Canonical SSO provider

Merge lp:~canonical-isd-hackers/canonical-identity-provider/sso-preflight into lp:canonical-identity-provider/release

sso-preflight
Merge into trunk

Proposed by David Owen on 2011-03-04

Status:

Merged

Approved by:

David Owen on 2011-03-07

Approved revision:

no longer in the source branch.

Merged at revision:

135

Proposed branch:

lp:~canonical-isd-hackers/canonical-identity-provider/sso-preflight

Merge into:

lp:canonical-identity-provider/release

Diff against target:

239 lines (+83/-56)

8 files modified

debian/control (+2/-0)
identityprovider/auth.py (+9/-0)
identityprovider/decorators.py (+15/-0)
identityprovider/preflight.py (+42/-0)
identityprovider/tests/test_views_preflight.py (+12/-11)
identityprovider/urls.py (+0/-4)
identityprovider/views/versions.py (+0/-39)
setup.py (+3/-2)

To merge this branch:

bzr merge lp:~canonical-isd-hackers/canonical-identity-provider/sso-preflight

Related bugs:

Bug #720690: Add django-preflight

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Ricardo Kirkner (community)		Approve on 2011-03-07
Łukasz Czyżykowski	2011-03-04	Pending
Review via email: mp+52230@code.launchpad.net

Commit message

Added preflight, removed old +versions page

Description of the change

Be sure to grab the config changes at https://code.launchpad.net/~canonical-isd-hackers/isd-configs/sso-preflight/+merge/52261

Brings Łukasz's django-preflight into SSO. Part of preflight includes a version check, which completely supersedes SSO's previous /+versions page.

I've added only one preflight check (DB connectivity). I have filed bugs for logging and OOPS checks, which will not be trivial.

Revision history for this message

David Owen (dsowen) wrote on 2011-03-04:

I rebased to pull in the new bootstrap changes, but I haven't been able to produce an environment that works since.

Revision history for this message

Ricardo Kirkner (ricardokirkner) wrote on 2011-03-07:

Fine work. Please just remove the commented code.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Canonical ISD hackers

