Synnefo

# Copyright 2011 GRNET S.A. All rights reserved.

#

# Redistribution and use in source and binary forms, with or

# without modification, are permitted provided that the following

# conditions are met:

#

#   1. Redistributions of source code must retain the above

#      copyright notice, this list of conditions and the following

#      disclaimer.

#

#   2. Redistributions in binary form must reproduce the above

#      copyright notice, this list of conditions and the following

#      disclaimer in the documentation and/or other materials

#      provided with the distribution.

#

# THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS

# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR

# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF

# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED

# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN

# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

# POSSIBILITY OF SUCH DAMAGE.

#

# The views and conclusions contained in the software and

# documentation are those of the authors and should not be

# interpreted as representing official policies, either expressed

# or implied, of GRNET S.A.

from django.core.urlresolvers import reverse

from django.utils.translation import ugettext as _

from astakos.im import settings

import logging

logger = logging.getLogger(__name__)

# providers registry

PROVIDERS = {}

class AuthProviderBase(type):

    def __new__(cls, name, bases, dct):

        include = False

        if [b for b in bases if isinstance(b, AuthProviderBase)]:

            type_id = dct.get('module')

            if type_id:

                include = True

            if type_id in settings.IM_MODULES:

                dct['module_enabled'] = True

        newcls = super(AuthProviderBase, cls).__new__(cls, name, bases, dct)

        if include:

            PROVIDERS[type_id] = newcls

        return newcls

class AuthProvider(object):

    __metaclass__ = AuthProviderBase

    module = None

    module_active = False

    module_enabled = False

    one_per_user = False

    def __init__(self, user=None):

        self.user = user

    def get_setting(self, name, default=None):

        attr = 'AUTH_PROVIDER_%s_%s' % (self.module.upper(), name.upper())

        return getattr(settings, attr, default)

    def is_available_for_login(self):

        """ A user can login using authentication provider"""

        return self.is_active() and self.get_setting('CAN_LOGIN',

                                                     self.is_active())

    def is_available_for_create(self):

        """ A user can create an account using this provider"""

        return self.is_active() and self.get_setting('CAN_CREATE',

                                                   self.is_active())

    def is_available_for_add(self):

        """ A user can assign provider authentication method"""

        return self.is_active() and self.get_setting('CAN_ADD',

                                                   self.is_active())

    def is_active(self):

        return self.module in settings.IM_MODULES

class LocalAuthProvider(AuthProvider):

    module = 'local'

    title = _('Local password')

    description = _('Create a local password for your account')

    @property

    def add_url(self):

        return reverse('password_change')

    add_description = _('Create a local password for your account')

    login_template = 'auth/local_login_form.html'

    add_template = 'auth/local_add_action.html'

    one_per_user = True

    details_tpl = _('You can login to your account using your'

                    ' %(auth_backend)s password.')

    @property

    def extra_actions(self):

        return [(_('Change password'), reverse('password_change')), ]

class ShibbolethAuthProvider(AuthProvider):

    module = 'shibboleth'

    title = _('Academic credentials (Shibboleth)')

    description = _('Allows you to login to your account using your academic '

                    'credentials')

    @property

    def add_url(self):

        return reverse('astakos.im.target.shibboleth.login')

    add_description = _('Allows you to login to your account using your academic '

                    'credentials')

    login_template = 'auth/shibboleth_login_form.html'

    add_template = 'auth/shibboleth_add_action.html'

    details_tpl = _('You can login to your account using your'

                    ' shibboleth credentials. Shibboleth id: %(identifier)s')

def get_provider(id, user_obj=None, default=None):

    """

    Return a provider instance from the auth providers registry.

