Add authentication through openstackid.org

In Refstack's database store only fullname, email and openid.
After sign in refstack backend create session and write it id in cookie.
When UI is opened in browser, Angular try to get info from
/v1/profile. If data about user received then user is authenticated.

Change-Id: Ib2cabc0c6b4de4b2ca1f02cc9e062a6e3550daa0

docker/Dockerfile

@@ -21,7 +21,6 @@ RUN \
 
 RUN \
     pip install virtualenv tox ipython ipdb httpie && \
-    npm install -g bower && \
     ln -s /usr/bin/nodejs /usr/bin/node
 
 ADD /docker/scripts/* /usr/bin/

docker/nginx/refstack-site.conf

@@ -1,4 +1,8 @@
 server {
+    proxy_connect_timeout 600;
+    proxy_send_timeout 600;
+    proxy_read_timeout 600;
+    send_timeout 600;
     server_name 127.0.0.1;
     listen 443 ssl;
 

docker/scripts/api-up

@@ -2,4 +2,4 @@
 [[ ${DEBUG_MODE} ]] && set -x
 api-sync
 cd /home/dev/refstack
-.venv/bin/pecan serve refstack/api/config.py > /dev/null
+.venv/bin/pecan serve refstack/api/config.py

docker/scripts/start.sh

@@ -41,7 +41,8 @@ build_refstack_env () {
     #Install some dev tools
     .venv/bin/pip install ipython ipdb httpie
     cd /home/dev/refstack
-    bower install --config.interactive=false
+    npm install
+#    bower install --config.interactive=false
 
     build_tmpl /refstack/docker/templates/config.json.tmpl /home/dev/refstack/refstack-ui/app/config.json
     build_tmpl /refstack/docker/templates/refstack.conf.tmpl /home/dev/refstack.conf

docker/templates/refstack.conf.tmpl

@@ -1,12 +1,16 @@
 [DEFAULT]
 debug = true
 verbose = true
+ui_url = https://${REFSTACK_HOST:-127.0.0.1}
 
 [api]
 static_root = /home/dev/refstack/refstack-ui/app
 template_path = /home/dev/refstack/refstack-ui/app
 app_dev_mode = true
-test_results_url = https://${REFSTACK_HOST:-127.0.0.1}/#/results/%s
+api_url = https://${REFSTACK_HOST:-127.0.0.1}
 
 [database]
 connection = ${REFSTACK_MYSQL_URL}
+
+[osid]
+openstack_openid_endpoint = https://172.17.42.1:8443/accounts/openid2

etc/refstack.conf.sample

@@ -40,14 +40,16 @@
 #log_dir = <None>
 
 # Use syslog for logging. Existing syslog format is DEPRECATED during
-# I, and will change in J to honor RFC5424. (boolean value)
+# I, and changed in J to honor RFC5424. (boolean value)
 #use_syslog = false
 
 # (Optional) Enables or disables syslog rfc5424 format for logging. If
 # enabled, prefixes the MSG part of the syslog message with APP-NAME
-# (RFC5424). The format without the APP-NAME is deprecated in I, and
+# (RFC5424). The format without the APP-NAME is deprecated in K, and
-# will be removed in J. (boolean value)
+# will be removed in M, along with this option. (boolean value)
-#use_syslog_rfc_format = false
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#use_syslog_rfc_format = true
 
 # Syslog facility to receive log lines. (string value)
 #syslog_log_facility = LOG_USER
@@ -67,7 +69,7 @@
 
 # Prefix each line of exception output with this format. (string
 # value)
-#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
 
 # List of logger=LEVEL pairs. (list value)
 #default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
@@ -86,10 +88,17 @@
 # (string value)
 #instance_uuid_format = "[instance: %(uuid)s] "
 
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
 #
 # From refstack
 #
 
+# Url of user interface for Refstack. Need for redirects after sign in
+# and sign out. (string value)
+#ui_url = http://refstack.net
+
 # The backend to use for database. (string value)
 #db_backend = sqlalchemy
 
@@ -100,6 +109,9 @@
 # From refstack
 #
 
+# Url of public Refstack API. (string value)
+#api_url = http://api.refstack.net
+
 # The directory where your static files can be found. Pecan comes with
 # middleware that can be used to serve static files (like CSS and
 # Javascript files) during development. %(project_root)s is special
@@ -116,9 +128,9 @@
 # relative the project root. (string value)
 #template_path = %(project_root)s/templates
 
-# List of sites allowed cross-origin resource access. If this is empty,
+# List of sites allowed cross-site resource access. If this is empty,
-# only same-origin requests are allowed.
+# only same-origin requests are allowed. (list value)
-#allowed_cors_origins =  http://refstack.net, http://localhost:8080
+#allowed_cors_origins =
 
