About
++ Flask-Security is an opinionated Flask extension which adds basic + security and authentication features to your Flask apps quickly + and easily. Flask-Social can also be used to add "social" or OAuth + login and connection management. +
+Useful Links
+ + \ No newline at end of file diff --git a/docs/_templates/sidebarlogo.html b/docs/_templates/sidebarlogo.html new file mode 100644 index 0000000..2686677 --- /dev/null +++ b/docs/_templates/sidebarlogo.html @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/docs/api.rst b/docs/api.rst new file mode 100644 index 0000000..efad2ef --- /dev/null +++ b/docs/api.rst @@ -0,0 +1,57 @@ +API +=== + +Core +---- +.. autoclass:: flask_security.core.Security + :members: + +.. data:: flask_security.core.current_user + + A proxy for the current user. + + +Protecting Views +---------------- +.. autofunction:: flask_security.decorators.login_required + +.. autofunction:: flask_security.decorators.roles_required + +.. autofunction:: flask_security.decorators.roles_accepted + +.. autofunction:: flask_security.decorators.http_auth_required + +.. autofunction:: flask_security.decorators.auth_token_required + + +User Object Helpers +------------------- +.. autoclass:: flask_security.core.UserMixin + :members: + +.. autoclass:: flask_security.core.RoleMixin + :members: + +.. autoclass:: flask_security.core.AnonymousUser + :members: + + +Datastores +---------- +.. autoclass:: flask_security.datastore.UserDatastore + :members: + +.. autoclass:: flask_security.datastore.SQLAlchemyUserDatastore + :members: + :inherited-members: + +.. autoclass:: flask_security.datastore.MongoEngineUserDatastore + :members: + :inherited-members: + + +Signals +------- +See the documentation for the signals provided by the Flask-Login and +Flask-Principal extensions. Flask-Security does not provide any additional +signals. \ No newline at end of file diff --git a/docs/conf.py b/docs/conf.py index 1d9c6ec..4432360 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -18,7 +18,6 @@ import sys, os # documentation root, use os.path.abspath to make it absolute, like shown here. sys.path.insert(0, os.path.abspath('..')) sys.path.append(os.path.abspath('_themes')) -#from setup import __version__ # -- General configuration ----------------------------------------------------- @@ -50,7 +49,7 @@ copyright = u'2012, Matt Wright' # built documents. # # The short X.Y version. -version = '1.2.3' +version = '1.3.0-dev' # The full version, including alpha/beta/rc tags. release = version @@ -93,14 +92,16 @@ pygments_style = 'sphinx' # The theme to use for HTML and HTML Help pages. Major themes that come with # Sphinx are currently 'default' and 'sphinxdoc'. -html_theme = 'flask_small' +html_theme = 'flask' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the # documentation. html_theme_options = { - 'github_fork': 'mattupstate/flask-security', - 'index_logo': False + #'github_fork': 'mattupstate/flask-security', + #'index_logo': False + 'touch_icon': 'touch-icon.png', + 'index_logo': 'logo-full.png' } # Add any paths that contain custom themes here, relative to this directory. @@ -136,7 +137,11 @@ html_static_path = ['_static'] #html_use_smartypants = True # Custom sidebar templates, maps document names to template names. -#html_sidebars = {} +html_sidebars = { + 'index': ['sidebarintro.html', 'sourcelink.html', 'searchbox.html'], + '**': ['sidebarlogo.html', 'localtoc.html', 'relations.html', + 'sourcelink.html', 'searchbox.html'] +} # Additional templates that should be rendered to pages, maps page names to # template names. diff --git a/docs/configuration.rst b/docs/configuration.rst new file mode 100644 index 0000000..ab28904 --- /dev/null +++ b/docs/configuration.rst @@ -0,0 +1,170 @@ +Configuration +============= + +The following configuration values are used by Flask-Security: + +Core +-------------- + +.. tabularcolumns:: |p{6.5cm}|p{8.5cm}| + +======================================== ======================================= +``SECURITY_BLUEPRINT_NAME`` Specifies the name for the + Flask-Security blueprint. Defaults to + ``security``. +``SECURITY_URL_PREFIX`` Specifies the URL prefix for the + Flask-Security blueprint. Defaults to + ``None``. +``SECURITY_FLASH_MESSAGES`` Specifies wether or not to flash + messages during security procedures. + Defaults to ``True``. +``SECURITY_PASSWORD_HASH`` Specifies the password hash algorith to + use when encrypting and decrypting + passwords. Recommended values for + production systems are ``bcrypt``, + ``sha512_crypt``, or ``pbkdf2_sha512``. + Defaults to ``plaintext``. +``SECURITY_PASSWORD_SALT`` Specifies the HMAC salt. This is only + used if the password hash type is set + to something other than plain text. + Defaults to ``None``. +``SECURITY_EMAIL_SENDER`` Specifies the email address to send + emails as. Defaults to + ``no-reply@localhost``. +``SECURITY_TOKEN_AUTHENTICATION_KEY`` Specifies the query sting parameter to + read when using token authentication. + Defaults to ``auth_token``. +``SECURITY_TOKEN_AUTHENTICATION_HEADER`` Specifies the HTTP header to read when + using token authentication. Defaults to + ``Authentication-Token``. +``SECURITY_DEFAULT_HTTP_AUTH_REALM`` Specifies the default authentication + realm when using basic HTTP auth. + Defaults to ``Login Required`` +======================================== ======================================= + + +URLs and Views +-------------- + +.. tabularcolumns:: |p{6.5cm}|p{8.5cm}| + +=============================== ================================================ +``SECURITY_LOGIN_URL`` Specifies the login URL. Defaults to ``/login``. +``SECURITY_LOGOUT_URL`` Specifies the logout URL. Defaults to + ``/logout``. +``SECURITY_REGISTER_URL`` Specifies the register URL. Defaults to + ``/register``. +``SECURITY_RESET_URL`` Specifies the password reset URL. Defaults to + ``/reset``. +``SECURITY_CONFIRM_URL`` Specifies the email confirmation URL. Defaults + to ``/confirm``. +``SECURITY_POST_LOGIN_VIEW`` Specifies the default view to redirect to after + a user logs in. This value can be set to a URL + or an endpoint name. Defaults to ``/``. +``SECURITY_POST_LOGOUT_VIEW`` Specifies the default view to redirect to after + a user logs out. This value can be set to a URL + or an endpoint name. Defaults to ``/``. +``SECURITY_CONFIRM_ERROR_VIEW`` Specifies the view to redirect to if a + confirmation error occurs. This value can be set + to a URL or an endpoint name. If this value is + ``None`` the user is presented the default view + to resend a confirmation link. Defaults to + ``None``. +``SECURITY_POST_REGISTER_VIEW`` Specifies the view to redirect to after a user + successfully registers. This value can be set to + a URL or an endpoint name. If this value is + ``None`` the user is redirected to the value of + ``SECURITY_POST_LOGIN_VIEW``. Defaults to + ``None``. +``SECURITY_POST_CONFIRM_VIEW`` Specifies the view to redirect to after a user + successfully confirms their email. This value + can be set to a URL or an endpoint name. If this + value is ``None`` the user is redirected to the + value of ``SECURITY_POST_LOGIN_VIEW``. Defaults + to ``None``. +``SECURITY_POST_RESET_VIEW`` Specifies the view to redirect to after a user + successfully resets their password. This value + can be set to a URL or an endpoint name. If this + value is ``None`` the user is redirected to the + value of ``SECURITY_POST_LOGIN_VIEW``. Defaults to + ``None``. +``SECURITY_UNAUTHORIZED_VIEW`` Specifies the view to redirect to if a user + attempts to access a URL/endpoint that they do + not have permission to access. If this value is + ``None`` the user is presented with a default + HTTP 403 response. Defaults to ``None``. +=============================== ================================================ + + +Feature Flags +------------- + +.. tabularcolumns:: |p{6.5cm}|p{8.5cm}| + +========================= ====================================================== +``SECURITY_CONFIRMABLE`` Specifies if users are required to confirm their email + address when registering a new account. If this value + is `True` Flask-Security creates an endpoint to handle + confirmations and requests to resend confirmation + instructions. The URL for this endpoint is specified + by the ``SECURITY_CONFIRM_URL`` configuration option. + Defaults to ``False``. +``SECURITY_REGISTERABLE`` Specifies if Flask-Security should create a user + registration endpoint. The URL for this endpoint is + specified by the ``SECURITY_REGISTER_URL`` + configuration option. Defaults to ``False``. +``SECURITY_RECOVERABLE`` Specifies if Flask-Security should create a password + reset/recover endpoint. The URL for this endpoint is + specified by the ``SECURITY_RESET_URL`` configuration + option. Defaults to ``False``. +``SECURITY_TRACKABLE`` Specifies if Flask-Security should track basic user + login statistics. If set to ``True`` ensure your + models have the required fields/attribues. Defaults to + ``False`` +``SECURITY_PASSWORDLESS`` Specifies if Flask-Security should enable the + passwordless login feature. If set to ``True`` users + are not required to enter a password to login but are + sent an email with a login link. This feature is + experimental and should be used with caution. Defaults + to ``False``. +========================= ====================================================== + + +Miscellaneous +------------- + +.. tabularcolumns:: |p{6.5cm}|p{8.5cm}| + +======================================= ======================================== +``SECURITY_CONFIRM_EMAIL_WITHIN`` Specifies the amount of time a user has + before their confirmation link expires. + Always pluralized the time unit for this + value. Defaults to ``5 days``. +``SECURITY_RESET_PASSWORD_WITHIN`` Specifies the amount of time a user has + before their password reset link + expires. Always pluralized the time unit + for this value. Defaults to ``5 days``. +``SECURITY_LOGIN_WITHIN`` Specifies the amount of time a user has + before a login link expires. This is + only used when the passwordless login + feature is enabled. Always pluralized + the time unit for this value. Defaults + to ``1 days``. +``SECURITY_LOGIN_WITHOUT_CONFIRMATION`` Specifies if a user may login before + confirming their email when the value + of ``SECURITY_CONFIRMABLE`` is set to + ``True``. Defaults to ``False``. +``SECURITY_CONFIRM_SALT`` Specifies the salt value when generating + confirmation links/tokens. Defaults to + ``confirm-salt``. +``SECURITY_RESET_SALT`` Specifies the salt value when generating + password reset links/tokens. Defaults to + ``reset-salt``. +``SECURITY_LOGIN_SALT`` Specifies the salt value when generating + login links/tokens. Defaults to + ``login-salt``. +``SECURITY_REMEMBER_SALT`` Specifies the salt value when generating + remember tokens. Remember tokens are + used instead of user ID's as it is more + secure. Defaults to ``remember-salt``. +======================================= ======================================== diff --git a/docs/contents.rst.inc b/docs/contents.rst.inc new file mode 100644 index 0000000..c905e06 --- /dev/null +++ b/docs/contents.rst.inc @@ -0,0 +1,13 @@ +Contents +-------- + +.. toctree:: + :maxdepth: 1 + + features + configuration + quickstart + models + customizing + api + changelog \ No newline at end of file diff --git a/docs/customizing.rst b/docs/customizing.rst new file mode 100644 index 0000000..d10a522 --- /dev/null +++ b/docs/customizing.rst @@ -0,0 +1,96 @@ +Customizing Views +================= + +Flask-Security bootstraps your application with various views for handling its +configured features to get you up and running as quick as possible. However, +you'll probably want to change the way these views look to be more in line with +your application's visual design. + + +Views +----- + +Flask-Security is packaged with a default template for each view it presents to +a user. Templates are located within a subfolder named ``security``. The +following is a list of view templates: + +* `security/forgot_password.html` +* `security/login_user.html` +* `security/register_user.html` +* `security/reset_password.html` +* `security/send_confirmation.html` +* `security/send_login.html` + +Overriding these templates is simple: + +1. Create a folder named ``security`` within your application's templates folder +2. Create a template with the same name for the template you wish to override + +Each template is passed a template context object that includes the following, +including the objects/values that are passed to the template by the main +Flask application context processory: + +* `` }}){kind=logo}
+{{ content }}
diff --git a/flask_security/__init__.py b/flask_security/__init__.py index b0be50d..756d89a 100644 --- a/flask_security/__init__.py +++ b/flask_security/__init__.py @@ -10,477 +10,14 @@ :license: MIT, see LICENSE for more details. """ -from functools import wraps - -from flask import current_app, Blueprint, flash, redirect, request, \ - session, url_for - -from flask.ext.login import AnonymousUser as AnonymousUserBase, \ - UserMixin as BaseUserMixin, LoginManager, login_required, login_user, \ - logout_user, current_user, login_url - -from flask.ext.principal import Identity, Principal, RoleNeed, UserNeed, \ - Permission, AnonymousIdentity, identity_changed, identity_loaded - -from flask.ext.wtf import Form, TextField, PasswordField, SubmitField, \ - HiddenField, Required, BooleanField - -from passlib.context import CryptContext - -from werkzeug.local import LocalProxy - - -class User(object): - """User model""" - - -class Role(object): - """Role model""" - -URL_PREFIX_KEY = 'SECURITY_URL_PREFIX' -AUTH_PROVIDER_KEY = 'SECURITY_AUTH_PROVIDER' -PASSWORD_HASH_KEY = 'SECURITY_PASSWORD_HASH' -USER_DATASTORE_KEY = 'SECURITY_USER_DATASTORE' -LOGIN_FORM_KEY = 'SECURITY_LOGIN_FORM' -AUTH_URL_KEY = 'SECURITY_AUTH_URL' -LOGOUT_URL_KEY = 'SECURITY_LOGOUT_URL' -LOGIN_VIEW_KEY = 'SECURITY_LOGIN_VIEW' -POST_LOGIN_KEY = 'SECURITY_POST_LOGIN' -POST_LOGOUT_KEY = 'SECURITY_POST_LOGOUT' -FLASH_MESSAGES_KEY = 'SECURITY_FLASH_MESSAGES' - -DEBUG_LOGIN = 'User %s logged in. Redirecting to: %s' -ERROR_LOGIN = 'Unsuccessful authentication attempt: %s. Redirecting to: %s' -DEBUG_LOGOUT = 'User logged out, redirecting to: %s' -FLASH_INACTIVE = 'Inactive user' -FLASH_PERMISSIONS = 'You do not have permission to view this resource.' - -#: Default Flask-Security configuration -default_config = { - URL_PREFIX_KEY: None, - FLASH_MESSAGES_KEY: True, - PASSWORD_HASH_KEY: 'plaintext', - USER_DATASTORE_KEY: 'user_datastore', - AUTH_PROVIDER_KEY: 'flask.ext.security.AuthenticationProvider', - LOGIN_FORM_KEY: 'flask.ext.security.LoginForm', - AUTH_URL_KEY: '/auth', - LOGOUT_URL_KEY: '/logout', - LOGIN_VIEW_KEY: '/login', - POST_LOGIN_KEY: '/', - POST_LOGOUT_KEY: '/', -} - - -class BadCredentialsError(Exception): - """Raised when an authentication attempt fails due to an error with the - provided credentials. - """ - - -class AuthenticationError(Exception): - """Raised when an authentication attempt fails due to invalid configuration - or an unknown reason. - """ - - -class UserNotFoundError(Exception): - """Raised by a user datastore when there is an attempt to find a user by - their identifier, often username or email, and the user is not found. - """ - - -class RoleNotFoundError(Exception): - """Raised by a user datastore when there is an attempt to find a role and - the role cannot be found. - """ - - -class UserIdNotFoundError(Exception): - """Raised by a user datastore when there is an attempt to find a user by - ID and the user is not found. - """ - - -class UserDatastoreError(Exception): - """Raised when a user datastore experiences an unexpected error - """ - - -class UserCreationError(Exception): - """Raised when an error occurs when creating a user - """ - - -class RoleCreationError(Exception): - """Raised when an error occurs when creating a role - """ - - -#: App logger for convenience -logger = LocalProxy(lambda: current_app.logger) - -#: Authentication provider -auth_provider = LocalProxy(lambda: current_app.auth_provider) - -#: Login manager -login_manager = LocalProxy(lambda: current_app.login_manager) - -#: Password encyption context -pwd_context = LocalProxy(lambda: current_app.pwd_context) - -#: User datastore -user_datastore = LocalProxy(lambda: getattr(current_app, - current_app.config[USER_DATASTORE_KEY])) - - -def roles_required(*args): - """View decorator which specifies that a user must have all the specified - roles. Example:: - - @app.route('/dashboard') - @roles_required('admin', 'editor') - def dashboard(): - return 'Dashboard' - - The current user must have both the `admin` role and `editor` role in order - to view the page. - - :param args: The required roles. - """ - roles = args - perm = Permission(*[RoleNeed(role) for role in roles]) - - def wrapper(fn): - @wraps(fn) - def decorated_view(*args, **kwargs): - if not current_user.is_authenticated(): - return redirect( - login_url(current_app.config[LOGIN_VIEW_KEY], request.url)) - - if perm.can(): - return fn(*args, **kwargs) - - logger.debug('Identity does not provide all of the ' - 'following roles: %s' % [r for r in roles]) - - do_flash(FLASH_PERMISSIONS, 'error') - return redirect(request.referrer or '/') - return decorated_view - return wrapper - - -def roles_accepted(*args): - """View decorator which specifies that a user must have at least one of the - specified roles. Example:: - - @app.route('/create_post') - @roles_accepted('editor', 'author') - def create_post(): - return 'Create Post' - - The current user must have either the `editor` role or `author` role in - order to view the page. - - :param args: The possible roles. - """ - roles = args - perms = [Permission(RoleNeed(role)) for role in roles] - - def wrapper(fn): - @wraps(fn) - def decorated_view(*args, **kwargs): - if not current_user.is_authenticated(): - return redirect( - login_url(current_app.config[LOGIN_VIEW_KEY], request.url)) - - for perm in perms: - if perm.can(): - return fn(*args, **kwargs) - - logger.debug('Identity does not provide at least one of ' - 'the following roles: %s' % [r for r in roles]) - - do_flash(FLASH_PERMISSIONS, 'error') - return redirect(request.referrer or '/') - return decorated_view - return wrapper - - -class RoleMixin(object): - """Mixin for `Role` model definitions""" - def __eq__(self, other): - return self.name == other or self.name == getattr(other, 'name', None) - - def __ne__(self, other): - return self.name != other and self.name != getattr(other, 'name', None) - - def __str__(self): - return 'Unauthorized
+The server could not verify that you are authorized to access the URL + requested. You either supplied the wrong credentials (e.g. a bad password), + or your browser doesn't understand how to supply the credentials required.