    """

    return PROVIDERS.get(id, default)(user_obj)

from astakos.im.auth_providers import PROVIDERS as AUTH_PROVIDERS

def auth_providers(request):

    return {'auth_providers': filter(lambda p:p.module_enabled,

                                     AUTH_PROVIDERS.itervalues())}

from django.db import transaction

    NEWPASSWD_INVALIDATE_TOKEN, MODERATION_ENABLED

from astakos.im import settings

class StoreUserMixin(object):

    @transaction.commit_on_success

    def store_user(self, user, request):

        user.save()

        self.post_store_user(user, request)

        return user

    def post_store_user(self, user, request):

        """

        Interface method for descendant backends to be able to do stuff within

        the transaction enabled by store_user.

        """

        pass

class LocalUserCreationForm(UserCreationForm, StoreUserMixin):

        email = self.cleaned_data['email'].lower()

    def post_store_user(self, user, request):

        """

        Interface method for descendant backends to be able to do stuff within

        the transaction enabled by store_user.

        """

        user.add_auth_provider('local', auth_backend='astakos')

        user.set_password(self.cleaned_data['password1'])

        user.renew_token()

        user.update_invitations_level()

class ThirdPartyUserCreationForm(forms.ModelForm, StoreUserMixin):

        email = self.cleaned_data['email'].lower()

    def post_store_user(self, user, request):

        pending = PendingThirdPartyUser.objects.get(

                                token=request.POST.get('third_party_token'),

                                third_party_identifier= \

            self.cleaned_data.get('third_party_identifier'))

        return user.add_pending_auth_provider(pending)

        user.is_local = False

        user.renew_token()

        user.set_invitation_level()

        email = self.cleaned_data['email'].lower()

            if not user.can_change_password():

                raise forms.ValidationError(_('Password change for this account'

                                              ' is not supported.'))

            raise forms.ValidationError(_('That e-mail address doesn\'t have an'

                                          ' associated user account. Are you sure'

                                          ' you\'ve registered?'))

            url = user.astakosuser.get_password_reset_url(token_generator)

            raise forms.ValidationError(_(u"This email address is already "

                                           "in use. Please supply a "

                                           "different email address."))

    @transaction.commit_on_success()

            #self.user.flush_sessions()

            if not self.user.has_auth_provider('local'):

                self.user.add_auth_provider('local', auth_backend='astakos')

from urllib import quote

from django.core.urlresolvers import reverse

from django.utils.http import int_to_base36

from django.contrib.auth.tokens import default_token_generator

from django.core.validators import email_re

from astakos.im import auth_providers

class AstakosUserManager(models.Manager):

    def get_auth_provider_user(self, provider, **kwargs):

        """

        Retrieve AstakosUser instance associated with the specified third party

        id.

        """

        kwargs = dict(map(lambda x: ('auth_providers__%s' % x[0], x[1]),

                          kwargs.iteritems()))

        return self.get(auth_providers__module=provider, **kwargs)

    affiliation = models.CharField('Affiliation', max_length=255, blank=True,

                                   null=True)

    # DEPRECATED FIELDS: provider, third_party_identifier moved in

    #                    AstakosUserProvider model.

    provider = models.CharField('Provider', max_length=255, blank=True,

                                null=True)

    # ex. screen_name for twitter, eppn for shibboleth

    third_party_identifier = models.CharField('Third-party identifier',

                                              max_length=255, null=True,

                                              blank=True)

    objects = AstakosUserManager()

                username =  self.email

    def set_invitations_level(self):

        """

        Update user invitation level

        """

        level = self.invitation.inviter.level + 1

        self.level = level

        self.invitations = INVITATIONS_PER_LEVEL.get(level, 0)

    def can_login_with_auth_provider(self, provider):

        if not self.has_auth_provider(provider):

            return False

        else:

            return auth_providers.get_provider(provider).is_available_for_login()

    def can_add_provider(self, provider, **kwargs):

        provider_settings = auth_providers.get_provider(provider)

        if not provider_settings.is_available_for_login():

            return False

        if self.has_auth_provider(provider) and \

           provider_settings.one_per_user:

            return False

        return True

    def can_remove_auth_provider(self, provider):

        if len(self.get_active_auth_providers()) <= 1:

            return False

        return True

    def can_change_password(self):

        return self.has_auth_provider('local', auth_backend='astakos')

    def has_auth_provider(self, provider, **kwargs):

        return bool(self.auth_providers.filter(module=provider,

                                               **kwargs).count())

    def add_auth_provider(self, provider, **kwargs):

        self.auth_providers.create(module=provider, active=True, **kwargs)

    def add_pending_auth_provider(self, pending):

        """

        Convert PendingThirdPartyUser object to AstakosUserAuthProvider entry for

        the current user.

