def test_callback(self):
# Exchange temporary credentials for permanent credentials
# Mock the exchange of the code for an access token
_prepare_mock_oauth2_handshake_response()
user = UserFactory()
# Fake a request context for the callback
with self.app.app.test_request_context(
path="/oauth/callback/mock2/",
query_string="code=mock_code&state=mock_state"
):
# make sure the user is logged in
authenticate(user=self.user, access_token=None, response=None)
session = get_session()
session.data['oauth_states'] = {
self.provider.short_name: {
'state': 'mock_state',
},
}
session.save()
# do the key exchange
self.provider.auth_callback(user=user)
account = ExternalAccount.find_one()
assert_equal(account.oauth_key, 'mock_access_token')
assert_equal(account.provider_id, 'mock_provider_id')
def test_callback(self):
# Exchange temporary credentials for permanent credentials
# Mock the exchange of the code for an access token
_prepare_mock_oauth2_handshake_response()
user = UserFactory()
# Fake a request context for the callback
with self.app.app.test_request_context(
path="/oauth/callback/mock2/",
query_string="code=mock_code&state=mock_state"):
# make sure the user is logged in
authenticate(user=self.user, access_token=None, response=None)
session.data['oauth_states'] = {
self.provider.short_name: {
'state': 'mock_state',
},
}
session.save()
# do the key exchange
self.provider.auth_callback(user=user)
account = ExternalAccount.find_one()
assert_equal(account.oauth_key, 'mock_access_token')
assert_equal(account.provider_id, 'mock_provider_id')
def migrate_to_external_account(user_settings_document):
user_info = utils.get_user_info(access_key=user_settings_document['access_key'], secret_key=user_settings_document['secret_key'])
user = User.load(user_settings_document['owner'])
if not user_info:
return (None, None, None)
new = False
try:
external_account = ExternalAccount.find_one(Q('provider_id', 'eq', user_info.id))
logger.info('Duplicate account use found: s3usersettings {0} with id {1}'.format(user_settings_document['_id'], user._id))
except NoResultsFound:
new = True
external_account = ExternalAccount(
provider=PROVIDER,
provider_name=PROVIDER_NAME,
provider_id=user_info.id,
oauth_key=user_settings_document['access_key'],
oauth_secret=user_settings_document['secret_key'],
display_name=user_info.display_name,
)
external_account.save()
user.external_accounts.append(external_account)
user.save()
return external_account, user, new
def migrate_to_external_account(user_settings_document):
user_info = utils.get_user_info(
access_key=user_settings_document['access_key'],
secret_key=user_settings_document['secret_key'])
user = User.load(user_settings_document['owner'])
if not user_info:
return (None, None, None)
new = False
try:
external_account = ExternalAccount.find_one(
Q('provider_id', 'eq', user_info.id))
logger.info(
'Duplicate account use found: s3usersettings {0} with id {1}'.
format(user_settings_document['_id'], user._id))
except NoResultsFound:
new = True
external_account = ExternalAccount(
provider=PROVIDER,
provider_name=PROVIDER_NAME,
provider_id=user_info.id,
oauth_key=user_settings_document['access_key'],
oauth_secret=user_settings_document['secret_key'],
display_name=user_info.display_name,
)
external_account.save()
user.external_accounts.append(external_account)
user.save()
return external_account, user, new
def s3_add_user_account(auth, **kwargs):
"""Verifies new external account credentials and adds to user's list"""
try:
access_key = request.json['access_key']
secret_key = request.json['secret_key']
except KeyError:
raise HTTPError(httplib.BAD_REQUEST)
if not (access_key and secret_key):
return {
'message': 'All the fields above are required.'
}, httplib.BAD_REQUEST
user_info = utils.get_user_info(access_key, secret_key)
if not user_info:
return {
'message':
('Unable to access account.\n'
'Check to make sure that the above credentials are valid, '
'and that they have permission to list buckets.')