 # Switch Refstack app into debug mode. Helpful for development. In
 # debug mode static file will be served by pecan application. Also,
@@ -127,7 +139,17 @@
 #app_dev_mode = false
 
 # Template for test result url. (string value)
-#test_results_url = http://refstack.net/output.html?test_id=%s
+#test_results_url = /#/results/%s
+
+# The GitHub API URL of the repository and location of the DefCore
+# capability files. This URL is used to get a listing of all
+# capability files. (string value)
+#github_api_capabilities_url = https://api.github.com/repos/openstack/defcore/contents
+
+# This is the base URL that is used for retrieving specific capability
+# files. Capability file names will be appended to this URL to get the
+# contents of that file. (string value)
+#github_raw_base_url = https://raw.githubusercontent.com/openstack/defcore/master/
 
 # Number of results for one page (integer value)
 #results_per_page = 20
@@ -135,15 +157,6 @@
 # The format for start_date and end_date parameters (string value)
 #input_date_format = %Y-%m-%d %H:%M:%S
 
-# The GitHub API URL of the repository and location of the DefCore
-# capability files. This URL is used to get a listing of all capability
-# files.
-#github_api_capabilities_url = https://api.github.com/repos/openstack/defcore/contents
-
-# The base URL that is used for retrieving specific capability files.
-# Capability file names will be appended to this URL to get the contents
-# of that file.
-#github_raw_base_url = https://raw.githubusercontent.com/openstack/defcore/master/
 
 [database]
 
@@ -249,3 +262,51 @@
 # error is raised. Set to -1 to specify an infinite retry count.
 # (integer value)
 #db_max_retries = 20
+
+
+[osid]
+
+#
+# From refstack
+#
+
+# OpenStackID Auth Server URI. (string value)
+#openstack_openid_endpoint = https://openstackid.org/accounts/openid2
+
+# Interaction mode. Specifies whether Openstack Id IdP may interact
+# with the user to determine the outcome of the request. (string
+# value)
+#openid_mode = checkid_setup
+
+# Protocol version. Value identifying the OpenID protocol version
+# being used. This value should be "http://specs.openid.net/auth/2.0".
+# (string value)
+#openid_ns = http://specs.openid.net/auth/2.0
+
+# Return endpoint in Refstack's API. Value indicating the endpoint
+# where the user should be returned to after signing in. Openstack Id
+# Idp only supports HTTPS address types. (string value)
+#openid_return_to = /v1/auth/signin_return
+
+# Claimed identifier. This value must be set to
+# "http://specs.openid.net/auth/2.0/identifier_select". or to user
+# claimed identity (user local identifier or user owned identity [ex:
+# custom html hosted on a owned domain set to html discover]). (string
+# value)
+#openid_claimed_id = http://specs.openid.net/auth/2.0/identifier_select
+
+# Alternate identifier. This value must be set to
+# http://specs.openid.net/auth/2.0/identifier_select. (string value)
+#openid_identity = http://specs.openid.net/auth/2.0/identifier_select
+
+# Indicates request for user attribute information. This value must be
+# set to "http://openid.net/extensions/sreg/1.1". (string value)
+#openid_ns_sreg = http://openid.net/extensions/sreg/1.1
+
+# Comma-separated list of field names which, if absent from the
+# response, will prevent the Consumer from completing the registration
+# without End User interation. The field names are those that are
+# specified in the Response Format, with the "openid.sreg." prefix
+# removed. Valid values include: "country", "email", "firstname",
+# "language", "lastname" (string value)
+#openid_sreg_required = email,fullname

refstack-ui/app/app.js

@@ -35,6 +35,29 @@ refstackApp.config([
                 url: '/results/:testID',
                 templateUrl: '/components/results-report/resultsReport.html',
                 controller: 'resultsReportController'
+            }).
+            state('profile', {
+                url: '/profile',
+                templateUrl: '/components/profile/profile.html',
+                controller: 'profileController'
+            });
+    }
+]);
+
+/**
+ * Try to authenticate user
+ */
+
+refstackApp.run(['$http', '$rootScope', 'refstackApiUrl',
+    function($http, $rootScope, refstackApiUrl) {
+        'use strict';
+        var profile_url = refstackApiUrl + '/profile';
+        $http.get(profile_url, {withCredentials: true}).
+            success(function(data) {
+                $rootScope.currentUser = data;
+            }).
+            error(function() {
+                $rootScope.currentUser = null;
             });
     }
 ]);