        """

        if not isinstance(pending, PendingThirdPartyUser):

            pending = PendingThirdPartyUser.objects.get(token=pending)

        provider = self.add_auth_provider(pending.provider,

                               identifier=pending.third_party_identifier)

        if email_re.match(pending.email) and pending.email != self.email:

            self.additionalmail_set.get_or_create(email=pending.email)

        pending.delete()

        return provider

    def remove_auth_provider(self, provider, **kwargs):

        self.auth_providers.get(module=provider, **kwargs).delete()

    # user urls

    def get_resend_activation_url(self):

        return reverse('send_activation', {'user_id': self.pk})

    def get_activation_url(self, nxt=False):

        url = "%s?auth=%s" % (reverse('astakos.im.views.activate'),

                                 quote(self.auth_token))

        if nxt:

            url += "&next=%s" % quote(nxt)

        return url

    def get_password_reset_url(self, token_generator=default_token_generator):

        return reverse('django.contrib.auth.views.password_reset_confirm',

                          kwargs={'uidb36':int_to_base36(self.id),

                                  'token':token_generator.make_token(self)})

    def get_auth_providers(self):

        return self.auth_providers.all()

    def get_available_auth_providers(self):

        """

        Returns a list of providers available for user to connect to.

        """

        providers = []

        for module, provider_settings in auth_providers.PROVIDERS.iteritems():

            if self.can_add_provider(module):

                providers.append(provider_settings(self))

        return providers

    def get_active_auth_providers(self):

        providers = []

        for provider in self.auth_providers.active():

            if auth_providers.get_provider(provider.module).is_available_for_login():

                providers.append(provider)

        return providers

class AstakosUserAuthProviderManager(models.Manager):

    def active(self):

        return self.filter(active=True)

class AstakosUserAuthProvider(models.Model):

    """

    Available user authentication methods.

    """

    affiliation = models.CharField('Affiliation', max_length=255, blank=True,

                                   null=True, default=None)

    user = models.ForeignKey(AstakosUser, related_name='auth_providers')

    module = models.CharField('Provider', max_length=255, blank=False,

                                default='local')

    identifier = models.CharField('Third-party identifier',

                                              max_length=255, null=True,

                                              blank=True)

    active = models.BooleanField(default=True)

    auth_backend = models.CharField('Backend', max_length=255, blank=False,

                                   default='astakos')

    objects = AstakosUserAuthProviderManager()

    class Meta:

        unique_together = (('identifier', 'module', 'user'), )

    @property

    def settings(self):

        return auth_providers.get_provider(self.module)

    @property

    def details_display(self):

        print self.settings.details_tpl

        return self.settings.details_tpl % self.__dict__

    def can_remove(self):

        return self.user.can_remove_auth_provider(self.module)

    def delete(self, *args, **kwargs):

        ret = super(AstakosUserAuthProvider, self).delete(*args, **kwargs)

        self.user.set_unusable_password()

        self.user.save()

        return ret

    token = models.CharField('Token', max_length=255, null=True, blank=True)

    created = models.DateTimeField(auto_now_add=True, null=True, blank=True)

    def generate_token(self):

        self.password = self.third_party_identifier

        self.last_login = datetime.now()

        self.token = default_token_generator.make_token(self)

