Canonical SSO provider

Merge lp:~michael.nelson/canonical-identity-provider/demo-test into lp:canonical-identity-provider/release

demo-test
Merge into trunk

Proposed by Michael Nelson on 2016-06-02

Status:	Rejected
Rejected by:	Daniel Manrique on 2018-09-11
Proposed branch:	lp:~michael.nelson/canonical-identity-provider/demo-test
Merge into:	lp:canonical-identity-provider/release
Diff against target:	300 lines (+230/-3) 4 files modified src/webui/forms.py (+72/-0) src/webui/templates/account/ssh_keys.html (+23/-2) src/webui/tests/test_forms.py (+113/-0) src/webui/views/account.py (+22/-1)
To merge this branch:	bzr merge lp:~michael.nelson/canonical-identity-provider/demo-test
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu One hackers		2016-06-02	Pending
Review via email: mp+296275@code.launchpad.net

Unmerged revisions

1476. By Michael Nelson on 2016-06-02: Demo test
1475. By Michael Nelson on 2016-06-01: Thomi's changes.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Corey Russell SR

Damian

Danny Tamez

Diane Montana

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Michael Nelson

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

Canonical SSO provider

Merge lp:~michael.nelson/canonical-identity-provider/demo-test into lp:canonical-identity-provider/release

