valitydev/redash
14
0
Fork 0
mirror of https://github.com/valitydev/redash.git synced 2024-11-06 17:15:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b390cd2e3d
redash/tests/test_authentication.py

163 lines
7.1 KiB
Python
Raw Normal View History

Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
import time
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
from flask import request
Tests for authentication functions
2014-03-02 13:41:38 +00:00
from mock import patch
Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
Tests for authentication functions
2014-03-02 13:41:38 +00:00
from tests import BaseTestCase
Update tests
2014-09-21 07:11:03 +00:00
from redash import models
Allow existing users sign in with Google Apps even if they are not in domain list.
2016-03-14 09:19:23 +00:00
from redash.authentication.google_oauth import create_and_login_user, verify_profile
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
from redash.authentication import api_key_load_user_from_request, hmac_load_user_from_request, sign
Feature: optional api key only authentication
2015-03-10 15:51:17 +00:00
from redash.wsgi import app
class TestApiKeyAuthentication(BaseTestCase):
#
# This is a bad way to write these tests, but the way Flask works doesn't make it easy to write them properly...
#
def setUp(self):
super(TestApiKeyAuthentication, self).setUp()
auth tests wip
2016-11-28 14:41:29 +00:00
self.api_key = '10'
Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
self.query = self.factory.create_query(api_key=self.api_key)
auth tests wip
2016-11-28 14:41:29 +00:00
models.db.session.flush()
Change multi-org implementation: To avoid complications with how Google Auth works, when enabling organization multi-tenancy on a single instance, each organization becomes a "sub folder" instead of a sub-domain.
2016-01-03 14:05:29 +00:00
self.query_url = '/{}/api/queries/{}'.format(self.factory.org.slug, self.query.id)
self.queries_url = '/{}/api/queries'.format(self.factory.org.slug)
Feature: optional api key only authentication
2015-03-10 15:51:17 +00:00
def test_no_api_key(self):
with app.test_client() as c:
Change multi-org implementation: To avoid complications with how Google Auth works, when enabling organization multi-tenancy on a single instance, each organization becomes a "sub folder" instead of a sub-domain.
2016-01-03 14:05:29 +00:00
rv = c.get(self.query_url)
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
self.assertIsNone(api_key_load_user_from_request(request))
Feature: optional api key only authentication
2015-03-10 15:51:17 +00:00
def test_wrong_api_key(self):
with app.test_client() as c:
Change multi-org implementation: To avoid complications with how Google Auth works, when enabling organization multi-tenancy on a single instance, each organization becomes a "sub folder" instead of a sub-domain.
2016-01-03 14:05:29 +00:00
rv = c.get(self.query_url, query_string={'api_key': 'whatever'})
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
self.assertIsNone(api_key_load_user_from_request(request))
Feature: optional api key only authentication
2015-03-10 15:51:17 +00:00
def test_correct_api_key(self):
with app.test_client() as c:
Change multi-org implementation: To avoid complications with how Google Auth works, when enabling organization multi-tenancy on a single instance, each organization becomes a "sub folder" instead of a sub-domain.
2016-01-03 14:05:29 +00:00
rv = c.get(self.query_url, query_string={'api_key': self.api_key})
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
self.assertIsNotNone(api_key_load_user_from_request(request))
Feature: optional api key only authentication
2015-03-10 15:51:17 +00:00
def test_no_query_id(self):
with app.test_client() as c:
Change multi-org implementation: To avoid complications with how Google Auth works, when enabling organization multi-tenancy on a single instance, each organization becomes a "sub folder" instead of a sub-domain.
2016-01-03 14:05:29 +00:00
rv = c.get(self.queries_url, query_string={'api_key': self.api_key})
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
self.assertIsNone(api_key_load_user_from_request(request))
Tests for authentication functions
2014-03-02 13:41:38 +00:00
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
def test_user_api_key(self):
Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
user = self.factory.create_user(api_key="user_key")
auth tests wip
2016-11-28 14:41:29 +00:00
models.db.session.flush()
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
with app.test_client() as c:
Change multi-org implementation: To avoid complications with how Google Auth works, when enabling organization multi-tenancy on a single instance, each organization becomes a "sub folder" instead of a sub-domain.
