Ticket #2114: repozewho-tg-2114.diff

repoze/who/plugins/form.py

@@ -72 +72 @@
 class FormPlugin(FormPluginBase):
 
     implements(IChallenger, IIdentifier)
-    
+
     def __init__(self, login_form_qs, rememberer_name, formbody=None,
                  formcallable=None):
         self.login_form_qs = login_form_qs
@@ -88 +88 @@
         query = parse_dict_querystring(environ)
         # If the extractor finds a special query string on any request,
         # it will attempt to find the values in the input body.
-        if query.get(self.login_form_qs): 
+        if query.get(self.login_form_qs):
             form = parse_formvars(environ)
             from StringIO import StringIO
             # XXX we need to replace wsgi.input because we've read it
@@ -115 +115 @@
             if location:
                 headers = list(app_headers) + list(forget_headers)
                 return HTTPFound(headers = headers)
-                
+
         form = self.formbody or _DEFAULT_FORM
         if self.formcallable is not None:
             form = self.formcallable(environ)
@@ -131 +131 @@
 class RedirectingFormPlugin(FormPluginBase):
 
     implements(IChallenger, IIdentifier)
-    
+
     def __init__(self, login_form_url, login_handler_path, logout_handler_path,
                  rememberer_name, reason_param='reason'):
         self.login_form_url = login_form_url
@@ -146 +146 @@
     # IIdentifier
     def identify(self, environ):
         path_info = environ['PATH_INFO']
+        script_path = environ.get('SCRIPT_PATH') or '/'
         query = parse_dict_querystring(environ)
 
         if path_info == self.logout_handler_path:
             # we've been asked to perform a logout
             form = parse_formvars(environ)
             form.update(query)
-            referer = environ.get('HTTP_REFERER', '/')
+            referer = environ.get('HTTP_REFERER', script_path)
             came_from = form.get('came_from', referer)
             # set in environ for self.challenge() to find later
             environ['came_from'] = came_from
@@ -172 +173 @@
                     }
             except KeyError:
                 credentials = None
-            referer = environ.get('HTTP_REFERER', '/')
+            referer = environ.get('HTTP_REFERER', script_path)
             came_from = form.get('came_from', referer)
             environ['repoze.who.application'] = HTTPFound(came_from)
             return credentials
@@ -189 +190 @@
             query_elements[self.reason_param] = reason
         url_parts[4] = urllib.urlencode(query_elements, doseq=True)
         login_form_url = urlparse.urlunparse(url_parts)
+        login_form_url = self._get_full_path(login_form_url, environ)
         headers = [ ('Location', login_form_url) ]
         cookies = [(h,v) for (h,v) in app_headers if h.lower() == 'set-cookie']
         headers = headers + forget_headers + cookies
         return HTTPFound(headers=headers)
 
+    def _get_full_path(self, path, environ):
+        """
+        Return the full path to ``path`` by prepending the SCRIPT_PATH.
+
+        If ``path`` is a URL, do nothing.
+
+        """
+        if path.startswith('/'):
+            path = environ.get('SCRIPT_PATH', '') + path
+        return path
+
 def make_plugin(login_form_qs='__do_login', rememberer_name=None,
                 form=None):
     if rememberer_name is None:

repoze/who/tests.py

@@ -21 +21 @@
                  authenticators=None,
                  challengers=None,
                  classifier=None,
-                 mdproviders=None,                 
+                 mdproviders=None,
                  challenge_decider=None,
                  log_stream=None,
                  log_level=None,
@@ -53 +53 @@
                                     log_stream,
                                     log_level=logging.DEBUG)
         return mw
-    
+
     def test_accepts_logger(self):
         import logging
         logger = logging.Logger('something')
@@ -437 +437 @@
         self.assertEqual(environ['challenged'], app2)
         self.assertEqual(identifier.forgotten, identity)
 
