0001-general-allow-marking-form-as-required-a-strong-auth.patch

Frédéric Péters, 10 janvier 2017 11:04

Voir les différences: en ligne côte à côte

Subject: [PATCH] general: allow marking form as required a strong
 authentication level (#13177)

 tests/test_admin_pages.py    | 33 +++++++++++++++++++++++++++++++++
 tests/test_api.py            |  5 +++++
 tests/test_form_pages.py     | 37 +++++++++++++++++++++++++++++++++++--
 tests/test_formdef_import.py |  8 ++++++++
 wcs/admin/forms.py           |  9 +++++++++
 wcs/api.py                   |  2 ++
 wcs/backoffice/submission.py |  3 +++
 wcs/formdef.py               | 19 +++++++++++++++++++
 wcs/forms/root.py            | 25 ++++++++++++++++++++++++-
 wcs/qommon/publisher.py      | 28 ++++++++++++++++++++++++++++
 wcs/qommon/sessions.py       |  7 +++++++
 11 files changed, 173 insertions(+), 3 deletions(-)

         assert data_class.get(formdata1.id).status == 'wf-finished'
         assert data_class.get(formdata2.id).status == 'draft'
     def test_form_submitter_roles(pub):
         create_superuser(pub)
         role = create_role()
         FormDef.wipe()
         formdef = FormDef()
         formdef.name = 'form title'
         formdef.fields = []
         formdef.store()
         app = login(get_app(pub))
         resp = app.get('/backoffice/forms/1/')
         resp = resp.click(href=re.compile('^roles$'))
         resp.form['roles$element0'] = 'logged-users'
         assert not 'required_authentication_levels' in resp.body
         resp = resp.form.submit()
         assert FormDef.get(formdef.id).roles == ['logged-users']
         # add auth levels support
         if not pub.site_options.has_section('options'):
             pub.site_options.add_section('options')
         pub.site_options.set('options', 'auth-levels', 'fedict')
         with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
             pub.site_options.write(fd)
         app = login(get_app(pub))
         resp = app.get('/backoffice/forms/1/')
         resp = resp.click(href=re.compile('^roles$'))
         assert 'required_authentication_levels' in resp.body
         resp.form['required_authentication_levels$element0'].checked = True
         resp = resp.form.submit()
         assert FormDef.get(formdef.id).required_authentication_levels == ['fedict']
     def test_form_workflow_role(pub):
         create_superuser(pub)
         role = create_role()

         assert resp.json[0]['authentication_required']
         assert resp.json == resp2.json == resp3.json == resp4.json
         formdef.required_authentication_levels = ['fedict']
         formdef.store()
         resp = get_app(pub).get('/api/formdefs/')
         assert resp.json[0]['required_authentication_levels'] == ['fedict']
     def test_formdef_list_redirection(pub):
         FormDef.wipe()
         formdef = FormDef()

         login(get_app(pub), username='foo', password='foo').get('/test/', status=200)
         # check special "logged users" role
         formdef.roles = [logged_users_role()]
         formdef.roles = [logged_users_role().id]
         formdef.store()
         user = create_user(pub)
         login(get_app(pub), username='foo', password='foo').get('/test/', status=403)
         login(get_app(pub), username='foo', password='foo').get('/test/', status=200)
         resp = get_app(pub).get('/test/', status=302) # redirect to login
         # check "receiver" can also access the formdef
-...
         user.store()
         login(get_app(pub), username='foo', password='foo').get('/test/', status=200)
     def test_form_access_auth_level(pub):
         user = create_user(pub)
         if not pub.site_options.has_section('options'):
             pub.site_options.add_section('options')
         pub.site_options.set('options', 'auth-levels', 'fedict')
         with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
             pub.site_options.write(fd)
         formdef = create_formdef()
         get_app(pub).get('/test/', status=200)
         formdef.required_authentication_levels = ['fedict']
         formdef.roles = [logged_users_role().id]
         formdef.store()
         # an unlogged user will get a redirect to login
         resp = get_app(pub).get('/test/', status=302)
         assert '/login' in resp.location
         # a user logged in with a simple username/password tuple will get a page
         # to relogin with a stronger auth
         app = login(get_app(pub), username='foo', password='foo')
         resp = app.get('/test/')
         assert 'You need a stronger authentication level to fill this form.' in resp.body
         for session in pub.session_manager.values():
             session.saml_authn_context = 'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI'
             session.store()
         resp = app.get('/test/')
         assert 'You need a stronger authentication level to fill this form.' not in resp.body
         assert resp.form
     def test_form_submit(pub):
         formdef = create_formdef()
         formdef.data_class().wipe()

         formdef.backoffice_submission_roles = [role.id]
         fd2 = assert_xml_import_export_works(formdef, include_id=True)
         assert fd2.backoffice_submission_roles == formdef.backoffice_submission_roles
     def test_required_authentication_levels():
         formdef = FormDef()
         formdef.name = 'foo'
         formdef.fields = []
         formdef.required_authentication_levels = ['fedict']
         fd2 = assert_xml_import_export_works(formdef, include_id=True)
         assert fd2.required_authentication_levels == formdef.required_authentication_levels

                         'render_br': False,
                         'options': options
                     })
             auth_levels = get_publisher().get_supported_authentication_levels()
             if attribute == 'roles' and auth_levels:
                 form.add(CheckboxesWidget, 'required_authentication_levels',
                         title=_('Required authentication levels'),
                         value=self.formdef.required_authentication_levels,
                         options=auth_levels.items())
             form.add_submit('submit', _('Submit'))
             form.add_submit('cancel', _('Cancel'))
             if form.get_widget('cancel').parse():
-...
             else:
                 roles = form.get_widget('roles').parse() or []
                 setattr(self.formdef, attribute, [x for x in roles if x])
                 if form.get_widget('required_authentication_levels'):
                     self.formdef.required_authentication_levels = form.get_widget(
                             'required_authentication_levels').parse()
                 self.formdef.store()
                 return redirect('.')