2016-01-03 14:05:29 +00:00
rv = c.get(self.queries_url, query_string={'api_key': user.api_key})
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
self.assertEqual(user.id, api_key_load_user_from_request(request).id)
Close #564: support setting API key in headers
2015-10-11 08:54:21 +00:00
def test_api_key_header(self):
with app.test_client() as c:
Change multi-org implementation: To avoid complications with how Google Auth works, when enabling organization multi-tenancy on a single instance, each organization becomes a "sub folder" instead of a sub-domain.
2016-01-03 14:05:29 +00:00
rv = c.get(self.query_url, headers={'Authorization': "Key {}".format(self.api_key)})
Close #564: support setting API key in headers
2015-10-11 08:54:21 +00:00
self.assertIsNotNone(api_key_load_user_from_request(request))
def test_api_key_header_with_wrong_key(self):
with app.test_client() as c:
Change multi-org implementation: To avoid complications with how Google Auth works, when enabling organization multi-tenancy on a single instance, each organization becomes a "sub folder" instead of a sub-domain.
2016-01-03 14:05:29 +00:00
rv = c.get(self.query_url, headers={'Authorization': "Key oops"})
Close #564: support setting API key in headers
2015-10-11 08:54:21 +00:00
self.assertIsNone(api_key_load_user_from_request(request))
Change multi-org implementation: To avoid complications with how Google Auth works, when enabling organization multi-tenancy on a single instance, each organization becomes a "sub folder" instead of a sub-domain.
2016-01-03 14:05:29 +00:00
def test_api_key_for_wrong_org(self):
other_user = self.factory.create_admin(org=self.factory.create_org())
with app.test_client() as c:
rv = c.get(self.query_url, headers={'Authorization': "Key {}".format(other_user.api_key)})
self.assertEqual(404, rv.status_code)
Close #564: support setting API key in headers
2015-10-11 08:54:21 +00:00
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
class TestHMACAuthentication(BaseTestCase):
#
# This is a bad way to write these tests, but the way Flask works doesn't make it easy to write them properly...
#
def setUp(self):
super(TestHMACAuthentication, self).setUp()
auth tests wip
2016-11-28 14:41:29 +00:00
self.api_key = '10'
Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
self.query = self.factory.create_query(api_key=self.api_key)
auth tests wip
2016-11-28 14:41:29 +00:00
models.db.session.flush()
Feature: running queries (tasks) monitor - Refactored tasks module into a package. - Add new admins screens (running queries & outdated queries).
2016-02-25 08:07:47 +00:00
self.path = '/{}/api/queries/{}'.format(self.query.org.slug, self.query.id)
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
self.expires = time.time() + 1800
def signature(self, expires):
return sign(self.query.api_key, self.path, expires)
def test_no_signature(self):
with app.test_client() as c:
rv = c.get(self.path)
self.assertIsNone(hmac_load_user_from_request(request))
def test_wrong_signature(self):
with app.test_client() as c:
rv = c.get(self.path, query_string={'signature': 'whatever', 'expires': self.expires})
self.assertIsNone(hmac_load_user_from_request(request))
def test_correct_signature(self):
with app.test_client() as c:
Feature: running queries (tasks) monitor - Refactored tasks module into a package. - Add new admins screens (running queries & outdated queries).
