allura-commits mailing list archives

From brond...@apache.org
Subject allura git commit: [#8159] Loosen IP matching restrictions for antispam checks
Date Fri, 21 Jul 2017 18:23:32 GMT
Repository: allura
Updated Branches:
  refs/heads/master cc9b8663c -> 9c40bb977


[#8159] Loosen IP matching restrictions for antispam checks


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/9c40bb97
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/9c40bb97
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/9c40bb97

Branch: refs/heads/master
Commit: 9c40bb977b84263d212c6da1d4d0bab090c7ca42
Parents: cc9b866
Author: Kenton Taylor <ktaylor@slashdotmedia.com>
Authored: Fri Jul 21 15:05:45 2017 +0000
Committer: Dave Brondsema <dave@brondsema.net>
Committed: Fri Jul 21 14:23:14 2017 -0400

----------------------------------------------------------------------
 Allura/allura/lib/utils.py                  |  8 +++++++-
 Allura/allura/tests/functional/test_auth.py | 24 +++++++++++++++++++++++-
 Allura/allura/tests/test_utils.py           |  3 ++-
 AlluraTest/alluratest/controller.py         |  2 +-
 4 files changed, 33 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/9c40bb97/Allura/allura/lib/utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py
index 3fa269e..19d677a 100644
--- a/Allura/allura/lib/utils.py
+++ b/Allura/allura/lib/utils.py
@@ -343,8 +343,14 @@ class AntiSpam(object):
             self.client_ip = ip_address(self.request)
         except (TypeError, AttributeError):
             self.client_ip = '127.0.0.1'
+
+        if not self.client_ip:
+            # this is primarily for tests that sometimes don't have a remote_addr set on
the request
+            self.client_ip = '127.0.0.1'
+        octets = self.client_ip.split('.')
+        ip_chunk = '.'.join(octets[0:3])
         plain = '%d:%s:%s' % (
-            timestamp, self.client_ip, pylons.config.get('spinner_secret', 'abcdef'))
+            timestamp, ip_chunk, pylons.config.get('spinner_secret', 'abcdef'))
         return hashlib.sha1(plain).digest()
 
     @classmethod
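Review bot: `octets[0:3]` loosens the match only for dotted IPv4 addresses. For an IPv6 client, `self.client_ip.split('.')` returns a single element, so `ip_chunk` is the full address and the spinner still requires an exact match. If IPv6 clients are expected, the prefix should come from an explicit parse of the address rather than string splitting, and a comment such as `# spinner is bound to the first three octets of the client address, not the exact address` would document the weaker binding. The changed line also keeps the `'abcdef'` fallback for `spinner_secret`, so a deployment that never sets it hashes with a publicly known value; logging a warning or refusing to start when the setting is missing would be safer. The enclosing method starts above this hunk, so the earlier use of `timestamp` is not visible here.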

http://git-wip-us.apache.org/repos/asf/allura/blob/9c40bb97/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 64b4da5..7def429 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -29,7 +29,7 @@ from bson import ObjectId
 import re
 from ming.orm.ormsession import ThreadLocalORMSession, session
 from tg import config, expose
-from mock import patch
+from mock import patch, Mock
 import mock
 from nose.tools import (
     assert_equal,
@@ -96,6 +96,28 @@ class TestAuth(TestController):
             _session_id=self.app.cookies['_session_id']))
         assert 'Invalid login' in str(r), r.showbrowser()
 
+    def login_diff_ips_ok(self):
+        extra = {'username': '*anonymous', 'REMOTE_ADDR': '11.22.33.44'}
+        r = self.app.get('/auth/', extra_environ=extra)
+
+        f = r.forms[0]
+        encoded = self.app.antispam_field_names(f)
+        f[encoded['username']] = 'test-user'
+        f[encoded['password']] = 'foo'
+        with audits('Successful login', user=True):
+            r = f.submit(extra_environ={'username': '*anonymous', 'REMOTE_ADDR': '11.22.33.99'})
+
+    def login_diff_ips_bad(self):
+        extra = {'username': '*anonymous', 'REMOTE_ADDR': '24.52.32.123'}
+        r = self.app.get('/auth/', extra_environ=extra)
+
+        f = r.forms[0]
+        encoded = self.app.antispam_field_names(f)
+        f[encoded['username']] = 'test-user'
+        f[encoded['password']] = 'foo'
+        with assert_raises(ValueError) as ex:
+            r = f.submit(extra_environ={'username': '*anonymous', 'REMOTE_ADDR': '11.22.33.99'})
+
     def test_logout(self):
         self.app.extra_environ = {'disable_auth_magic': 'True'}
         nav_pattern = ('nav', {'class': 'nav-main'})
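Review bot: The added methods `login_diff_ips_ok` and `login_diff_ips_bad` have no `test_` prefix, so a nose or unittest-style collector will most likely never run them and the loosened IP matching stays unverified. Rename them to `def test_login_diff_ips_ok(self):` and `def test_login_diff_ips_bad(self):`. Once they run, confirm that `f.submit(...)` in the second test really raises `ValueError` rather than returning an error response. The `ex` bound by `assert_raises(ValueError) as ex` is unused, and `Mock`, imported in the first hunk of this file, is not used in the visible lines.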

http://git-wip-us.apache.org/repos/asf/allura/blob/9c40bb97/Allura/allura/tests/test_utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_utils.py b/Allura/allura/tests/test_utils.py
index 084aacd..0a466cc 100644
--- a/Allura/allura/tests/test_utils.py
+++ b/Allura/allura/tests/test_utils.py
@@ -125,7 +125,8 @@ class TestAntispam(unittest.TestCase):
     def test_valid_submit(self):
         form = dict(a='1', b='2')
         r = Request.blank('/', POST=self._encrypt_form(**form),
-                          environ={'remote_addr': '127.0.0.1'})
+                          environ={'remote_addr': '127.0.0.1'}
+                          )
         validated = utils.AntiSpam.validate_request(r)
         assert dict(a='1', b='2') == validated, validated
 

http://git-wip-us.apache.org/repos/asf/allura/blob/9c40bb97/AlluraTest/alluratest/controller.py
----------------------------------------------------------------------
diff --git a/AlluraTest/alluratest/controller.py b/AlluraTest/alluratest/controller.py
index eae6fba..f479072 100644
--- a/AlluraTest/alluratest/controller.py
+++ b/AlluraTest/alluratest/controller.py
@@ -124,7 +124,7 @@ def setup_unit_test():
     REGISTRY.register(g, Globals())
     REGISTRY.register(c, mock.Mock())
     REGISTRY.register(url, lambda: None)
-    REGISTRY.register(request, Request.blank('/'))
+    REGISTRY.register(request, Request.blank('/', remote_addr='127.0.0.1'))
     REGISTRY.register(response, Response())
     REGISTRY.register(allura.credentials, allura.lib.security.Credentials())
     c.model_cache = None