                             'description': formdef.description or '',
                             'keywords': formdef.keywords_list,
                             'authentication_required': authentication_required}
                 if formdef.required_authentication_levels:
                     formdict['required_authentication_levels'] = formdef.required_authentication_levels
                 formdict['redirection'] = bool(formdef.is_disabled() and
                         formdef.disabled_redirection)

         def html_top(self, *args, **kwargs):
             return html_top('submission', *args, **kwargs)
         def check_authentication_level(self):
             pass
         def check_role(self):
             if self.edit_mode:
                 return True

         workflow_options = None
         workflow_roles = None
         roles = None
         required_authentication_levels = None
         backoffice_submission_roles = None
         discussion = False
         confirmation = True
-...
             if self.workflow_options:
                 root['options'] = self.workflow_options
             if self.required_authentication_levels:
                 root['required_authentication_levels'] = self.required_authentication_levels[:]
             return json.dumps(root, indent=indent, cls=misc.JSONEncoder)
         @classmethod
-...
             if value.get('geolocations'):
                 formdef.geolocations = value.get('geolocations')
             if value.get('required_authentication_levels'):
                 formdef.required_authentication_levels = [str(x) for x in
                         value.get('required_authentication_levels')]
             return formdef
         def export_to_xml(self, include_id=False):
-...
                 element.attrib['key'] = geoloc_key
                 element.text = unicode(geoloc_label, charset)
             if self.required_authentication_levels:
                 element = ET.SubElement(root, 'required_authentication_levels')
                 for auth_level in self.required_authentication_levels:
                     ET.SubElement(element, 'method').text = unicode(auth_level)
             return root
         @classmethod
-...
                     geoloc_value = child.text.encode(charset)
                     formdef.geolocations[geoloc_key] = geoloc_value
             if tree.find('required_authentication_levels') is not None:
                 node = tree.find('required_authentication_levels')
                 formdef.required_authentication_levels = []
                 for child in node.getchildren():
                     formdef.required_authentication_levels.append(str(child.text))
             return formdef
         def get_detailed_email_form(self, formdata, url):

                (tracking code and steps).'''
             r = TemplateIO(html=True)
             r += htmltext('<div id="side">')
             if self.formdef.enable_tracking_codes:
             if self.formdef.enable_tracking_codes and data:
                 r += self.tracking_code_box(data, magictoken)
             r += self.step(step_no, page_no, log_detail, data=data)
             r += htmltext('</div> <!-- #side -->')
-...
         def create_view_form(self, *args, **kwargs):
             return self.formdef.create_view_form(*args, **kwargs)
         def check_authentication_level(self):
             if not self.formdef.required_authentication_levels:
                 return
             if get_session().get_authentication_level() in self.formdef.required_authentication_levels:
                 return
             self.html_top(self.formdef.name)
             r = TemplateIO(html=True)
             r += self.form_side(step_no=0, page_no=0)
             auth_levels = get_publisher().get_supported_authentication_levels()
             r += htmltext('<div class="errornotice">')
             r += htmltext('<p>%s</p>') % _('You need a stronger authentication level to fill this form.')
             r += htmltext('</div>')
             root_url = get_publisher().get_root_url()
             for auth_level in self.formdef.required_authentication_levels:
                 r += htmltext('<p><a class="button" href="%slogin/?forceAuthn=true">%s</a></p>') % (
                         root_url, _('Login with %s') % auth_levels[auth_level])
             return r.getvalue()
         def _q_index(self, log_detail=None):
             self.check_role()
             authentication_level_check_result = self.check_authentication_level()
             if authentication_level_check_result:
                 return authentication_level_check_result
             if self.check_disabled():
                 return redirect(self.check_disabled())

     # You should have received a copy of the GNU General Public License
     # along with this program; if not, see <http://www.gnu.org/licenses/>.
     import collections
     import cPickle
     import ConfigParser
     import imp
-...
                 default_position = '50.84;4.36'
             return default_position
         def get_supported_authentication_levels(self):
             levels = collections.OrderedDict()
             labels = {
                 'fedict': _('Belgian eID'),
                 'franceconnect': _('FranceConnect'),
+            }
             if self.get_site_option('auth-levels'):
                 for level in self.get_site_option('auth-levels').split(','):
                     level = level.strip()
                     levels[level] = labels[level]
             return levels
         def get_authentication_level_saml_contexts(self, level):
             return {
                 'fedict': [
                     # custom context, provided by authentic fedict plugin:
                     'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI',
                     # native fedict contexts:
                     'urn:be:fedict:iam:fas:citizen:eid',
                     'urn:be:fedict:iam:fas:citizen:token',
                     'urn:be:fedict:iam:fas:enterprise:eid',
                     'urn:be:fedict:iam:fas:enterprise:token'],
                 'franceconnect': [
                     'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
+                ]
             }[level]
         def get_substitution_variables(self):
             import misc
             d = {

         def get_user_object(self):
             return self.get_user()
         def get_authentication_level(self):
             for level in get_publisher().get_supported_authentication_levels():
                 contexts = get_publisher().get_authentication_level_saml_contexts(level)
                 if self.saml_authn_context in contexts:
                     return level
             return None
         def add_tempfile(self, upload):
             from wcs.qommon.form import PicklableUpload
             token = randbytes(8)
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-general-allow-marking-form-as-required-a-strong-auth.patch