Commit message

Description of the change

Unmerged revisions

Preview Diff

Subscribers

 === modified file 'src/webui/forms.py'
 --- src/webui/forms.py	2016-05-30 21:15:35 +0000
 +++ src/webui/forms.py	2016-06-02 01:29:45 +0000
@@ -2,6 +2,8 @@
  # the GNU Affero General Public License version 3 (see the file LICENSE).
  from django import forms
++from django.utils.html import escape
++from django.utils.safestring import mark_safe
  from django.utils.translation import ugettext_lazy as _
  from gpgservice_client import (
      GPGServiceException,
@@ -13,6 +15,8 @@
  from webservices.launchpad import (
      LaunchpadAPIError,
      add_lp_ssh_key,
++    delete_lp_ssh_key,
++    get_lp_ssh_keys,
+ )
  from webui.gpg import (
      SSOGPGClient,
@@ -252,3 +256,71 @@
      def add_key_to_launchpad(self):
          keytext = self.cleaned_data['ssh_key']
          add_lp_ssh_key(self.account.openid_identifier, keytext, dry_run=False)
++
++
++def format_ssh_key(ssh_key):
++    """Decide how to display 'ssh_key'.
++
++    SSH keys are freeform text, so users absolutely *will* try and add keys
++    that contain javascript, so we need to make sure they're escaped when
++    being displayed to the user.
++    """
++    try:
++        key_type, key_text, comment = ssh_key.split(' ', 2)
++    except ValueError:
++        # This should never happen, as launchpad is supposed to guarantee a
++        # valid ssh key format. However, we need to exercise this code path
++        # in tests to ensure that users malicously POST'ing bad key formats
++        # will get a ValidationError.
++        # Just return the escaped data - this will never be run in production:
++        return mark_safe_lazy(
++            '<label>Bad Key Data: <span>{key}</span></label>').format(
++                key=escape(ssh_key))
++    else:
++        #return mark_safe_lazy(
++        # format_html isn't being used here because it's not lazy?
++        return mark_safe(
++            '<label>{key_type_label}<span>{key_type}</span></label> '
++            '<label>{key_text_label}<span>{key_text}</span></label> '
++            '<label>{comment_label}<span>{comment}</span></label> '.format(
++                key_type_label=_("Key Type: "),
++                key_type=escape(key_type),
++                key_text_label=_("Key Text: "),
++                key_text=escape(key_text),
++                comment_label=_("Comment: "),
++                comment=escape(comment)
++            ))
++
++
++from django.forms.widgets import CheckboxChoiceInput
++
++class SSHChoiceInput(CheckboxChoiceInput):
++
++    def __init__(self, *args, **kwargs):
++        super(SSHChoiceInput, self).__init__(*args, **kwargs)
++        self.choice_label = format_ssh_key(self.choice_label)
++
++
++class SSHFieldRenderer(forms.widgets.CheckboxFieldRenderer):
++
++    choice_input_class = SSHChoiceInput
++
++
++class DeleteSSHKeyForm(forms.Form):
++
++    ssh_keys = forms.MultipleChoiceField(
++        required=True,
++        widget=forms.CheckboxSelectMultiple(renderer=SSHFieldRenderer),
++    )
++
++    def __init__(self, account, *args, **kwargs):
++        super(DeleteSSHKeyForm, self).__init__(*args, **kwargs)
++        self.account = account
++        keys = get_lp_ssh_keys(self.account.openid_identifier)
++        choices = [(key, key) for key in keys]
++        self.fields['ssh_keys'].choices = choices
++
++    def delete_keys_from_launchpad(self):
++        for key in self.cleaned_data['ssh_keys']:
++            delete_lp_ssh_key(self.account.openid_identifier, key,
++                              dry_run=False)
 === modified file 'src/webui/templates/account/ssh_keys.html'
 --- src/webui/templates/account/ssh_keys.html	2016-05-26 00:06:10 +0000
 +++ src/webui/templates/account/ssh_keys.html	2016-06-02 01:29:45 +0000
@@ -8,9 +8,30 @@
  {% block title %}{% trans "SSH Keys" %}{% endblock %}
  {% block text_title %}
--  <h1 class="u1-h-main">{% trans "SSH Keys" %}</h1>
++  <h1 class="u1-h-main">{% trans "Change your SSH keys" %}</h1>
  {% endblock %}
  {% block content %}
--<p>Coming soon!</p>
++{% if delete_key_form.fields.ssh_keys.choices %}
++  <b>Delete SSH Keys:</b>
++  <form action="" method="POST">
++    {% csrf_token %}
++    {{ delete_key_form.non_field_errors }}
++    {{ delete_key_form.fields.ssh_keys.errors }}
++    <ul>
++      {% for key_choice_id, key_choice_label in delete_key_form.fields.ssh_keys.choices %}
++      <li>{{key_choice_id}}</li>
++      {% endfor %}
++    </ul>
++    {{ delete_key_form }}
++    <input class="cta" type="submit" name="delete_key" value="{% trans "Delete Selected Keys" %}"/>
++  </form>
++{% endif %}
++
++<b>Import new SSH key</b>
++<form action="" method="POST">
++  {% csrf_token %}
++  {{ import_key_form }}
++  <input class="cta" type="submit" name="import_key" value="{% trans "Import SSH key" %}"/>
++</form>
  {% endblock %}
 === modified file 'src/webui/tests/test_forms.py'
 --- src/webui/tests/test_forms.py	2016-05-30 21:15:35 +0000
 +++ src/webui/tests/test_forms.py	2016-06-02 01:29:45 +0000
@@ -20,10 +20,12 @@
  from webui.forms import (
      ClaimOpenPGPKeyForm,
      ClaimSSHKeyForm,
++    DeleteSSHKeyForm,
      DisabledGPGKeysForm,
      EnabledGPGKeysForm,
      PendingGPGValidationTokenForm,
      VerifySignedTextForm,
++    format_ssh_key,
+ )
  from webui.tests.gpg_fixture import SSOGPGServiceFixture
  from webui.views import gpg_messages
@@ -672,3 +674,114 @@
              account.openid_identifier,
              'ssh-rsa foo bar',