+ """ + + +def _get_unauthorized_response(text=None, headers=None): + text = text or _default_unauthorized_html + headers = headers or {} + return Response(text, 401, headers) + + +def _get_unauthorized_view(): + cv = utils.get_url(utils.config_value('UNAUTHORIZED_VIEW')) + utils.do_flash(*utils.get_message('UNAUTHORIZED')) + return redirect(cv or request.referrer or '/') + + +def _check_token(): + header_key = _security.token_authentication_header + args_key = _security.token_authentication_key + header_token = request.headers.get(header_key, None) + token = request.args.get(args_key, header_token) + serializer = _security.remember_token_serializer + + try: + data = serializer.loads(token) + except: + return False + + user = _security.datastore.find_user(id=data[0]) + + if utils.md5(user.password) == data[1]: + app = current_app._get_current_object() + identity_changed.send(app, identity=Identity(user.id)) + return True + + +def _check_http_auth(): + auth = request.authorization or dict(username=None, password=None) + user = _security.datastore.find_user(email=auth.username) + + if user and utils.verify_password(auth.password, user.password): + app = current_app._get_current_object() + identity_changed.send(app, identity=Identity(user.id)) + return True + + return False + + +def http_auth_required(realm): + """Decorator that protects endpoints using Basic HTTP authentication. + The username should be set to the user's email address. + + :param realm: optional realm name""" + + def decorator(fn): + @wraps(fn) + def wrapper(*args, **kwargs): + if _check_http_auth(): + return fn(*args, **kwargs) + r = _security.default_http_auth_realm if callable(realm) else realm + h = {'WWW-Authenticate': 'Basic realm="%s"' % r} + return _get_unauthorized_response(headers=h) + return wrapper + + if callable(realm): + return decorator(realm) + return decorator + + +def auth_token_required(fn): + """Decorator that protects endpoints using token authentication. The token + should be added to the request by the client by using a query string + variable with a name equal to the configuration value of + `SECURITY_TOKEN_AUTHENTICATION_KEY` or in a request header named that of + the configuration value of `SECURITY_TOKEN_AUTHENTICATION_HEADER` + """ + + @wraps(fn) + def decorated(*args, **kwargs): + if _check_token(): + return fn(*args, **kwargs) + return _get_unauthorized_response() + return decorated + + +def roles_required(*roles): + """Decorator which specifies that a user must have all the specified roles. + Example:: + + @app.route('/dashboard') + @roles_required('admin', 'editor') + def dashboard(): + return 'Dashboard' + + The current user must have both the `admin` role and `editor` role in order + to view the page. + + :param args: The required roles. + """ + def wrapper(fn): + @wraps(fn) + def decorated_view(*args, **kwargs): + perms = [Permission(RoleNeed(role)) for role in roles] + for perm in perms: + if not perm.can(): + return _get_unauthorized_view() + return fn(*args, **kwargs) + return decorated_view + return wrapper + + +def roles_accepted(*roles): + """Decorator which specifies that a user must have at least one of the + specified roles. Example:: + + @app.route('/create_post') + @roles_accepted('editor', 'author') + def create_post(): + return 'Create Post' + + The current user must have either the `editor` role or `author` role in + order to view the page. + + :param args: The possible roles. + """ + def wrapper(fn): + @wraps(fn) + def decorated_view(*args, **kwargs): + perm = Permission(*[RoleNeed(role) for role in roles]) + if perm.can(): + return fn(*args, **kwargs) + return _get_unauthorized_view() + return decorated_view + return wrapper + + +def anonymous_user_required(f): + @wraps(f) + def wrapper(*args, **kwargs): + if current_user.is_authenticated(): + return redirect(utils.get_url(_security.post_login_view)) + return f(*args, **kwargs) + return wrapper diff --git a/flask_security/forms.py b/flask_security/forms.py new file mode 100644 index 0000000..373debc --- /dev/null +++ b/flask_security/forms.py @@ -0,0 +1,187 @@ +# -*- coding: utf-8 -*- +""" + flask.ext.security.forms + ~~~~~~~~~~~~~~~~~~~~~~~~ + + Flask-Security forms module + + :copyright: (c) 2012 by Matt Wright. + :license: MIT, see LICENSE for more details. +""" + +from flask import request, current_app +from flask.ext.wtf import Form as BaseForm, TextField, PasswordField, \ + SubmitField, HiddenField, Required, BooleanField, EqualTo, Email, \ + ValidationError, Length +from werkzeug.local import LocalProxy + +from .confirmable import requires_confirmation +from .utils import verify_password, get_message + +# Convenient reference +_datastore = LocalProxy(lambda: current_app.extensions['security'].datastore) + +email_required = Required(message='Email not provided') + +email_validator = Email(message='Invalid email address') + +password_required = Required(message="Password not provided") + + +def unique_user_email(form, field): + if _datastore.find_user(email=field.data) is not None: + raise ValidationError(field.data + + ' is already associated with an account') + + +def valid_user_email(form, field): + form.user = _datastore.find_user(email=field.data) + if form.user is None: + raise ValidationError('Specified user does not exist') + + +class Form(BaseForm): + def __init__(self, *args, **kwargs): + kwargs.setdefault('csrf_enabled', not current_app.testing) + super(Form, self).__init__(*args, **kwargs) + + +class EmailFormMixin(): + email = TextField("Email Address", + validators=[email_required, + email_validator]) + + +class UserEmailFormMixin(): + user = None + email = TextField("Email Address", + validators=[email_required, + email_validator, + valid_user_email]) + + +class UniqueEmailFormMixin(): + email = TextField("Email Address", + validators=[email_required, + email_validator, + unique_user_email]) + + +class PasswordFormMixin(): + password = PasswordField("Password", + validators=[password_required]) + + +class NewPasswordFormMixin(): + password = PasswordField("Password", + validators=[password_required, + Length(min=6, max=128)]) + +class PasswordConfirmFormMixin(): + password_confirm = PasswordField("Retype Password", + validators=[EqualTo('password', message="Passwords do not match")]) + + +class NextFormMixin(): + next = HiddenField() + + +class RegisterFormMixin(): + submit = SubmitField("Register") + + +class SendConfirmationForm(Form, UserEmailFormMixin): + """The default forgot password form""" + + submit = SubmitField("Resend Confirmation Instructions") + + def __init__(self, *args, **kwargs): + super(SendConfirmationForm, self).__init__(*args, **kwargs) + if request.method == 'GET': + self.email.data = request.args.get('email', None) + + def validate(self): + if not super(SendConfirmationForm, self).validate(): + return False + if self.user.confirmed_at is not None: + self.email.errors.append(get_message('ALREADY_CONFIRMED')[0]) + return False + return True + + +class ForgotPasswordForm(Form, UserEmailFormMixin): + """The default forgot password form""" + + submit = SubmitField("Recover Password") + + +class PasswordlessLoginForm(Form, UserEmailFormMixin): + """The passwordless login form""" + + submit = SubmitField("Send Login Link") + + def __init__(self, *args, **kwargs): + super(PasswordlessLoginForm, self).__init__(*args, **kwargs) + + def validate(self): + if not super(PasswordlessLoginForm, self).validate(): + return False + if not self.user.is_active(): + self.email.errors.append(get_message('DISABLED_ACCOUNT')[0]) + return False + return True + + +class LoginForm(Form, NextFormMixin): + """The default login form""" + email = TextField('Email Address') + password = PasswordField('Password') + remember = BooleanField("Remember Me") + submit = SubmitField("Login") + + def __init__(self, *args, **kwargs): + super(LoginForm, self).__init__(*args, **kwargs) + + def validate(self): + super(LoginForm, self).validate() + + if self.email.data.strip() == '': + self.email.errors.append('Email not provided') + return False + + if self.password.data.strip() == '': + self.password.errors.append('Password not provided') + return False + + self.user = _datastore.find_user(email=self.email.data) + + if self.user is None: + self.email.errors.append('Specified user does not exist') + return False + if not verify_password(self.password.data, self.user.password): + self.password.errors.append('Invalid password') + return False + if requires_confirmation(self.user): + self.email.errors.append(get_message('CONFIRMATION_REQUIRED')[0]) + return False + if not self.user.is_active(): + self.email.errors.append(get_message('DISABLED_ACCOUNT')[0]) + return False + return True + + +class ConfirmRegisterForm(Form, RegisterFormMixin, + UniqueEmailFormMixin, NewPasswordFormMixin): + def to_dict(self): + return dict(email=self.email.data, + password=self.password.data) + + +class RegisterForm(ConfirmRegisterForm, PasswordConfirmFormMixin): + pass + + +class ResetPasswordForm(Form, NewPasswordFormMixin, PasswordConfirmFormMixin): + """The default reset password form""" + + submit = SubmitField("Reset Password") diff --git a/flask_security/passwordless.py b/flask_security/passwordless.py new file mode 100644 index 0000000..7a9e001 --- /dev/null +++ b/flask_security/passwordless.py @@ -0,0 +1,58 @@ +# -*- coding: utf-8 -*- +""" + flask.ext.security.passwordless + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Flask-Security passwordless module + + :copyright: (c) 2012 by Matt Wright. + :license: MIT, see LICENSE for more details. +""" + +from flask import request, current_app as app +from werkzeug.local import LocalProxy + +from .signals import login_instructions_sent +from .utils import send_mail, url_for_security, get_token_status + + +# Convenient references +_security = LocalProxy(lambda: app.extensions['security']) + +_datastore = LocalProxy(lambda: _security.datastore) + + +def send_login_instructions(user): + """Sends the login instructions email for the specified user. + + :param user: The user to send the instructions to + :param token: The login token + """ + token = generate_login_token(user) + url = url_for_security('token_login', token=token) + login_link = request.url_root[:-1] + url + + send_mail('Login Instructions', user.email, + 'login_instructions', user=user, login_link=login_link) + + login_instructions_sent.send(dict(user=user, login_token=token), + app=app._get_current_object()) + + +def generate_login_token(user): + """Generates a unique login token for the specified user. + + :param user: The user the token belongs to + """ + return _security.login_serializer.dumps([user.id]) + + +def login_token_status(token): + """Returns the expired status, invalid status, and user of a login token. + For example:: + + expired, invalid, user = login_token_status('...') + + :param token: The login token + """ + return get_token_status(token, 'login', 'LOGIN') diff --git a/flask_security/recoverable.py b/flask_security/recoverable.py new file mode 100644 index 0000000..5138680 --- /dev/null +++ b/flask_security/recoverable.py @@ -0,0 +1,80 @@ +# -*- coding: utf-8 -*- +""" + flask.ext.security.recoverable + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Flask-Security recoverable module + + :copyright: (c) 2012 by Matt Wright. + :license: MIT, see LICENSE for more details. +""" + +from flask import current_app as app, request +from werkzeug.local import LocalProxy + +from .signals import password_reset, reset_password_instructions_sent +from .utils import send_mail, md5, encrypt_password, url_for_security, \ + get_token_status + + +# Convenient references +_security = LocalProxy(lambda: app.extensions['security']) + +_datastore = LocalProxy(lambda: _security.datastore) + + +def send_reset_password_instructions(user): + """Sends the reset password instructions email for the specified user. + + :param user: The user to send the instructions to + """ + token = generate_reset_password_token(user) + url = url_for_security('reset_password', token=token) + reset_link = request.url_root[:-1] + url + + send_mail('Password reset instructions', user.email, + 'reset_instructions', + user=user, reset_link=reset_link) + + reset_password_instructions_sent.send(dict(user=user, token=token), + app=app._get_current_object()) + + +def send_password_reset_notice(user): + """Sends the password reset notice email for the specified user. + + :param user: The user to send the notice to + """ + send_mail('Your password has been reset', user.email, + 'reset_notice', user=user) + + +def generate_reset_password_token(user): + """Generates a unique reset password token for the specified user. + + :param user: The user to work with + """ + data = [user.id, md5(user.password)] + return _security.reset_serializer.dumps(data) + + +def reset_password_token_status(token): + """Returns the expired status, invalid status, and user of a password reset + token. For example:: + + expired, invalid, user = reset_password_token_status('...') + + :param token: The password reset token + """ + return get_token_status(token, 'reset', 'RESET_PASSWORD') + +def update_password(user, password): + """Update the specified user's password + + :param user: The user to update_password + :param password: The unencrypted new password + """ + user.password = encrypt_password(password) + _datastore.put(user) + send_password_reset_notice(user) + password_reset.send(user, app=app._get_current_object()) diff --git a/flask_security/registerable.py b/flask_security/registerable.py new file mode 100644 index 0000000..2e29af1 --- /dev/null +++ b/flask_security/registerable.py @@ -0,0 +1,41 @@ +# -*- coding: utf-8 -*- +""" + flask.ext.security.registerable + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Flask-Security registerable module + + :copyright: (c) 2012 by Matt Wright. + :license: MIT, see LICENSE for more details. +""" + +from flask import current_app as app +from werkzeug.local import LocalProxy + +from .confirmable import generate_confirmation_link +from .signals import user_registered +from .utils import do_flash, get_message, send_mail, encrypt_password + +# Convenient references +_security = LocalProxy(lambda: app.extensions['security']) + +_datastore = LocalProxy(lambda: _security.datastore) + + +def register_user(**kwargs): + confirmation_link, token = None, None + kwargs['password'] = encrypt_password(kwargs['password']) + user = _datastore.create_user(**kwargs) + _datastore.commit() + + if _security.confirmable: + confirmation_link, token = generate_confirmation_link(user) + do_flash(*get_message('CONFIRM_REGISTRATION', email=user.email)) + + user_registered.send(dict(user=user, confirm_token=token), + app=app._get_current_object()) + + send_mail('Welcome', user.email, 'welcome', + user=user, confirmation_link=confirmation_link) + + return user diff --git a/flask_security/script.py b/flask_security/script.py index 521ceb9..9c9a246 100644 --- a/flask_security/script.py +++ b/flask_security/script.py @@ -3,49 +3,68 @@ flask.ext.security.script ~~~~~~~~~~~~~~~~~~~~~~~~~ - This module contains commands for use with the Flask-Script extension + Flask-Security script module :copyright: (c) 2012 by Matt Wright. :license: MIT, see LICENSE for more details. """ +try: + import simplejson as json +except ImportError: + import json -import json import re +from flask import current_app from flask.ext.script import Command, Option +from werkzeug.local import LocalProxy -from flask.ext.security import user_datastore +from .utils import encrypt_password + + +_datastore = LocalProxy(lambda: current_app.extensions['security'].datastore) def pprint(obj): print json.dumps(obj, sort_keys=True, indent=4) +def commit(fn): + def wrapper(*args, **kwargs): + fn(*args, **kwargs) + _datastore.commit() + return wrapper + + class CreateUserCommand(Command): """Create a user""" option_list = ( - Option('-u', '--username', dest='username', default=None), Option('-e', '--email', dest='email', default=None), Option('-p', '--password', dest='password', default=None), Option('-a', '--active', dest='active', default=''), - Option('-r', '--roles', dest='roles', default=''), ) + @commit def run(self, **kwargs): # sanitize active input ai = re.sub(r'\s', '', str(kwargs['active'])) kwargs['active'] = ai.lower() in ['', 'y', 'yes', '1', 'active'] - # sanitize role input a bit - ri = re.sub(r'\s', '', kwargs['roles']) - kwargs['roles'] = [] if ri == '' else ri.split(',') + from flask_security.forms import ConfirmRegisterForm + from werkzeug.datastructures import MultiDict - user_datastore.create_user(**kwargs) + form = ConfirmRegisterForm(MultiDict(kwargs), csrf_enabled=False) - print 'User created successfully.' - kwargs['password'] = '****' - pprint(kwargs) + if form.validate(): + kwargs['password'] = encrypt_password(kwargs['password']) + _datastore.create_user(**kwargs) + print 'User created successfully.' + kwargs['password'] = '****' + pprint(kwargs) + else: + print 'Error creating user' + pprint(form.errors) class CreateRoleCommand(Command): @@ -56,8 +75,9 @@ class CreateRoleCommand(Command): Option('-d', '--desc', dest='description', default=None), ) + @commit def run(self, **kwargs): - user_datastore.create_role(**kwargs) + _datastore.create_role(**kwargs) print 'Role "%(name)s" created successfully.' % kwargs @@ -71,16 +91,18 @@ class _RoleCommand(Command): class AddRoleCommand(_RoleCommand): """Add a role to a user""" + @commit def run(self, user_identifier, role_name): - user_datastore.add_role_to_user(user_identifier, role_name) + _datastore.add_role_to_user(user_identifier, role_name) print "Role '%s' added to user '%s' successfully" % (role_name, user_identifier) class RemoveRoleCommand(_RoleCommand): """Add a role to a user""" + @commit def run(self, user_identifier, role_name): - user_datastore.remove_role_from_user(user_identifier, role_name) + _datastore.remove_role_from_user(user_identifier, role_name) print "Role '%s' removed from user '%s' successfully" % (role_name, user_identifier) @@ -93,14 +115,16 @@ class _ToggleActiveCommand(Command): class DeactivateUserCommand(_ToggleActiveCommand): """Deactive a user""" + @commit def run(self, user_identifier): - user_datastore.deactivate_user(user_identifier) + _datastore.deactivate_user(user_identifier) print "User '%s' has been deactivated" % user_identifier class ActivateUserCommand(_ToggleActiveCommand): """Deactive a user""" + @commit def run(self, user_identifier): - user_datastore.activate_user(user_identifier) + _datastore.activate_user(user_identifier) print "User '%s' has been activated" % user_identifier diff --git a/flask_security/signals.py b/flask_security/signals.py new file mode 100644 index 0000000..17aac64 --- /dev/null +++ b/flask_security/signals.py @@ -0,0 +1,27 @@ +# -*- coding: utf-8 -*- +""" + flask.ext.security.signals + ~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Flask-Security signals module + + :copyright: (c) 2012 by Matt Wright. + :license: MIT, see LICENSE for more details. +""" + +import blinker + + +signals = blinker.Namespace() + +user_registered = signals.signal("user-registered") + +user_confirmed = signals.signal("user-confirmed") + +confirm_instructions_sent = signals.signal("confirm-instructions-sent") + +login_instructions_sent = signals.signal("login-instructions-sent") + +password_reset = signals.signal("password-reset") + +reset_password_instructions_sent = signals.signal("password-reset-instructions-sent") diff --git a/flask_security/templates/security/_macros.html b/flask_security/templates/security/_macros.html new file mode 100644 index 0000000..8575f3d --- /dev/null +++ b/flask_security/templates/security/_macros.html @@ -0,0 +1,16 @@ +{% macro render_field_with_errors(field) %} ++ {{ field.label }} {{ field(**kwargs)|safe }} + {% if field.errors %} +
-
+ {% for error in field.errors %}
+
- {{ error }} + {% endfor %} +
{{ field(**kwargs)|safe }}
+{% endmacro %} \ No newline at end of file diff --git a/flask_security/templates/security/_menu.html b/flask_security/templates/security/_menu.html new file mode 100644 index 0000000..d50b5a4 --- /dev/null +++ b/flask_security/templates/security/_menu.html @@ -0,0 +1,15 @@ +{% if security.registerable or security.recoverable or security.confirmabled %} +Menu
+-
+
- Login + {% if security.registerable %} +
- Register
- Forgot password
- Confirm account + {% endif %} +
-
+ {% for category, message in messages %}
+
- {{ message }} + {% endfor %} +
Please confirm your email through the link below:
+ + \ No newline at end of file diff --git a/flask_security/templates/security/email/confirmation_instructions.txt b/flask_security/templates/security/email/confirmation_instructions.txt new file mode 100644 index 0000000..fb435b5 --- /dev/null +++ b/flask_security/templates/security/email/confirmation_instructions.txt @@ -0,0 +1,3 @@ +Please confirm your email through the link below: + +{{ confirmation_link }} \ No newline at end of file diff --git a/flask_security/templates/security/email/login_instructions.html b/flask_security/templates/security/email/login_instructions.html new file mode 100644 index 0000000..45a7cb5 --- /dev/null +++ b/flask_security/templates/security/email/login_instructions.html @@ -0,0 +1,5 @@ +Welcome {{ user.email }}!
+ +You can log into your through the link below:
+ + \ No newline at end of file diff --git a/flask_security/templates/security/email/login_instructions.txt b/flask_security/templates/security/email/login_instructions.txt new file mode 100644 index 0000000..1364ed6 --- /dev/null +++ b/flask_security/templates/security/email/login_instructions.txt @@ -0,0 +1,5 @@ +Welcome {{ user.email }}! + +You can log into your through the link below: + +{{ login_link }} \ No newline at end of file diff --git a/flask_security/templates/security/email/reset_instructions.html b/flask_security/templates/security/email/reset_instructions.html new file mode 100644 index 0000000..fd0b48d --- /dev/null +++ b/flask_security/templates/security/email/reset_instructions.html @@ -0,0 +1 @@ +Click here to reset your password
\ No newline at end of file diff --git a/flask_security/templates/security/email/reset_instructions.txt b/flask_security/templates/security/email/reset_instructions.txt new file mode 100644 index 0000000..91ac288 --- /dev/null +++ b/flask_security/templates/security/email/reset_instructions.txt @@ -0,0 +1,3 @@ +Click the link below to reset your password: + +{{ reset_link }} \ No newline at end of file diff --git a/flask_security/templates/security/email/reset_notice.html b/flask_security/templates/security/email/reset_notice.html new file mode 100644 index 0000000..536e296 --- /dev/null +++ b/flask_security/templates/security/email/reset_notice.html @@ -0,0 +1 @@ +Your password has been reset
\ No newline at end of file diff --git a/flask_security/templates/security/email/reset_notice.txt b/flask_security/templates/security/email/reset_notice.txt new file mode 100644 index 0000000..a3fa0b4 --- /dev/null +++ b/flask_security/templates/security/email/reset_notice.txt @@ -0,0 +1 @@ +Your password has been reset \ No newline at end of file diff --git a/flask_security/templates/security/email/welcome.html b/flask_security/templates/security/email/welcome.html new file mode 100644 index 0000000..55eaed6 --- /dev/null +++ b/flask_security/templates/security/email/welcome.html @@ -0,0 +1,7 @@ +Welcome {{ user.email }}!
