class TestAuthzDiscovery(object): """Tests to check whether the authorization controls are found correctly.""" def setUp(self): self.log_fixture = LoggingHandlerFixture() def tearDown(self): self.log_fixture.undo() def test_global_acl_collection_and_secured_apps(self): mw = RepozeWhatMiddleware() # Checking that the global ACL collection was picked: from tests.fixtures.sampledjango.authz import control eq_(control, mw.acl_collection) # Checking that the app-specific controls were picked: from tests.fixtures.sampledjango.app1.authz import control as control1 from tests.fixtures.sampledjango.app2.authz import control as control2 ok_(control1 in mw.acl_collection._acls) ok_(control2 in mw.acl_collection._acls) # Checking the logs: eq_(len(self.log_fixture.handler.messages['info']), 1) eq_(self.log_fixture.handler.messages['info'][0], ("The following applications are secured: " "tests.fixtures.sampledjango.app1, " "tests.fixtures.sampledjango.app2") )
class TestAuthorizationDeniedInView(object): """ Authorization denied in the views must be dealt with properly. This is the test case for RepozeWhatMiddleware.process_exception() """ def setUp(self): self.middleware = RepozeWhatMiddleware() self.log_fixture = LoggingHandlerFixture() def tearDown(self): self.log_fixture.undo() def test_authorization_denied_with_custom_handler(self): """ When authorization is denied with a custom handler, it must be used """ request = Request({'PATH_INFO': "/"}, make_user(None)) exception = _AuthorizationDenial( "Nothing", lambda request, message: "No! %s" % message ) response = self.middleware.process_exception(request, exception) eq_(response, "No! Nothing") # Checking the logs: eq_(len(self.log_fixture.handler.messages['warning']), 1) eq_(self.log_fixture.handler.messages['warning'][0], "Authorization denied to %s in the view at /: Nothing" % repr(request.user)) eq_(len(self.log_fixture.handler.messages['debug']), 0) def test_authorization_denied_without_custom_handler(self): """ When authorization is denied with no custom handler, the default one must be used. """ request = Request({}, make_user(None)) exception = _AuthorizationDenial("You can't be here", None) response = self.middleware.process_exception(request, exception) eq_(response.status_code, 401) # Checking the logs: eq_(len(self.log_fixture.handler.messages['warning']), 1) eq_(self.log_fixture.handler.messages['warning'][0], "Authorization denied to %s in the view at /: You can't be here" % repr(request.user)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "Using the default denial handler") def test_another_exception(self): """process_exception() must do nothing if not given a denial handler.""" request = Request({}, make_user(None)) exception = Exception() response = self.middleware.process_exception(request, exception) eq_(response, None)
class TestAuthorizationDeniedInView(object): """ Authorization denied in the views must be dealt with properly. This is the test case for RepozeWhatMiddleware.process_exception() """ def setUp(self): self.middleware = RepozeWhatMiddleware() self.log_fixture = LoggingHandlerFixture() def tearDown(self): self.log_fixture.undo() def test_authorization_denied_with_custom_handler(self): """ When authorization is denied with a custom handler, it must be used """ request = Request({'PATH_INFO': "/"}, make_user(None)) exception = _AuthorizationDenial( "Nothing", lambda request, message: "No! %s" % message) response = self.middleware.process_exception(request, exception) eq_(response, "No! Nothing") # Checking the logs: eq_(len(self.log_fixture.handler.messages['warning']), 1) eq_( self.log_fixture.handler.messages['warning'][0], "Authorization denied to %s in the view at /: Nothing" % repr(request.user)) eq_(len(self.log_fixture.handler.messages['debug']), 0) def test_authorization_denied_without_custom_handler(self): """ When authorization is denied with no custom handler, the default one must be used. """ request = Request({}, make_user(None)) exception = _AuthorizationDenial("You can't be here", None) response = self.middleware.process_exception(request, exception) eq_(response.status_code, 401) # Checking the logs: eq_(len(self.log_fixture.handler.messages['warning']), 1) eq_( self.log_fixture.handler.messages['warning'][0], "Authorization denied to %s in the view at /: You can't be here" % repr(request.user)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "Using the default denial handler") def test_another_exception(self): """process_exception() must do nothing if not given a denial handler.""" request = Request({}, make_user(None)) exception = Exception() response = self.middleware.process_exception(request, exception) eq_(response, None)