refstack-ui/app/components/auth/authController.js

@@ -0,0 +1,29 @@
+var refstackApp = angular.module('refstackApp');
+
+ /**
+ * Refstack Auth Controller
+ * This controller handles account authentication for users.
+ */
+
+refstackApp.controller('authController',
+    ['$scope', '$window', '$rootScope', 'refstackApiUrl',
+    function($scope, $window, $rootScope, refstackApiUrl){
+        'use strict';
+        var sign_in_url = refstackApiUrl + '/auth/signin';
+        $scope.doSignIn = function () {
+            $window.location.href = sign_in_url;
+        };
+
+        var sign_out_url = refstackApiUrl + '/auth/signout';
+        $scope.doSignOut = function () {
+            $rootScope.currentUser = null;
+            $window.location.href = sign_out_url;
+        };
+
+        $scope.isAuthenticated = function () {
+            if ($scope.currentUser) {
+                return !!$scope.currentUser.openid;
+            }
+            return false;
+        };
+    }]);

refstack-ui/app/components/profile/profile.html

@@ -0,0 +1,4 @@
+<h1>Hello, {{user.fullname}}!</h1>
+{{bar}}
+<p>openid: {{user.openid}}</p>
+<p>email: {{user.email}}</p>

refstack-ui/app/components/profile/profileController.js

@@ -0,0 +1,21 @@
+ /**
+ * Refstack User Profile Controller
+ * This controller handles user's profile page, where a user can view
+ * account-specific information.
+ */
+
+var refstackApp = angular.module('refstackApp');
+
+refstackApp.controller('profileController',
+    ['$scope', '$http', 'refstackApiUrl', '$state',
+    function($scope, $http, refstackApiUrl, $state) {
+        'use strict';
+        var profile_url = refstackApiUrl + '/profile';
+        $http.get(profile_url, {withCredentials: true}).
+            success(function(data) {
+                $scope.user = data;
+            }).
+            error(function() {
+                $state.go('home');
+            });
+    }]);

refstack-ui/app/index.html

@@ -40,6 +40,8 @@
         <script src="components/capabilities/capabilitiesController.js"></script>
         <script src="components/results/resultsController.js"></script>
         <script src="components/results-report/resultsReportController.js"></script>
+        <script src="components/profile/profileController.js"></script>
+        <script src="components/auth/authController.js"></script>
 
         <!-- Filters -->
         <script src="shared/filters.js"></script>

refstack-ui/app/shared/header/header.html

@@ -20,6 +20,11 @@ Refstack
             <li ng-class="{ active: isActive('/capabilities')}"><a ui-sref="capabilities">DefCore Capabilities</a></li>
             <li ng-class="{ active: isActive('/results')}"><a ui-sref="results">Community Results</a></li>
           </ul>
+          <ul ng-controller="authController" class="nav navbar-nav navbar-right">
+            <li ng-class="{ active: isActive('/profile')}" ng-if="isAuthenticated()"><a ui-sref="profile">{{currentUser.fullname}}</a></li>
+            <li ng-if="isAuthenticated()"><a href="" ng-click="doSignOut()">Sign Out</a></li>
+            <li ng-if="!isAuthenticated()"><a href="" ng-click="doSignIn()">Sign In / Sign Up</a></li>
+          </ul>
         </div>
     </div>
 </nav>

refstack-ui/tests/unit/ControllerSpec.js

@@ -2,9 +2,16 @@
 describe('Refstack controllers', function () {
     'use strict';
 
+    var fakeApiUrl = 'http://foo.bar/v1';
+    beforeEach(function () {
+        module(function ($provide) {
+            $provide.constant('refstackApiUrl', fakeApiUrl);
+        });
+        module('refstackApp');
+    });
+
     describe('headerController', function () {
         var scope, $location;
-        beforeEach(module('refstackApp'));
 
         beforeEach(inject(function ($rootScope, $controller, _$location_) {
             scope = $rootScope.$new();
@@ -29,15 +36,39 @@ describe('Refstack controllers', function () {
             });
     });
 
+    describe('authController', function () {
+        var scope, $httpBackend, $window;
+
+        beforeEach(inject(function (_$httpBackend_, $rootScope, $controller) {
+            $httpBackend = _$httpBackend_;
+            scope = $rootScope.$new();
+            $window = {location: { href: jasmine.createSpy()} };
+            $controller('authController', {$scope: scope, $window: $window});
+        }));
+
+        it('should show signin url for signed user', function () {
+            $httpBackend.expectGET(fakeApiUrl +
+            '/profile').respond({'openid': 'foo@bar.com',
+                                 'email': 'foo@bar.com',
+                                 'fullname': 'foo' });
+            $httpBackend.flush();
+            scope.doSignIn();
+            expect($window.location.href).toBe(fakeApiUrl + '/auth/signin');
+            expect(scope.isAuthenticated()).toBe(true);
+        });
+
+        it('should show signout url for not signed user', function () {
+            $httpBackend.expectGET(fakeApiUrl +
+            '/profile').respond(401);
+            $httpBackend.flush();
+            scope.doSignOut();
+            expect($window.location.href).toBe(fakeApiUrl + '/auth/signout');
+            expect(scope.isAuthenticated()).toBe(false);
+        });
+    });
+
     describe('capabilitiesController', function () {
         var scope, $httpBackend;
-        var fakeApiUrl = 'http://foo.bar/v1';
-        beforeEach(function () {
-            module('refstackApp');
-            module(function ($provide) {
-                $provide.constant('refstackApiUrl', fakeApiUrl);
-            });
-        });
 
         beforeEach(inject(function (_$httpBackend_, $rootScope, $controller) {
             $httpBackend = _$httpBackend_;
@@ -56,6 +87,8 @@ describe('Refstack controllers', function () {
         });
 
         it('should fetch the selected capabilities version', function () {
+            $httpBackend.expectGET(fakeApiUrl +
+            '/profile').respond(401);
             $httpBackend.expectGET(fakeApiUrl +
             '/capabilities').respond(['2015.03.json', '2015.04.json']);
             // Should call request with latest version.
@@ -115,7 +148,6 @@ describe('Refstack controllers', function () {
 
     describe('resultsController', function () {
         var scope, $httpBackend;
-        var fakeApiUrl = 'http://foo.bar/v1';
         var fakeResponse = {
             'pagination': {'current_page': 1, 'total_pages': 2},
             'results': [{
@@ -125,13 +157,6 @@ describe('Refstack controllers', function () {
             }]
         };
 
-        beforeEach(function () {
-            module('refstackApp');
-            module(function ($provide) {
-                $provide.constant('refstackApiUrl', fakeApiUrl);
-            });
-        });
-
         beforeEach(inject(function (_$httpBackend_, $rootScope, $controller) {
             $httpBackend = _$httpBackend_;
             scope = $rootScope.$new();
@@ -141,6 +166,7 @@ describe('Refstack controllers', function () {
         it('should fetch the first page of results with proper URL args',
             function () {
                 // Initial results should be page 1 of all results.
+                $httpBackend.expectGET(fakeApiUrl + '/profile').respond(401);
                 $httpBackend.expectGET(fakeApiUrl +
                 '/results?page=1').respond(fakeResponse);
                 $httpBackend.flush();
@@ -162,6 +188,7 @@ describe('Refstack controllers', function () {
             });
 
         it('should set an error when results cannot be retrieved', function () {
+            $httpBackend.expectGET(fakeApiUrl + '/profile').respond(401);
             $httpBackend.expectGET(fakeApiUrl + '/results?page=1').respond(404,
                 {'detail': 'Not Found'});
             $httpBackend.flush();
@@ -174,6 +201,7 @@ describe('Refstack controllers', function () {
 
         it('should have an function to clear filters and update the view',
             function () {
+                $httpBackend.expectGET(fakeApiUrl + '/profile').respond(401);
                 $httpBackend.expectGET(fakeApiUrl +
                 '/results?page=1').respond(fakeResponse);
                 scope.startDate = 'some date';
@@ -190,7 +218,6 @@ describe('Refstack controllers', function () {
 
     describe('resultsReportController', function () {
         var scope, $httpBackend, stateparams;
-        var fakeApiUrl = 'http://foo.bar/v1';
         var fakeResultResponse = {'results': ['test_id_1']};
         var fakeCapabilityResponse = {
             'platform': {'required': ['compute']},
@@ -211,13 +238,6 @@ describe('Refstack controllers', function () {
             }
         };
 
-        beforeEach(function () {
-            module('refstackApp');
-            module(function ($provide) {
-                $provide.constant('refstackApiUrl', fakeApiUrl);
-            });
-        });
-
         beforeEach(inject(function (_$httpBackend_, $rootScope, $controller) {
             $httpBackend = _$httpBackend_;
             stateparams = {testID: 1234};
@@ -229,6 +249,7 @@ describe('Refstack controllers', function () {
         it('should make all necessary API requests to get results ' +
             'and capabilities',
             function () {
+                $httpBackend.expectGET(fakeApiUrl + '/profile').respond(401);
                 $httpBackend.expectGET(fakeApiUrl +
                 '/results/1234').respond(fakeResultResponse);
                 $httpBackend.expectGET(fakeApiUrl +

refstack-ui/tests/unit/FilterSpec.js

@@ -2,9 +2,16 @@
 describe('Refstack filters', function () {
     'use strict';
 
