def test_permits_if_user_has_2fa(
self,
monkeypatch,
owners_require_2fa,
pypi_mandates_2fa,
two_factor_requirement_enabled,
two_factor_mandate_available,
two_factor_mandate_enabled,
db_request,
):
db_request.registry.settings = {
"warehouse.two_factor_requirement.enabled":
two_factor_requirement_enabled,
"warehouse.two_factor_mandate.available":
two_factor_mandate_available,
"warehouse.two_factor_mandate.enabled": two_factor_mandate_enabled,
}
user = pretend.stub(has_two_factor=True)
db_request.user = user
get_current_request = pretend.call_recorder(lambda: db_request)
monkeypatch.setattr(security_policy, "get_current_request",
get_current_request)
permits_result = Allowed("Because")
backing_policy = pretend.stub(
permits=pretend.call_recorder(lambda *a, **kw: permits_result))
policy = security_policy.TwoFactorAuthorizationPolicy(
policy=backing_policy)
context = ProjectFactory.create(owners_require_2fa=owners_require_2fa,
pypi_mandates_2fa=pypi_mandates_2fa)
result = policy.permits(context, pretend.stub(), pretend.stub())
assert result == permits_result
def test_flashes_if_context_requires_2fa_but_not_enabled(
self, monkeypatch, db_request):
db_request.registry.settings = {
"warehouse.two_factor_mandate.enabled": False,
"warehouse.two_factor_mandate.available": True,
"warehouse.two_factor_requirement.enabled": True,
}
db_request.session.flash = pretend.call_recorder(lambda m, queue: None)
db_request.user = pretend.stub(has_two_factor=False)
get_current_request = pretend.call_recorder(lambda: db_request)
monkeypatch.setattr(security_policy, "get_current_request",
get_current_request)
permits_result = Allowed("Because")
backing_policy = pretend.stub(
permits=pretend.call_recorder(lambda *a, **kw: permits_result))
policy = security_policy.TwoFactorAuthorizationPolicy(
policy=backing_policy)
context = ProjectFactory.create(
owners_require_2fa=False,
pypi_mandates_2fa=True,
)
result = policy.permits(context, pretend.stub(), pretend.stub())
assert result == permits_result
assert db_request.session.flash.calls == [
pretend.call(
"This project is included in PyPI's two-factor mandate "
"for critical projects. In the future, you will be unable to "
"perform this action without enabling 2FA for your account",
queue="warning",
),
]
def test_principals_allowed_by_permission(self):
principals = pretend.stub()
backing_policy = pretend.stub(principals_allowed_by_permission=pretend.
call_recorder(lambda *a: principals))
policy = security_policy.TwoFactorAuthorizationPolicy(
policy=backing_policy)
assert (policy.principals_allowed_by_permission(
pretend.stub(), pretend.stub()) is principals)
def test_permits_no_active_request(self, monkeypatch):
get_current_request = pretend.call_recorder(lambda: None)
monkeypatch.setattr(security_policy, "get_current_request",
get_current_request)
backing_policy = pretend.stub(
permits=pretend.call_recorder(lambda *a, **kw: pretend.stub()))
policy = security_policy.TwoFactorAuthorizationPolicy(
policy=backing_policy)
result = policy.permits(pretend.stub(), pretend.stub(), pretend.stub())
assert result == WarehouseDenied("")
assert result.s == "There was no active request."
def test_permits_if_non_2fa_requireable_context(self, monkeypatch):
request = pretend.stub()
get_current_request = pretend.call_recorder(lambda: request)
monkeypatch.setattr(security_policy, "get_current_request",
get_current_request)
permits_result = Allowed("Because")
backing_policy = pretend.stub(
permits=pretend.call_recorder(lambda *a, **kw: permits_result))
policy = security_policy.TwoFactorAuthorizationPolicy(
policy=backing_policy)
result = policy.permits(pretend.stub(), pretend.stub(), pretend.stub())
assert result == permits_result
def test_denies_if_2fa_is_required_but_user_doesnt_have_2fa(
self,
monkeypatch,
owners_require_2fa,
pypi_mandates_2fa,
reason,
db_request,
):
db_request.registry.settings = {
"warehouse.two_factor_requirement.enabled": owners_require_2fa,
"warehouse.two_factor_mandate.enabled": pypi_mandates_2fa,
}
user = pretend.stub(has_two_factor=False)
db_request.user = user
get_current_request = pretend.call_recorder(lambda: db_request)
monkeypatch.setattr(security_policy, "get_current_request",
get_current_request)
permits_result = Allowed("Because")
backing_policy = pretend.stub(
permits=pretend.call_recorder(lambda *a, **kw: permits_result))
policy = security_policy.TwoFactorAuthorizationPolicy(
policy=backing_policy)
context = ProjectFactory.create(owners_require_2fa=owners_require_2fa,
pypi_mandates_2fa=pypi_mandates_2fa)
result = policy.permits(context, pretend.stub(), pretend.stub())
summary = {
"owners_require_2fa":
("This project requires two factor authentication to be enabled "
"for all contributors.", ),
"pypi_mandates_2fa":
("PyPI requires two factor authentication to be enabled "
"for all contributors to this project.", ),
}[reason]
assert result == WarehouseDenied(summary, reason="two_factor_required")