-    def test_add_metadata(self): 
+    def test_add_metadata(self):
         environ = self._makeEnviron()
         plugin1 = DummyMDProvider({'foo':'bar'})
         plugin2 = DummyMDProvider({'fuz':'baz'})
@@ -449 +449 @@
         self.assertEqual(identity['foo'], 'bar')
         self.assertEqual(identity['fuz'], 'baz')
 
-    def test_add_metadata_w_classification(self): 
+    def test_add_metadata_w_classification(self):
         environ = self._makeEnviron()
         plugin1 = DummyMDProvider({'foo':'bar'})
         plugin2 = DummyMDProvider({'fuz':'baz'})
@@ -461 +461 @@
         identity = {}
         mw.add_metadata(environ, classification, identity)
         self.assertEqual(identity['foo'], 'bar')
-        self.assertEqual(identity.get('fuz'), None)       
+        self.assertEqual(identity.get('fuz'), None)
 
     def test_call_remoteuser_already_set(self):
         environ = self._makeEnviron({'REMOTE_USER':'admin'})
@@ -504 +504 @@
         self.assertEqual(result, ['body'])
         self.assertEqual(start_response.status, '200 OK')
         self.assertEqual(start_response.headers, headers)
-        
+
     def test_call_401_no_identifiers(self):
         environ = self._makeEnviron()
         headers = [('a', '1')]
@@ -724 +724 @@
         self.assertEqual(wrapper.start_response, None)
         self.assertEqual(wrapper.headers, [])
         self.failUnless(wrapper.buffer)
-    
+
     def test_finish_response(self):
         statuses = []
         headerses = []
@@ -736 +736 @@
         def close():
             closededs.append(True)
         write.close = close
-            
+
         def start_response(status, headers, exc_info=None):
             statuses.append(status)
             headerses.append(headers)
             return write
-            
+
         wrapper = self._makeOne(start_response)
         wrapper.status = '401 Unauthorized'
         wrapper.headers = [('a', '1')]
@@ -782 +782 @@
             items.append(item)
         response = ''.join(items)
         self.failUnless(response.startswith('401 Unauthorized'))
-        
+
     def test_identify_noauthinfo(self):
         plugin = self._makeOne('realm')
         environ = self._makeEnviron()
@@ -836 +836 @@
         forget = plugin._get_wwwauth()
         result = plugin.challenge(environ, '401 Unauthorized', [], forget)
         self.assertEqual(result.headers, forget)
-        
+
     def test_challenge_forgetheaders_omits(self):
         plugin = self._makeOne('realm')
         creds = {'login':'foo', 'password':'password'}
@@ -874 +874 @@
         creds = {}
         result = plugin.authenticate(environ, creds)
         self.assertEqual(result, None)
-        
+
     def test_authenticate_nolines(self):
         from StringIO import StringIO
         io = StringIO()
@@ -883 +883 @@
         creds = {'login':'chrism', 'password':'pass'}
         result = plugin.authenticate(environ, creds)
         self.assertEqual(result, None)
-        
+
     def test_authenticate_nousermatch(self):
         from StringIO import StringIO
         io = StringIO('nobody:foo')
@@ -987 +987 @@
         environ = self._makeEnviron()
         result = plugin.identify(environ)
         self.assertEqual(result, None)
-        
+
     def test_identify_badcookies(self):
         plugin = self._makeOne('oatmeal')
         environ = self._makeEnviron({'HTTP_COOKIE':'oatmeal=a'})
@@ -1072 +1072 @@
             extra['QUERY_STRING'] = '__do_login=true'
         environ = self._makeEnviron(extra)
         return environ
-    
+
     def test_implements(self):
         from zope.interface.verify import verifyClass
         from repoze.who.interfaces import IIdentifier
@@ -1086 +1086 @@
         environ = self._makeFormEnviron()
         result = plugin.identify(environ)
         self.assertEqual(result, None)
-        
+
     def test_identify_qs_no_values(self):
         plugin = self._makeOne()
         environ = self._makeFormEnviron(do_login=True)
@@ -1098 +1098 @@
         environ = self._makeFormEnviron(do_login=True, login='chris')
         result = plugin.identify(environ)
         self.assertEqual(result, None)
-    
+
     def test_identify_nopassword(self):
         plugin = self._makeOne()
         environ = self._makeFormEnviron(do_login=True, password='password')
@@ -1217 +1217 @@
         return plugin
 