+    var fakeApiUrl = 'http://foo.bar/v1';
+    beforeEach(function () {
+        module(function ($provide) {
+            $provide.constant('refstackApiUrl', fakeApiUrl);
+        });
+        module('refstackApp');
+    });
+
     describe('Filter: arrayConverter', function () {
         var $filter;
-        beforeEach(module('refstackApp'));
         beforeEach(inject(function (_$filter_) {
             $filter = _$filter_('arrayConverter');
         }));
@@ -19,7 +26,6 @@ describe('Refstack filters', function () {
 
     describe('Filter: capitalize', function() {
         var $filter;
-        beforeEach(module('refstackApp'));
         beforeEach(inject(function(_$filter_) {
             $filter = _$filter_('capitalize');
         }));

refstack/__init__.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""Refstack package."""

refstack/api/__init__.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""Refstack API package."""

refstack/api/app.py

@@ -19,20 +19,33 @@ import json
 import logging
 import os
 
+from beaker.middleware import SessionMiddleware
 from oslo_config import cfg
 from oslo_log import log
 from oslo_log import loggers
 import pecan
 import webob
 
+from refstack.api import utils as api_utils
 from refstack.common import validators
 
 LOG = log.getLogger(__name__)
 
 PROJECT_ROOT = os.path.join(os.path.dirname(os.path.abspath(__file__)),
                             os.pardir)
+UI_OPTS = [
+    cfg.StrOpt('ui_url',
+               default='http://refstack.net',
+               help='Url of user interface for Refstack. Need for redirects '
+                    'after sign in and sign out.'
+               ),
+]
 
 API_OPTS = [
+    cfg.StrOpt('api_url',
+               default='http://refstack.net',
+               help='Url of public Refstack API.'
+               ),
     cfg.StrOpt('static_root',
                default='%(project_root)s/static',
                help='The directory where your static files can '
@@ -65,7 +78,7 @@ API_OPTS = [
                      'contain some details with debug information.'
                 ),
     cfg.StrOpt('test_results_url',
-               default='http://refstack.net/#/results/%s',
+               default='/#/results/%s',
                help='Template for test result url.'
                ),
     cfg.StrOpt('github_api_capabilities_url',
@@ -89,6 +102,8 @@ CONF = cfg.CONF
 opt_group = cfg.OptGroup(name='api',
                          title='Options for the Refstack API')
 
+CONF.register_opts(UI_OPTS)
+
 CONF.register_group(opt_group)
 CONF.register_opts(API_OPTS, opt_group)
 
@@ -96,9 +111,8 @@ log.register_options(CONF)
 
 
 class JSONErrorHook(pecan.hooks.PecanHook):
-    """
+
-    A pecan hook that translates webob HTTP errors into a JSON format.
+    """A pecan hook that translates webob HTTP errors into a JSON format."""
-    """
 
     def __init__(self):
         """Hook init."""
@@ -106,7 +120,9 @@ class JSONErrorHook(pecan.hooks.PecanHook):
 
     def on_error(self, state, exc):
         """Request error handler."""
-        if isinstance(exc, webob.exc.HTTPError):
+        if isinstance(exc, webob.exc.HTTPRedirection):
+            return
+        elif isinstance(exc, webob.exc.HTTPError):
             status_code = exc.status_int
             body = {'title': exc.title}
         elif isinstance(exc, validators.ValidationError):
@@ -128,9 +144,8 @@ class JSONErrorHook(pecan.hooks.PecanHook):
 
 
 class CORSHook(pecan.hooks.PecanHook):
-    """
+
-    A pecan hook that handles Cross-Origin Resource Sharing.
+    """A pecan hook that handles Cross-Origin Resource Sharing."""
-    """
 
     def __init__(self):
         """Init the hook by getting the allowed origins."""
@@ -149,6 +164,7 @@ class CORSHook(pecan.hooks.PecanHook):
                 'GET, OPTIONS, PUT, POST'
             state.response.headers['Access-Control-Allow-Headers'] = \
                 'origin, authorization, accept, content-type'
+            state.response.headers['Access-Control-Allow-Credentials'] = 'true'
 
 
 def setup_app(config):
@@ -187,8 +203,16 @@ def setup_app(config):
         )]
     )
 