2016-02-25 08:07:47 +00:00
rv = c.get(self.path, query_string={'signature': self.signature(self.expires), 'expires': self.expires})
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
self.assertIsNotNone(hmac_load_user_from_request(request))
def test_no_query_id(self):
with app.test_client() as c:
Fix tests
2016-10-26 08:47:40 +00:00
rv = c.get('/{}/api/queries'.format(self.query.org.slug), query_string={'api_key': self.api_key})
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
self.assertIsNone(hmac_load_user_from_request(request))
def test_user_api_key(self):
Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
user = self.factory.create_user(api_key="user_key")
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
path = '/api/queries/'
auth tests wip
2016-11-28 14:41:29 +00:00
models.db.session.flush()
Feature: support for per user api keys
2015-07-08 17:59:07 +00:00
with app.test_client() as c:
signature = sign(user.api_key, path, self.expires)
rv = c.get(path, query_string={'signature': signature, 'expires': self.expires, 'user_id': user.id})
auth tests wip
2016-11-28 14:41:29 +00:00
self.assertEqual(user, hmac_load_user_from_request(request))
Tests for authentication functions
2014-03-02 13:41:38 +00:00
Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
Tests for authentication functions
2014-03-02 13:41:38 +00:00
class TestCreateAndLoginUser(BaseTestCase):
def test_logins_valid_user(self):
Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
user = self.factory.create_user(email='test@example.com')
Tests for authentication functions
2014-03-02 13:41:38 +00:00
Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
with patch('redash.authentication.google_oauth.login_user') as login_user_mock:
create_and_login_user(self.factory.org, user.name, user.email)
Tests for authentication functions
2014-03-02 13:41:38 +00:00
login_user_mock.assert_called_once_with(user, remember=True)
def test_creates_vaild_new_user(self):
Update tests
2014-09-21 07:11:03 +00:00
email = 'test@example.com'
name = 'Test User'
Tests for authentication functions
2014-03-02 13:41:38 +00:00
Feature: new permissions system This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
2015-12-01 13:44:08 +00:00
with patch('redash.authentication.google_oauth.login_user') as login_user_mock:
create_and_login_user(self.factory.org, name, email)
Set is_admin of user based on ADMINS list.
2014-03-03 09:53:49 +00:00
self.assertTrue(login_user_mock.called)
auth tests wip
2016-11-28 14:41:29 +00:00
user = models.User.query.filter(models.User.email == email).one()
self.assertEqual(user.email, email)
Allow existing users sign in with Google Apps even if they are not in domain list.
2016-03-14 09:19:23 +00:00
class TestVerifyProfile(BaseTestCase):
def test_no_domain_allowed_for_org(self):
profile = dict(email='arik@example.com')
self.assertFalse(verify_profile(self.factory.org, profile))
def test_domain_not_in_org_domains_list(self):
profile = dict(email='arik@example.com')
self.factory.org.settings[models.Organization.SETTING_GOOGLE_APPS_DOMAINS] = ['example.org']
self.assertFalse(verify_profile(self.factory.org, profile))
def test_domain_in_org_domains_list(self):
profile = dict(email='arik@example.com')
self.factory.org.settings[models.Organization.SETTING_GOOGLE_APPS_DOMAINS] = ['example.com']
self.assertTrue(verify_profile(self.factory.org, profile))
self.factory.org.settings[models.Organization.SETTING_GOOGLE_APPS_DOMAINS] = ['example.org', 'example.com']
self.assertTrue(verify_profile(self.factory.org, profile))
def test_org_in_public_mode_accepts_any_domain(self):
profile = dict(email='arik@example.com')
self.factory.org.settings[models.Organization.SETTING_IS_PUBLIC] = True
self.factory.org.settings[models.Organization.SETTING_GOOGLE_APPS_DOMAINS] = []
self.assertTrue(verify_profile(self.factory.org, profile))
def test_user_not_in_domain_but_account_exists(self):
profile = dict(email='arik@example.com')
self.factory.create_user(email='arik@example.com')
self.factory.org.settings[models.Organization.SETTING_GOOGLE_APPS_DOMAINS] = ['example.org']
self.assertTrue(verify_profile(self.factory.org, profile))
Reference in New Issue Copy Permalink