}, httplib.BAD_REQUEST
if not utils.can_list(access_key, secret_key):
return {
'message':
('Unable to list buckets.\n'
'Listing buckets is required permission that can be changed via IAM'
)
}, httplib.BAD_REQUEST
account = None
try:
account = ExternalAccount(
provider=SHORT_NAME,
provider_name=FULL_NAME,
oauth_key=access_key,
oauth_secret=secret_key,
provider_id=user_info.id,
display_name=user_info.display_name,
)
account.save()
except KeyExistsException:
# ... or get the old one
account = ExternalAccount.find_one(
Q('oauth_key', 'eq', access_key)
& Q('oauth_secret', 'eq', secret_key))
assert account is not None
if account not in auth.user.external_accounts:
auth.user.external_accounts.append(account)
# Ensure S3 is enabled.
auth.user.get_or_add_addon('s3', auth=auth)
auth.user.save()
return {}
def s3_add_user_account(auth, **kwargs):
"""Verifies new external account credentials and adds to user's list"""
try:
access_key = request.json['access_key']
secret_key = request.json['secret_key']
except KeyError:
raise HTTPError(httplib.BAD_REQUEST)
if not (access_key and secret_key):
return {
'message': 'All the fields above are required.'
}, httplib.BAD_REQUEST
user_info = utils.get_user_info(access_key, secret_key)
if not user_info:
return {
'message': ('Unable to access account.\n'
'Check to make sure that the above credentials are valid, '
'and that they have permission to list buckets.')
}, httplib.BAD_REQUEST
if not utils.can_list(access_key, secret_key):
return {
'message': ('Unable to list buckets.\n'
'Listing buckets is required permission that can be changed via IAM')
}, httplib.BAD_REQUEST
account = None
try:
account = ExternalAccount(
provider=SHORT_NAME,
provider_name=FULL_NAME,
oauth_key=access_key,
oauth_secret=secret_key,
provider_id=user_info.id,
display_name=user_info.display_name,
)
account.save()
except KeyExistsException:
# ... or get the old one
account = ExternalAccount.find_one(
Q('provider', 'eq', SHORT_NAME) &
Q('provider_id', 'eq', user_info.id)
)
assert account is not None
if account not in auth.user.external_accounts:
auth.user.external_accounts.append(account)
# Ensure S3 is enabled.
auth.user.get_or_add_addon('s3', auth=auth)
auth.user.save()
return {}
def do_migration(records):
database['googledrivenodesettings'].update({'user_settings': {
'$type': 2
}}, {'$rename': {
'user_settings': 'foreign_user_settings'
}},
multi=True)
for user_addon in records:
user = user_addon.owner
old_account = user_addon.oauth_settings
logger.info('Record found for user {}'.format(user._id))
# Create/load external account and append to user
try:
account = ExternalAccount(
provider='googledrive',
provider_name='Google Drive',
display_name=old_account.username,
oauth_key=old_account.access_token,
refresh_token=old_account.refresh_token,
provider_id=old_account.user_id,
expires_at=old_account.expires_at,
)
account.save()
except KeyExistsException:
# ... or get the old one
account = ExternalAccount.find_one(
Q('provider', 'eq', 'googledrive')
& Q('provider_id', 'eq', old_account.user_id))
assert account is not None
user.external_accounts.append(account)
user.save()
# Remove oauth_settings from user settings object
user_addon.oauth_settings = None
user_addon.save()
logger.info('Added external account {0} to user {1}'.format(
account._id,
user._id,
))
# Add external account to authorized nodes
for node in GoogleDriveNodeSettings.find():
if node.foreign_user_settings is None:
continue
logger.info('Migrating user_settings for googledrive {}'.format(
node._id))
node.user_settings = node.foreign_user_settings
node.save()
def do_migration(records):
host = 'dataverse.harvard.edu'
for user_addon in records:
user = user_addon.owner
api_token = user_addon.api_token
logger.info('Record found for user {}'.format(user._id))
# Modified from `dataverse_add_user_account`
# Create/load external account and append to user
try:
account = ExternalAccount(
provider='dataverse',
provider_name='Dataverse',
display_name=host,
oauth_key=host,
oauth_secret=api_token,
provider_id=api_token,
)
account.save()
except KeyExistsException:
# ... or get the old one
account = ExternalAccount.find_one(
Q('provider', 'eq', 'dataverse')
& Q('provider_id', 'eq', api_token))
assert account is not None
user.external_accounts.append(account)
user.save()
# Remove api_token from user settings object
user_addon.api_token = None
user_addon.save()
logger.info('Added external account {0} to user {1}'.format(
account._id,
user._id,
))
####### BROKEN #######
# Field user_addon needed to be user_addon._id for lookup.
#
# Add external account to authorized nodes
for node_addon in get_authorized_node_settings(user_addon):
node_addon.set_auth(account, user)
logger.info('Added external account {0} to node {1}'.format(
account._id,
node_addon.owner._id,
))
def owncloud_add_user_account(auth, **kwargs):
"""
Verifies new external account credentials and adds to user's list
This view expects `host`, `username` and `password` fields in the JSON
body of the request.