+    beaker_conf = {
+        'session.key': 'refstack',
+        'session.type': 'memory',
+        'session.timeout': 604800,
+        'session.validate_key': api_utils.get_token(),
+    }
+    app = SessionMiddleware(app, beaker_conf)
+
     if CONF.api.app_dev_mode:
-        LOG.debug('\n\n Refstack is served at %s \n\n',
+        LOG.debug('\n\n <<< Refstack UI is available at %s >>>\n\n',
-                  CONF.api.test_results_url.split('/#/')[0])
+                  CONF.ui_url)
 
     return app

refstack/api/constants.py

@@ -12,12 +12,27 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
-"""
+"""Constants for Refstack API."""
-Constants for Refstack API
-"""
 
 # Names of input parameters for request
 START_DATE = 'start_date'
 END_DATE = 'end_date'
 CPID = 'cpid'
 PAGE = 'page'
+
+# OpenID parameters
+OPENID_MODE = 'openid.mode'
+OPENID_NS = 'openid.ns'
+OPENID_RETURN_TO = 'openid.return_to'
+OPENID_CLAIMED_ID = 'openid.claimed_id'
+OPENID_IDENTITY = 'openid.identity'
+OPENID_REALM = 'openid.realm'
+OPENID_NS_SREG = 'openid.ns.sreg'
+OPENID_NS_SREG_REQUIRED = 'openid.sreg.required'
+OPENID_NS_SREG_EMAIL = 'openid.sreg.email'
+OPENID_NS_SREG_FULLNAME = 'openid.sreg.fullname'
+OPENID_ERROR = 'openid.error'
+
+# User session parameters
+CSRF_TOKEN = 'csrf_token'
+USER_OPENID = 'user_openid'

refstack/api/controllers/__init__.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""API controllers package."""