    'astakos.im.context_processors.auth_providers',

from astakos.im.views import requires_anonymous, signed_terms_required, \

        requires_auth_provider

from astakos.im.forms import LoginForm, ExtendedPasswordChangeForm, \

        ExtendedSetPasswordForm

from astakos.im.settings import (RATELIMIT_RETRIES_ALLOWED,

                                ENABLE_LOCAL_ACCOUNT_MIGRATION)

from astakos.im import settings

@requires_auth_provider('local', login=True)

    third_party_token = get_query(request).get('key', False)

             'key': third_party_token},

            msg = _('You have not followed the activation link.')

            if settings.MODERATION_ENABLED:

                msg_extra = ' ' + _('Please contact support.')

            else:

                msg_extra = _('<a href="%s">Resend activation email?</a>') % url

            message = msg + msg_extra

    elif not user.can_login_with_auth_provider('local'):

                                  {'login_form': form},

    response = prepare_response(request, user, next)

    if third_party_token:

        # use requests to assign the account he just authenticated with with

        # a third party provider account

          request.user.add_pending_auth_provider(third_party_token)

          messages.success(request, _('Your new login method has been added'))

        except PendingThirdPartyUser.DoesNotExist:

          messages.error(request, _('Account method assignment failed'))

    return response

@requires_auth_provider('local', login=True)

    create_password = False

    # no local backend user wants to create a password

    if not request.user.has_auth_provider('local'):

        create_password = True

        password_change_form = ExtendedSetPasswordForm

        post_change_redirect = reverse('edit_profile')

        form_kwargs = dict(

        if not create_password:

            form_kwargs['session_key'] = session_key=request.session.session_key

        form = password_change_form(**form_kwargs)

from django.shortcuts import get_object_or_404

from urlparse import urlunsplit, urlsplit

from astakos.im.views import requires_anonymous, render_response, \

        requires_auth_provider

from astakos.im import settings

@requires_auth_provider('local', login=True)

    template='im/third_party_check_local.html',

            raise KeyError(_('Missing provider token'))

            raise KeyError(_('Missing provider user information'))

        # invalid shibboleth headers, redirect to login, display message

        return HttpResponseRedirect(reverse('login'))

    # an existing user accessed the view

    if request.user.is_authenticated():

        if request.user.has_auth_provider('shibboleth', identifier=eppn):

            return HttpResponseRedirect(reverse('edit_profile'))

        # automatically add eppn provider to user

        user = request.user

        user.add_provider('shibboleth', identifier=eppn)

        return HttpResponseRedirect('edit_profile')

        # astakos user exists ?

        user = AstakosUser.objects.get_auth_provider_user(

            'shibboleth',

            identifier=eppn

            # authenticate user

            if not settings.MODERATION_ENABLED:

                url = user.get_resend_activation_url()

                msg_extra = _('<a href="%s">Resend activation email?</a>') % url

                message = message + u' ' + msg_extra

            return HttpResponseRedirect(reverse('login'))

            message = _(u'Account disabled. Please contact support')

            return HttpResponseRedirect(reverse('login'))

        # eppn not stored in astakos models, create pending profile

        user, created = PendingThirdPartyUser.objects.get_or_create(

            third_party_identifier=eppn,

            provider='shibboleth',

        )

        # update pending user

        user.realname = realname

        user.affiliation = affiliation

        user.email = email

        user.generate_token()

        user.save()

        extra_context['provider'] = 'shibboleth'

        extra_context['token'] = user.token

@requires_auth_provider('local', login=True, create=True)

    token,

    extra_context=None):

    if not token:

    pending = get_object_or_404(PendingThirdPartyUser, token=token)

    d = pending.__dict__

    d.pop('_state', None)

    d.pop('id', None)

    d.pop('token', None)

    d.pop('created', None)

    user = AstakosUser(**d)

    extra_context['provider'] = 'shibboleth'

    extra_context['third_party_token'] = token

    )