"""
# Ensure that ownCloud uses https
host_url = request.json.get('host')
host = furl()
host.host = host_url.rstrip('/').replace('https://', '').replace('http://', '')
host.scheme = 'https'
username = request.json.get('username')
password = request.json.get('password')
try:
oc = owncloud.Client(host.url, verify_certs=settings.USE_SSL)
oc.login(username, password)
oc.logout()
except requests.exceptions.ConnectionError:
return {
'message': 'Invalid ownCloud server.'
}, http.BAD_REQUEST
except owncloud.owncloud.HTTPResponseError:
return {
'message': 'ownCloud Login failed.'
}, http.UNAUTHORIZED
provider = OwnCloudProvider(account=None, host=host.url,
username=username, password=password)
try:
provider.account.save()
except KeyExistsException:
# ... or get the old one
provider.account = ExternalAccount.find_one(
Q('provider', 'eq', provider.short_name) &
Q('provider_id', 'eq', '{}:{}'.format(host.url, username).lower())
)
user = auth.user
if provider.account not in user.external_accounts:
user.external_accounts.append(provider.account)
user.get_or_add_addon('owncloud', auth=auth)
user.save()
return {}
def do_migration(records):
host = 'dataverse.harvard.edu'
for user_addon in records:
user = user_addon.owner
api_token = user_addon.api_token
logger.info('Record found for user {}'.format(user._id))
# Modified from `dataverse_add_user_account`
# Create/load external account and append to user
try:
account = ExternalAccount(
provider='dataverse',
provider_name='Dataverse',
display_name=host,
oauth_key=host,
oauth_secret=api_token,
provider_id=api_token,
)
account.save()
except KeyExistsException:
# ... or get the old one
account = ExternalAccount.find_one(
Q('provider', 'eq', 'dataverse') &
Q('provider_id', 'eq', api_token)
)
assert account is not None
user.external_accounts.append(account)
user.save()
# Remove api_token from user settings object
user_addon.api_token = None
user_addon.save()
logger.info('Added external account {0} to user {1}'.format(
account._id, user._id,
))
####### BROKEN #######
# Field user_addon needed to be user_addon._id for lookup.
#
# Add external account to authorized nodes
for node_addon in get_authorized_node_settings(user_addon):
node_addon.set_auth(account, user)
logger.info('Added external account {0} to node {1}'.format(
account._id, node_addon.owner._id,
))
def owncloud_add_user_account(auth, **kwargs):
"""
Verifies new external account credentials and adds to user's list
This view expects `host`, `username` and `password` fields in the JSON
body of the request.
"""
# Ensure that ownCloud uses https
host_url = request.json.get('host')
host = furl()
host.host = host_url.rstrip('/').replace('https://',
'').replace('http://', '')
host.scheme = 'https'
username = request.json.get('username')
password = request.json.get('password')
try:
oc = owncloud.Client(host.url, verify_certs=settings.USE_SSL)
oc.login(username, password)
oc.logout()
except requests.exceptions.ConnectionError:
return {'message': 'Invalid ownCloud server.'}, http.BAD_REQUEST
except owncloud.owncloud.HTTPResponseError:
return {'message': 'ownCloud Login failed.'}, http.UNAUTHORIZED
provider = OwnCloudProvider(account=None,
host=host.url,
username=username,
password=password)
try:
provider.account.save()
except KeyExistsException:
# ... or get the old one
provider.account = ExternalAccount.find_one(
Q('provider', 'eq', provider.short_name) &
Q('provider_id', 'eq', '{}:{}'.format(host.url, username).lower()))
user = auth.user
if provider.account not in user.external_accounts:
user.external_accounts.append(provider.account)
user.get_or_add_addon('owncloud', auth=auth)
user.save()
return {}
def do_migration(records):
database['googledrivenodesettings'].update({'user_settings': {'$type': 2}}, {'$rename': { 'user_settings': 'foreign_user_settings'}}, multi=True)
for user_addon in records:
user = user_addon.owner
old_account = user_addon.oauth_settings
logger.info('Record found for user {}'.format(user._id))
# Create/load external account and append to user
try:
account = ExternalAccount(
provider='googledrive',
provider_name='Google Drive',
display_name=old_account.username,
oauth_key=old_account.access_token,
refresh_token=old_account.refresh_token,
provider_id=old_account.user_id,