refstack/api/controllers/auth.py

@@ -0,0 +1,170 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""Authentication controller."""
+from oslo_config import cfg
+from oslo_log import log
+import pecan
+from pecan import rest
+from six.moves.urllib import parse
+
+from refstack.api import constants as const
+from refstack.api import utils as api_utils
+from refstack import db
+
+
+LOG = log.getLogger(__name__)
+
+OPENID_OPTS = [
+    cfg.StrOpt('openstack_openid_endpoint',
+               default='https://openstackid.org/accounts/openid2',
+               help='OpenStackID Auth Server URI.'
+               ),
+    cfg.StrOpt('openid_mode',
+               default='checkid_setup',
+               help='Interaction mode. Specifies whether Openstack Id '
+                    'IdP may interact with the user to determine the '
+                    'outcome of the request.'
+               ),
+    cfg.StrOpt('openid_ns',
+               default='http://specs.openid.net/auth/2.0',
+               help='Protocol version. Value identifying the OpenID '
+                    'protocol version being used. This value should '
+                    'be "http://specs.openid.net/auth/2.0".'
+               ),
+    cfg.StrOpt('openid_return_to',
+               default='/v1/auth/signin_return',
+               help='Return endpoint in Refstack\'s API. Value indicating '
+                    'the endpoint where the user should be returned to after '
+                    'signing in. Openstack Id Idp only supports HTTPS '
+                    'address types.'
+               ),
+    cfg.StrOpt('openid_claimed_id',
+               default='http://specs.openid.net/auth/2.0/identifier_select',
+               help='Claimed identifier. This value must be set to '
+                    '"http://specs.openid.net/auth/2.0/identifier_select". '
+                    'or to user claimed identity (user local identifier '
+                    'or user owned identity [ex: custom html hosted on a '
+                    'owned domain set to html discover]).'
+               ),
+    cfg.StrOpt('openid_identity',
+               default='http://specs.openid.net/auth/2.0/identifier_select',
+               help='Alternate identifier. This value must be set to '
+                    'http://specs.openid.net/auth/2.0/identifier_select.'
+               ),
+    cfg.StrOpt('openid_ns_sreg',
+               default='http://openid.net/extensions/sreg/1.1',
+               help='Indicates request for user attribute information. '
+                    'This value must be set to '
+                    '"http://openid.net/extensions/sreg/1.1".'
+               ),
+    cfg.StrOpt('openid_sreg_required',
+               default='email,fullname',
+               help='Comma-separated list of field names which, '
+                    'if absent from the response, will prevent the '
+                    'Consumer from completing the registration without '
+                    'End User interation. The field names are those that '
+                    'are specified in the Response Format, with the '
+                    '"openid.sreg." prefix removed. Valid values include: '
+                    '"country", "email", "firstname", "language", "lastname"'
+               )
+]
+
+CONF = cfg.CONF
+opt_group = cfg.OptGroup(name='osid',
+                         title='Options for the Refstack OpenID 2.0 through '
+                               'Openstack Authentication Server')
+CONF.register_group(opt_group)
+CONF.register_opts(OPENID_OPTS, opt_group)
+
+
+class AuthController(rest.RestController):
+
+    """Controller provides user authentication in OpenID 2.0 IdP."""
+
+    _custom_actions = {
+        "signin": ["GET"],
+        "signin_return": ["GET"],
+        "signout": ["GET"]
+    }
+
+    @pecan.expose()
+    def signin(self):
+        """Handle signin request."""
+        session = api_utils.get_user_session()
+        if api_utils.is_authenticated():
+            pecan.redirect(CONF.ui_url)
+        else:
+            api_utils.delete_params_from_user_session([const.USER_OPENID])
+
+        csrf_token = api_utils.get_token()
+        session[const.CSRF_TOKEN] = csrf_token
+        session.save()
+        return_endpoint = parse.urljoin(CONF.api.api_url,
+                                        CONF.osid.openid_return_to)
+        return_to = api_utils.set_query_params(return_endpoint,
+                                               {const.CSRF_TOKEN: csrf_token})
+
+        params = {
+            const.OPENID_MODE: CONF.osid.openid_mode,
+            const.OPENID_NS: CONF.osid.openid_ns,
+            const.OPENID_RETURN_TO: return_to,
+            const.OPENID_CLAIMED_ID: CONF.osid.openid_claimed_id,
+            const.OPENID_IDENTITY: CONF.osid.openid_identity,
+            const.OPENID_REALM: CONF.api.api_url,
+            const.OPENID_NS_SREG: CONF.osid.openid_ns_sreg,
+            const.OPENID_NS_SREG_REQUIRED: CONF.osid.openid_sreg_required,
+        }
+        url = CONF.osid.openstack_openid_endpoint
+        url = api_utils.set_query_params(url, params)
+        pecan.redirect(location=url)
+
+    @pecan.expose()
+    def signin_return(self):
+        """Handle returned request from OpenID 2.0 IdP."""
+        session = api_utils.get_user_session()
+        if pecan.request.GET.get(const.OPENID_ERROR):
+            api_utils.delete_params_from_user_session([const.CSRF_TOKEN])
+            pecan.abort(401, pecan.request.GET.get(const.OPENID_ERROR))
+
+        if pecan.request.GET.get(const.OPENID_MODE) == 'cancel':
+            api_utils.delete_params_from_user_session([const.CSRF_TOKEN])
+            pecan.abort(401, 'Authentication canceled.')
+
+        session_token = session.get(const.CSRF_TOKEN)
+        request_token = pecan.request.GET.get(const.CSRF_TOKEN)
+        if request_token != session_token:
+            api_utils.delete_params_from_user_session([const.CSRF_TOKEN])
+            pecan.abort(401, 'Authentication is failed. Try again.')
+
+        api_utils.verify_openid_request(pecan.request)
+        user_info = {
+            'openid': pecan.request.GET.get(const.OPENID_CLAIMED_ID),
+            'email': pecan.request.GET.get(const.OPENID_NS_SREG_EMAIL),
+            'fullname': pecan.request.GET.get(const.OPENID_NS_SREG_FULLNAME)
+        }
+        user = db.user_update_or_create(user_info)
+
+        api_utils.delete_params_from_user_session([const.CSRF_TOKEN])
+        session[const.USER_OPENID] = user.openid
+        session.save()
+
+        pecan.redirect(CONF.ui_url)
+
+    @pecan.expose()
+    def signout(self):
+        """Handle signout request."""
+        if api_utils.is_authenticated():
+            api_utils.delete_params_from_user_session([const.USER_OPENID])
+        pecan.redirect(CONF.ui_url)

refstack/api/controllers/root.py

@@ -32,4 +32,9 @@ class RootController(object):
     if CONF.api.app_dev_mode:
         @expose(generic=True, template='index.html')
         def index(self):
+            """Return index.html in development mode.
+
+            It allows to run both API and UI with pecan serve.
+            Template path should point into UI app folder
+            """
             return dict()

refstack/api/controllers/user.py

@@ -0,0 +1,39 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""User profile controller."""
+import pecan
+from pecan import rest
+from pecan.secure import secure
+
+from refstack.api import constants as const
+from refstack.api import utils as api_utils
+from refstack import db
+
+
+class ProfileController(rest.RestController):
+
+    """Controller provides user information in OpenID 2.0 IdP."""
+
+    @secure(api_utils.is_authenticated)
+    @pecan.expose('json')
+    def get(self):
+        """Handle get request on user info."""
+        session = api_utils.get_user_session()
+        user = db.user_get(session.get(const.USER_OPENID))
+        return {
+            "openid": user.openid,
+            "email": user.email,
+            "fullname": user.fullname
+        }

refstack/api/controllers/v1.py

@@ -24,10 +24,13 @@ from pecan import rest
 import re
 import requests
 import requests_cache
+from six.moves.urllib import parse
 
 from refstack import db
 from refstack.api import constants as const
 from refstack.api import utils as api_utils
+from refstack.api.controllers import auth
+from refstack.api.controllers import user
 from refstack.common import validators
 
