[Checkins] SVN: Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/ Revert another lump of r97359. We only really need to deal with user
Stefan H. Holek
stefan at epy.co.at
Tue Mar 3 03:44:15 EST 2009
Log message for revision 97430:
Revert another lump of r97359. We only really need to deal with user
extraction, so let's skip on enumeration and decoration.
Changed:
U Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/PluggableAuthService.py
U Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/tests/test_masquerading.py
U Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/utils.py
-=-
Modified: Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/PluggableAuthService.py
===================================================================
--- Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/PluggableAuthService.py 2009-03-02 19:34:23 UTC (rev 97429)
+++ Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/PluggableAuthService.py 2009-03-03 08:44:14 UTC (rev 97430)
@@ -87,7 +87,6 @@
from utils import createKeywords
from utils import classImplements
from utils import splitmasq
-from utils import joinmasq
security = ModuleSecurityInfo(
'Products.PluggableAuthService.PluggableAuthService' )
@@ -243,10 +242,6 @@
user = self._findUser(plugins, user_id, login, request=request)
- # Masquerading may reset the user
- if user is None:
- continue
-
if aq_base( user ) is emergency_user:
if is_top:
@@ -604,29 +599,40 @@
try:
# Masquerading: Authenticate auth_user
+ auth_user_credentials = credentials.copy()
+
login = credentials.get('login', '')
- auth_user_id, role_user_id = splitmasq( login )
- if role_user_id is not None:
- credentials['login'] = auth_user_id
- try:
- uid_and_info = auth.authenticateCredentials(
- credentials )
- finally:
- # Masquerading: Restore credentials
- if role_user_id is not None:
- credentials['login'] = login
+ auth_user_login, role_user_login = splitmasq( login )
+ if role_user_login is not None:
+ auth_user_credentials['login'] = auth_user_login
+
+ uid_and_info = auth.authenticateCredentials(
+ auth_user_credentials )
+
if uid_and_info is None:
continue
user_id, info = uid_and_info
- # Masquerading: Decorate id and login with masquerading info
- if role_user_id is not None:
- user_id = joinmasq( user_id, role_user_id )
- info = joinmasq( info, role_user_id )
+ if role_user_login is not None:
+ # Masquerading: Check if auth_user is allowed to masquerade
+ if self._canMasquerade( plugins, user_id, info, request ):
+ logger.info('Masquerading allowed: %s', login)
+ else:
+ logger.warn('Masquerading denied: %s', login)
+ continue
+
+ # Masquerading: Return role_user
+ role_user_info = self._verifyUser( plugins, login=role_user_login )
+
+ if role_user_info is None:
+ continue
+
+ user_id, info = role_user_info['id'], role_user_info['login']
+
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
msg = 'AuthenticationPlugin %s error' % (
authenticator_id, )
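Review bot: The permission check at `self._canMasquerade( plugins, user_id, info, request )` receives only the authenticating user's id and login, so as far as this hunk shows it cannot restrict which account is taken over; any user allowed to masquerade gets whatever `_verifyUser` returns for `role_user_login`, including accounts with more roles than their own. If that is intended, a comment saying so would help; otherwise consider passing `role_user_login` (or the resolved `role_user_info`) into the check. After the swap, `user_id, info` carry only the role user's identity, so the `logger.info('Masquerading allowed: %s', login)` line appears to be the only record of who really authenticated, and the not-found branch (`if role_user_info is None: continue`) logs nothing; I would add `logger.warn('Masquerading target not found: %r', login)` there. `login` is request-supplied, so the two existing log calls would also be safer with `%r`, which keeps control characters out of the log. The enclosing method starts and ends outside the hunk.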
@@ -752,29 +758,6 @@
if user_id == self._emergency_user.getUserName():
return self._emergency_user
- # Masquerading: Lookup role_user
- saved_id = user_id
-
- auth_user_id, role_user_id = splitmasq( user_id )
- if role_user_id is not None:
- user_id = role_user_id
-
- auth_user_login, role_user_login = splitmasq( name )
- if role_user_login is not None:
- name = role_user_login
-
- # Masquerading: Check if auth_user is eligible for masquerading
- if role_user_id is not None:
- if self._canMasquerade( plugins
- , auth_user_id
- , auth_user_login
- , request
- ):
- logger.info('Masquerading allowed: %s' % (saved_id,))
- else:
- logger.warn('Masquerading denied: %s' % (saved_id,))
- return None
-
# See if the user can be retrieved from the cache
view_name = createViewName('_findUser', user_id)
keywords = createKeywords(user_id=user_id, name=name)
@@ -828,15 +811,6 @@
# plugin enumerators.
return None
- # Masquerading: Lookup role_user
- auth_user_id, role_user_id = splitmasq( user_id )
- if role_user_id is not None:
- user_id = role_user_id
-
- auth_user_login, role_user_login = splitmasq( login )
- if role_user_login is not None:
- login = role_user_login
-
criteria = {'exact_match': True}
if user_id is not None:
Modified: Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/tests/test_masquerading.py
===================================================================
--- Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/tests/test_masquerading.py 2009-03-02 19:34:23 UTC (rev 97429)
+++ Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/tests/test_masquerading.py 2009-03-03 08:44:14 UTC (rev 97430)
@@ -19,7 +19,6 @@
from Products.PluggableAuthService.interfaces.plugins import IExtractionPlugin
from Products.PluggableAuthService.utils import splitmasq
-from Products.PluggableAuthService.utils import joinmasq
from AccessControl.SecurityManagement import getSecurityManager
from AccessControl.Permissions import view as View
@@ -52,40 +51,16 @@
self.assertEqual(splitmasq(''), ('', None))
-class JoinMasqTests(unittest.TestCase):
-
- def testSimpleIds(self):
- self.assertEqual(joinmasq('barney', 'betty'), 'barney/betty')
-
- def testFirstIdNone(self):
- self.assertEqual(joinmasq(None, 'betty'), None)
-
- def testSecondIdNone(self):
- self.assertEqual(joinmasq('barney', None), 'barney')
-
- def testBothIdsNone(self):
- self.assertEqual(joinmasq(None, None), None)
-
- def testFirstIdEmpty(self):
- self.assertEqual(joinmasq('', 'betty'), '')
-
- def testSecondIdEmpty(self):
- self.assertEqual(joinmasq('barney', ''), 'barney')
-
- def testBothIdsEmpty(self):
- self.assertEqual(joinmasq('', ''), '')
-
-
class MasqueradingTests(pastc.PASTestCase):
def afterSetUp(self):
self.pas = self.folder.acl_users
# Create a masquerading user
- self.pas.users.addUser('fred', 'fred', 'r0ck')
- self.pas.roles.assignRoleToPrincipal('Manager', 'fred')
+ self.pas.users.addUser('fred_id', 'fred', 'r0ck')
+ self.pas.roles.assignRoleToPrincipal('Manager', 'fred_id')
# Create a masqueraded user
- self.pas.users.addUser('wilma', 'wilma', 'geheim')
- self.pas.roles.assignRoleToPrincipal(pastc.user_role, 'wilma')
+ self.pas.users.addUser('wilma_id', 'wilma', 'geheim')
+ self.pas.roles.assignRoleToPrincipal(pastc.user_role, 'wilma_id')
# Create a protected document
self.folder.manage_addDTMLMethod('doc', file='the document')
self.doc = self.folder.doc
@@ -97,44 +72,27 @@
request = self.app.REQUEST
request._auth = 'Basic %s' % pastc.mkauth('fred/wilma', 'r0ck')
- user_id, info = self.pas._extractUserIds(request, self.pas.plugins)[0]
- self.assertEqual(user_id, 'fred/wilma')
- self.assertEqual(info, 'fred/wilma')
+ uids = self.pas._extractUserIds(request, self.pas.plugins)
+ self.assertEqual(len(uids), 1)
- def test__findUser(self):
- # User decoration does not find the real user name but uses the
- # passed-in value. This is ok as PAS always passes a useful name.
- user = self.pas._findUser(self.pas.plugins, 'fred/wilma', 'SomeValue')
- self.assertEqual(user.getId(), 'wilma')
- self.assertEqual(user.getUserName(), 'SomeValue')
- self.assertEqual(user.getRoles(), ['Authenticated', pastc.user_role])
+ user_id, info = uids[0]
+ self.assertEqual(user_id, 'wilma_id')
+ self.assertEqual(info, 'wilma')
- def test__findUser_masquerading_denied(self):
- user = self.pas._findUser(self.pas.plugins, 'wilma/fred')
- self.assertEqual(user, None)
+ def test__extractUserIds_masquerading_denied(self):
+ request = self.app.REQUEST
+ request._auth = 'Basic %s' % pastc.mkauth('wilma/fred', 'geheim')
- def test__verifyUser_by_login(self):
- info = self.pas._verifyUser(self.pas.plugins, login='fred/wilma')
- self.assertEqual(info['id'], 'wilma')
- self.assertEqual(info['login'], 'wilma')
+ uids = self.pas._extractUserIds(request, self.pas.plugins)
+ self.assertEqual(len(uids), 0)
- def test__verifyUser_by_id(self):
- info = self.pas._verifyUser(self.pas.plugins, user_id='fred/wilma')
- self.assertEqual(info['id'], 'wilma')
- self.assertEqual(info['login'], 'wilma')
+ def test__extractUserIds_bad_role_user(self):
+ request = self.app.REQUEST
+ request._auth = 'Basic %s' % pastc.mkauth('fred/betty', 'r0ck')
- def test_getUser(self):
- user = self.pas.getUser('fred/wilma')
- self.assertEqual(user.getId(), 'wilma')
- self.assertEqual(user.getUserName(), 'wilma')
- self.assertEqual(user.getRoles(), ['Authenticated', pastc.user_role])
+ uids = self.pas._extractUserIds(request, self.pas.plugins)
+ self.assertEqual(len(uids), 0)
- def test_getUserById(self):
- user = self.pas.getUserById('fred/wilma')
- self.assertEqual(user.getId(), 'wilma')
- self.assertEqual(user.getUserName(), 'wilma')
- self.assertEqual(user.getRoles(), ['Authenticated', pastc.user_role])
-
def test_validate(self):
# Rig the request so it looks like we traversed to doc
request = self.app.REQUEST
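Review bot: The three `_extractUserIds` tests in this hunk all present the password of the authenticating half of the login, so nothing here pins that the role user's password is rejected. A case such as `request._auth = 'Basic %s' % pastc.mkauth('fred/wilma', 'geheim')` followed by `self.assertEqual(len(uids), 0)` would guard against a regression where the unsplit login or the target's credentials reach `authenticateCredentials`. Other tests in the file are not visible from this hunk, so this may already be covered elsewhere; `test_validate` continues past the hunk.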
@@ -145,13 +103,13 @@
user = self.pas.validate(request)
self.failIf(user is None)
- self.assertEqual(user.getId(), 'wilma')
+ self.assertEqual(user.getId(), 'wilma_id')
self.assertEqual(user.getUserName(), 'wilma')
self.assertEqual(user.getRoles(), ['Authenticated', pastc.user_role])
user = getSecurityManager().getUser()
self.failIf(user is None)
- self.assertEqual(user.getId(), 'wilma')
+ self.assertEqual(user.getId(), 'wilma_id')
self.assertEqual(user.getUserName(), 'wilma')
self.assertEqual(user.getRoles(), ['Authenticated', pastc.user_role])
@@ -172,11 +130,27 @@
self.assertEqual(user.getUserName(), 'Anonymous User')
self.assertEqual(user.getRoles(), ('Anonymous',))
+ def test_validate_bad_role_user(self):
+ # Rig the request so it looks like we traversed to doc
+ request = self.app.REQUEST
+ request['PUBLISHED'] = self.doc
+ request['PARENTS'] = [self.folder, self.app]
+ request.steps = list(self.doc.getPhysicalPath())
+ request._auth = 'Basic %s' % pastc.mkauth('fred/betty', 'r0ck')
+ user = self.pas.validate(request)
+ self.assertEqual(user, None)
+
+ user = getSecurityManager().getUser()
+ self.failIf(user is None)
+ self.assertEqual(user.getId(), None)
+ self.assertEqual(user.getUserName(), 'Anonymous User')
+ self.assertEqual(user.getRoles(), ('Anonymous',))
+
+
def test_suite():
return unittest.TestSuite((
unittest.makeSuite(SplitMasqTests),
- unittest.makeSuite(JoinMasqTests),
unittest.makeSuite(MasqueradingTests),
))
Modified: Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/utils.py
===================================================================
--- Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/utils.py 2009-03-02 19:34:23 UTC (rev 97429)
+++ Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/utils.py 2009-03-03 08:44:14 UTC (rev 97430)
@@ -222,8 +222,3 @@
return tuple(split)
return (user_id, None)
-def joinmasq( auth_user_id, role_user_id ):
- if not auth_user_id or not role_user_id:
- return auth_user_id
- return _MASQ.join((auth_user_id, role_user_id))
-