Merge pull request tobami#276 from Kami/fix_authentication_bug

tobami · web-flow · commit 33da18a4aba0 · 2020-02-18T09:12:49.000+01:00
Fix authentication helper so it works with newer versions of Django (Django 2+)
diff --git a/.travis.yml b/.travis.yml
@@ -14,7 +14,7 @@ matrix:
     - python: "3.5"
       env: DJANGO_VERSION=2.1
 install:
-  - pip install flake8
+  - pip install flake8 mock
   - pip install -q Django==$DJANGO_VERSION
   - python setup.py install
 before_script:
diff --git a/codespeed/auth.py b/codespeed/auth.py
@@ -1,4 +1,5 @@
 import logging
+import types
 from functools import wraps
 from django.contrib.auth import authenticate, login
 from django.http import HttpResponse, HttpResponseForbidden
@@ -9,6 +10,20 @@
 logger = logging.getLogger(__name__)
 
 
+def is_authenticated(request):
+    # NOTE: We do type check so we also support newer versions of Django when
+    # is_authenticated and some other methods have been properties
+    if isinstance(request.user.is_authenticated, (types.FunctionType,
+                                                  types.MethodType)):
+        return request.user.is_authenticated()
+    elif isinstance(request.user.is_authenticated, bool):
+        return request.user.is_authenticated
+    else:
+        logger.info('Got unexpected type for request.user.is_authenticated '
+                    'variable')
+        return False
+
+
 def basic_auth_required(realm='default'):
     def _helper(func):
         @wraps(func)
@@ -18,7 +33,7 @@ def _decorator(request, *args, **kwargs):
             if settings.ALLOW_ANONYMOUS_POST:
                 logger.debug('allowing anonymous post')
                 allowed = True
-            elif hasattr(request, 'user') and request.user.is_authenticated():
+            elif hasattr(request, 'user') and is_authenticated(request=request):
                 allowed = True
             elif 'HTTP_AUTHORIZATION' in request.META:
                 logger.debug('checking for http authorization header')
diff --git a/codespeed/tests/test_auth.py b/codespeed/tests/test_auth.py
@@ -0,0 +1,138 @@
+# -*- coding: utf-8 -*-
+
+import mock
+
+from django.test import TestCase, override_settings
+from django.http import HttpResponse
+from django.contrib.auth.models import AnonymousUser
+from django.test import RequestFactory
+
+from codespeed.auth import basic_auth_required
+from codespeed.views import add_result
+
+
+@override_settings(ALLOW_ANONYMOUS_POST=False)
+class AuthModuleTestCase(TestCase):
+    @override_settings(ALLOW_ANONYMOUS_POST=True)
+    def test_allow_anonymous_post_is_true(self):
+        wrapped_function = mock.Mock()
+        wrapped_function.__name__ = 'mock'
+        wrapped_function.return_value = 'success'
+
+        request = mock.Mock()
+        request.user = AnonymousUser()
+        request.META = {}
+
+        res = basic_auth_required()(wrapped_function)(request=request)
+        self.assertEqual(wrapped_function.call_count, 1)
+        self.assertEqual(res, 'success')
+
+    def test_basic_auth_required_django_pre_2_0_succesful_auth(self):
+        # request.user.is_authenticated is a method (pre Django 2.0)
+        user = mock.Mock()
+        user.is_authenticated = lambda: True
+
+        request = mock.Mock()
+        request.user = user
+
+        wrapped_function = mock.Mock()
+        wrapped_function.__name__ = 'mock'
+        wrapped_function.return_value = 'success'
+
+        res = basic_auth_required()(wrapped_function)(request=request)
+        self.assertEqual(wrapped_function.call_count, 1)
+        self.assertEqual(res, 'success')
+
+    def test_basic_auth_required_django_pre_2_0_failed_auth(self):
+        # request.user.is_authenticated is a method (pre Django 2.0)
+        user = mock.Mock()
+        user.is_authenticated = lambda: False
+
+        request = mock.Mock()
+        request.user = user
+        request.META = {}
+
+        wrapped_function = mock.Mock()
+        wrapped_function.__name__ = 'mock'
+
+        res = basic_auth_required()(wrapped_function)(request=request)
+        self.assertTrue(isinstance(res, HttpResponse))
+        self.assertEqual(res.status_code, 401)
+        self.assertEqual(wrapped_function.call_count, 0)
+
+        # Also test with actual AnonymousUser class which will have different
+        # implementation under different Django versions
+        request.user = AnonymousUser()
+
+        res = basic_auth_required()(wrapped_function)(request=request)
+        self.assertTrue(isinstance(res, HttpResponse))
+        self.assertEqual(res.status_code, 401)
+        self.assertEqual(wrapped_function.call_count, 0)
+
+    def test_basic_auth_required_django_post_2_0_successful_auth(self):
+        # request.user.is_authenticated is a property (post Django 2.0)
+        user = mock.Mock()
+        user.is_authenticated = True
+
+        request = mock.Mock()
+        request.user = user
+
+        wrapped_function = mock.Mock()
+        wrapped_function.__name__ = 'mock'
+        wrapped_function.return_value = 'success'
+
+        res = basic_auth_required()(wrapped_function)(request=request)
+        self.assertEqual(wrapped_function.call_count, 1)
+        self.assertEqual(res, 'success')
+
+    def test_basic_auth_required_django_post_2_0_failed_auth(self):
+        # request.user.is_authenticated is a property (post Django 2.0)
+        user = mock.Mock()
+        user.is_authenticated = False
+
+        request = mock.Mock()
+        request.user = user
+        request.META = {}
+
+        wrapped_function = mock.Mock()
+        wrapped_function.__name__ = 'mock'
+
+        res = basic_auth_required()(wrapped_function)(request=request)
+        self.assertTrue(isinstance(res, HttpResponse))
+        self.assertEqual(res.status_code, 401)
+        self.assertEqual(wrapped_function.call_count, 0)
+
+        # Also test with actual AnonymousUser class which will have different
+        # implementation under different Django versions
+        request.user = AnonymousUser()
+
+        res = basic_auth_required()(wrapped_function)(request=request)
+        self.assertTrue(isinstance(res, HttpResponse))
+        self.assertEqual(res.status_code, 401)
+        self.assertEqual(wrapped_function.call_count, 0)
+
+    @mock.patch('codespeed.views.save_result', mock.Mock())
+    def test_basic_auth_with_failed_auth_request_factory(self):
+        request_factory = RequestFactory()
+
+        request = request_factory.get('/timeline')
+        request.user = AnonymousUser()
+        request.method = 'POST'
+
+        response = add_result(request)
+        self.assertEqual(response.status_code, 403)
+
+    @mock.patch('codespeed.views.create_report_if_enough_data', mock.Mock())
+    @mock.patch('codespeed.views.save_result', mock.Mock(return_value=([1, 2, 3], None)))
+    def test_basic_auth_successefull_auth_request_factory(self):
+        request_factory = RequestFactory()
+
+        user = mock.Mock()
+        user.is_authenticated = True
+
+        request = request_factory.get('/result/add')
+        request.user = user
+        request.method = 'POST'
+
+        response = add_result(request)
+        self.assertEqual(response.status_code, 202)
