~ubuntuone-pqm-team/canonical-identity-provider/trunk

Copyright 2010 Canonical Ltd.  This software is licensed under the
GNU Affero General Public License version 3 (see the file LICENSE).

===============================================
Testing Authentication Requirements For Methods
===============================================


Check that authentication restrictions are enforced for each exposed API
method. This is done for every type of user there is in the system and
for every exposed method.

First of all, import all the required bits:

    >>> from lazr.restfulclient.resource import ServiceRoot
    >>> from lazr.restfulclient.errors import HTTPError
    >>> from lazr.restfulclient.authorize import BasicHttpAuthorizer
    >>> from oauth.oauth import OAuthToken
    >>> from lazr.restfulclient.authorize.oauth import OAuthAuthorizer

Test When No Credentials Are Supplied
=====================================

Check that a user without any credentials (``None``) can access the
methods ``registrations.register`` and ``captchas.new``:

    >>> credentials = None
    >>> api = ServiceRoot(credentials, 'http://localhost:8000/api/1.0')
    >>> api.registrations.register
    <lazr.restfulclient.resource.NamedOperation ...>
    >>> api.captchas.new
    <lazr.restfulclient.resource.NamedOperation ...>

But all other methods are inaccessible:

    >>> methods = ['api.authentications.authenticate',
    ...            'api.authentications.invalidate_token',
    ...            'api.authentications.validate_token',
    ...            'api.authentications.list_tokens',
    ...            'api.accounts.me',
    ...            'api.accounts.validate_email']
    >>> for method_name in methods:
    ...     try:
    ...         eval(method_name)
    ...     except HTTPError as e:
    ...         print("%s %s" % (method_name, e.response.status))
    api.authentications.authenticate 401
    api.authentications.invalidate_token 401
    api.authentications.validate_token 401
    api.authentications.list_tokens 401
    api.accounts.me 401
    api.accounts.validate_email 401


Test When Basic Auth Credentials For Normal Users Are Supplied
==============================================================

Basic Authentication credentials are only good for accessing the
``authentications.authenticate`` method:

    >>> authorizer = BasicHttpAuthorizer('bla', 'logdf3D')
    >>> api = ServiceRoot(authorizer, 'http://localhost:8000/api/1.0')
    >>> api.authentications.authenticate
    <lazr.restfulclient.resource.NamedOperation ...>

But the rest of the ``authentications`` calls are protected
(``registrations.register`` is not protected by anything, which means
that it doesn't care about the ``WWW-Authenticate`` header, so it is always
accessible no matter which authentication mechanism you're using).

    >>> methods = ['api.authentications.list_tokens',
    ...            'api.accounts.me',
    ...            'api.accounts.validate_email']
    >>> for method_name in methods:
    ...     try:
    ...         eval(method_name)
    ...     except HTTPError as e:
    ...         print("%s %s" % (method_name, e.response.status))
    api.authentications.list_tokens 401
    api.accounts.me 401
    api.accounts.validate_email 401


Test When OAuth Auth Credentials For Normal Users Are Supplied
==============================================================

After going through ``authentications.authenticate`` you'll have an OAuth
token and be able to access only ``accounts.me`` and
``accounts.validate_email``.

    >>> token = {"token": "this-is-valid-token",
    ...          "token_secret": "this-is-valid-token-secret",
    ...          "consumer_key": "consumer",
    ...          "consumer_secret": "big-secret"}
    >>> oauth_token = OAuthToken(token['token'], token['token_secret'])
    >>> authorizer = OAuthAuthorizer(token['consumer_key'],
    ...    token['consumer_secret'], oauth_token)
    >>> api = ServiceRoot(authorizer, 'http://localhost:8000/api/1.0')


Now only ``accounts.me`` and ``accounts.validate_email`` should be
accessible:

    >>> api.accounts.me
    <lazr.restfulclient.resource.NamedOperation ...>
    >>> api.accounts.validate_email
    <lazr.restfulclient.resource.NamedOperation ...>

The rest of the API calls should return a 401 error:

    >>> methods = ['api.authentications.authenticate',
    ...            'api.authentications.invalidate_token']
    >>> for method_name in methods:
    ...     try:
    ...         eval(method_name)
    ...     except HTTPError as e:
    ...         print("%s %s" % (method_name, e.response.status))
    api.authentications.authenticate 401
    api.authentications.invalidate_token 401


Test When Basic Auth Credentials For Server API User Are Supplied
=================================================================

By providing credentials for the server API user you get access to a
different set of API calls:

    >>> authorizer = BasicHttpAuthorizer('MyUsername', 'password')
    >>> api = ServiceRoot(authorizer, 'http://localhost:8000/api/1.0')
    >>> api.authentications.validate_token
    <lazr.restfulclient.resource.NamedOperation ...>
    >>> api.authentications.list_tokens
    <lazr.restfulclient.resource.NamedOperation ...>
    >>> api.authentications.invalidate_token
    <lazr.restfulclient.resource.NamedOperation ...>

The rest of the methods should be inaccessible:

    >>> methods = ['api.authentications.authenticate',
    ...            'api.accounts.me',
    ...            'api.accounts.validate_email']
    >>> for method_name in methods:
    ...     try:
    ...         eval(method_name)
    ...     except HTTPError as e:
    ...         print("%s %s" % (method_name, e.response.status))
    api.authentications.authenticate 401
    api.accounts.me 401
    api.accounts.validate_email 401
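The four sections above each check one principal type against a handful of
methods. The following is an added example, not code from
canonical-identity-provider, that models the same matrix end to end: a
method-centric server policy (which credential class each method accepts), a
credential classifier, and an exhaustive check that runs every principal type
against every exposed method and reports any pair where the server's answer
disagrees with the principal-centric expectations transcribed from the
doctests. The policy table, the classifier, the credential stores, the
``dispatch``/``classify``/``check_matrix`` names and the assumption that
``captchas.new`` is open to every principal (the page only exercises it
anonymously) are all assumptions made for illustration; the sample credentials
are the doctests' own values.

```python
"""Exhaustive principal x method authorization check.

Added example, not code from canonical-identity-provider: the policy table,
the classifier and the credential stores below are assumptions modelling the
behaviour the doctests describe.
"""
import hmac
from collections import namedtuple

# Principal classes the doctests distinguish (constructed labels).
ANONYMOUS, BASIC_USER, OAUTH_USER, SERVER_API = (
    "anonymous", "basic_user", "oauth_user", "server_api_user")

# Constructed credential stores, reusing the doctests' sample values.
ACCOUNTS = {"bla": "logdf3D"}                    # normal accounts
SERVER_API_USERS = {"MyUsername": "password"}     # server API user
OAUTH_TOKENS = {"this-is-valid-token": "this-is-valid-token-secret"}

# Method-centric policy: the principal classes each exposed method accepts.
# None means the method is unauthenticated; unknown methods get 404.
METHOD_POLICY = {
    "registrations.register": None,
    "captchas.new": None,                          # assumed open like register
    "authentications.authenticate": {BASIC_USER},
    "authentications.validate_token": {SERVER_API},
    "authentications.list_tokens": {SERVER_API},
    "authentications.invalidate_token": {SERVER_API},
    "accounts.me": {OAUTH_USER},
    "accounts.validate_email": {OAUTH_USER},
}

Credential = namedtuple("Credential", "scheme identity secret")


def _matches(store, identity, secret):
    """Constant-time secret comparison against a credential store."""
    stored = store.get(identity)
    return stored is not None and hmac.compare_digest(stored, secret)


def classify(credential):
    """Map presented credentials to a principal class; None if they are invalid."""
    if credential is None:
        return ANONYMOUS
    if credential.scheme == "basic":
        # The server API user is checked first so it never falls back to a
        # normal-account identity with the same name.
        if _matches(SERVER_API_USERS, credential.identity, credential.secret):
            return SERVER_API
        if _matches(ACCOUNTS, credential.identity, credential.secret):
            return BASIC_USER
        return None
    if credential.scheme == "oauth":
        if _matches(OAUTH_TOKENS, credential.identity, credential.secret):
            return OAUTH_USER
        return None
    return None                                    # unsupported scheme


def dispatch(method, credential):
    """Return the HTTP status the modelled server gives: 200, 401 or 404."""
    if method not in METHOD_POLICY:
        return 404
    accepted = METHOD_POLICY[method]
    if accepted is None:
        return 200          # unauthenticated endpoint: credentials are ignored
    principal = classify(credential)
    if principal is None or principal not in accepted:
        return 401
    return 200


# Principal-centric expectations transcribed from the doctests; any method not
# listed for a principal is expected to be denied (deny by default).
EXPECTED_ALLOWED = {
    ANONYMOUS: {"registrations.register", "captchas.new"},
    BASIC_USER: {"registrations.register", "captchas.new",
                 "authentications.authenticate"},
    OAUTH_USER: {"registrations.register", "captchas.new",
                 "accounts.me", "accounts.validate_email"},
    SERVER_API: {"registrations.register", "captchas.new",
                 "authentications.validate_token",
                 "authentications.list_tokens",
                 "authentications.invalidate_token"},
}

SAMPLE_CREDENTIALS = {
    ANONYMOUS: None,
    BASIC_USER: Credential("basic", "bla", "logdf3D"),
    OAUTH_USER: Credential("oauth", "this-is-valid-token",
                           "this-is-valid-token-secret"),
    SERVER_API: Credential("basic", "MyUsername", "password"),
}


def check_matrix():
    """Run every principal class against every exposed method.

    Returns a list of (principal, method, got, want) mismatches; an empty
    list means the method-centric policy agrees with the principal-centric
    expectations for the whole matrix, not just the pairs the doctests spot-check.
    """
    mismatches = []
    for principal, credential in SAMPLE_CREDENTIALS.items():
        for method in sorted(METHOD_POLICY):
            want = 200 if method in EXPECTED_ALLOWED[principal] else 401
            got = dispatch(method, credential)
            if got != want:
                mismatches.append((principal, method, got, want))
    return mismatches


if __name__ == "__main__":
    for row in check_matrix() or ["matrix consistent: no mismatches"]:
        print(row)
```

The check deliberately derives the expected status from a separate,
principal-centric table rather than from ``METHOD_POLICY`` itself, so a policy
edit that accidentally widens a method (say, letting a normal account call
``authentications.list_tokens``) shows up as a mismatch. The bad-password
cases in the usage below also confirm the point the page makes about
``registrations.register``: an unauthenticated endpoint stays reachable with
wrong credentials, while the protected ones return 401.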