    <div class="auth_methods">

      <br /><br />

        <div class="assigned">

          <h4>Authentication methods</h4>

          <p>You can login to your account using the following methods</p>

          <ul class="auth_providers">

            {% for provider in user_providers %}

            <li>

            <h2>

                {{ provider.settings.title }}

                <span class="actions" style="margin-left: 40px">

                  {% for name, url in provider.settings.extra_actions %}

                  <a href="{{ url }}" title="{{ name }}">{{ name }}</a>

                  {% endfor %}

                  {% if provider.can_remove %}

                      <a href="{% url remove_auth_provider provider.pk %}" title="disble">Remove</a>

                  {% endif %}

                </span>

            </h2>

            <p>{{ provider.details_display }}</p>

            <br />

            </li>

            {% empty %}

            <li>No available authentication methods</li>

            {% endfor %}

          </ul>

        </div>

        <div class="notassigned">

          <p>You can add the following authentication methods to your account </p>

          <ul class="auth_providers">

            {% for provider in user_available_providers %}

            <li>

            <h2><a href="{{ provider.add_url }}">{{ provider.title }}</a></h2>

            <p>{{ provider.add_description }}</p>

            <br />

            </li>

            {% empty %}

            No available providers.

            {% endfor %}

          </ul>

        </div>

    </div>

            {% if third_party_token %}

            <input type="hidden" name="third_party_token" value={{ third_party_token }}>

            {% endif %}

        <a href="{% url astakos.im.views.index %}?key={{ token }}">YES</a>

        <a href="{% url shibboleth_signup token %}">NO</a>

{% endblock %}

            <input type="hidden" name="third_party_token" value={{ third_party_token }}>

# Copyright 2011 GRNET S.A. All rights reserved.

#

# Redistribution and use in source and binary forms, with or

# without modification, are permitted provided that the following

# conditions are met:

#

#   1. Redistributions of source code must retain the above

#      copyright notice, this list of conditions and the following

#      disclaimer.

#

#   2. Redistributions in binary form must reproduce the above

#      copyright notice, this list of conditions and the following

#      disclaimer in the documentation and/or other materials

#      provided with the distribution.

#

# THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS

# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR

# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF

# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED

# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN

# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

# POSSIBILITY OF SUCH DAMAGE.

#

# The views and conclusions contained in the software and

# documentation are those of the authors and should not be

# interpreted as representing official policies, either expressed

# or implied, of GRNET S.A.

import datetime

from django.test import TestCase, Client

from django.conf import settings

from django.core import mail

from astakos.im.target.shibboleth import Tokens as ShibbolethTokens

from astakos.im.models import *

from astakos.im import functions

from astakos.im import settings as astakos_settings

from urllib import quote

class ShibbolethClient(Client):

    """

    A shibboleth agnostic client.

    """

    VALID_TOKENS = filter(lambda x: not x.startswith("_"), dir(ShibbolethTokens))

    def __init__(self, *args, **kwargs):

        self.tokens = kwargs.pop('tokens', {})

        super(ShibbolethClient, self).__init__(*args, **kwargs)

    def set_tokens(self, **kwargs):

        for key, value in kwargs.iteritems():

            key = 'SHIB_%s' % key.upper()

            if not key in self.VALID_TOKENS:

                raise Exception('Invalid shibboleth token')

            self.tokens[key] = value

    def unset_tokens(self, *keys):

        for key in keys:

            key = 'SHIB_%s' % param.upper()

            if key in self.tokens:

                del self.tokens[key]

    def reset_tokens(self):

        self.tokens = {}

    def get_http_token(self, key):

        http_header = getattr(ShibbolethTokens, key)

        return http_header

    def request(self, **request):

        """

        Transform valid shibboleth tokens to http headers

        """

        for token, value in self.tokens.iteritems():

            request[self.get_http_token(token)] = value

        for param in request.keys():

            key = 'SHIB_%s' % param.upper()

            if key in self.VALID_TOKENS:

                request[self.get_http_token(key)] = request[param]

                del request[param]

        return super(ShibbolethClient, self).request(**request)

def get_local_user(username, **kwargs):

        try:

            return AstakosUser.objects.get(email=username)

        except:

            user_params = {

                'username': username,

                'email': username,

                'is_active': True,

                'activation_sent': datetime.now(),

                'email_verified': True,

                'provider': 'local'

