repoze.who-testutil API

Authentication middleware

class repoze.who.plugins.testutil.AuthenticationForgerMiddleware(app, identifiers, authenticators, challengers, mdproviders, classifier, challenge_decider, log_stream=None, log_level=20, remote_user_key='REMOTE_USER')

PluggableAuthenticationMiddleware proxy to forge authentication, without bypassing identification.

__init__(app, identifiers, authenticators, challengers, mdproviders, classifier, challenge_decider, log_stream=None, log_level=20, remote_user_key='REMOTE_USER')

Set up authentication in an easy-to-forge way.

All the arguments received will be passed as is to repoze.who.middleware.PluggableAuthenticationMiddleware, with one instance of AuthenticationForgerPlugin in:

  • identifiers. This instance will be inserted in the first position of the list.
  • authenticators. Any authenticator passed will be ignored; such an instance will be the only authenticator defined.
  • challengers. Any challenger passed will be ignored; such an instance will be the only challenger defined.

Internally, it will also set remote_user_key to 'repoze.who.testutil.userid', so that you can use the standard 'REMOTE_USER' in your tests.

The metadata providers won’t be modified.

Middleware makers

repoze.who.plugins.testutil.make_middleware(skip_authentication=False, *args, **kwargs)

Return the requested authentication middleware.

Parameters:

args and kwargs are the positional and named arguments, respectively, to be passed to the relevant authentication middleware.

repoze.who.plugins.testutil.make_middleware_with_config(app, global_conf, config_file, log_file=None, log_level=None, skip_authentication=False)

Proxy repoze.who.config.make_middleware_with_config() to skip authentication when required.

If skip_authentication evaluates to True, then the returned middleware will be an instance of AuthenticationForgerMiddleware.

repoze.who plugins

class repoze.who.plugins.testutil.AuthenticationForgerPlugin(fake_user_key='REMOTE_USER', remote_user_key='repoze.who.testutil.userid')

repoze.who plugin to forge authentication easily and bypass repoze.who challenges.

This plugin enables you to write identifier and challenger-independent tests. As a result, your protected areas will be easier to test:

  1. To forge authentication, without bypassing identification (i.e., running MD providers), you can use the following WebTest-powered test:

    def test_authorization_granted(self):
        '''The right subject must get what she requested'''
        environ = {'REMOTE_USER': 'manager'}
        resp = self.app.get('/admin/', extra_environ=environ, status=200)
        assert 'some text' in resp.body
    

    As you can see, this is an identifier-independent way to forge authentication.

  2. To check that authorization was denied, in a challenger-independent way, you can use:

    def test_authorization_denied_anonymous(self):
        '''Anonymous users must get a 401 page'''
        self.app.get('/admin/', status=401)
    
    def test_authorization_denied_authenticated(self):
        '''Authenticated users must get a 403 page'''
        environ = {'REMOTE_USER': 'editor'}
        self.app.get('/admin/', extra_environ=environ, status=403)
    
__init__(fake_user_key='REMOTE_USER', remote_user_key='repoze.who.testutil.userid')

Parameters:

  • fake_user_key (str) – The key for the item in the environ which will contain the forged user Id.
  • remote_user_key (str) – The actual “external” remote_user_key used by repoze.who.

identify(environ)

Pre-authenticate using the user Id found in the relevant environ item, if any.

The user Id found will be put into identity['fake-userid'], for authenticate().

remember(environ, identity)

Do nothing.

forget(environ, identity)

Do nothing.

authenticate(environ, identity)

Turn the value in identity['fake-userid'] into the remote user’s name.

Finally, it removes identity['fake-userid'] so that it won’t reach the WSGI application.

challenge(environ, status, app_headers, forget_headers)

Return a 401 page unconditionally.
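The plugin methods described above, as an added sketch that is not the project's own code: ForgerSketch, run_request and admin_app are hypothetical stand-ins, and the driver is a simplified assumption of the order in which the middleware calls the plugin. It shows that any user Id placed in the environ is accepted with no credential check, which is why the forger belongs only in test configurations.

```python
# Added sketch: stand-in classes, not repoze.who-testutil's own source.
class ForgerSketch:
    """Mimics the documented identify/authenticate/challenge behaviour."""
    def __init__(self, fake_user_key='REMOTE_USER',
                 remote_user_key='repoze.who.testutil.userid'):
        self.fake_user_key = fake_user_key
        self.remote_user_key = remote_user_key

    def identify(self, environ):
        # Pre-authenticate with the forged user Id, if the test supplied one.
        if self.fake_user_key in environ:
            return {'fake-userid': environ[self.fake_user_key]}
        return None

    def authenticate(self, environ, identity):
        # pop() returns the user Id and keeps the helper key away from the app.
        return identity.pop('fake-userid', None)

    def challenge(self, environ, status, app_headers, forget_headers):
        # Unconditional 401, independent of any real challenger.
        def unauthorized(environ, start_response):
            start_response('401 Unauthorized', [('Content-Type', 'text/plain')])
            return [b'Unauthorized']
        return unauthorized

def run_request(app, plugin, environ):
    """Hypothetical driver: a simplified version of the middleware's call order."""
    identity = plugin.identify(environ)
    if identity is not None:
        userid = plugin.authenticate(environ, identity)
        if userid is not None:
            environ[plugin.remote_user_key] = userid  # assumed bookkeeping
            environ['repoze.who.identity'] = identity
    seen = {}
    def start_response(status, headers):
        seen['status'] = status
    body = b''.join(app(environ, start_response))
    if seen['status'].startswith('401'):
        page = plugin.challenge(environ, seen['status'], [], [])
        body = b''.join(page(environ, start_response))
    return seen['status'], body

def admin_app(environ, start_response):
    """Constructed protected app: only 'manager' may enter."""
    user = environ.get('repoze.who.testutil.userid')
    status = {None: '401 Unauthorized', 'manager': '200 OK'}.get(user, '403 Forbidden')
    start_response(status, [('Content-Type', 'text/plain')])
    return [status.encode()]
```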
