Timestamp:
22/05/09 10:11:16 (11 years ago)
Author:
pjkersha
Message:

Completed AuthorizationMiddleware? unit tests ndg.security.test.unit.wsgi.authz:

  • Test 8, 'test08AccessDeniedForAdminQueryArg' tries out the use case for a URI which can display additional content for users with admin privileges. The caller needs to be able to display the correct content according to whether the user has admin rights or not:
    1. the caller invokes /securedURI?admin=1
    2. if the user has admin rights, the PDP will grant access and the PEP will deliver this URI.
    3. if the user doesn't have admin rights, a special overloaded PEP result handler class detects that access was denied for the admin URI and redirects the user to a modified URI subtracting the admin flag. The application code can then deliver the appropriate content minus admin privileges.
File:
1 edited

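--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/unit/wsgi/authz/test_authz.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/unit/wsgi/authz/test_authz.py
@@ -15,9 +15,5 @@
 import unittest
 import os
-import sys
-import getpass
-import re
-import base64
-import urllib2
+from urlparse import urlunsplit
 
 from os.path import expandvars as xpdVars
@@ -28,6 +24,29 @@
 import paste.fixture
 from paste.deploy import loadapp
-from ndg.security.server.wsgi.authz import PEPFilterConfigError
-
+from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
+from ndg.security.server.wsgi.authz import PEPFilterConfigError, \
+    PEPResultHandlerMiddleware
+from ndg.security.common.authz.msi import Response
+
+class RedirectFollowingAccessDenied(PEPResultHandlerMiddleware):
+    
+    @NDGSecurityMiddlewareBase.initCall
+    def __call__(self, environ, start_response):
+        
+        queryString = environ.get('QUERY_STRING', '')
+        if 'admin=1' in queryString:
+            # User has been rejected access to a URI requiring admin rights,
+            # try redirect to the same URI minus the admin query arg, this
+            # request will pass because admin rights aren't needed
+            queryArgs = queryString.split('&')
+            queryList = [arg for arg in queryArgs if arg != 'admin=1']
+            editedQuery = '&'.join(queryList)
+            redirectURI = urlunsplit(('', '', self.pathInfo, editedQuery, ''))
+            return self.redirect(redirectURI)
+        else:
+            return super(RedirectFollowingAccessDenied, self).__call__(
+                                                            environ,
+                                                            start_response)
+        
 class TestAuthZMiddleware(object):
     '''Test Application for the Authentication handler to protect'''
@@ -145,6 +164,6 @@
                                 extra_environ=extra_environ,
                                 status=403)
-        self.assert_(
-                "Insufficient privileges to access the resource" in response)
+        self.failIf(
+            "Insufficient privileges to access the resource" not in response)
         print response
         
@@ -159,5 +178,42 @@
                                 extra_environ=extra_environ,
                                 status=200)
+        self.failIf(TestAuthZMiddleware.response not in response)
+        print response
+
+    def test07AccessGrantedForSecuredURI(self):
+        
+        # User is logged in and has credentials for access to a URI secured
+        # by the policy file
+        extra_environ={'beaker.session.ndg.security':
+                       BeakerSessionStub(username='testuser')}
+        
+        response = self.app.get('/test_accessGrantedToSecuredURI',
+                                extra_environ=extra_environ,
+                                status=200)
         self.assert_(TestAuthZMiddleware.response in response)
+        print response
+
+    def test08AccessDeniedForAdminQueryArg(self):
+        
+        # User is logged in but doesn't have the required credentials for
+        # access
+        extra_environ={'beaker.session.ndg.security':
+                       BeakerSessionStub(username='testuser')}
+        
+        # Try this URI with the query arg admin=1.  This will be picked up
+        # by the policy as a request requiring admin rights.  The request is
+        # denied as the user doesn't have these rights but this then calls
+        # into play the PEP result handler defined in this module,
+        # RedirectFollowingAccessDenied.  This class reinvokes the request
+        # but without the admin query argument.  Access is then granted for
+        # the redirected request
+        response = self.app.get('/test_accessGrantedToSecuredURI',
+                                params={'admin': 1},
+                                extra_environ=extra_environ,
+                                status=302)
+        try:
+            redirectResponse = response.follow(extra_environ=extra_environ)
+        except paste.fixture.AppError, e:
+            self.failIf(TestAuthZMiddleware.response not in response)
         print response
 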
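Review bot: In RedirectFollowingAccessDenied.__call__ the trigger `if 'admin=1' in queryString:` is a substring test while the filter `arg != 'admin=1'` drops only an exact argument, so a query string in which `admin=1` appears as a substring of some other argument (a different value, a longer key, or embedded in another argument's value) takes the redirect branch without changing anything: the 302 points back at the URI that was just denied, the next denial fires the same branch, and the PEP and client loop. Computing the lists first and redirecting only when something was actually removed closes the loop — move the `queryArgs`/`queryList` lines above the test and use `if len(queryList) < len(queryArgs):`; a follow-up could parse the query with `parse_qsl` so that percent-encoded spellings of the same argument are normalised rather than string-matched. The redirect target is built from `self.pathInfo`, which presumably the `initCall` decorator populates from the environ; worth confirming, since an unset attribute would produce an empty path. In test08 in the same section nothing is asserted when `response.follow()` succeeds: the `self.failIf(TestAuthZMiddleware.response not in redirectResponse)` check belongs after the `try`, and the `except` branch should fail the test instead of re-checking the 302 response.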