     def _makeFormEnviron(self, login=None, password=None, came_from=None,
-                         path_info='/', identifier=None):
+                         path_info='/', identifier=None, script_path=''):
         from StringIO import StringIO
         fields = []
         if login:
@@ -1240 +1240 @@
                  'repoze.who.plugins': {'cookie':identifier},
                  'QUERY_STRING':'default=1',
                  'PATH_INFO':path_info,
+                 'SCRIPT_PATH':script_path
                  }
         environ = self._makeEnviron(extra)
         return environ
-    
+
     def test_implements(self):
         from zope.interface.verify import verifyClass
         from repoze.who.interfaces import IIdentifier
@@ -1258 +1259 @@
         result = plugin.identify(environ)
         self.assertEqual(result, None)
         self.failIf(environ.get('repoze.who.application'))
-        
+
     def test_identify_via_login_handler(self):
         plugin = self._makeOne()
         environ = self._makeFormEnviron(path_info='/login_handler',
@@ -1315 +1316 @@
         self.assertEqual(value, 'http://foo.bar')
         self.assertEqual(app.code, 302)
 
+    def test_identify_via_login_handler_no_came_from_no_referer_spath(self):
+        plugin = self._makeOne()
+        environ = self._makeFormEnviron(path_info='/login_handler',
+                                        script_path='/my-app',
+                                        login='chris',
+                                        password='password')
+        plugin.identify(environ)
+        app = environ['repoze.who.application']
+        self.assertEqual(app.location(), '/my-app')
+
     def test_identify_via_logout_handler(self):
         plugin = self._makeOne()
         environ = self._makeFormEnviron(path_info='/logout_handler',
@@ -1340 +1351 @@
         self.assertEqual(app.code, 401)
         self.assertEqual(environ['came_from'], '/')
 
+    def test_identify_via_logout_handler_no_came_from_no_referer_spath(self):
+        plugin = self._makeOne()
+        environ = self._makeFormEnviron(path_info='/logout_handler',
+                                        script_path='/my-app',
+                                        login='chris',
+                                        password='password')
+        plugin.identify(environ)
+        app = environ['repoze.who.application']
+        self.assertEqual(environ['came_from'], '/my-app')
+
     def test_identify_via_logout_handler_no_came_from(self):
         plugin = self._makeOne()
         environ = self._makeFormEnviron(path_info='/logout_handler',
@@ -1506 +1527 @@
         self.assertEqual(sr.headers[2][0], 'set-cookie')
         self.assertEqual(sr.headers[2][1], 'b')
 
