-rw-r--r-- | server/src/leap/soledad/server/auth.py | 18 | ||||
-rw-r--r-- | server/src/leap/soledad/server/session.py | 3 | ||||
-rw-r--r-- | testing/tests/server/test_auth.py | 11 | ||||
-rw-r--r-- | testing/tests/server/test_session.py | 45 |
4 files changed, 26 insertions, 51 deletions
diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py
index bcef2e7c..1f078bff 100644
--- a/server/src/leap/soledad/server/auth.py
+++ b/server/src/leap/soledad/server/auth.py
@@ -67,24 +67,20 @@ class TokenChecker(object):
 self._dbs = {}
 
 def _tokens_dbname(self):
- dbname = self.TOKENS_DB_PREFIX + \
- str(int(time.time() / self.TOKENS_DB_EXPIRE))
- return dbname
-
- def _get_db(self, dbname):
- if dbname not in self._dbs:
- self._dbs[dbname] = self._server[dbname]
- return self._dbs[dbname]
-
- def _tokens_db(self):
 # the tokens db rotates every 30 days, and the current db name is
 # "tokens_NNN", where NNN is the number of seconds since epoch
 # divide dby the rotate period in seconds. When rotating, old and
 # new tokens db coexist during a certain window of time and valid
 # tokens are replicated from the old db to the new one. See:
 # https://leap.se/code/issues/6785
+ dbname = self.TOKENS_DB_PREFIX + \
+ str(int(time.time() / self.TOKENS_DB_EXPIRE))
+ return dbname
+
+ def _tokens_db(self):
 dbname = self._tokens_dbname()
- db = self._get_db(dbname)
+ with self._server as server:
+ db = server[dbname]
 return db
 
 def requestAvatarId(self, credentials):
diff --git a/server/src/leap/soledad/server/session.py b/server/src/leap/soledad/server/session.py
index a56e4e97..a2793bd3 100644
--- a/server/src/leap/soledad/server/session.py
+++ b/server/src/leap/soledad/server/session.py
@@ -104,6 +104,3 @@ class SoledadSession(HTTPAuthSessionWrapper):
 
 # if all checks pass, try to login with credentials
 return util.DeferredResource(self._login(credentials))
-
-
-soledadSession = SoledadSession()
diff --git a/testing/tests/server/test_auth.py b/testing/tests/server/test_auth.py
index 0e6baba3..5b215650 100644
--- a/testing/tests/server/test_auth.py
+++ b/testing/tests/server/test_auth.py
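Review bot: In `_tokens_db` (auth.py) the handle `db = server[dbname]` is obtained inside `with self._server as server:` but `return db` runs after the block has exited, so the caller uses it outside the scope that acquired it. What `self._server` yields or releases on exit is not visible in this diff; if the connection is closed or handed back to a pool at exit, the token lookup in `requestAvatarId` (whose body lies outside this hunk) would run against a released resource, and an authentication decision should not depend on that. Either do the lookup inside the `with`, or state in a comment on `_tokens_db` that the returned handle remains valid after exit. The context line `self._dbs = {}` also appears to have no reader left now that `_get_db` is removed, and the moved comment still reads "divide dby".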
@@ -19,6 +19,8 @@
 Tests for auth pieces.
 """
 import collections
+from contextlib import contextmanager
+
 from twisted.cred.credentials import UsernamePassword
 from twisted.cred.error import UnauthorizedLogin
 from twisted.internet.defer import inlineCallbacks
@@ -54,13 +56,18 @@ class DummyServer(object):
 return self._token
 
 
+@contextmanager
+def dummy_server(token):
+ yield collections.defaultdict(lambda: DummyServer(token))
+
+
 class TokenCheckerTestCase(unittest.TestCase):
 
 @inlineCallbacks
 def test_good_creds(self):
 # set up a dummy server which always return a *valid* token document
 token = {'user_id': 'user', 'type': 'Token'}
- server = collections.defaultdict(lambda: DummyServer(token))
+ server = dummy_server(token)
 # setup the checker with the custom server
 checker = TokenChecker(server=server)
 # assert the checker *can* verify the creds
@@ -72,7 +79,7 @@ class TokenCheckerTestCase(unittest.TestCase):
 def test_bad_creds(self):
 # set up a dummy server which always return an *invalid* token document
 token = None
- server = collections.defaultdict(lambda: DummyServer(token))
+ server = dummy_server(token)
 # setup the checker with the custom server
 checker = TokenChecker(server=server)
 # assert the checker *cannot* verify the creds
diff --git a/testing/tests/server/test_session.py b/testing/tests/server/test_session.py
index 7883ef4a..8131ddb3 100644
--- a/testing/tests/server/test_session.py
+++ b/testing/tests/server/test_session.py
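Review bot: `dummy_server(token)` in test_auth.py hands the checker a single `@contextmanager` object, which can be entered only once, while the new `_tokens_db` enters `self._server` on every call. `test_good_creds` and `test_bad_creds` (the following hunk, same change) therefore pass only as long as the checker touches the server once per test; a second `with` on the same object would raise `RuntimeError` instead of exercising the credential check. A small reusable class with `__enter__`/`__exit__` would remove that coupling; both test bodies continue outside their hunks.

```python
class dummy_server(object):
    # reusable stand-in: every `with` yields a fresh mapping of dummy dbs

    def __init__(self, token):
        self._token = token

    def __enter__(self):
        return collections.defaultdict(lambda: DummyServer(self._token))

    def __exit__(self, exc_type, exc_value, traceback):
        return False

# … unchanged: TokenCheckerTestCase and its calls to dummy_server(token) …
```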
@@ -17,24 +17,20 @@
 """
 Tests for server session entrypoint.
 """
-from twisted.cred.checkers import InMemoryUsernamePasswordDatabaseDontUse
+from twisted.trial import unittest
+
 from twisted.cred import portal
+from twisted.cred.checkers import InMemoryUsernamePasswordDatabaseDontUse
+from twisted.cred.credentials import IUsernamePassword
+from twisted.web.resource import getChildForRequest
+from twisted.web.static import Data
+from twisted.web.test.requesthelper import DummyRequest
 from twisted.web.test.test_httpauth import b64encode
 from twisted.web.test.test_httpauth import Realm
-from twisted.web.test.requesthelper import DummyRequest
-from twisted.web.resource import getChildForRequest
-
-from twisted.web.resource import Resource
-
-from twisted.trial import unittest
+from twisted.web._auth.wrapper import UnauthorizedResource
 
 from leap.soledad.server.session import SoledadSession
 
-from twisted.web.static import Data
-from twisted.web._auth.wrapper import UnauthorizedResource
-from twisted.cred.credentials import IUsernamePassword
-from twisted.cred.checkers import ANONYMOUS, AllowAnonymousAccess
-
 
 class SoledadSessionTestCase(unittest.TestCase):
 """
@@ -168,6 +164,7 @@ class SoledadSessionTestCase(unittest.TestCase):
 child = getChildForRequest(self.wrapper, request)
 request.render(child)
 self.assertEqual(request.responseCode, 500)
+ self.assertEqual(len(self.flushLoggedErrors(UnexpectedException)), 1)
 
 def test_unexpectedLoginError(self):
 class UnexpectedException(Exception):
@@ -184,26 +181,4 @@ class SoledadSessionTestCase(unittest.TestCase):
 child = self._authorizedTokenLogin(request)
 request.render(child)
 self.assertEqual(request.responseCode, 500)
-
- def test_anonymousAccess(self):
- """
- Anonymous requests are allowed if a L{Portal} has an anonymous checker
- registered.
- """
- unprotectedContents = b"contents of the unprotected child resource"
-
- self.avatars[ANONYMOUS] = Resource()
- self.avatars[ANONYMOUS].putChild(
- self.childName, Data(unprotectedContents, 'text/plain'))
- self.portal.registerChecker(AllowAnonymousAccess())
-
- request = self.makeRequest([self.childName])
- child = getChildForRequest(self.wrapper, request)
- d = request.notifyFinish()
-
- def cbFinished(ignored):
- self.assertEqual(request.written, [unprotectedContents])
-
- d.addCallback(cbFinished)
- request.render(child)
- return d
+ self.assertEqual(len(self.flushLoggedErrors(UnexpectedException)), 1) |
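Review bot: `test_anonymousAccess` is removed from test_session.py without a test that pins the opposite behaviour. If anonymous access is no longer meant to be reachable through `SoledadSession` (dropping the `ANONYMOUS`/`AllowAnonymousAccess` imports suggests so, but the wrapper's code is outside this diff), a negative test asserting that a request without credentials resolves to `UnauthorizedResource` with a 401 would keep that from regressing silently. Such a test may already exist in the part of the file not shown here; if it does, a short comment such as `# anonymous access is intentionally unsupported, see test_<name>` next to it would record the intent.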