author | Michał Górny <mgorny@gentoo.org> | 2013-08-22 21:20:17 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2013-08-23 12:49:15 +0200 |
commit | 90aa5e39bb44bbc46ec52976879c7f13cbc329e1 (patch) | |
tree | 6a26d2404037505f60363d55397f048f47a1950f | |
parent | Add tests for SSL auth. (diff) | |
SSLCertAuthBackend: make request mandatory.
django.contrib.auth is prepared for backends whose authenticate()
prototype does not match the call. Therefore, with a mandatory 'request'
argument, the backend simply won't be called for non-SSL requests.
-rw-r--r-- | okupy/common/auth.py | 5 | ||||
-rw-r--r-- | okupy/tests/unit/test_auth.py | 19 | ||||
-rw-r--r-- | okupy/tests/vars.py | 6 |
3 files changed, 8 insertions, 22 deletions
diff --git a/okupy/common/auth.py b/okupy/common/auth.py index 0747d12..d7a7f95 100644 --- a/okupy/common/auth.py +++ b/okupy/common/auth.py @@ -15,10 +15,7 @@ class SSLCertAuthBackend(ModelBackend): It requires one of owner e-mails to match in LDAP. """ - def authenticate(self, request=None): - if request is None: - return None - + def authenticate(self, request): # it can be: SUCCESS, NONE and likely some string for failure ;) cert_verify = request.META.get('SSL_CLIENT_VERIFY', None) if cert_verify != 'SUCCESS': diff --git a/okupy/tests/unit/test_auth.py b/okupy/tests/unit/test_auth.py index 1f3eb1d..5793d53 100644 --- a/okupy/tests/unit/test_auth.py +++ b/okupy/tests/unit/test_auth.py @@ -4,7 +4,6 @@ from mockldap import MockLdap from django.conf import settings from django.contrib.auth import authenticate -from django.test.utils import override_settings from .. import vars from ...common.test_helpers import OkupyTestCase, set_request, ldap_users, set_search_seed 
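Review bot: With the `if request is None` guard removed from `authenticate` in okupy/common/auth.py, a caller that passes `request=None` explicitly still matches the signature and reaches `request.META.get('SSL_CLIENT_VERIFY', None)`, which raises AttributeError instead of returning None. As far as I know, django.contrib.auth skips a backend only when the call itself raises TypeError, so this error would propagate out of the login path rather than fall through to the next backend. If no caller can pass None this is fine, but the reliance on the signature deserves a comment above the method, for example `# 'request' is mandatory on purpose: authenticate() calls without it never reach this backend`. The method body continues past the end of the hunk.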
@@ -22,32 +21,26 @@ class AuthUnitTests(OkupyTestCase): def tearDown(self): self.mockldap.stop() - @override_settings(AUTHENTICATION_BACKENDS=( - 'okupy.common.auth.SSLCertAuthBackend',)) def test_valid_certificate_authenticates_alice(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS' - request.META['SSL_CLIENT_RAW_CERT'] = vars.test_certificate + request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')]) u = authenticate(request=request) self.assertEqual(u.username, vars.LOGIN_ALICE['username']) - @override_settings(AUTHENTICATION_BACKENDS=( - 'okupy.common.auth.SSLCertAuthBackend',)) def test_second_email_authenticates_alice(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS' request.META['SSL_CLIENT_RAW_CERT'] = ( - vars.test_certificate_with_two_email_addresses) + vars.TEST_CERTIFICATE_WITH_TWO_EMAIL_ADDRESSES) self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('test@test.com', 'mail'))([]) self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')]) u = authenticate(request=request) self.assertEqual(u.username, vars.LOGIN_ALICE['username']) - @override_settings(AUTHENTICATION_BACKENDS=( - 'okupy.common.auth.SSLCertAuthBackend',)) def test_no_certificate_returns_none(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'NONE' 
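Review bot: Dropping `@override_settings(AUTHENTICATION_BACKENDS=...)` means the tests in `AuthUnitTests` no longer pin which backend produced the user; they now run against whatever the project settings list. The positive cases (`test_valid_certificate_authenticates_alice`, `test_second_email_authenticates_alice`) could pin the backend by also asserting `self.assertEqual(u.backend, 'okupy.common.auth.SSLCertAuthBackend')`, assuming Django sets `user.backend` as usual. The behaviour the commit message promises, that the backend is not called when no `request` is supplied, has no test here; a case calling `authenticate()` with only username/password credentials and checking that no certificate lookup occurs would cover it. The same applies to the decorators removed in the following hunk, and the class continues outside both hunks.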
@@ -55,23 +48,19 @@ class AuthUnitTests(OkupyTestCase): u = authenticate(request=request) self.assertIs(u, None) - @override_settings(AUTHENTICATION_BACKENDS=( - 'okupy.common.auth.SSLCertAuthBackend',)) def test_failed_verification_returns_none(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'FAILURE' - request.META['SSL_CLIENT_RAW_CERT'] = vars.test_certificate + request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')]) u = authenticate(request=request) self.assertIs(u, None) - @override_settings(AUTHENTICATION_BACKENDS=( - 'okupy.common.auth.SSLCertAuthBackend',)) def test_unmatched_email_returns_none(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS' - request.META['SSL_CLIENT_RAW_CERT'] = vars.test_certificate_wrong_email + request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE_WRONG_EMAIL self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('wrong@test.com', 'mail'))([]) u = authenticate(request=request) diff --git a/okupy/tests/vars.py b/okupy/tests/vars.py index 4d0ba51..e559195 100644 --- a/okupy/tests/vars.py +++ b/okupy/tests/vars.py @@ -70,7 +70,7 @@ SIGNUP_TESTUSER = { # SSL certificates -test_certificate = '''-----BEGIN CERTIFICATE----- +TEST_CERTIFICATE = '''-----BEGIN CERTIFICATE----- MIICmzCCAiWgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJFWDEQ MA4GA1UECAwHRXhhbXBsZTEQMA4GA1UEBwwHRXhhbXBsZTEQMA4GA1UECgwHRXhh bXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1w 
@@ -87,7 +87,7 @@ kSBK5nabnbmeFs53szVk7KemFq+Ew8BdVqjejSdbTB2wsGM+IknlmYOnqfLn1osW HBbiw3zv4xb9ahmA68ChbeEyJXj6WKExD4WpAT1sDDAwlqA0fo0KSY/3E0zocs4= -----END CERTIFICATE-----''' -test_certificate_wrong_email = '''-----BEGIN CERTIFICATE----- +TEST_CERTIFICATE_WRONG_EMAIL = '''-----BEGIN CERTIFICATE----- MIICkzCCAh2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJFWDEQ MA4GA1UECAwHRXhhbXBsZTEQMA4GA1UEBwwHRXhhbXBsZTEQMA4GA1UECgwHRXhh bXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1w @@ -104,7 +104,7 @@ v8NFzLjLUTJroCCMxkkCZ/9qRBFIhdHSIjH+m2vgVEfQH3ub44ncVY58WWm/A3xL 0Va/G/jNXbKVQYiUS12/BF917HDZoYmW2nbyVLXMqcbxu5gIln6C -----END CERTIFICATE-----''' -test_certificate_with_two_email_addresses = '''-----BEGIN CERTIFICATE----- +TEST_CERTIFICATE_WITH_TWO_EMAIL_ADDRESSES = '''-----BEGIN CERTIFICATE----- MIICsTCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJFWDEQ MA4GA1UECAwHRXhhbXBsZTEQMA4GA1UEBwwHRXhhbXBsZTEQMA4GA1UECgwHRXhh bXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1w |