def test_logout_clears_session(self):
    """Logging out deactivates the superuser and removes its session record."""
    req = self.build_request()
    su = Superuser(req, allowed_ips=(), current_datetime=self.current_datetime)
    su.set_logged_out()
    assert not su.is_active
    # the session entry under SESSION_KEY must be gone as well
    assert not req.session.get(SESSION_KEY)
def test_login_saves_session(self):
    """set_logged_in writes the superuser record under SESSION_KEY.

    The record alone is not enough: the superuser is only reported active
    once request.user is the user that was logged in.
    """
    now = self.current_datetime
    user = self.create_user('*****@*****.**', is_superuser=True)
    req = self.make_request()
    su = Superuser(req, allowed_ips=(), current_datetime=now)
    su.set_logged_in(user, current_datetime=now)
    # request.user is still the default (not ``user``), so not active yet
    assert not su.is_active
    req.user = user
    assert su.is_active
    stored = req.session.get(SESSION_KEY)
    assert stored
    expected = {
        'exp': (now + MAX_AGE).strftime('%s'),
        'idl': (now + IDLE_MAX_AGE).strftime('%s'),
        'uid': six.text_type(user.id),
    }
    for key, value in expected.items():
        assert stored[key] == value
    # the session token is a fixed-length random value
    assert len(stored['tok']) == 12
def test_sso(self):
    """Org-scoped superuser access additionally requires a completed SSO.

    Without an org_id, login alone activates the superuser; with an org_id
    it stays inactive until mark_sso_complete() has been called for that org.
    """
    user = User(is_superuser=True)
    req = self.make_request(user=user)

    def login_is_active(org_id):
        su = Superuser(req, org_id=org_id)
        su.set_logged_in(req.user)
        return su.is_active

    # no org scope: login is sufficient
    assert login_is_active(None) is True
    # org scope, SSO not yet completed for org 1
    assert login_is_active(1) is False
    mark_sso_complete(req, 1)
    assert login_is_active(1) is True
def test_ips(self):
    """allowed_ips restricts superuser activation to the client address.

    An empty tuple means any host; otherwise REMOTE_ADDR must be listed.
    """
    user = User(is_superuser=True)
    req = self.make_request(user=user)
    req.META['REMOTE_ADDR'] = '10.0.0.1'

    def login_is_active(allowed_ips):
        su = Superuser(req, allowed_ips=allowed_ips)
        su.set_logged_in(req.user)
        return su.is_active

    # no ips = any host
    assert login_is_active(()) is True
    # client address not in the allow-list
    assert login_is_active(('127.0.0.1',)) is False
    assert login_is_active(('10.0.0.1',)) is True
def make_request(self, user=None, auth=None, method=None):
    """Build a minimal HttpRequest wired up with the test session and a Superuser.

    Args:
        user: stored as request.user; falls back to AnonymousUser() when falsy.
        auth: stored as request.auth unchanged.
        method: HTTP method; request.method is left untouched when falsy.

    Returns:
        The prepared HttpRequest.
    """
    req = HttpRequest()
    if method:
        req.method = method
    req.META.update({
        'REMOTE_ADDR': '127.0.0.1',
        'SERVER_NAME': 'testserver',
        'SERVER_PORT': 80,
    })
    req.REQUEST = {}
    # order matters: session, then user, then everything that depends on them
    req.session = self.session
    req.auth = auth
    req.user = user if user else AnonymousUser()
    req.superuser = Superuser(req)
    req.is_superuser = lambda: req.superuser.is_active
    req.successful_authenticator = None
    return req
def process_request(self, request):
    """Attach a Superuser to the request and log requests made with it active.

