> === modified file 'lib/canonical/launchpad/testing/pages.py'
> --- lib/canonical/launchpad/testing/pages.py 2009-12-15 14:43:33 +0000
> +++ lib/canonical/launchpad/testing/pages.py 2009-12-16 15:52:00 +0000
> @@ -99,12 +99,24 @@
> consumers = getUtility(IOAuthConsumerSet)
> self.consumer = consumers.getByKey(oauth_consumer_key)
> if self.consumer is None:
> - # Set up for anonymous access
> + # The client wants to make a request using an
> + # unrecognized consumer key. Only an anonymous request
> + # (one in which oauth_access_key is the empty string)
> + # will succeed, but we run this code in either case,
> + # so that we can verify that a non-anonymous request
> + # fails.
> self.consumer = OAuthConsumer(oauth_consumer_key, '')
> - self.access_token = OAuthToken('', '')
> + self.access_token = OAuthToken(oauth_access_key, '')
> else:
> - self.access_token = self.consumer.getAccessToken(
> - oauth_access_key)
> + if oauth_access_key == '':
> + # The client wants to make an anonymous request
> + # using a recognized consumer key.
> + self.access_token = OAuthToken(oauth_access_key, '')
> + else:
> + # The client wants to make an authorized request
> + # using a recognized consumer key.
> + self.access_token = self.consumer.getAccessToken(
> + oauth_access_key)
Although this is now making it clear that we identify anonymous requests
by the lack of an access key, I think this can be simplified a bit.
This is what I had in mind when I first commented on this change.
if oauth_access_key == '':
# The client wants to make an anonymous request.
if self.consumer is None:
# Anonymous requests don't need a registered consumer, so we
# manually create a "fake" OauthConsumer (we call it "fake"
# because it's not really an IOAuthConsumer as returned by
# IOAuthConsumerSet.getByKey) to be used in the requests we make. self.consumer = OAuthConsumer(oauth_consumer_key, '') self.access_token = OAuthToken(oauth_access_key, '')
else:
assert self.consumer is not None, (
"Need a registered consumer key for authenticated requests.") self.access_token = self.consumer.getAccessToken( oauth_access_key)
It's untested but I think it's equivalent to what you have.
Does this mean we'll treat requests which don't include an oauth_token
as anonymous? I thought the plan was to do that just for the requests
which explicitly pass an empty string as the oauth_token.
> if consumer is None:
> + if consumer_key is None:
> + # Most likely the user is trying to make a totally
> + # unauthenticated request.
> + raise Unauthorized(
> + 'Request is missing an OAuth consumer key.')
> if anonymous_request:
> # This is the first time anyone has tried to make an
> # anonymous request using this consumer
> # name. Dynamically create the consumer.
> + #
> + # In the normal website this wouldn't be possible
> + # because GET requests have their transactions rolled
> + # back. But webservice requests always have their
> + # transactions committed so that we can keep track of
> + # the OAuth nonces and prevent replay attacks.
> consumer = consumers.new(consumer_key, '')
> else:
> # An unknown consumer can never make a non-anonymous
>
> === modified file 'lib/canonical/ launchpad/ testing/ pages.py' launchpad/ testing/ pages.py 2009-12-15 14:43:33 +0000 launchpad/ testing/ pages.py 2009-12-16 15:52:00 +0000 IOAuthConsumerS et) getByKey( oauth_consumer_ key) oauth_consumer_ key, '') oauth_access_ key, '') getAccessToken( oauth_access_ key, '') getAccessToken(
> --- lib/canonical/
> +++ lib/canonical/
> @@ -99,12 +99,24 @@
> consumers = getUtility(
> self.consumer = consumers.
> if self.consumer is None:
> - # Set up for anonymous access
> + # The client wants to make a request using an
> + # unrecognized consumer key. Only an anonymous request
> + # (one in which oauth_access_key is the empty string)
> + # will succeed, but we run this code in either case,
> + # so that we can verify that a non-anonymous request
> + # fails.
> self.consumer = OAuthConsumer(
> - self.access_token = OAuthToken('', '')
> + self.access_token = OAuthToken(
> else:
> - self.access_token = self.consumer.
> - oauth_access_key)
> + if oauth_access_key == '':
> + # The client wants to make an anonymous request
> + # using a recognized consumer key.
> + self.access_token = OAuthToken(
> + else:
> + # The client wants to make an authorized request
> + # using a recognized consumer key.
> + self.access_token = self.consumer.
> + oauth_access_key)
Although this is now making it clear that we identify anonymous requests
by the lack of an access key, I think this can be simplified a bit.
This is what I had in mind when I first commented on this change.
if oauth_access_key == '': et.getByKey) to be used in the requests we make.
self. consumer = OAuthConsumer( oauth_consumer_ key, '')
self.access_ token = OAuthToken( oauth_access_ key, '')
self.access_ token = self.consumer. getAccessToken(
oauth_ access_ key)
# The client wants to make an anonymous request.
if self.consumer is None:
# Anonymous requests don't need a registered consumer, so we
# manually create a "fake" OauthConsumer (we call it "fake"
# because it's not really an IOAuthConsumer as returned by
# IOAuthConsumerS
else:
assert self.consumer is not None, (
"Need a registered consumer key for authenticated requests.")
It's untested but I think it's equivalent to what you have.
> logout() 'user_webservic e'] = LaunchpadWebSer viceCaller( library' , 'nopriv- read-nonprivate ') 'anon_webservic e'] = LaunchpadWebSer viceCaller( library' , '') 'setupBrowser' ] = setupBrowser 'browser' ] = setupBrowser() 'anon_browser' ] = setupBrowser() launchpad/ webapp/ servers. py' launchpad/ webapp/ servers. py 2009-12-15 14:43:33 +0000 launchpad/ webapp/ servers. py 2009-12-16 16:42:15 +0000 IOAuthConsumerS et) getByKey( consumer_ key) 'oauth_ token')
> else:
> self.consumer = None
> @@ -660,7 +672,7 @@
> test.globs[
> 'launchpad-
> test.globs[
> - 'anonymous-access', '')
> + 'launchpad-
> test.globs[
> test.globs[
> test.globs[
>
> === modified file 'lib/canonical/
> --- lib/canonical/
> +++ lib/canonical/
> @@ -1180,12 +1180,23 @@
> consumers = getUtility(
> consumer = consumers.
> token_key = form.get(
> - anonymous_request = (token_key == '')
> + anonymous_request = (token_key == '' or token_key is None)
Does this mean we'll treat requests which don't include an oauth_token
as anonymous? I thought the plan was to do that just for the requests
which explicitly pass an empty string as the oauth_token.
> if consumer is None: new(consumer_ key, '')
> + if consumer_key is None:
> + # Most likely the user is trying to make a totally
> + # unauthenticated request.
> + raise Unauthorized(
> + 'Request is missing an OAuth consumer key.')
> if anonymous_request:
> # This is the first time anyone has tried to make an
> # anonymous request using this consumer
> # name. Dynamically create the consumer.
> + #
> + # In the normal website this wouldn't be possible
> + # because GET requests have their transactions rolled
> + # back. But webservice requests always have their
> + # transactions committed so that we can keep track of
> + # the OAuth nonces and prevent replay attacks.
> consumer = consumers.
> else:
> # An unknown consumer can never make a non-anonymous
>
--
Guilherme Salgado <email address hidden>