expires_at=old_account.expires_at,
)
account.save()
except KeyExistsException:
# ... or get the old one
account = ExternalAccount.find_one(
Q('provider', 'eq', 'googledrive') &
Q('provider_id', 'eq', old_account.user_id)
)
assert account is not None
user.external_accounts.append(account)
user.save()
# Remove oauth_settings from user settings object
user_addon.oauth_settings = None
user_addon.save()
logger.info('Added external account {0} to user {1}'.format(
account._id, user._id,
))
# Add external account to authorized nodes
for node in GoogleDriveNodeSettings.find():
if node.foreign_user_settings is None:
continue
logger.info('Migrating user_settings for googledrive {}'.format(node._id))
node.user_settings = node.foreign_user_settings
node.save()
def test_callback(self):
# Exchange temporary credentials for permanent credentials
# mock a successful call to the provider to exchange temp keys for
# permanent keys
httpretty.register_uri(
httpretty.POST,
'http://mock1a.com/callback',
body=(
'oauth_token=perm_token'
'&oauth_token_secret=perm_secret'
'&oauth_callback_confirmed=true'
),
)
user = UserFactory()
# Fake a request context for the callback
ctx = self.app.app.test_request_context(
path='/oauth/callback/mock1a/',
query_string='oauth_token=temp_key&oauth_verifier=mock_verifier',
)
with ctx:
# make sure the user is logged in
authenticate(user=user, access_token=None, response=None)
session = get_session()
session.data['oauth_states'] = {
self.provider.short_name: {
'token': 'temp_key',
'secret': 'temp_secret',
},
}
session.save()
# do the key exchange
self.provider.auth_callback(user=user)
account = ExternalAccount.find_one()
assert_equal(account.oauth_key, 'perm_token')
assert_equal(account.oauth_secret, 'perm_secret')
assert_equal(account.provider_id, 'mock_provider_id')
assert_equal(account.provider_name, 'Mock OAuth 1.0a Provider')
def dataverse_add_user_account(auth, **kwargs):
"""Verifies new external account credentials and adds to user's list"""
user = auth.user
provider = DataverseProvider()
host = request.json.get('host').rstrip('/')
api_token = request.json.get('api_token')
# Verify that credentials are valid
client.connect_or_error(host, api_token)
# Note: `DataverseSerializer` expects display_name to be a URL
try:
provider.account = ExternalAccount(
provider=provider.short_name,
provider_name=provider.name,
display_name=host, # no username; show host
oauth_key=host, # hijacked; now host
oauth_secret=api_token, # hijacked; now api_token
provider_id=api_token, # Change to username if Dataverse allows
)
provider.account.save()
except KeyExistsException:
# ... or get the old one
provider.account = ExternalAccount.find_one(
Q('provider', 'eq', provider.short_name) &
Q('provider_id', 'eq', api_token)
)
assert provider.account is not None
if provider.account not in user.external_accounts:
user.external_accounts.append(provider.account)
user_addon = auth.user.get_addon('dataverse')
if not user_addon:
user.add_addon('dataverse')
user.save()
# Need to ensure that the user has dataverse enabled at this point
user.get_or_add_addon('dataverse', auth=auth)
user.save()
return {}
def test_callback(self):
# Exchange temporary credentials for permanent credentials
# mock a successful call to the provider to exchange temp keys for
# permanent keys
httpretty.register_uri(
httpretty.POST,
'http://mock1a.com/callback',
body=(
'oauth_token=perm_token'
'&oauth_token_secret=perm_secret'
'&oauth_callback_confirmed=true'
),
)
user = UserFactory()
# Fake a request context for the callback
ctx = self.app.app.test_request_context(
path='/oauth/callback/mock1a/',
query_string='oauth_token=temp_key&oauth_verifier=mock_verifier',
)
with ctx:
# make sure the user is logged in
authenticate(user=user, access_token=None, response=None)
session.data['oauth_states'] = {
self.provider.short_name: {
'token': 'temp_key',
'secret': 'temp_secret',
},
}
session.save()
# do the key exchange
self.provider.auth_callback(user=user)
account = ExternalAccount.find_one()
assert_equal(account.oauth_key, 'perm_token')
assert_equal(account.oauth_secret, 'perm_secret')
assert_equal(account.provider_id, 'mock_provider_id')
assert_equal(account.provider_name, 'Mock OAuth 1.0a Provider')
