From 4fa427bc745b43c655b08df2375458053c221741 Mon Sep 17 00:00:00 2001 From: Umair Khan Date: Fri, 7 Oct 2016 16:38:01 +0500 Subject: [PATCH] auth_backends: Add backend tests for subdomains logic. Fixes: #1870 --- zerver/tests/test_auth_backends.py | 112 +++++++++++++++++++++++++++-- 1 file changed, 107 insertions(+), 5 deletions(-) diff --git a/zerver/tests/test_auth_backends.py b/zerver/tests/test_auth_backends.py index a1b168c663..32f9e4bbe4 100644 --- a/zerver/tests/test_auth_backends.py +++ b/zerver/tests/test_auth_backends.py @@ -80,6 +80,12 @@ class AuthBackendTest(TestCase): good_kwargs=dict(use_dummy_backend=True), bad_kwargs=dict(use_dummy_backend=False)) + def setup_subdomain(self, user_profile): + # type: (UserProfile) -> None + realm = user_profile.realm + realm.subdomain = 'zulip' + realm.save() + def test_email_auth_backend(self): # type: () -> None email = "hamlet@zulip.com" 
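Review bot: The new `setup_subdomain` helper has no docstring, and the literal `'zulip'` it writes is the value every later test treats as the matching subdomain. A docstring such as `"""Save user_profile's realm with subdomain 'zulip', the value the tests below pass as the matching realm_subdomain."""` would state the link between the helper and the `realm_subdomain='zulip'` / `'acme'` arguments in one place. The helper modifies and saves the realm object rather than the user, which the docstring should also say.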
@@ -87,10 +93,35 @@ class AuthBackendTest(TestCase): password = "testpassword" user_profile.set_password(password) user_profile.save() + self.setup_subdomain(user_profile) + self.verify_backend(EmailAuthBackend(), bad_kwargs=dict(password=''), good_kwargs=dict(password=password)) + # Subdomain is ignored when feature is not enabled + self.verify_backend(EmailAuthBackend(), + good_kwargs=dict(password=password, + realm_subdomain='acme', + return_data=dict())) + + with self.settings(REALMS_HAVE_SUBDOMAINS=True): + # With subdomains, authenticating with the right subdomain + # works; using the wrong subdomain doesn't + self.verify_backend(EmailAuthBackend(), + good_kwargs=dict(password=password, + realm_subdomain='zulip', + return_data=dict()), + bad_kwargs=dict(password=password, + realm_subdomain='acme', + return_data=dict())) + # Things work normally in the event that we're using a + # non-subdomain login page, even if subdomains are enabled + self.verify_backend(EmailAuthBackend(), + bad_kwargs=dict(password="wrong"), + good_kwargs=dict(password=password)) + + def test_email_auth_backend_disabled_password_auth(self): # type: () -> None email = u"hamlet@zulip.com" 
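Review bot: In `test_email_auth_backend` each wrong-subdomain case passes a fresh `return_data=dict()` that nothing keeps a reference to, so the test can only observe that authentication failed, not that it failed because of the subdomain. Binding it first with `return_data = dict()` and asserting afterwards on whatever key the backend records for a subdomain mismatch would stop an unrelated failure from satisfying the rejection. `verify_backend` is defined outside this hunk, so confirm whether it forwards `bad_kwargs` unchanged. The same applies to the `return_data=dict()` arguments in `test_github_backend` in the last hunk.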
@@ -108,9 +139,25 @@ class AuthBackendTest(TestCase): backend = GoogleMobileOauth2Backend() payload = dict(email_verified=True, email=email) + user_profile = get_user_profile_by_email(email) + self.setup_subdomain(user_profile) + with mock.patch('apiclient.sample_tools.client.verify_id_token', return_value=payload): self.verify_backend(backend) + # With REALMS_HAVE_SUBDOMAINS off, subdomain is ignored + with mock.patch('apiclient.sample_tools.client.verify_id_token', return_value=payload): + self.verify_backend(backend, + good_kwargs=dict(realm_subdomain='acme')) + + with self.settings(REALMS_HAVE_SUBDOMAINS=True): + # With subdomains, authenticating with the right subdomain + # works; using the wrong subdomain doesn't + with mock.patch('apiclient.sample_tools.client.verify_id_token', return_value=payload): + self.verify_backend(backend, + good_kwargs=dict(realm_subdomain="zulip"), + bad_kwargs=dict(realm_subdomain='acme')) + # Verify valid_attestation parameter is set correctly unverified_payload = dict(email_verified=False) with mock.patch('apiclient.sample_tools.client.verify_id_token', return_value=unverified_payload): @@ -131,6 +178,9 @@ class AuthBackendTest(TestCase): # type: () -> None email = "hamlet@zulip.com" password = "test_password" + user_profile = get_user_profile_by_email(email) + self.setup_subdomain(user_profile) + backend = ZulipLDAPAuthBackend() # Test LDAP auth fails when LDAP server rejects password 
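Review bot: The Google mobile test never authenticates without `realm_subdomain` while `REALMS_HAVE_SUBDOMAINS=True`, although `test_email_auth_backend` pins exactly that case (omitting the argument still authenticates). An absent `realm_subdomain` appears to mean the realm check is not applied, so each backend's behaviour for it should be pinned by a test. If accepting the login is also intended here, add `self.verify_backend(backend)` inside the settings block under the same `mock.patch`, with a comment such as `# No realm_subdomain: request did not come from a subdomain login page`. The LDAP, remote-user and GitHub tests in the last hunk have the same gap.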
@@ -148,28 +198,80 @@ class AuthBackendTest(TestCase): return_value=dict(full_name=['Hamlet'])): self.verify_backend(backend, good_kwargs=dict(password=password)) + with mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn'), \ + mock.patch('django_auth_ldap.backend._LDAPUser._check_requirements'), \ + mock.patch('django_auth_ldap.backend._LDAPUser._get_user_attrs', + return_value=dict(full_name=['Hamlet'])): + self.verify_backend(backend, good_kwargs=dict(password=password, + realm_subdomain='acme')) + + with self.settings(REALMS_HAVE_SUBDOMAINS=True): + # With subdomains, authenticating with the right subdomain + # works; using the wrong subdomain doesn't + with mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn'), \ + mock.patch('django_auth_ldap.backend._LDAPUser._check_requirements'), \ + mock.patch('django_auth_ldap.backend._LDAPUser._get_user_attrs', + return_value=dict(full_name=['Hamlet'])): + self.verify_backend(backend, + bad_kwargs=dict(password=password, + realm_subdomain='acme'), + good_kwargs=dict(password=password, + realm_subdomain='zulip')) + def test_devauth_backend(self): # type: () -> None self.verify_backend(DevAuthBackend()) def test_remote_user_backend(self): # type: () -> None - self.verify_backend(ZulipRemoteUserBackend()) + self.setup_subdomain(get_user_profile_by_email(u'hamlet@zulip.com')) + self.verify_backend(ZulipRemoteUserBackend(), + good_kwargs=dict(realm_subdomain='acme')) + + with self.settings(REALMS_HAVE_SUBDOMAINS=True): + # With subdomains, authenticating with the right subdomain + # works; using the wrong subdomain doesn't + self.verify_backend(ZulipRemoteUserBackend(), + good_kwargs=dict(realm_subdomain='zulip'), + bad_kwargs=dict(realm_subdomain='acme')) def test_remote_user_backend_sso_append_domain(self): # type: () -> None + self.setup_subdomain(get_user_profile_by_email(u'hamlet@zulip.com')) with self.settings(SSO_APPEND_DOMAIN='zulip.com'): 
self.verify_backend(ZulipRemoteUserBackend(), - email_to_username=email_to_username) + email_to_username=email_to_username, + good_kwargs=dict(realm_subdomain='acme')) + + + with self.settings(REALMS_HAVE_SUBDOMAINS=True): + # With subdomains, authenticating with the right subdomain + # works; using the wrong subdomain doesn't + with self.settings(SSO_APPEND_DOMAIN='zulip.com'): + self.verify_backend(ZulipRemoteUserBackend(), + email_to_username=email_to_username, + good_kwargs=dict(realm_subdomain='zulip'), + bad_kwargs=dict(realm_subdomain='acme')) def test_github_backend(self): # type: () -> None email = 'hamlet@zulip.com' - good_kwargs = dict(response=dict(email=email), return_data=dict()) - bad_kwargs = dict() # type: Dict[str, str] + self.setup_subdomain(get_user_profile_by_email(email)) + good_kwargs = dict(response=dict(email=email), return_data=dict(), + realm_subdomain='acme') self.verify_backend(GitHubAuthBackend(), good_kwargs=good_kwargs, - bad_kwargs=bad_kwargs) + bad_kwargs=dict()) + with self.settings(REALMS_HAVE_SUBDOMAINS=True): + # With subdomains, authenticating with the right subdomain + # works; using the wrong subdomain doesn't + good_kwargs = dict(response=dict(email=email), return_data=dict(), + realm_subdomain='zulip') + bad_kwargs = dict(response=dict(email=email), return_data=dict(), + realm_subdomain='acme') + self.verify_backend(GitHubAuthBackend(), + good_kwargs=good_kwargs, + bad_kwargs=bad_kwargs) class GitHubAuthBackendTest(ZulipTestCase): def setUp(self):
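Review bot: The three-way `mock.patch` stack for `_LDAPUser` is now written out three times in the LDAP test (once in the context lines, twice in the added lines), which buries the subdomain assertions under the patching. A small helper on the test class that applies the patches and forwards its keyword arguments to `verify_backend` would reduce each case to a single call. The first added LDAP block also lacks the comment the other tests carry; `# With REALMS_HAVE_SUBDOMAINS off, subdomain is ignored` would match the Google test. The start of the LDAP test is outside this hunk.

```python
    def verify_ldap_backend(self, backend, **kwargs):
        # type: (Any, **Any) -> None
        with mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn'), \
                mock.patch('django_auth_ldap.backend._LDAPUser._check_requirements'), \
                mock.patch('django_auth_ldap.backend._LDAPUser._get_user_attrs',
                           return_value=dict(full_name=['Hamlet'])):
            self.verify_backend(backend, **kwargs)

    # ... unchanged: LDAP test setup and the rejected-password case ...
        # With REALMS_HAVE_SUBDOMAINS off, subdomain is ignored
        self.verify_ldap_backend(backend,
                                 good_kwargs=dict(password=password,
                                                  realm_subdomain='acme'))

        with self.settings(REALMS_HAVE_SUBDOMAINS=True):
            # With subdomains, authenticating with the right subdomain
            # works; using the wrong subdomain doesn't
            self.verify_ldap_backend(backend,
                                     bad_kwargs=dict(password=password,
                                                     realm_subdomain='acme'),
                                     good_kwargs=dict(password=password,
                                                      realm_subdomain='zulip'))
    # ... unchanged: devauth, remote-user and GitHub tests ...
```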