class TestAuthzDiscovery(object): """Tests to check whether the authorization controls are found correctly.""" def setUp(self): self.log_fixture = LoggingHandlerFixture() def tearDown(self): self.log_fixture.undo() def test_global_acl_collection_and_secured_apps(self): mw = RepozeWhatMiddleware() # Checking that the global ACL collection was picked: from tests.fixtures.sampledjango.authz import control eq_(control, mw.acl_collection) # Checking that the app-specific controls were picked: from tests.fixtures.sampledjango.app1.authz import control as control1 from tests.fixtures.sampledjango.app2.authz import control as control2 ok_(control1 in mw.acl_collection._acls) ok_(control2 in mw.acl_collection._acls) # Checking the logs: eq_(len(self.log_fixture.handler.messages['info']), 1) eq_(self.log_fixture.handler.messages['info'][0], ("The following applications are secured: " "tests.fixtures.sampledjango.app1, " "tests.fixtures.sampledjango.app2"))
class TestCanAccess(object): """Tests for the can_access() function.""" def setUp(self): # Let's set up the environment for this mock request: mw = RepozeWhatMiddleware() self.request = Request({'PATH_INFO': "/"}, make_user(None)) mw.process_view(self.request, None, None, None) # Let's enabled logging after the middleware has been set: self.log_fixture = LoggingHandlerFixture() def tearDown(self): self.log_fixture.undo() def test_no_authz_decision_made(self): """Authorization would be granted if no decision was made.""" ok_(can_access("/app2/nothing", self.request)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_( self.log_fixture.handler.messages['debug'][0], "Authorization would be granted on ingress to %s at /app2/nothing" % repr(self.request.user)) def test_authz_granted(self): """Authorization would be granted if it's granted!.""" ok_(can_access("/app1/blog", self.request)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_( self.log_fixture.handler.messages['debug'][0], "Authorization would be granted on ingress to %s at /app1/blog" % repr(self.request.user)) def test_authz_denied(self): """Authorization would be denied if it's denied!.""" assert_false(can_access("/app1/admin", self.request)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_( self.log_fixture.handler.messages['debug'][0], "Authorization would be denied on ingress to %s at /app1/admin" % repr(self.request.user)) def test_non_existing_path(self): """ Django's Resolver404 exception must be raised if the path doesn't exist. """ assert_raises(Resolver404, can_access, "/app1/non-existing", self.request) def test_authz_granted_with_view_resolved(self): """ The view shouldn't be resolved if we are passing the view by hand. """ positional_args = () named_args = {} ok_( can_access("/app1/blog", self.request, mock_view, positional_args, named_args)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_( self.log_fixture.handler.messages['debug'][0], "Authorization would be granted on ingress to %s at /app1/blog" % repr(self.request.user)) def test_authz_denied_with_view_resolved(self): """ The view shouldn't be resolved if we are passing the view by hand. """ positional_args = () named_args = {} assert_false( can_access("/app1/admin", self.request, mock_view, positional_args, named_args)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_( self.log_fixture.handler.messages['debug'][0], "Authorization would be denied on ingress to %s at /app1/admin" % repr(self.request.user))
class TestAuthorizationEnforcement(object): """Tests for the process_view() routine.""" def setUp(self): self.middleware = RepozeWhatMiddleware() self.log_fixture = LoggingHandlerFixture() def tearDown(self): self.log_fixture.undo() def test_environment_is_setup(self): """The WSGI environment must be set up before processing the view.""" environ = {'PATH_INFO': "/app2/nothing"} request = Request(environ, make_user(None)) self.middleware.process_view(request, object(), (), {}) ok_("repoze.what.credentials" in request.environ) def test_no_authz_decision_made(self): """Nothing must be done if no decision was made.""" environ = {'PATH_INFO': "/app2/nothing"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, None) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "No authorization decision made on ingress at /app2/nothing") def test_authz_granted(self): """When authorization is granted nothing must be done.""" environ = {'PATH_INFO': "/app1/blog"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, None) eq_(len(self.log_fixture.handler.messages['info']), 1) eq_( self.log_fixture.handler.messages['info'][0], "Authorization granted to %s on ingress at /app1/blog" % repr(request.user)) def test_authorization_denied_without_custom_denial_handler(self): """ When authorization is denied without a custom denial handler, the default one must be user. """ environ = {'PATH_INFO': "/app2/secret"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) ok_(isinstance(response, HttpResponse)) # Checking the logs: eq_(len(self.log_fixture.handler.messages['warning']), 1) eq_( self.log_fixture.handler.messages['warning'][0], "Authorization denied on ingress to %s at /app2/secret: %s" % (repr(request.user), "This is a secret")) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "No custom denial handler defined; using the default one") def test_authorization_denied_with_custom_denial_handler(self): """ Authorization must be denied with a custom denial handler, if available. """ environ = {'PATH_INFO': "/app1/admin"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, "No! Get out!") # Checking the logs: eq_(len(self.log_fixture.handler.messages['warning']), 1) eq_( self.log_fixture.handler.messages['warning'][0], "Authorization denied on ingress to %s at /app1/admin: Get out!" % repr(request.user)) eq_(len(self.log_fixture.handler.messages['debug']), 0) def test_middleware_skips_media_dir(self): """The middleware must do nothing in the media directory.""" environ = {'PATH_INFO': "/media/photo.jpg"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, None) # The environment must not have been set up for repoze.what: ok_("repoze.what.credentials" not in request.environ) # Checking the logs: eq_(len(self.log_fixture.handler.messages['info']), 0) eq_(len(self.log_fixture.handler.messages['warning']), 0) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_( self.log_fixture.handler.messages['debug'][0], "Authorization checks disabled for media file at /media/photo.jpg") def test_middleware_skips_media_admin_dir(self): """The middleware must do nothing in the media admin directory.""" environ = {'PATH_INFO': "/admin-media/photo"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, None) # The environment must not have been set up for repoze.what: ok_("repoze.what.credentials" not in request.environ) # Checking the logs: eq_(len(self.log_fixture.handler.messages['info']), 0) eq_(len(self.log_fixture.handler.messages['warning']), 0) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_( self.log_fixture.handler.messages['debug'][0], "Authorization checks disabled for media file at /admin-media/photo" )
class TestAuthorizationEnforcement(object): """Tests for the process_view() routine.""" def setUp(self): self.middleware = RepozeWhatMiddleware() self.log_fixture = LoggingHandlerFixture() def tearDown(self): self.log_fixture.undo() def test_environment_is_setup(self): """The WSGI environment must be set up before processing the view.""" environ = {'PATH_INFO': "/app2/nothing"} request = Request(environ, make_user(None)) self.middleware.process_view(request, object(), (), {}) ok_("repoze.what.credentials" in request.environ) def test_no_authz_decision_made(self): """Nothing must be done if no decision was made.""" environ = {'PATH_INFO': "/app2/nothing"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, None) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "No authorization decision made on ingress at /app2/nothing") def test_authz_granted(self): """When authorization is granted nothing must be done.""" environ = {'PATH_INFO': "/app1/blog"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, None) eq_(len(self.log_fixture.handler.messages['info']), 1) eq_(self.log_fixture.handler.messages['info'][0], "Authorization granted to %s on ingress at /app1/blog" % repr(request.user)) def test_authorization_denied_without_custom_denial_handler(self): """ When authorization is denied without a custom denial handler, the default one must be user. """ environ = {'PATH_INFO': "/app2/secret"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) ok_(isinstance(response, HttpResponse)) # Checking