+    def test_challenge_with_non_root_script_path(self):
+        """The script path must be taken into account while redirecting."""
+        plugin = self._makeOne(login_form_url='/login')
+        environ = self._makeFormEnviron(script_path='/app',
+                                        path_info='/admin')
+        came_from = 'http://www.example.com/app/admin?default=1'
+        environ['came_from'] = came_from
+        app = plugin.challenge(environ, '401 Unauthorized', [('app', '1')],
+                               [('forget', '1')])
+        from urllib import quote
+        login_url = '/app/login?came_from=%s' % quote(came_from, '')
+        self.assertEqual(app.location(), login_url)
+
 class TestAuthTktCookiePlugin(Base):
     def _getTargetClass(self):
         from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
@@ -1546 +1580 @@
         environ = self._makeEnviron()
         result = plugin.identify(environ)
         self.assertEqual(result, None)
-        
+
     def test_identify_good_cookie_include_ip(self):
         plugin = self._makeOne('secret', include_ip=True)
         val = self._makeTicket(remote_addr='1.1.1.1')
@@ -1608 +1642 @@
         environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=bogus'})
         result = plugin.identify(environ)
         self.assertEqual(result, None)
-    
+
     def test_remember_creds_same(self):
         plugin = self._makeOne('secret')
         val = self._makeTicket(userid='userid')
@@ -1642 +1676 @@
         new_val = self._makeTicket(userid='1', userdata='userid_type:int')
         result = plugin.remember(environ, {'repoze.who.userid':1,
                                            'userdata':''})
-        
+
         self.assertEqual(len(result), 3)
         self.assertEqual(result[0],
                          ('Set-Cookie',
@@ -1717 +1751 @@
         environ = self._makeEnviron({'HTTP_USER_AGENT':'WebDrive'})
         result = classifier(environ)
         self.assertEqual(result, 'dav')
-        
+
     def test_classify_xmlpost(self):
         classifier = self._getFUT()
         environ = self._makeEnviron({'CONTENT_TYPE':'text/xml',
@@ -1742 +1776 @@
         iface_reg, name_reg = fn([], [], [], [])
         self.assertEqual(iface_reg, {})
         self.assertEqual(name_reg, {})
-        
+
     def test_brokenimpl(self):
         fn = self._getFUT()
         self.assertRaises(ValueError, fn, [(None, DummyApp())], [], [], [])
@@ -2240 +2274 @@
 
 IDENTIFIERS_ONLY = """\
 [identifiers]
-plugins = 
+plugins =
     repoze.who.tests:DummyPlugin;klass1
     repoze.who.tests:DummyPlugin
 """
 
 IDENTIFIERS_WITH_PLUGINS = """\
 [identifiers]
-plugins = 
+plugins =
     foo;klass1
     bar
 
@@ -2260 +2294 @@
 
 AUTHENTICATORS_ONLY = """\
 [authenticators]
-plugins = 
+plugins =
     repoze.who.tests:DummyPlugin;klass1
     repoze.who.tests:DummyPlugin
 """
 
 AUTHENTICATORS_WITH_PLUGINS = """\
 [authenticators]
-plugins = 
+plugins =
     foo;klass1
     bar
 
@@ -2280 +2314 @@
 
 CHALLENGERS_ONLY = """\
 [challengers]
-plugins = 
+plugins =
     repoze.who.tests:DummyPlugin;klass1
     repoze.who.tests:DummyPlugin
 """
 
 CHALLENGERS_WITH_PLUGINS = """\
 [challengers]
-plugins = 
+plugins =
     foo;klass1
     bar
 
@@ -2300 +2334 @@
 
 MDPROVIDERS_ONLY = """\
 [mdproviders]
-plugins = 
+plugins =
     repoze.who.tests:DummyPlugin;klass1
     repoze.who.tests:DummyPlugin
 """
 
 MDPROVIDERS_WITH_PLUGINS = """\
 [mdproviders]
-plugins = 
+plugins =
     foo;klass1
     bar
 
@@ -2383 +2417 @@
 challenge_decider = repoze.who.classifiers:default_challenge_decider
 
 [identifiers]
-plugins = 
+plugins =
     form;browser
     auth_tkt
     basicauth
@@ -2606 +2640 @@
         environ['repoze.who.identity']['password'] = 'schooled'
         start_response(self.status, self.headers)
         return ['body']
-    
+
 class DummyRequestClassifier:
     def __call__(self, environ):
         return 'browser'
@@ -2648 +2682 @@
 class DummyAuthenticator:
     def __init__(self, userid=None):
         self.userid = userid
-        
+
     def authenticate(self, environ, credentials):
         if self.userid is None:
             return credentials['login']
@@ -2672 +2706 @@
 class DummyMDProvider:
     def __init__(self, metadata=None):
         self._metadata = metadata
-        
+
     def add_metadata(self, environ, identity):
         return identity.update(self._metadata)