+ +{% if security.confirmable %} +You can confirm your email through the link below:
+ + +{% endif %} \ No newline at end of file diff --git a/flask_security/templates/security/email/welcome.txt b/flask_security/templates/security/email/welcome.txt new file mode 100644 index 0000000..fb6ee5b --- /dev/null +++ b/flask_security/templates/security/email/welcome.txt @@ -0,0 +1,7 @@ +Welcome {{ user.email }}! + +{% if security.confirmable %} +You can confirm your email through the link below: + +{{ confirmation_link }} +{% endif %} \ No newline at end of file diff --git a/flask_security/templates/security/forgot_password.html b/flask_security/templates/security/forgot_password.html new file mode 100644 index 0000000..90fcaf6 --- /dev/null +++ b/flask_security/templates/security/forgot_password.html @@ -0,0 +1,9 @@ +{% from "security/_macros.html" import render_field_with_errors, render_field %} +{% include "security/_messages.html" %} +Send password reset instructions
+ +{% include "security/_menu.html" %} \ No newline at end of file diff --git a/flask_security/templates/security/login_user.html b/flask_security/templates/security/login_user.html new file mode 100644 index 0000000..d781ce0 --- /dev/null +++ b/flask_security/templates/security/login_user.html @@ -0,0 +1,12 @@ +{% from "security/_macros.html" import render_field_with_errors, render_field %} +{% include "security/_messages.html" %} +Login
+ +{% include "security/_menu.html" %} \ No newline at end of file diff --git a/flask_security/templates/security/register_user.html b/flask_security/templates/security/register_user.html new file mode 100644 index 0000000..87cf9b1 --- /dev/null +++ b/flask_security/templates/security/register_user.html @@ -0,0 +1,13 @@ +{% from "security/_macros.html" import render_field_with_errors, render_field %} +{% include "security/_messages.html" %} +Register
+ +{% include "security/_menu.html" %} \ No newline at end of file diff --git a/flask_security/templates/security/reset_password.html b/flask_security/templates/security/reset_password.html new file mode 100644 index 0000000..e6fc3f5 --- /dev/null +++ b/flask_security/templates/security/reset_password.html @@ -0,0 +1,10 @@ +{% from "security/_macros.html" import render_field_with_errors, render_field %} +{% include "security/_messages.html" %} +Reset password
+ +{% include "security/_menu.html" %} \ No newline at end of file diff --git a/flask_security/templates/security/send_confirmation.html b/flask_security/templates/security/send_confirmation.html new file mode 100644 index 0000000..3e82840 --- /dev/null +++ b/flask_security/templates/security/send_confirmation.html @@ -0,0 +1,9 @@ +{% from "security/_macros.html" import render_field_with_errors, render_field %} +{% include "security/_messages.html" %} +Resend confirmation instructions
+ +{% include "security/_menu.html" %} \ No newline at end of file diff --git a/flask_security/templates/security/send_login.html b/flask_security/templates/security/send_login.html new file mode 100644 index 0000000..15611c5 --- /dev/null +++ b/flask_security/templates/security/send_login.html @@ -0,0 +1,9 @@ +{% from "security/_macros.html" import render_field_with_errors, render_field %} +{% include "security/_messages.html" %} +Login
+ +{% include "security/_menu.html" %} \ No newline at end of file diff --git a/flask_security/utils.py b/flask_security/utils.py new file mode 100644 index 0000000..9b44408 --- /dev/null +++ b/flask_security/utils.py @@ -0,0 +1,311 @@ +# -*- coding: utf-8 -*- +""" + flask.ext.security.utils + ~~~~~~~~~~~~~~~~~~~~~~~~ + + Flask-Security utils module + + :copyright: (c) 2012 by Matt Wright. + :license: MIT, see LICENSE for more details. +""" + +import base64 +import hashlib +import hmac +from contextlib import contextmanager +from datetime import datetime, timedelta + +from flask import url_for, flash, current_app, request, session, render_template +from flask.ext.login import login_user as _login_user, \ + logout_user as _logout_user +from flask.ext.mail import Message +from flask.ext.principal import Identity, AnonymousIdentity, identity_changed +from itsdangerous import BadSignature, SignatureExpired +from werkzeug.local import LocalProxy + +from .signals import user_registered, reset_password_instructions_sent, \ + login_instructions_sent + + +# Convenient references +_security = LocalProxy(lambda: current_app.extensions['security']) + +_datastore = LocalProxy(lambda: _security.datastore) + +_pwd_context = LocalProxy(lambda: _security.pwd_context) + + +def login_user(user, remember=True): + """Performs the login and sends the appropriate signal.""" + + _login_user(user, remember) + + if _security.trackable: + old_current, new_current = user.current_login_at, datetime.utcnow() + user.last_login_at = old_current or new_current + user.current_login_at = new_current + + remote_addr = request.remote_addr or 'untrackable' + old_current, new_current = user.current_login_ip, remote_addr + user.last_login_ip = old_current or new_current + user.current_login_ip = new_current + + user.login_count = user.login_count + 1 if user.login_count else 1 + + _datastore.put(user) + identity_changed.send(current_app._get_current_object(), + identity=Identity(user.id)) + + +def logout_user(): + for key in ('identity.name', 'identity.auth_type'): + session.pop(key, None) + identity_changed.send(current_app._get_current_object(), + identity=AnonymousIdentity()) + _logout_user() + + +def get_hmac(password): + if _security.password_hash == 'plaintext': + return password + + if _security.password_salt is None: + raise RuntimeError('The configuration value `SECURITY_PASSWORD_SALT` ' + 'must not be None when the value of `SECURITY_PASSWORD_HASH` is ' + 'set to "%s"' % _security.password_hash) + + h = hmac.new(_security.password_salt, password, hashlib.sha512) + return base64.b64encode(h.digest()) + + +def verify_password(password, password_hash): + return _pwd_context.verify(get_hmac(password), password_hash) + + +def encrypt_password(password): + return _pwd_context.encrypt(get_hmac(password)) + + +def md5(data): + return hashlib.md5(data).hexdigest() + + +def do_flash(message, category=None): + """Flash a message depending on if the `FLASH_MESSAGES` configuration + value is set. + + :param message: The flash message + :param category: The flash message category + """ + if config_value('FLASH_MESSAGES'): + flash(message, category) + + +def get_url(endpoint_or_url): + """Returns a URL if a valid endpoint is found. Otherwise, returns the + provided value. + + :param endpoint_or_url: The endpoint name or URL to default to + """ + try: + return url_for(endpoint_or_url) + except: + return endpoint_or_url + + +def get_security_endpoint_name(endpoint): + return '%s.%s' % (_security.blueprint_name, endpoint) + + +def url_for_security(endpoint, **values): + """Return a URL for the security blueprint + + :param endpoint: the endpoint of the URL (name of the function) + :param values: the variable arguments of the URL rule + :param _external: if set to `True`, an absolute URL is generated. Server + address can be changed via `SERVER_NAME` configuration variable which + defaults to `localhost`. + :param _anchor: if provided this is added as anchor to the URL. + :param _method: if provided this explicitly specifies an HTTP method. + """ + endpoint = get_security_endpoint_name(endpoint) + return url_for(endpoint, **values) + + +def get_post_login_redirect(): + """Returns the URL to redirect to after a user logs in successfully.""" + return (get_url(request.args.get('next')) or + get_url(request.form.get('next')) or + find_redirect('SECURITY_POST_LOGIN_VIEW')) + + +def find_redirect(key): + """Returns the URL to redirect to after a user logs in successfully. + + :param key: The session or application configuration key to search for + """ + rv = (get_url(session.pop(key.lower(), None)) or + get_url(current_app.config[key.upper()] or None) or '/') + return rv + + +def get_config(app): + """Conveniently get the security configuration for the specified + application without the annoying 'SECURITY_' prefix. + + :param app: The application to inspect + """ + items = app.config.items() + prefix = 'SECURITY_' + + def strip_prefix(tup): + return (tup[0].replace('SECURITY_', ''), tup[1]) + + return dict([strip_prefix(i) for i in items if i[0].startswith(prefix)]) + + +def get_message(key, **kwargs): + rv = config_value('MSG_' + key) + return rv[0] % kwargs, rv[1] + + +def config_value(key, app=None, default=None): + """Get a Flask-Security configuration value. + + :param key: The configuration key without the prefix `SECURITY_` + :param app: An optional specific application to inspect. Defaults to Flask's + `current_app` + :param default: An optional default value if the value is not set + """ + app = app or current_app + return get_config(app).get(key.upper(), default) + + +def get_max_age(key, app=None): + now = datetime.utcnow() + expires = now + get_within_delta(key + '_WITHIN', app) + return int(expires.strftime('%s')) - int(now.strftime('%s')) + + +def get_within_delta(key, app=None): + """Get a timedelta object from the application configuration following + the internal convention of:: + +Login
", r.data) + + def test_authenticate(self): + r = self.authenticate(endpoint="/custom_login") + self.assertIn('Post Login', r.data) + + def test_logout(self): + self.authenticate(endpoint="/custom_login") + r = self.logout(endpoint="/custom_logout") + self.assertIn('Post Logout', r.data) + + def test_register_view(self): + r = self._get('/register') + self.assertIn('Register