              dry_run=False)
++
++
++class FormatSSHKeyTestCase(SSOBaseTestCase):
++
++    def test_escapes_xss(self):
++        bad_content = '<script>window.alert("boo!");</script>'
++        bad_key = ' '.join((bad_content,) * 3)
++        formatted_key = format_ssh_key(bad_key)
++        self.assertNotIn(bad_content, formatted_key)
++        self.assertIn(
++            '&lt;script&gt;window.alert(&quot;boo!&quot;);&lt;/script&gt;',
++            formatted_key
++        )
++
++
++class DeleteSSHKeyFormTestCase(SSOBaseTestCase):
++
++    SAMPLE_RSA_KEY = 'ssh-rsa keytext_goes_here comment goes here'
++    SAMPLE_DSA_KEY = 'ssh-dss more_keytext_here this is a comment'
++
++    def setUp(self):
++        super(DeleteSSHKeyFormTestCase, self).setUp()
++        self.account = self.factory.make_account()
++
++    def patch_lp_delete_key(self, raise_exception=None):
++        """Patch the 'delete_lp_ssh_key', creating realistic side effects.
++
++        :param raise_exception: If specified, must be one of NoSuchAccount,
++            SSHKeyAdditionTypeError or SSHKeyAdditionDataError Exceptions will
++            be raised with the same message as if they'd been returned from
++            launchpad.
++        """
++        exception_messages = {
++            NoSuchAccount: "No account found for openid identifier '{openid}'",
++            SSHKeyAdditionTypeError: "Invalid SSH key type: '{sshkeytype}'",
++            SSHKeyAdditionDataError: "Invalid SSH key data: '{sshkey}'",
++        }
++
++        def _side_effect(openid_id, key_text, dry_run):
++            key_type = key_text.split(' ')[0]
++            message = exception_messages[raise_exception].format(
++                openid=openid_id,
++                sshkeytype=key_type,
++                sshkey=key_text,
++            )
++            raise raise_exception(400, message)
++
++        mock = self.patch('webui.forms.delete_lp_ssh_key')
++        if raise_exception is not None:
++            mock.side_effect = _side_effect
++        return mock
++
++    def patch_get_keys(self, returned_keys=[]):
++        mock = self.patch('webui.forms.get_lp_ssh_keys')
++        mock.return_value = returned_keys
++        return mock
++
++    def assert_form_field_has_error(self, form, field, expected_error):
++        self.assertIn(field, form.errors)
++        self.assertEqual([expected_error], form.errors[field])
++
++    def test_form_widget_with_labels(self):
++        self.patch_get_keys([self.SAMPLE_RSA_KEY, self.SAMPLE_DSA_KEY])
++        form = DeleteSSHKeyForm(self.account)
++
++
++        html = form.as_ul()
++
++        self.assertIn('<label>Key Type', html)
++
++    def test_form_passes_account_id_to_get_lp_keys(self):
++        mock_get_keys = self.patch_get_keys()
++        DeleteSSHKeyForm(self.account)
++
++        mock_get_keys.assert_called_once_with(self.account.openid_identifier)
++
++    def test_form_with_no_keys(self):
++        self.patch_get_keys()
++        form = DeleteSSHKeyForm(self.account)
++
++        self.assertEqual(0, len(form.fields['ssh_keys'].choices))
++
++    def test_form_multiple_keys(self):
++        self.patch_get_keys([self.SAMPLE_RSA_KEY, self.SAMPLE_DSA_KEY])
++        form = DeleteSSHKeyForm(self.account)
++
++        self.assertEqual(2, len(form.fields['ssh_keys'].choices))
++        rsa_choice, dsa_choice = form.fields['ssh_keys'].choices
++        self.assertEqual(
++            (self.SAMPLE_RSA_KEY, format_ssh_key(self.SAMPLE_RSA_KEY)),
++            rsa_choice,
++        )
++        self.assertEqual(
++            (self.SAMPLE_DSA_KEY, format_ssh_key(self.SAMPLE_DSA_KEY)),
++            dsa_choice,
++        )
++
++    def test_form_deletes_ssh_key(self):
++        self.patch_get_keys([self.SAMPLE_RSA_KEY])
++        form = DeleteSSHKeyForm(
++            self.account, {'ssh_keys': [self.SAMPLE_RSA_KEY]})
++
++        mock_lp_delete = self.patch_lp_delete_key()
++        self.assertTrue(form.is_valid())
++        mock_lp_delete.reset_mock()
++        form.delete_keys_from_launchpad()
++
++        mock_lp_delete.assert_called_once_with(
++            self.account.openid_identifier,
++            self.SAMPLE_RSA_KEY,
++            dry_run=False)
 === modified file 'src/webui/views/account.py'
 --- src/webui/views/account.py	2016-05-26 00:06:10 +0000
 +++ src/webui/views/account.py	2016-06-02 01:29:45 +0000
@@ -64,6 +64,8 @@
  from webui.decorators import check_readonly, sso_login_required
  from webui.forms import (
      ClaimOpenPGPKeyForm,
++    ClaimSSHKeyForm,
++    DeleteSSHKeyForm,
      DisabledGPGKeysForm,
      EnabledGPGKeysForm,
      PendingGPGValidationTokenForm,
@@ -636,4 +638,23 @@
  @sso_login_required
  @check_readonly
  def ssh_keys(request):
--    return render(request, 'account/ssh_keys.html', {})
++
++    if 'delete_keys' in request.POST:
++        delete_keys_form = DeleteSSHKeyForm(request.user, request.POST)
++        if delete_keys_form.is_valid():
++            delete_keys_form.delete_keys_from_launchpad()
++    else:
++        delete_keys_form = DeleteSSHKeyForm(request.user)
++
++    if 'import_key' in request.POST:
++        import_key_form = ClaimSSHKeyForm(request.user, request.POST)
++        if import_key_form.is_valid():
++            import_key_form.add_key_to_launchpad()
++    else:
++        import_key_form = ClaimSSHKeyForm(request.user)
++
++    context = {
++        'delete_key_form': delete_keys_form,
++        'import_key_form': import_key_form,
++    }
++    return render(request, 'account/ssh_keys.html', context)