            }

            user_params.update(kwargs)

            user = AstakosUser(**user_params)

            user.set_password(kwargs.get('password', 'password'))

            user.save()

            user.add_auth_provider('local', auth_backend='astakos')

            if kwargs.get('is_active', True):

                user.is_active = True

            else:

                user.is_active = False

            user.save()

            return user

def get_mailbox(email):

    mails = []

    for sent_email in mail.outbox:

        for recipient in sent_email.recipients():

            if email in recipient:

                mails.append(sent_email)

    return mails

class ShibbolethTests(TestCase):

    """

    Testing shibboleth authentication.

    """

    fixtures = ['groups']

    def setUp(self):

        self.client = ShibbolethClient()

        settings.ASTAKOS_IM_MODULES = ['local', 'shibboleth']

    def test_create_account(self):

        client = ShibbolethClient()

        # shibboleth views validation

        # eepn required

        r = client.get('/im/login/shibboleth?', follow=True)

        self.assertContains(r, 'Missing provider token')

        client.set_tokens(eppn="kpapeppn")

        # shibboleth user info required

        r = client.get('/im/login/shibboleth?', follow=True)

        self.assertContains(r, 'Missing provider user information')

        # shibboleth logged us in

        client.set_tokens(mail="kpap@grnet.gr", eppn="kpapeppn", cn="1", )

        r = client.get('/im/login/shibboleth?')

        # astakos asks if we want to add shibboleth

        self.assertContains(r, "Already have an account?")

        # a new pending user created

        pending_user = PendingThirdPartyUser.objects.get(

            third_party_identifier="kpapeppn")

        self.assertEqual(PendingThirdPartyUser.objects.count(), 1)

        token = pending_user.token

        # from now on no shibboleth headers are sent to the server

        client.reset_tokens()

        # we choose to signup as a new user

        r = client.get('/im/shibboleth/signup/%s' % pending_user.username)

        self.assertEqual(r.status_code, 404)

        r = client.get('/im/shibboleth/signup/%s' % token)

        form = r.context['form']

        post_data = {'email': 'kpap@grnet.gr',

                     'third_party_identifier': pending_user.third_party_identifier,

                     'first_name': 'Kostas',

                     'third_party_token': token,

                     'last_name': 'Mitroglou',

                     'additional_email': 'kpap@grnet.gr',

                     'provider': 'shibboleth'

                    }

        r = client.post('/im/signup', post_data)

        self.assertEqual(r.status_code, 200)

        self.assertEqual(AstakosUser.objects.count(), 1)

        self.assertEqual(PendingThirdPartyUser.objects.count(), 0)

        self.assertEqual(AstakosUserAuthProvider.objects.count(), 1)

        client.set_tokens(mail="kpap@grnet.gr", eppn="kpapeppn", cn="1", )

        r = client.get("/im/login/shibboleth?", follow=True)

        self.assertContains(r, "Your request is pending activation")

        r = client.get("/im/profile", follow=True)

        self.assertRedirects(r, 'http://testserver/im/?next=%2Fim%2Fprofile')

        u = AstakosUser.objects.get()

        functions.activate(u)

        self.assertEqual(u.is_active, True)

        r = client.get("/im/login/shibboleth?")

        self.assertRedirects(r, '/im/profile')

    def test_existing(self):

        existing_user = get_local_user('kpap@grnet.gr')

        client = ShibbolethClient()

        # shibboleth logged us in, notice that we use different email

        client.set_tokens(mail="kpap@shibboleth.gr", eppn="kpapeppn", cn="1", )

        r = client.get("/im/login/shibboleth?")

        # astakos asks if we want to switch a local account to shibboleth

        self.assertContains(r, "Already have an account?")