', r.data) + + def test_register(self): + data = dict(email='dude@lp.com', + password='password', + password_confirm='password') + + r = self._post('/register', data=data, follow_redirects=True) + self.assertIn('Post Register', r.data) + + def test_register_json(self): + data = '{ "email": "dude@lp.com", "password": "password" }' + r = self._post('/register', data=data, content_type='application/json') + data = json.loads(r.data) + self.assertEquals(data['meta']['code'], 200) + + def test_register_existing_email(self): + data = dict(email='matt@lp.com', + password='password', + password_confirm='password') + r = self._post('/register', data=data, follow_redirects=True) + msg = 'matt@lp.com is already associated with an account' + self.assertIn(msg, r.data) + + def test_unauthorized(self): + self.authenticate("joe@lp.com", endpoint="/custom_auth") + r = self._get("/admin", follow_redirects=True) + msg = 'You are not allowed to access the requested resouce' + self.assertIn(msg, r.data) + + def test_default_http_auth_realm(self): + r = self._get('/http', headers={ + 'Authorization': 'Basic ' + base64.b64encode("joe@lp.com:bogus") + }) + self.assertIn('Unauthorized
', r.data) + self.assertIn('WWW-Authenticate', r.headers) + self.assertEquals('Basic realm="Custom Realm"', + r.headers['WWW-Authenticate']) + + +class BadConfiguredSecurityTests(SecurityTest): + + AUTH_CONFIG = { + 'SECURITY_PASSWORD_HASH': 'bcrypt', + 'USER_COUNT': 1 + } + + def test_bad_configuration_raises_runtimer_error(self): + self.assertRaises(RuntimeError, self.authenticate) + + +class RegisterableTests(SecurityTest): + AUTH_CONFIG = { + 'SECURITY_REGISTERABLE': True, + 'USER_COUNT': 1 + } + + def test_register_valid_user(self): + data = dict(email='dude@lp.com', + password='password', + password_confirm='password') + self.client.post('/register', data=data, follow_redirects=True) + r = self.authenticate('dude@lp.com') + self.assertIn('Hello dude@lp.com', r.data) + + +class ConfirmableTests(SecurityTest): + AUTH_CONFIG = { + 'SECURITY_CONFIRMABLE': True, + 'SECURITY_REGISTERABLE': True, + 'USER_COUNT': 1 + } + + def test_login_before_confirmation(self): + e = 'dude@lp.com' + self.register(e) + r = self.authenticate(email=e) + self.assertIn(self.get_message('CONFIRMATION_REQUIRED'), r.data) + + def test_send_confirmation_of_already_confirmed_account(self): + e = 'dude@lp.com' + + with capture_registrations() as registrations: + self.register(e) + token = registrations[0]['confirm_token'] + + self.client.get('/confirm/' + token, follow_redirects=True) + self.logout() + r = self.client.post('/confirm', data=dict(email=e)) + self.assertIn(self.get_message('ALREADY_CONFIRMED'), r.data) + + def test_register_sends_confirmation_email(self): + e = 'dude@lp.com' + with self.app.extensions['mail'].record_messages() as outbox: + self.register(e) + self.assertEqual(len(outbox), 1) + self.assertIn(e, outbox[0].html) + + def test_confirm_email(self): + e = 'dude@lp.com' + + with capture_registrations() as registrations: + self.register(e) + token = registrations[0]['confirm_token'] + + r = self.client.get('/confirm/' + token, follow_redirects=True) + + msg = self.app.config['SECURITY_MSG_EMAIL_CONFIRMED'][0] + self.assertIn(msg, r.data) + + def test_invalid_token_when_confirming_email(self): + r = self.client.get('/confirm/bogus', follow_redirects=True) + self.assertIn('Invalid confirmation token', r.data) + + def test_send_confirmation_json(self): + r = self._post('/confirm', data='{"email": "matt@lp.com"}', + content_type='application/json') + self.assertEquals(r.status_code, 200) + + def test_send_confirmation_with_invalid_email(self): + r = self._post('/confirm', data=dict(email='bogus@bogus.com')) + self.assertIn('Specified user does not exist', r.data) + + def test_resend_confirmation(self): + e = 'dude@lp.com' + self.register(e) + r = self._post('/confirm', data={'email': e}) + + msg = self.get_message('CONFIRMATION_REQUEST', email=e) + self.assertIn(msg, r.data) + + +class ExpiredConfirmationTest(SecurityTest): + AUTH_CONFIG = { + 'SECURITY_CONFIRMABLE': True, + 'SECURITY_REGISTERABLE': True, + 'SECURITY_CONFIRM_EMAIL_WITHIN': '1 milliseconds', + 'USER_COUNT': 1 + } + + def test_expired_confirmation_token_sends_email(self): + e = 'dude@lp.com' + + with capture_registrations() as registrations: + self.register(e) + token = registrations[0]['confirm_token'] + + time.sleep(1.25) + + with self.app.extensions['mail'].record_messages() as outbox: + r = self.client.get('/confirm/' + token, follow_redirects=True) + + self.assertEqual(len(outbox), 1) + self.assertNotIn(token, outbox[0].html) + + expire_text = self.AUTH_CONFIG['SECURITY_CONFIRM_EMAIL_WITHIN'] + msg = self.app.config['SECURITY_MSG_CONFIRMATION_EXPIRED'][0] + msg = msg % dict(within=expire_text, email=e) + self.assertIn(msg, r.data) + + +class LoginWithoutImmediateConfirmTests(SecurityTest): + AUTH_CONFIG = { + 'SECURITY_CONFIRMABLE': True, + 'SECURITY_REGISTERABLE': True, + 'SECURITY_LOGIN_WITHOUT_CONFIRMATION': True, + 'USER_COUNT': 1 + } + + def test_register_valid_user_automatically_signs_in(self): + e = 'dude@lp.com' + p = 'password' + data = dict(email=e, password=p, password_confirm=p) + r = self.client.post('/register', data=data, follow_redirects=True) + self.assertIn(e, r.data) + + +class RecoverableTests(SecurityTest): + + AUTH_CONFIG = { + 'SECURITY_RECOVERABLE': True, + 'SECURITY_RESET_PASSWORD_ERROR_VIEW': '/', + 'SECURITY_POST_FORGOT_VIEW': '/' + } + + def test_reset_view(self): + with capture_reset_password_requests() as requests: + r = self.client.post('/reset', + data=dict(email='joe@lp.com'), + follow_redirects=True) + t = requests[0]['token'] + r = self._get('/reset/' + t) + self.assertIn('Reset password
', r.data) + + def test_forgot_post_sends_email(self): + with capture_reset_password_requests(): + with self.app.extensions['mail'].record_messages() as outbox: + self.client.post('/reset', data=dict(email='joe@lp.com')) + self.assertEqual(len(outbox), 1) + + def test_forgot_password_json(self): + r = self.client.post('/reset', data='{"email": "matt@lp.com"}', + content_type="application/json") + self.assertEquals(r.status_code, 200) + + def test_forgot_password_invalid_email(self): + r = self.client.post('/reset', + data=dict(email='larry@lp.com'), + follow_redirects=True) + self.assertIn("Specified user does not exist", r.data) + + def test_reset_password_with_valid_token(self): + with capture_reset_password_requests() as requests: + r = self.client.post('/reset', + data=dict(email='joe@lp.com'), + follow_redirects=True) + t = requests[0]['token'] + + r = self._post('/reset/' + t, data={ + 'password': 'newpassword', + 'password_confirm': 'newpassword' + }, follow_redirects=True) + + r = self.logout() + r = self.authenticate('joe@lp.com', 'newpassword') + self.assertIn('Hello joe@lp.com', r.data) + + def test_reset_password_with_invalid_token(self): + r = self._post('/reset/bogus', data={ + 'password': 'newpassword', + 'password_confirm': 'newpassword' + }, follow_redirects=True) + + self.assertIn(self.get_message('INVALID_RESET_PASSWORD_TOKEN'), r.data) + + +class ExpiredResetPasswordTest(SecurityTest): + + AUTH_CONFIG = { + 'SECURITY_RECOVERABLE': True, + 'SECURITY_RESET_PASSWORD_WITHIN': '1 milliseconds' + } + + def test_reset_password_with_expired_token(self): + with capture_reset_password_requests() as requests: + r = self.client.post('/reset', + data=dict(email='joe@lp.com'), + follow_redirects=True) + t = requests[0]['token'] + + time.sleep(1) + + r = self.client.post('/reset/' + t, data={ + 'password': 'newpassword', + 'password_confirm': 'newpassword' + }, follow_redirects=True) + + self.assertIn('You did not reset your password within', r.data) + + +class TrackableTests(SecurityTest): + + AUTH_CONFIG = { + 'SECURITY_TRACKABLE': True, + 'USER_COUNT': 1 + } + + def test_did_track(self): + e = 'matt@lp.com' + self.authenticate(email=e) + self.logout() + self.authenticate(email=e) + + with self.app.test_request_context('/profile'): + user = self.app.security.datastore.find_user(email=e) + self.assertIsNotNone(user.last_login_at) + self.assertIsNotNone(user.current_login_at) + self.assertEquals('untrackable', user.last_login_ip) + self.assertEquals('untrackable', user.current_login_ip) + self.assertEquals(2, user.login_count) + + +class PasswordlessTests(SecurityTest): + + AUTH_CONFIG = { + 'SECURITY_PASSWORDLESS': True + } + + def test_login_request_for_inactive_user(self): + msg = self.app.config['SECURITY_MSG_DISABLED_ACCOUNT'][0] + r = self.client.post('/login', + data=dict(email='tiya@lp.com'), + follow_redirects=True) + self.assertIn(msg, r.data) + + def test_request_login_token_with_json_and_valid_email(self): + data = '{"email": "matt@lp.com", "password": "password"}' + r = self.client.post('/login', data=data, content_type='application/json') + self.assertEquals(r.status_code, 200) + self.assertNotIn('error', r.data) + + def test_request_login_token_with_json_and_invalid_email(self): + data = '{"email": "nobody@lp.com", "password": "password"}' + r = self.client.post('/login', data=data, content_type='application/json') + self.assertIn('errors', r.data) + + def test_request_login_token_sends_email_and_can_login(self): + e = 'matt@lp.com' + r, user, token = None, None, None + + with capture_passwordless_login_requests() as requests: + with self.app.extensions['mail'].record_messages() as outbox: + r = self.client.post('/login', + data=dict(email=e), + follow_redirects=True) + + self.assertEqual(len(outbox), 1) + + self.assertEquals(1, len(requests)) + self.assertIn('user', requests[0]) + self.assertIn('login_token', requests[0]) + + user = requests[0]['user'] + token = requests[0]['login_token'] + + msg = self.app.config['SECURITY_MSG_LOGIN_EMAIL_SENT'][0] + msg = msg % dict(email=user.email) + self.assertIn(msg, r.data) + + r = self.client.get('/login/' + token, follow_redirects=True) + msg = self.get_message('PASSWORDLESS_LOGIN_SUCCESSFUL') + self.assertIn(msg, r.data) + + r = self.client.get('/profile') + self.assertIn('Profile Page', r.data) + + def test_invalid_login_token(self): + msg = self.app.config['SECURITY_MSG_INVALID_LOGIN_TOKEN'][0] + r = self._get('/login/bogus', follow_redirects=True) + self.assertIn(msg, r.data) + + def test_token_login_when_already_authenticated(self): + with capture_passwordless_login_requests() as requests: + self.client.post('/login', + data=dict(email='matt@lp.com'), + follow_redirects=True) + token = requests[0]['login_token'] + + r = self.client.get('/login/' + token, follow_redirects=True) + msg = self.get_message('PASSWORDLESS_LOGIN_SUCCESSFUL') + self.assertIn(msg, r.data) + + r = self.client.get('/login/' + token, follow_redirects=True) + msg = self.get_message('PASSWORDLESS_LOGIN_SUCCESSFUL') + self.assertNotIn(msg, r.data) + + def test_send_login_with_invalid_email(self): + r = self._post('/login', data=dict(email='bogus@bogus.com')) + self.assertIn('Specified user does not exist', r.data) + + +class ExpiredLoginTokenTests(SecurityTest): + + AUTH_CONFIG = { + 'SECURITY_PASSWORDLESS': True, + 'SECURITY_LOGIN_WITHIN': '1 milliseconds', + 'USER_COUNT': 1 + } + + def test_expired_login_token_sends_email(self): + e = 'matt@lp.com' + + with capture_passwordless_login_requests() as requests: + self.client.post('/login', + data=dict(email=e), + follow_redirects=True) + token = requests[0]['login_token'] + + time.sleep(1.25) + + with self.app.extensions['mail'].record_messages() as outbox: + r = self.client.get('/login/' + token, follow_redirects=True) + + expire_text = self.AUTH_CONFIG['SECURITY_LOGIN_WITHIN'] + msg = self.app.config['SECURITY_MSG_LOGIN_EXPIRED'][0] + msg = msg % dict(within=expire_text, email=e) + self.assertIn(msg, r.data) + + self.assertEqual(len(outbox), 1) + self.assertIn(e, outbox[0].html) + self.assertNotIn(token, outbox[0].html) + + +class AsyncMailTaskTests(SecurityTest): + + AUTH_CONFIG = { + 'SECURITY_RECOVERABLE': True, + 'USER_COUNT': 1 + } + + def setUp(self): + super(AsyncMailTaskTests, self).setUp() + self.mail_sent = False + + def test_send_email_task_is_called(self): + @self.app.security.send_mail_task + def send_email(msg): + self.mail_sent = True + + self.client.post('/reset', data=dict(email='matt@lp.com')) + self.assertTrue(self.mail_sent) + + +class NoBlueprintTests(SecurityTest): + + AUTH_CONFIG = { + 'USER_COUNT': 1 + } + + def _create_app(self, auth_config): + return super(NoBlueprintTests, self)._create_app(auth_config, False) + + def test_login_endpoint_is_404(self): + r = self._get('/login') + self.assertEqual(404, r.status_code) + + def test_http_auth_without_blueprint(self): + auth = 'Basic ' + base64.b64encode("matt@lp.com:password") + r = self._get('/http', headers={'Authorization': auth}) + self.assertIn('HTTP Authentication', r.data) diff --git a/tests/functional_tests.py b/tests/functional_tests.py index 0451e7d..c9fd8da 100644 --- a/tests/functional_tests.py +++ b/tests/functional_tests.py @@ -1,138 +1,236 @@ -import unittest -from example import app +# -*- coding: utf-8 -*- + +from __future__ import with_statement + +import base64 +import simplejson as json +from cookielib import Cookie + +from werkzeug.utils import parse_cookie + +from tests import SecurityTest -class SecurityTest(unittest.TestCase): - - AUTH_CONFIG = None - - def setUp(self): - super(SecurityTest, self).setUp() - - self.app = self._create_app(self.AUTH_CONFIG or None) - self.app.debug = False - self.app.config['TESTING'] = True - - self.client = self.app.test_client() - - def _create_app(self, auth_config): - return app.create_sqlalchemy_app(auth_config) - - def _get(self, route, content_type=None, follow_redirects=None): - return self.client.get(route, follow_redirects=follow_redirects, - content_type=content_type or 'text/html') - - def _post(self, route, data=None, content_type=None, follow_redirects=True): - return self.client.post(route, data=data, - follow_redirects=follow_redirects, - content_type=content_type or 'text/html') - - def authenticate(self, username, password, endpoint=None): - data = dict(username=username, password=password) - return self._post(endpoint or '/auth', data=data, - content_type='application/x-www-form-urlencoded') - - def logout(self, endpoint=None): - return self._get(endpoint or '/logout', follow_redirects=True) +def get_cookies(rv): + cookies = {} + for value in rv.headers.get_all("Set-Cookie"): + cookies.update(parse_cookie(value)) + return cookies class DefaultSecurityTests(SecurityTest): + def test_instance(self): + self.assertIsNotNone(self.app) + self.assertIsNotNone(self.app.security) + self.assertIsNotNone(self.app.security.pwd_context) + def test_login_view(self): r = self._get('/login') - assert 'Login Page' in r.data + self.assertIn('Login
', r.data) def test_authenticate(self): - r = self.authenticate("matt", "password") - assert 'Home Page' in r.data + r = self.authenticate() + self.assertIn('Hello matt@lp.com', r.data) def test_unprovided_username(self): - r = self.authenticate("", "password") - assert "Username not provided" in r.data + r = self.authenticate("") + self.assertIn("Email not provided", r.data) def test_unprovided_password(self): - r = self.authenticate("matt", "") - assert "Password not provided" in r.data + r = self.authenticate(password="") + self.assertIn("Password not provided", r.data) def test_invalid_user(self): - r = self.authenticate("bogus", "password") - assert "Specified user does not exist" in r.data + r = self.authenticate(email="bogus@bogus.com") + self.assertIn("Specified user does not exist", r.data) def test_bad_password(self): - r = self.authenticate("matt", "bogus") - assert "Password does not match" in r.data + r = self.authenticate(password="bogus") + self.assertIn("Invalid password", r.data) def test_inactive_user(self): - r = self.authenticate("tiya", "password") - assert "Inactive user" in r.data + r = self.authenticate("tiya@lp.com", "password") + self.assertIn("Account is disabled", r.data) def test_logout(self): - self.authenticate("matt", "password") + self.authenticate() r = self.logout() - assert 'Home Page' in r.data + self.assertIsHomePage(r.data) def test_unauthorized_access(self): r = self._get('/profile', follow_redirects=True) - assert 'Please log in to access this page' in r.data + self.assertIn('Please log in to access this page', r.data) def test_authorized_access(self): - self.authenticate("matt", "password") + self.authenticate() r = self._get("/profile") - assert 'profile' in r.data + self.assertIn('profile', r.data) def test_valid_admin_role(self): - self.authenticate("matt", "password") + self.authenticate() r = self._get("/admin") - assert 'Admin Page' in r.data + self.assertIn('Admin Page', r.data) def test_invalid_admin_role(self): - self.authenticate("joe", "password") + self.authenticate("joe@lp.com") r = self._get("/admin", follow_redirects=True) - assert 'Home Page' in r.data + self.assertIsHomePage(r.data) def test_roles_accepted(self): - for user in ("matt", "joe"): - self.authenticate(user, "password") + for user in ("matt@lp.com", "joe@lp.com"): + self.authenticate(user) r = self._get("/admin_or_editor") self.assertIn('Admin or Editor Page', r.data) self.logout() - self.authenticate("jill", "password") + self.authenticate("jill@lp.com") r = self._get("/admin_or_editor", follow_redirects=True) - self.assertIn('Home Page', r.data) + self.assertIsHomePage(r.data) def test_unauthenticated_role_required(self): r = self._get('/admin', follow_redirects=True) - self.assertIn('Unauthorized', r.data) + self.assertIn('WWW-Authenticate', r.headers) + self.assertEquals('Basic realm="Login Required"', + r.headers['WWW-Authenticate']) + + def test_invalid_http_auth_bad_password(self): + r = self._get('/http', headers={ + 'Authorization': 'Basic ' + base64.b64encode("joe@lp.com:bogus") + }) + self.assertIn('Unauthorized
', r.data) + self.assertIn('WWW-Authenticate', r.headers) + self.assertEquals('Basic realm="Login Required"', + r.headers['WWW-Authenticate']) + + def test_custom_http_auth_realm(self): + r = self._get('/http_custom_realm', headers={ + 'Authorization': 'Basic ' + base64.b64encode("joe@lp.com:bogus") + }) + self.assertIn('Unauthorized
', r.data) + self.assertIn('WWW-Authenticate', r.headers) + self.assertEquals('Basic realm="My Realm"', + r.headers['WWW-Authenticate']) + + def test_user_deleted_during_session_reverts_to_anonymous_user(self): + self.authenticate() + + with self.app.test_request_context('/'): + user = self.app.security.datastore.find_user(email='matt@lp.com') + self.app.security.datastore.delete_user(user) + self.app.security.datastore.commit() + + r = self._get('/') + self.assertNotIn('Hello matt@lp.com', r.data) + + def test_remember_token(self): + r = self.authenticate(follow_redirects=False) + self.client.cookie_jar.clear_session_cookies() + r = self._get('/profile') + self.assertIn('profile', r.data) + + def test_token_loader_does_not_fail_with_invalid_token(self): + c = Cookie(version=0, name='remember_token', value='None', port=None, + port_specified=False, domain='www.example.com', + domain_specified=False, domain_initial_dot=False, path='/', + path_specified=True, secure=False, expires=None, + discard=True, comment=None, comment_url=None, + rest={'HttpOnly': None}, rfc2109=False) + + self.client.cookie_jar.set_cookie(c) + r = self._get('/') + self.assertNotIn('BadSignature', r.data) class MongoEngineSecurityTests(DefaultSecurityTests): def _create_app(self, auth_config): - return app.create_mongoengine_app(auth_config) + from tests.test_app.mongoengine import create_app + return create_app(auth_config) + + +class DefaultDatastoreTests(SecurityTest): + + def