hook up auth verify to a session and use that for the pin (bug 805673)
Andy McKay
committed
Nov 1, 2012
1 parent
7f111a8
commit d717465
Showing
11 changed files
with
188 additions
and
20 deletions.
@@ -0,0 +1,17 @@ | |||
import functools | |||
|
|||
import commonware.log | |||
|
|||
from django.core.exceptions import PermissionDenied | |||
|
|||
log = commonware.log.getLogger('w.auth') | |||
|
|||
|
|||
def user_verified(f): | |||
@functools.wraps(f) | |||
def wrapper(request, *args, **kw): | |||
if not request.session.get('uuid'): | |||
log.error('No uuid in session, not verified.') | |||
raise PermissionDenied | |||
return f(request, *args, **kw) | |||
return wrapper |
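Review bot: `log.error('No uuid in session, not verified.')` fires for every anonymous request to a protected view, which is an expected state rather than a fault; at error level it both buries genuine errors and lets any unauthenticated client generate error-log volume at will. Lowering it to `log.info` (or `log.warning`) keeps the signal without the noise. The decorator otherwise only tests for the presence of a session `uuid`, so how that value is set and invalidated has to be enforced where it is written; a docstring such as `"""Deny the view with 403 unless the session carries a verified uuid."""` would make that contract explicit to callers.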
@@ -0,0 +1 @@ | |||
from test import SessionTestCase |
@@ -0,0 +1,78 @@ | |||
from django import test | |||
from django.conf import settings | |||
from django.core.urlresolvers import reverse | |||
from django.http import HttpRequest | |||
from django.utils.importlib import import_module | |||
|
|||
import mock | |||
from nose.tools import eq_ | |||
|
|||
good_assertion = {u'status': u'okay', | |||
u'audience': u'http://some.site', | |||
u'expires': 1351707833170, | |||
u'email': u'a@a.com', | |||
u'issuer': u'login.persona.org'} | |||
|
|||
|
|||
class SessionTestCase(test.TestCase): | |||
""" | |||
A wrapper around Django tests to provide a verify method for use | |||
in testing. | |||
""" | |||
|
|||
def verify(self, uuid): | |||
# This is a rip off of the Django test client login. | |||
engine = import_module(settings.SESSION_ENGINE) | |||
|
|||
# Create a fake request to store login details. | |||
request = HttpRequest() | |||
request.session = engine.SessionStore() | |||
|
|||
request.session['uuid'] = uuid | |||
request.session.save() | |||
|
|||
# Set the cookie to represent the session. | |||
session_cookie = settings.SESSION_COOKIE_NAME | |||
self.client.cookies[session_cookie] = request.session.session_key | |||
cookie_data = { | |||
'max-age': None, | |||
'path': '/', | |||
'domain': settings.SESSION_COOKIE_DOMAIN, | |||
'secure': settings.SESSION_COOKIE_SECURE or None, | |||
'expires': None, | |||
} | |||
self.client.cookies[session_cookie].update(cookie_data) | |||
|
|||
def unverify(self): | |||
# Remove the browserid verification. | |||
del self.client.cookies[settings.SESSION_COOKIE_NAME] | |||
|
|||
|
|||
@mock.patch.object(settings, 'DOMAIN', 'web.pay') | |||
class TestAuth(SessionTestCase): | |||
|
|||
def setUp(self): | |||
self.url = reverse('auth.verify') | |||
|
|||
@mock.patch('webpay.auth.views.verify_assertion') | |||
def test_good(self, verify_assertion): | |||
verify_assertion.return_value = good_assertion | |||
eq_(self.client.post(self.url, {'assertion': 'good'}).status_code, 200) | |||
|
|||
@mock.patch('webpay.auth.views.verify_assertion') | |||
def test_session(self, verify_assertion): | |||
verify_assertion.return_value = good_assertion | |||
self.client.post(self.url, {'assertion': 'good'}) | |||
assert self.client.session['uuid'].startswith('web.pay:') | |||
|
|||
@mock.patch('webpay.auth.views.verify_assertion') | |||
def test_bad(self, verify_assertion): | |||
verify_assertion.return_value = False | |||
eq_(self.client.post(self.url, {'assertion': 'bad'}).status_code, 400) | |||
|
|||
@mock.patch('webpay.auth.views.verify_assertion') | |||
def test_session_cleaned(self, verify_assertion): | |||
self.verify('a:b') | |||
verify_assertion.return_value = False | |||
eq_(self.client.post(self.url, {'assertion': 'bad'}).status_code, 400) | |||
eq_(self.client.session.get('uuid'), None) |
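Review bot: `test_good` and `test_session` replace `verify_assertion` with a mock that returns `good_assertion`, so the audience binding of the BrowserID check — the property that stops an assertion issued for another site from logging a user in here — is never exercised by these tests. An assertion on `verify_assertion.call_args` that the posted assertion and the expected audience were passed would pin it down (the exact signature lives in `webpay.auth.views`, which is not in this hunk). Separately, `SessionTestCase.unverify` only deletes the cookie client-side while the server-side session still holds the uuid, which is fine for these tests but worth a comment such as `# Drops the cookie only; the session row itself stays in the store.` so nobody reuses it as a logout.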
@@ -0,0 +1,21 @@ | |||
from django import test | |||
from django.conf import settings | |||
|
|||
import mock | |||
from webpay.auth.utils import get_uuid | |||
|
|||
|
|||
@mock.patch.object(settings, 'DOMAIN', 'web.pay') | |||
class TestUUID(test.TestCase): | |||
|
|||
def test_good(self): | |||
res = get_uuid('f@f.com') | |||
assert res.startswith('web.pay:') | |||
|
|||
def test_unicode(self): | |||
res = get_uuid(u'f@f.com') | |||
assert res.startswith('web.pay:') | |||
|
|||
def test_bad(self): | |||
with self.assertRaises(ValueError): | |||
get_uuid(None) |
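Review bot: `test_unicode` passes an ASCII-only address, so it never exercises the case where `get_uuid` feeds non-ASCII unicode to `hashlib.sha1().update()`, which on Python 2 raises UnicodeEncodeError through the implicit ascii encode. Adding `get_uuid(u'f\xe9@f.com')` alongside the existing case, and asserting `get_uuid('f@f.com') == get_uuid(u'f@f.com')`, would cover both the encoding path and the consistency claim in the utils docstring. A distinctness check, `assert get_uuid('a@a.com') != get_uuid('b@b.com')`, would also stop the prefix-only assertions from passing on a constant return.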
@@ -0,0 +1,30 @@ | |||
import hashlib | |||
|
|||
from django.conf import settings | |||
|
|||
|
|||
def get_uuid(email): | |||
""" | |||
Given an email returns the hash of the email for this site. This will be | |||
consistent for each email for this site and can be used as the uuid in | |||
solitude. Because the leakage of the email is more of a privacy concern | |||
than a security concern, we are just doing a simple sha1 hash. | |||
:email: the email to hash. | |||
""" | |||
if not isinstance(email, basestring): | |||
raise ValueError('get_uuid requires a string or unicode') | |||
hashed = hashlib.sha1() | |||
hashed.update(email) | |||
return '%s:%s' % (settings.DOMAIN, hashed.hexdigest()) | |||
|
|||
|
|||
def get_user(request): | |||
try: | |||
return request.session.get('uuid') | |||
except KeyError: | |||
raise KeyError('Attempt to access user without it being set, ' | |||
'did you use the user_verified decorator?') | |||
|
|||
def set_user(request, email): | |||
request.session['uuid'] = get_uuid(email) |
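Review bot: `set_user` writes the verified uuid into whatever session the request arrived with, so an attacker who planted a session cookie in the victim's browser beforehand ends up sharing the authenticated session (session fixation); Django's own `auth.login` guards against this by rotating the key, and `request.session.cycle_key()` before the assignment does the same here. In `get_uuid`, `hashed.update(email)` raises UnicodeEncodeError on Python 2 for a unicode address containing non-ASCII characters, because the `isinstance(email, basestring)` check admits unicode while sha1 needs bytes; `hashed.update(email.encode('utf-8') if isinstance(email, unicode) else email)` fixes it. In `get_user`, `request.session.get('uuid')` returns None instead of raising, so the `except KeyError` branch and its helpful message are unreachable; use `return request.session['uuid']` if the message is meant to fire, or drop the try/except. The docstring's choice of an unsalted SHA-1 holds only as long as the uuid never acts as a credential on its own; if solitude accepts it as proof of identity, a keyed hash (HMAC with a server-side secret) would stop anyone who knows an email from deriving the uuid.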