Add tests for authentication blacklist

2025-10-18 07:23:00 +00:00 · 2018-04-26 14:56:32 +03:00
parent ea7b1caa4e
commit 95a9b97649
2 changed files with 60 additions and 1 deletions
--- a/jupyterhub/auth.py
+++ b/jupyterhub/auth.py
@@ -274,13 +274,13 @@ class Authenticator(LoggingConfigurable):
            return

        blacklist_pass = await maybe_future(self.check_blacklist(username))
+        whitelist_pass = await maybe_future(self.check_whitelist(username))
        if blacklist_pass:
            pass
        else:
            self.log.warning("User %r in blacklist. Stop authentication", username)
            return

-        whitelist_pass = await maybe_future(self.check_whitelist(username))
        if whitelist_pass:
            return authenticated
        else:
--- a/jupyterhub/tests/test_auth.py
+++ b/jupyterhub/tests/test_auth.py
@@ -103,6 +103,65 @@ def test_pam_auth_group_whitelist():
    assert authorized is None


+@pytest.mark.gen_test
+def test_pam_auth_blacklist():
+    # Null case compared to next case
+    authenticator = MockPAMAuthenticator()
+    authorized = yield authenticator.get_authenticated_user(None, {
+        'username': 'wash',
+        'password': 'wash',
+    })
+    assert authorized['name'] == 'wash'
+
+    # Blacklist basics
+    authenticator = MockPAMAuthenticator(blacklist={'wash'})
+    authorized = yield authenticator.get_authenticated_user(None, {
+        'username': 'wash',
+        'password': 'wash',
+    })
+    assert authorized is  None
+
+    # User in both white and blacklists: default deny.  Make error someday?
+    authenticator = MockPAMAuthenticator(blacklist={'wash'}, whitelist={'wash', 'kaylee'})
+    authorized = yield authenticator.get_authenticated_user(None, {
+        'username': 'wash',
+        'password': 'wash',
+    })
+    assert authorized is None
+
+    # User not in blacklist can log in
+    authenticator = MockPAMAuthenticator(blacklist={'wash'}, whitelist={'wash', 'kaylee'})
+    authorized = yield authenticator.get_authenticated_user(None, {
+        'username': 'kaylee',
+        'password': 'kaylee',
+    })
+    assert authorized['name'] == 'kaylee'
+
+    # User in whitelist, blacklist irrelevent
+    authenticator = MockPAMAuthenticator(blacklist={'mal'}, whitelist={'wash', 'kaylee'})
+    authorized = yield authenticator.get_authenticated_user(None, {
+        'username': 'wash',
+        'password': 'wash',
+    })
+    assert authorized['name'] == 'wash'
+
+    # User in neither list
+    authenticator = MockPAMAuthenticator(blacklist={'mal'}, whitelist={'wash', 'kaylee'})
+    authorized = yield authenticator.get_authenticated_user(None, {
+        'username': 'simon',
+        'password': 'simon',
+    })
+    assert authorized is None
+
+    # blacklist == {}
+    authenticator = MockPAMAuthenticator(blacklist=set(), whitelist={'wash', 'kaylee'})
+    authorized = yield authenticator.get_authenticated_user(None, {
+        'username': 'kaylee',
+        'password': 'kaylee',
+    })
+    assert authorized['name'] == 'kaylee'
+
+
@pytest.mark.gen_test
 def test_pam_auth_no_such_group():
    authenticator = MockPAMAuthenticator(group_whitelist={'nosuchcrazygroup'})