the logs: eq_(len(self.log_fixture.handler.messages['warning']), 1) eq_(self.log_fixture.handler.messages['warning'][0], "Authorization denied on ingress to %s at /app2/secret: %s" % (repr(request.user), "This is a secret")) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "No custom denial handler defined; using the default one") def test_authorization_denied_with_custom_denial_handler(self): """ Authorization must be denied with a custom denial handler, if available. """ environ = {'PATH_INFO': "/app1/admin"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, "No! Get out!") # Checking the logs: eq_(len(self.log_fixture.handler.messages['warning']), 1) eq_(self.log_fixture.handler.messages['warning'][0], "Authorization denied on ingress to %s at /app1/admin: Get out!" % repr(request.user)) eq_(len(self.log_fixture.handler.messages['debug']), 0) def test_middleware_skips_media_dir(self): """The middleware must do nothing in the media directory.""" environ = {'PATH_INFO': "/media/photo.jpg"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, None) # The environment must not have been set up for repoze.what: ok_("repoze.what.credentials" not in request.environ) # Checking the logs: eq_(len(self.log_fixture.handler.messages['info']), 0) eq_(len(self.log_fixture.handler.messages['warning']), 0) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "Authorization checks disabled for media file at /media/photo.jpg") def test_middleware_skips_media_admin_dir(self): """The middleware must do nothing in the media admin directory.""" environ = {'PATH_INFO': "/admin-media/photo"} request = Request(environ, make_user(None)) response = self.middleware.process_view(request, object(), (), {}) eq_(response, None) # The environment must not have been set up for repoze.what: ok_("repoze.what.credentials" not in request.environ) # Checking the logs: eq_(len(self.log_fixture.handler.messages['info']), 0) eq_(len(self.log_fixture.handler.messages['warning']), 0) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "Authorization checks disabled for media file at /admin-media/photo")
class TestCanAccess(object): """Tests for the can_access() function.""" def setUp(self): # Let's set up the environment for this mock request: mw = RepozeWhatMiddleware() self.request = Request({'PATH_INFO': "/"}, make_user(None)) mw.process_view(self.request, None, None, None) # Let's enabled logging after the middleware has been set: self.log_fixture = LoggingHandlerFixture() def tearDown(self): self.log_fixture.undo() def test_no_authz_decision_made(self): """Authorization would be granted if no decision was made.""" ok_(can_access("/app2/nothing", self.request)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "Authorization would be granted on ingress to %s at /app2/nothing" % repr(self.request.user)) def test_authz_granted(self): """Authorization would be granted if it's granted!.""" ok_(can_access("/app1/blog", self.request)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "Authorization would be granted on ingress to %s at /app1/blog" % repr(self.request.user)) def test_authz_denied(self): """Authorization would be denied if it's denied!.""" assert_false(can_access("/app1/admin", self.request)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "Authorization would be denied on ingress to %s at /app1/admin" % repr(self.request.user)) def test_non_existing_path(self): """ Django's Resolver404 exception must be raised if the path doesn't exist. """ assert_raises(Resolver404, can_access, "/app1/non-existing", self.request) def test_authz_granted_with_view_resolved(self): """ The view shouldn't be resolved if we are passing the view by hand. """ positional_args = () named_args = {} ok_(can_access("/app1/blog", self.request, mock_view, positional_args, named_args)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "Authorization would be granted on ingress to %s at /app1/blog" % repr(self.request.user)) def test_authz_denied_with_view_resolved(self): """ The view shouldn't be resolved if we are passing the view by hand. """ positional_args = () named_args = {} assert_false(can_access("/app1/admin", self.request, mock_view, positional_args, named_args)) eq_(len(self.log_fixture.handler.messages['debug']), 1) eq_(self.log_fixture.handler.messages['debug'][0], "Authorization would be denied on ingress to %s at /app1/admin" % repr(self.request.user))