test_add_role_to_user(self): + r = self._get('/coverage/add_role_to_user') + self.assertIn('success', r.data) + + def test_remove_role_from_user(self): + r = self._get('/coverage/remove_role_from_user') + self.assertIn('success', r.data) + + def test_activate_user(self): + r = self._get('/coverage/activate_user') + self.assertIn('success', r.data) + + def test_deactivate_user(self): + r = self._get('/coverage/deactivate_user') + self.assertIn('success', r.data) + + def test_invalid_role(self): + r = self._get('/coverage/invalid_role') + self.assertIn('success', r.data) + + +class MongoEngineDatastoreTests(DefaultDatastoreTests): + + def _create_app(self, auth_config): + from tests.test_app.mongoengine import create_app + return create_app(auth_config) diff --git a/tests/test_app/__init__.py b/tests/test_app/__init__.py new file mode 100644 index 0000000..5cad502 --- /dev/null +++ b/tests/test_app/__init__.py @@ -0,0 +1,165 @@ +# -*- coding: utf-8 -*- + +from flask import Flask, render_template, current_app +from flask.ext.mail import Mail +from flask.ext.security import login_required, roles_required, roles_accepted +from flask.ext.security.decorators import http_auth_required, \ + auth_token_required +from flask.ext.security.utils import encrypt_password +from werkzeug.local import LocalProxy + +ds = LocalProxy(lambda: current_app.extensions['security'].datastore) + +def create_app(config): + app = Flask(__name__) + app.debug = True + app.config['SECRET_KEY'] = 'secret' + + for key, value in config.items(): + app.config[key] = value + + mail = Mail(app) + app.extensions['mail'] = mail + + @app.route('/') + def index(): + return render_template('index.html', content='Home Page') + + @app.route('/profile') + @login_required + def profile(): + return render_template('index.html', content='Profile Page') + + @app.route('/post_login') + @login_required + def post_login(): + return render_template('index.html', content='Post Login') + + @app.route('/http') + @http_auth_required + def http(): + return 'HTTP Authentication' + + @app.route('/http_custom_realm') + @http_auth_required('My Realm') + def http_custom_realm(): + return render_template('index.html', content='HTTP Authentication') + + @app.route('/token') + @auth_token_required + def token(): + return render_template('index.html', content='Token Authentication') + + @app.route('/post_logout') + def post_logout(): + return render_template('index.html', content='Post Logout') + + @app.route('/post_register') + def post_register(): + return render_template('index.html', content='Post Register') + + @app.route('/admin') + @roles_required('admin') + def admin(): + return render_template('index.html', content='Admin Page') + + @app.route('/admin_and_editor') + @roles_required('admin', 'editor') + def admin_and_editor(): + return render_template('index.html', content='Admin and Editor Page') + + @app.route('/admin_or_editor') + @roles_accepted('admin', 'editor') + def admin_or_editor(): + return render_template('index.html', content='Admin or Editor Page') + + @app.route('/unauthorized') + def unauthorized(): + return render_template('unauthorized.html') + + @app.route('/coverage/add_role_to_user') + def add_role_to_user(): + u = ds.find_user(email='joe@lp.com') + r = ds.find_role('admin') + ds.add_role_to_user(u, r) + return 'success' + + @app.route('/coverage/remove_role_from_user') + def remove_role_from_user(): + u = ds.find_user(email='matt@lp.com') + ds.remove_role_from_user(u, 'admin') + return 'success' + + @app.route('/coverage/deactivate_user') + def deactivate_user(): + u = ds.find_user(email='matt@lp.com') + ds.deactivate_user(u) + return 'success' + + @app.route('/coverage/activate_user') + def activate_user(): + u = ds.find_user(email='tiya@lp.com') + ds.activate_user(u) + return 'success' + + @app.route('/coverage/invalid_role') + def invalid_role(): + return 'success' if ds.find_role('bogus') is None else 'failure' + + return app + +def create_roles(): + for role in ('admin', 'editor', 'author'): + ds.create_role(name=role) + ds.commit() + +def create_users(count=None): + users = [('matt@lp.com', 'password', ['admin'], True), + ('joe@lp.com', 'password', ['editor'], True), + ('dave@lp.com', 'password', ['admin', 'editor'], True), + ('jill@lp.com', 'password', ['author'], True), + ('tiya@lp.com', 'password', [], False)] + count = count or len(users) + + for u in users[:count]: + pw = encrypt_password(u[1]) + ds.create_user(email=u[0], password=pw, + roles=u[2], active=u[3]) + ds.commit() + +def populate_data(user_count=None): + create_roles() + create_users(user_count) + +def add_context_processors(s): + @s.context_processor + def for_all(): + return dict() + + @s.forgot_password_context_processor + def forgot_password(): + return dict() + + @s.login_context_processor + def login(): + return dict() + + @s.register_context_processor + def register(): + return dict() + + @s.reset_password_context_processor + def reset_password(): + return dict() + + @s.send_confirmation_context_processor + def send_confirmation(): + return dict() + + @s.send_login_context_processor + def send_login(): + return dict() + + @s.mail_context_processor + def mail(): + return dict() diff --git a/tests/test_app/mongoengine.py b/tests/test_app/mongoengine.py new file mode 100644 index 0000000..52377f2 --- /dev/null +++ b/tests/test_app/mongoengine.py @@ -0,0 +1,56 @@ +# -*- coding: utf-8 -*- + +import sys +import os + +sys.path.pop(0) +sys.path.insert(0, os.getcwd()) + +from flask.ext.mongoengine import MongoEngine +from flask.ext.security import Security, UserMixin, RoleMixin, \ + MongoEngineUserDatastore + +from tests.test_app import create_app as create_base_app, populate_data, \ + add_context_processors + +def create_app(config): + app = create_base_app(config) + + app.config['MONGODB_SETTINGS'] = dict( + db='flask_security_test', + host='localhost', + port=27017 + ) + + db = MongoEngine(app) + + class Role(db.Document, RoleMixin): + name = db.StringField(required=True, unique=True, max_length=80) + description = db.StringField(max_length=255) + + class User(db.Document, UserMixin): + email = db.StringField(unique=True, max_length=255) + password = db.StringField(required=True, max_length=255) + last_login_at = db.DateTimeField() + current_login_at = db.DateTimeField() + last_login_ip = db.StringField(max_length=100) + current_login_ip = db.StringField(max_length=100) + login_count = db.IntField() + active = db.BooleanField(default=True) + confirmed_at = db.DateTimeField() + roles = db.ListField(db.ReferenceField(Role), default=[]) + + @app.before_first_request + def before_first_request(): + User.drop_collection() + Role.drop_collection() + populate_data(app.config.get('USER_COUNT', None)) + + app.security = Security(app, MongoEngineUserDatastore(db, User, Role)) + + add_context_processors(app.security) + + return app + +if __name__ == '__main__': + create_app({}).run() diff --git a/tests/test_app/sqlalchemy.py b/tests/test_app/sqlalchemy.py new file mode 100644 index 0000000..0cf2e9c --- /dev/null +++ b/tests/test_app/sqlalchemy.py @@ -0,0 +1,61 @@ +# -*- coding: utf-8 -*- + +import sys +import os + +sys.path.pop(0) +sys.path.insert(0, os.getcwd()) + + +from flask.ext.sqlalchemy import SQLAlchemy +from flask.ext.security import Security, UserMixin, RoleMixin, \ + SQLAlchemyUserDatastore + +from tests.test_app import create_app as create_base_app, populate_data, \ + add_context_processors + +def create_app(config, register_blueprint=True): + app = create_base_app(config) + + app.config['SQLALCHEMY_DATABASE_URI'] = 'mysql://root@localhost/flask_security_test' + + db = SQLAlchemy(app) + + roles_users = db.Table('roles_users', + db.Column('user_id', db.Integer(), db.ForeignKey('user.id')), + db.Column('role_id', db.Integer(), db.ForeignKey('role.id'))) + + class Role(db.Model, RoleMixin): + id = db.Column(db.Integer(), primary_key=True) + name = db.Column(db.String(80), unique=True) + description = db.Column(db.String(255)) + + class User(db.Model, UserMixin): + id = db.Column(db.Integer, primary_key=True) + email = db.Column(db.String(255), unique=True) + password = db.Column(db.String(255)) + last_login_at = db.Column(db.DateTime()) + current_login_at = db.Column(db.DateTime()) + last_login_ip = db.Column(db.String(100)) + current_login_ip = db.Column(db.String(100)) + login_count = db.Column(db.Integer) + active = db.Column(db.Boolean()) + confirmed_at = db.Column(db.DateTime()) + roles = db.relationship('Role', secondary=roles_users, + backref=db.backref('users', lazy='dynamic')) + + @app.before_first_request + def before_first_request(): + db.drop_all() + db.create_all() + populate_data(app.config.get('USER_COUNT', None)) + + app.security = Security(app, SQLAlchemyUserDatastore(db, User, Role), + register_blueprint=register_blueprint) + + add_context_processors(app.security) + + return app + +if __name__ == '__main__': + create_app({}).run() diff --git a/example/templates/_messages.html b/tests/test_app/templates/_messages.html similarity index 100% rename from example/templates/_messages.html rename to tests/test_app/templates/_messages.html diff --git a/example/templates/_nav.html b/tests/test_app/templates/_nav.html similarity index 83% rename from example/templates/_nav.html rename to tests/test_app/templates/_nav.html index 9e07a4e..4c71709 100644 --- a/example/templates/_nav.html +++ b/tests/test_app/templates/_nav.html @@ -12,9 +12,9 @@ {% endif -%}Register
+ +{{ content }}
diff --git a/tests/test_app/templates/unauthorized.html b/tests/test_app/templates/unauthorized.html new file mode 100644 index 0000000..10e9c2b --- /dev/null +++ b/tests/test_app/templates/unauthorized.html @@ -0,0 +1,3 @@ +{% include "_messages.html" %} +{% include "_nav.html" %} +