    Paths under settings.ANONYMOUS_STATIC_PREFIXES are skipped entirely so the
    user session is never touched; touching it would add ``Vary: Cookie`` and
    break HTTP caching for those responses.
    """
    static_prefixes = settings.ANONYMOUS_STATIC_PREFIXES
    self.__skip_caching = request.path_info.startswith(static_prefixes)
    if self.__skip_caching:
        return
    request.superuser = Superuser(request)
    request.is_superuser = lambda: request.superuser.is_active
    if not request.superuser.is_active:
        return
    # Audit record of every request served with superuser privileges.
    # NOTE(review): REMOTE_ADDR is whatever the WSGI layer supplies; behind a
    # reverse proxy that may be the proxy's address -- confirm for deployments.
    logger.info('superuser.request', extra={
        'url': request.build_absolute_uri(),
        'method': request.method,
        'ip_address': request.META['REMOTE_ADDR'],
        'user_id': request.user.id,
    })
def test_idle_expired(self):
    """A session whose idle deadline is already reached is not active."""
    req = self.build_request(idle_expires=self.current_datetime)
    su = Superuser(req, allowed_ips=())
    assert su.is_active is False
def test_invalid_uid(self):
    """A session record whose uid does not match the user is not active."""
    req = self.build_request(uid=-1)
    su = Superuser(req, allowed_ips=())
    assert su.is_active is False
def test_missing_data(self):
    """No superuser session record at all means not active."""
    req = self.build_request(session_data=False)
    su = Superuser(req, allowed_ips=())
    assert su.is_active is False
def test_invalid_session_token(self):
    """A session token that does not match the cookie token is rejected."""
    req = self.build_request(session_token="foobar")
    su = Superuser(req, allowed_ips=())
    assert su.is_active is False
def test_missing_cookie(self):
    """Without the superuser cookie the session record alone is not enough."""
    req = self.build_request(cookie_token=None)
    su = Superuser(req, allowed_ips=())
    assert su.is_active is False
def test_valid_data(self):
    """The default request built by build_request() yields an active superuser."""
    req = self.build_request()
    su = Superuser(req, allowed_ips=())
    assert su.is_active is True
def request(
    self,
    method,
    path,
    user=None,
    auth=None,
    params=None,
    data=None,
    is_sudo=None,
    is_superuser=None,
    request=None,
):
    """Dispatch an API call in-process through the resolved view.

    Either ``request`` (an existing request whose auth, user, session,
    superuser and REMOTE_ADDR are reused) or ``user``/``auth`` may be given,
    never both. ``params`` are merged into GET and ``data`` into POST after a
    JSON round-trip. Note that only ``is_superuser is None`` is consulted:
    any other value replaces the borrowed Superuser with a fresh one built
    on the mock request, the value itself is not used.

    Returns:
        The view's response when its status is 2xx or 3xx.

    Raises:
        self.ApiError: with the status code and response data otherwise.
    """
    full_path = path if self.prefix in path else self.prefix + path
    # overriding the request *and* the user would also require overriding
    # derived checks such as is_superuser, so only one of them is accepted
    assert not (request and (user or auth)), "use either request or auth"
    callback, callback_args, callback_kwargs = resolve(full_path)
    if data:
        # round-trip through JSON so the payload matches what a client would send
        data = json.loads(json.dumps(data))
    build = getattr(APIRequestFactory(), method.lower())
    mock_request = build(full_path, data or {})
    # Tells the API class to trust the auth attached below instead of running
    # its normal authentication -- this is what makes the helper test-only.
    mock_request.__from_api_client__ = True
    if request:
        mock_request.auth = getattr(request, "auth", None)
        mock_request.user = request.user
        if is_sudo is None:
            mock_request.is_sudo = lambda: request.is_sudo()
        else:
            mock_request.is_sudo = lambda: is_sudo
        mock_request.session = request.session
        mock_request.superuser = (
            request.superuser if is_superuser is None else Superuser(mock_request)
        )
    else:
        mock_request.auth = auth
        mock_request.user = user
        mock_request.is_sudo = lambda: is_sudo
        mock_request.session = {}
        mock_request.superuser = Superuser(mock_request)
    mock_request.is_superuser = lambda: mock_request.superuser.is_active
    if request:
        # the superuser check consults the client IP, so carry it over
        mock_request.META["REMOTE_ADDR"] = request.META["REMOTE_ADDR"]
    force_authenticate(mock_request, user, auth)
    for querydict, values in ((mock_request.GET, params), (mock_request.POST, data)):
        if values:
            querydict._mutable = True
            querydict.update(values)
            querydict._mutable = False
    response = callback(mock_request, *callback_args, **callback_kwargs)
    if 200 <= response.status_code < 400:
        return response
    raise self.ApiError(response.status_code, response.data)
def test_is_not_active_superuser(self):
    """is_active_superuser() reports False when the request's Superuser is inactive."""
    req = self.build_request()
    req.superuser = Superuser(req, allowed_ips=())
    # force the cached state rather than relying on session contents
    req.superuser._is_active = False
    assert not is_active_superuser(req)
def test_ips(self):
    """allowed_ips restricts superuser activation to the client address.

    An empty tuple means any host; otherwise REMOTE_ADDR must be listed.
    """
    user = User(is_superuser=True)
    req = self.make_request(user=user)
    req.META["REMOTE_ADDR"] = "10.0.0.1"

    def login_is_active(allowed_ips):
        su = Superuser(req, allowed_ips=allowed_ips)
        su.set_logged_in(req.user)
        return su.is_active

    # no ips = any host
    assert login_is_active(()) is True
    # client address not in the allow-list
    assert login_is_active(("127.0.0.1", )) is False
    assert login_is_active(("10.0.0.1", )) is True
def test_invalid_cookie_token(self):
    """A cookie token that does not match the session token is rejected."""
    req = self.build_request(cookie_token='foobar')
    su = Superuser(req, allowed_ips=())
    assert su.is_active is False