0001-api-allow-unknown-NameID-on-categories-and-formdefs-.patch
tests/test_api.py | ||
111 | 111 |
output = get_app(pub).get('/user?%s&signature=%s' % (query, signature), status=403) |
112 | 112 |
assert output.json['err_desc'] == 'no user specified' |
113 | 113 | |
114 |
def test_get_user_from_api_query_string_error_unknown_nameid(): |
|
115 |
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z' |
|
116 |
query = 'format=json&orig=coucou&algo=sha1&NameID=xxx×tamp=' + timestamp |
|
117 |
signature = urllib.quote( |
|
118 |
base64.b64encode( |
|
119 |
hmac.new('1234', |
|
120 |
query, |
|
121 |
hashlib.sha1).digest())) |
|
122 |
output = get_app(pub).get('/user?%s&signature=%s' % (query, signature), status=403) |
|
123 |
assert output.json['err_desc'] == 'unknown NameID' |
|
124 | ||
114 | 125 |
def test_get_user_from_api_query_string_error_missing_email_valid_endpoint(): |
115 | 126 |
# check it's ok to sign an URL without specifiying an user if the endpoint |
116 | 127 |
# works fine without user. |
... | ... | |
123 | 134 |
hashlib.sha1).digest())) |
124 | 135 |
output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature)) |
125 | 136 |
assert output.json == {'data': []} |
137 |
output = get_app(pub).get('/json?%s&signature=%s' % (query, signature)) |
|
138 |
assert output.json == [] |
|
139 | ||
140 |
def test_get_user_from_api_query_string_error_unknown_nameid_valid_endpoint(): |
|
141 |
# check the categories and forms endpoints accept an unknown NameID |
|
142 |
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z' |
|
143 |
query = 'format=json&NameID=xxx&orig=coucou&algo=sha1×tamp=' + timestamp |
|
144 |
signature = urllib.quote( |
|
145 |
base64.b64encode( |
|
146 |
hmac.new('1234', |
|
147 |
query, |
|
148 |
hashlib.sha1).digest())) |
|
149 |
output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature)) |
|
150 |
assert output.json == {'data': []} |
|
151 |
output = get_app(pub).get('/json?%s&signature=%s' % (query, signature)) |
|
152 |
assert output.json == [] |
|
126 | 153 | |
127 | 154 |
def test_get_user_from_api_query_string_error_success_sha1(local_user): |
128 | 155 |
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z' |
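Review bot: test_get_user_from_api_query_string_error_unknown_nameid_valid_endpoint only asserts `{'data': []}` and `[]`, so it passes whether the unknown NameID is downgraded to anonymous visibility or silently treated as a fully trusted signed call; with empty stores the two outcomes are indistinguishable. Create a category or formdef that is not visible anonymously in the fixture and assert it is absent from both responses, with a companion check that a known user's NameID does still see it. The `'xxx'` NameID and `'1234'` key mirror the constructed values the neighbouring tests use, which is fine. The fixture setup these tests rely on begins above the hunk.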
wcs/api.py | ||
26 | 26 | |
27 | 27 |
from quixote import get_request, get_publisher, get_response |
28 | 28 |
from quixote.directory import Directory |
29 |
from qommon.errors import AccessForbiddenError, QueryError, TraversalError |
|
29 |
from qommon.errors import (AccessForbiddenError, QueryError, TraversalError, |
|
30 |
UnknownNameIdAccessForbiddenError) |
|
30 | 31 | |
31 | 32 |
from wcs.formdef import FormDef |
32 | 33 |
from wcs.roles import Role |
... | ... | |
92 | 93 |
if users: |
93 | 94 |
user = users[0] |
94 | 95 |
else: |
95 |
raise AccessForbiddenError('unknown NameID') |
|
96 |
raise UnknownNameIdAccessForbiddenError('unknown NameID')
|
|
96 | 97 | |
97 | 98 |
return user |
98 | 99 |
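Review bot: Nothing at the raise site documents that UnknownNameIdAccessForbiddenError is a deliberate, narrower signal than the generic AccessForbiddenError, one that callers are expected to catch and downgrade to anonymous visibility; get_user_from_api_query_string's signature and docstring are above the hunk, so the contract is invisible here. Add a comment before the raise, `# distinct subclass so callers (e.g. wcs/forms/root.py) can fall back to anonymous results; they must not fall back to the session user`, and mention the new exception in the function's docstring. Because it subclasses AccessForbiddenError, existing `except AccessForbiddenError` handlers keep their current 403 behaviour.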
wcs/forms/root.py | ||
1202 | 1202 |
return r.getvalue() |
1203 | 1203 | |
1204 | 1204 |
def json(self): |
1205 |
from wcs.api import is_url_signed, get_user_from_api_query_string |
|
1206 |
user = get_user_from_api_query_string() or get_request().user |
|
1205 |
from wcs.api import (is_url_signed, get_user_from_api_query_string, |
|
1206 |
UnknownNameIdAccessForbiddenError) |
|
1207 |
try: |
|
1208 |
user = get_user_from_api_query_string() or get_request().user |
|
1209 |
except UnknownNameIdAccessForbiddenError: |
|
1210 |
# if authenticating the user via the query string failed, return |
|
1211 |
# results for the anonymous case; user is set to 'False' as a |
|
1212 |
# signed URL with a None user is considered like an appropriate |
|
1213 |
# webservice call. |
|
1214 |
user = False |
|
1207 | 1215 |
list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None) |
1208 | 1216 | |
1209 | 1217 |
list_forms = [] |
... | ... | |
1292 | 1300 |
return r.getvalue() |
1293 | 1301 | |
1294 | 1302 |
def categories_json(self): |
1295 |
from wcs.api import get_user_from_api_query_string |
|
1296 |
user = get_user_from_api_query_string() or get_request().user |
|
1303 |
from wcs.api import get_user_from_api_query_string, UnknownNameIdAccessForbiddenError |
|
1304 |
try: |
|
1305 |
user = get_user_from_api_query_string() or get_request().user |
|
1306 |
except UnknownNameIdAccessForbiddenError: |
|
1307 |
# the name id was unknown, return the categories for anonymous |
|
1308 |
# users. |
|
1309 |
user = None |
|
1297 | 1310 |
list_categories = [] |
1298 | 1311 |
charset = get_publisher().site_charset |
1299 | 1312 |
categories = self.get_categories(user) |
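Review bot: The two handlers use different sentinels after catching UnknownNameIdAccessForbiddenError: json() sets `user = False` precisely so that `is_url_signed() and user is None` on the following line does not grant list_all_forms, while categories_json() sets `user = None`. If get_categories (its body is outside the hunk) has a similar signed-URL special case for a None user, an unknown NameID would be treated as a fully trusted signed call and see every category; please confirm, and if so use `user = False` there too with the same explanatory comment. A shared helper in wcs.api that returns the API user or the anonymous sentinel would keep the two fallbacks from drifting apart. Importing the exception through wcs.api rather than from the module that defines it (wcs/qommon/errors.py) works only because api.py happens to import that name. Both json() and categories_json() continue past the hunk.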
wcs/qommon/errors.py | ||
39 | 39 |
location_hint = self.location_hint) |
40 | 40 | |
41 | 41 | |
42 |
class UnknownNameIdAccessForbiddenError(AccessForbiddenError): |
|
43 |
pass |
|
44 | ||
45 | ||
42 | 46 |
class AccessUnauthorizedError(AccessForbiddenError): |
43 | 47 |
def render(self): |
44 | 48 |
session = quixote.get_session() |
45 |
- |