hashlib.sha256(
                    token_map['sig'] + OAuth2Middleware.salt).hexdigest()
                print pformat(request.META['KBASEsessid'])
                # Add in some useful details that came in from the token validation
                request.META['KBASEprofile'] = profile
                login(request, user)
            else:
                logging.error(
                    "Failed to return user from call to authenticate() with username "
                    + profile['username'])
        except KeyError, e:
            logging.exception("KeyError in TwoLeggedOAuthMiddleware: %s" % e)
            request.user = AnonymousUser()
        except Exception, e:
            logging.exception("Error in TwoLeggedOAuthMiddleware: %s" % e)