        # a new pending user created

        pending_user = PendingThirdPartyUser.objects.get()

        self.assertEqual(PendingThirdPartyUser.objects.count(), 1)

        pending_key = pending_user.token

        client.reset_tokens()

        # we choose to add shibboleth to an our existing account

        # we get redirected to login page with the pending token set

        r = client.get('/im/login?key=%s' % pending_key)

        post_data = {'password': 'password',

                     'username': 'kpap@grnet.gr',

                     'key': pending_key}

        r = client.post('/im/local', post_data, follow=True)

        self.assertContains(r, "Your new login method has been added")

        user = AstakosUser.objects.get(username="kpap@grnet.gr",

                                       email="kpap@grnet.gr")

        self.assertTrue(user.has_auth_provider('shibboleth'))

        self.assertTrue(user.has_auth_provider('local', auth_backend='astakos'))

        client.logout()

        # again ???? show her a message

        r = client.get('/im/login?key=%s' % pending_key)

        post_data = {'password': 'password',

                     'username': 'kpap@grnet.gr',

                     'key': pending_key}

        r = self.client.post('/im/local', post_data, follow=True)

        self.assertContains(r, "Account method assignment failed")

        self.client.logout()

        client.logout()

        # look Ma, i can login with both my shibboleth and local account

        client.set_tokens(mail="kpap@shibboleth.gr", eppn="kpapeppn", cn="1")

        r = client.get("/im/login/shibboleth?", follow=True)

        self.assertTrue(r.context['request'].user.is_authenticated())

        self.assertTrue(r.context['request'].user.email == "kpap@grnet.gr")

        r = client.get("/im/profile")

        self.assertEquals(r.status_code,200)

        client.logout()

        client.reset_tokens()

        r = client.get("/im/profile", follow=True)

        self.assertFalse(r.context['request'].user.is_authenticated())

        post_data = {'password': 'password',

                     'username': 'kpap@grnet.gr'}

        r = self.client.post('/im/local', post_data, follow=True)

        self.assertTrue(r.context['request'].user.is_authenticated())

        r = self.client.get("/im/profile")

        self.assertEquals(r.status_code,200)

        r = client.post('/im/local', post_data, follow=True)

        client.set_tokens(mail="secondary@shibboleth.gr", eppn="kpapeppn", cn="1", )

        r = client.get("/im/login/shibboleth?", follow=True)

        client.reset_tokens()

        client.logout()

        client.set_tokens(mail="kpap@grnet.gr", eppn="kpapeppninvalid", cn="1")

        r = client.get("/im/login/shibboleth?", follow=True)

        self.assertFalse(r.context['request'].user.is_authenticated())

class LocalUserTests(TestCase):

    fixtures = ['groups']

    def test_invitations(self):

        return

    def test_local_provider(self):

        r = self.client.get("/im/signup")

        self.assertEqual(r.status_code, 200)

        data = {'email':'kpap@grnet.gr', 'password1':'password',

                'password2':'password', 'first_name': 'Kostas',

                'last_name': 'Mitroglou', 'provider': 'local'}

        r = self.client.post("/im/signup", data)

        self.assertEqual(AstakosUser.objects.count(), 1)

        user = AstakosUser.objects.get(username="kpap@grnet.gr",

                                       email="kpap@grnet.gr")

        self.assertEqual(user.username, 'kpap@grnet.gr')

        self.assertEqual(user.has_auth_provider('local'), True)

        self.assertFalse(user.is_active)

        # admin gets notified

        self.assertEqual(len(get_mailbox('support@cloud.grnet.gr')), 1)

        # and sends user activation email

        functions.send_activation(user)

        # user activation fields updated

        user = AstakosUser.objects.get(pk=user.pk)

        self.assertTrue(user.activation_sent)

        self.assertFalse(user.email_verified)

        # email sent to user

        self.assertEqual(len(get_mailbox('kpap@grnet.gr')), 1)

        # user forgot she got registered and tries to submit registration

        # form. Notice the upper case in email

        data = {'email':'KPAP@grnet.gr', 'password1':'password',

                'password2':'password', 'first_name': 'Kostas',

                'last_name': 'Mitroglou', 'provider': 'local'}