Corey Russell SR

Damian

Danny Tamez

Diane Montana

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

 === modified file 'debian/control'
 --- debian/control	2011-01-21 23:23:08 +0000
 +++ debian/control	2011-03-07 23:24:09 +0000
@@ -18,6 +18,8 @@
   canonical-isd-web-dependencies (>= 1.0.18),
   memcached,
   python-django-oauth-backend (= 0.1.dev1),
++ python-django-preflight (>= 0.1),
++ python-django-preflight (<< 0.2),
   python-django-settings (>= 0.2),
   python-memcache,
   python-lazr.restful (>= 0.9.18),
 === modified file 'identityprovider/auth.py'
 --- identityprovider/auth.py	2011-01-10 15:02:53 +0000
 +++ identityprovider/auth.py	2011-03-07 23:24:09 +0000
@@ -3,6 +3,7 @@
  from datetime import datetime
++from django.conf import settings
  from oauth_backend.models import Consumer, Token
  from identityprovider.models import Account, AccountPassword, EmailAddress
@@ -84,3 +85,11 @@
              return account
          else:
              return None
++
++
++def internal_authorize(user):
++    if user.is_authenticated() and user.person is not None:
++        for team in getattr(settings, 'SSO_VERSIONS_TEAMS', []):
++            if user.person.in_team(team):
++                return True
++    return False
 === modified file 'identityprovider/decorators.py'
 --- identityprovider/decorators.py	2010-08-23 15:54:23 +0000
 +++ identityprovider/decorators.py	2011-03-07 23:24:09 +0000
@@ -14,6 +14,8 @@
  import functools
  from hashlib import sha1
++from identityprovider import auth
++
  def guest_required(func):
      def _guest_required_decorator(request, *args, **kwargs):
@@ -195,3 +197,16 @@
+             }
          args.update(options)
          super(limitlogin, self).__init__(**args)
++
++
++def internal_only(view):
++    """
++    Restricts access to internal team members only, and masks the
++    existence of the view from others.
++    """
++    @functools.wraps(view)
++    def wrapper(request, *args, **kwargs):
++        if auth.internal_authorize(request.user):
++            return view(request, *args, **kwargs)
++        raise Http404
++    return wrapper
 === added file 'identityprovider/preflight.py'
 --- identityprovider/preflight.py	1970-01-01 00:00:00 +0000
 +++ identityprovider/preflight.py	2011-03-07 23:24:09 +0000
@@ -0,0 +1,42 @@
++from __future__ import absolute_import
++
++import preflight
++
++from .auth import internal_authorize
++
++
++# Remember that the preflight may be run from the command-line or
++# queried from a web-browser.  Some tests may always pass in one
++# environment (e.g. if you can even *hit* the preflight page in a
++# browser, you already know the DB is up), and that's okay.
++#
++# Make sure that each test at least works in both environment: a test
++# shouldn't fail in either environment unless there's really a
++# problem.
++
++@preflight.register
++class SSOPreflight(preflight.Preflight):
++
++    def authenticate(self, request):
++        return internal_authorize(request.user)
++
++    def versions(self):
++        import lazr
++        import openid
++        import identityprovider
++        return [
++            {'name': 'SSO', 'version': identityprovider.__version__},
++            {'name': 'lazr.restful', 'version': lazr.restful.__version__},
++            {'name': 'openid', 'version': openid.__version__},
++        ]
++
++
++    def check_database(self):
++        'Are database connections accepted?'
++        from django import db
++
++        cursor = db.connection.cursor()
++        cursor.execute('SELECT 42')
++        cursor.fetchone()
++
++        return True
 === renamed file 'identityprovider/tests/test_views_versions.py' => 'identityprovider/tests/test_views_preflight.py'
 --- identityprovider/tests/test_views_versions.py	2010-06-18 15:36:18 +0000
 +++ identityprovider/tests/test_views_preflight.py	2011-03-07 23:24:09 +0000
@@ -1,33 +1,34 @@
++from django.conf import settings
++
++from identityprovider.models.account import Account
  from identityprovider.tests.utils import BasicAccountTestCase
--from identityprovider.models.account import Account
--from django.conf import settings
--
--
--
--class VersionsViewAccessTestCase(BasicAccountTestCase):
++
++
++class PreflightViewAccessTestCase(BasicAccountTestCase):
      fixtures = ["test"]
++    URL = '/preflight/'
      def test_non_authenticated_users_are_getting_404(self):
--        r = self.client.get('/+versions')
++        r = self.client.get(self.URL)
          self.assertEquals(r.status_code, 404)
      def test_account_withtout_person_receives_404(self):
          account = Account.objects.create_account(
              "test", "abcd@example.com", "test")
          self.client.login(username="abcd@example.com", password="test")
--        r = self.client.get('/+versions')
++        r = self.client.get(self.URL)
          self.assertEquals(r.status_code, 404)
          account.delete()
      def test_person_not_in_the_required_team_will_get_404(self):
          self.client.login(username="test@canonical.com", password="test")
--        r = self.client.get('/+versions')
++        r = self.client.get(self.URL)
          self.assertEquals(r.status_code, 404)
      def test_person_in_ubuntu_team_can_access_the_page(self):
          settings.SSO_VERSIONS_TEAMS = ["ubuntu-team"]
          self.client.login(username="member@canonical.com", password="test")
--        r = self.client.get('/+versions')
--        self.assertTemplateUsed(r, "versions.html")
++        r = self.client.get(self.URL)
++        self.assertTemplateUsed(r, "preflight/overview.html")
 === modified file 'identityprovider/urls.py'
 --- identityprovider/urls.py	2010-10-21 21:39:03 +0000
 +++ identityprovider/urls.py	2011-03-07 23:24:09 +0000
@@ -82,10 +82,6 @@
          (r'^set_language$', 'set_language'),
+ )
--urlpatterns += patterns('identityprovider.views.versions',
--    (r'\+versions','versions'),
--)
--
  urlpatterns += patterns('identityprovider.views.readonly',
      (r'^readonly$', 'readonly_admin'),
      (r'^readonly/((?P<appserver>[A-Za-z0-9\-_.:]+)/)?(?P<action>enable|disable|set|clear)(/(?P<conn>[A-Za-z0-9\-_.]+))?',
 === removed file 'identityprovider/views/versions.py'
 --- identityprovider/views/versions.py	2010-06-21 08:09:20 +0000
 +++ identityprovider/views/versions.py	1970-01-01 00:00:00 +0000
@@ -1,39 +0,0 @@
--# Copyright 2010 Canonical Ltd.  This software is licensed under the
--# GNU Affero General Public License version 3 (see the file LICENSE).
--
--from django.template import RequestContext
--from django.shortcuts import render_to_response
--from django.http import Http404
--from django.conf import settings
--
--
--def gather_version_information():
--    import identityprovider
--    import lazr.restful
--    import django
--    import openid
--    import sys
--
--    return [
--        {'name': 'SSO', 'version': identityprovider.__version__},
--        {'name': 'Django', 'version': django.get_version()},
--        {'name': 'lazr.restful', 'version': lazr.restful.__version__},
--        {'name': 'openid', 'version': openid.__version__},
--        {'name': 'Python', 'version': sys.version},
--    ]
--
--
--def versions(request):
--    # 404 to not reveal this to automatic scripts
--    if not request.user.is_authenticated() or request.user.person is None:
--        raise Http404
--
--    for team in getattr(settings, 'SSO_VERSIONS_TEAMS', []):
--        if request.user.person.in_team(team):
--            break
--    else:
--        raise Http404
--
--    versions = gather_version_information()
--    return render_to_response("versions.html",
--                              RequestContext(request, {'versions': versions}))
 === modified file 'setup.py'
 --- setup.py	2011-03-03 03:12:06 +0000
 +++ setup.py	2011-03-07 23:24:09 +0000
@@ -77,9 +77,10 @@
          'South==0.6',
          'configglue==0.9pre1',
          'django-configglue==0.3',
++        # need to install it via requirements.txt until a release is made:
++        #'django-oauth-backend',
          'django-openid-auth==0.2',
--        # need to install it via requirements.txt until a release is made
--        #'django-oauth-backend',
++        'django-preflight==0.1',
          'lazr.authentication==0.1.2',
          'lazr.restful==0.9.19',
  # PyPi calls upstream's 1.0a "1.0.1" maybe because it doesn't