 LOG = log.getLogger(__name__)
@@ -55,7 +58,8 @@ requests_cache.install_cache(cache_name='github_cache',
 
 class BaseRestControllerWithValidation(rest.RestController):
 
-    """
+    """Rest controller with validation.
+
     Controller provides validation for POSTed data
     exposed endpoints:
     POST base_url/
@@ -66,22 +70,24 @@ class BaseRestControllerWithValidation(rest.RestController):
     __validator__ = None
 
     def __init__(self):  # pragma: no cover
+        """Init."""
         if self.__validator__:
             self.validator = self.__validator__()
         else:
             raise ValueError("__validator__ is not defined")
 
     def get_item(self, item_id):  # pragma: no cover
-        """Handler for getting item"""
+        """Handler for getting item."""
         raise NotImplementedError
 
     def store_item(self, item_in_json):  # pragma: no cover
-        """Handler for storing item. Should return new item id"""
+        """Handler for storing item. Should return new item id."""
         raise NotImplementedError
 
     @pecan.expose('json')
     def get_one(self, arg):
         """Return test results in JSON format.
+
         :param arg: item ID in uuid4 format or action
         """
         if self.validator.assert_id(arg):
@@ -110,7 +116,7 @@ class ResultsController(BaseRestControllerWithValidation):
     __validator__ = validators.TestResultValidator
 
     def get_item(self, item_id):
-        """Handler for getting item"""
+        """Handler for getting item."""
         test_info = db.get_test(item_id)
         if not test_info:
             pecan.abort(404)
@@ -122,7 +128,7 @@ class ResultsController(BaseRestControllerWithValidation):
                 "results": test_name_list}
 
     def store_item(self, item_in_json):
-        """Handler for storing item. Should return new item id"""
+        """Handler for storing item. Should return new item id."""
         item = item_in_json.copy()
         if pecan.request.headers.get('X-Public-Key'):
             if 'metadata' not in item:
@@ -132,21 +138,21 @@ class ResultsController(BaseRestControllerWithValidation):
         test_id = db.store_results(item)
         LOG.debug(item)
         return {'test_id': test_id,
-                'url': CONF.api.test_results_url % test_id}
+                'url': parse.urljoin(CONF.ui_url,
+                                     CONF.api.test_results_url) % test_id}
 
     @pecan.expose('json')
     def get(self):
-        """
+        """Get information of all uploaded test results.
+
         Get information of all uploaded test results in descending
-            chronological order.
+        chronological order. Make it possible to specify some
-            Make it possible to specify some input parameters
+        input parameters for filtering.
-            for filtering.
         For example:
             /v1/results?page=<page number>&cpid=1234.
         By default, page is set to page number 1,
         if the page parameter is not specified.
         """
-
         expected_input_params = [
             const.START_DATE,
             const.END_DATE,
@@ -192,8 +198,11 @@ class ResultsController(BaseRestControllerWithValidation):
 
 class CapabilitiesController(rest.RestController):
 
-    """/v1/capabilities handler. This acts as a proxy for retrieving
+    """/v1/capabilities handler.
-       capability files from the openstack/defcore Github repository."""
+
+    This acts as a proxy for retrieving capability files
+    from the openstack/defcore Github repository.
+    """
 
     @pecan.expose('json')
     def get(self):
@@ -248,3 +257,5 @@ class V1Controller(object):
 
     results = ResultsController()
     capabilities = CapabilitiesController()
+    auth = auth.AuthController()
+    profile = user.ProfileController()

refstack/api/utils.py

@@ -15,12 +15,18 @@
 
 """Refstack API's utils."""
 import copy
+import random
+import requests
+import string
 
 from oslo_config import cfg
 from oslo_log import log
 from oslo_utils import timeutils
 import pecan
+import six
+from six.moves.urllib import parse
 
+from refstack import db
 from refstack.api import constants as const
 
 LOG = log.getLogger(__name__)
@@ -28,6 +34,9 @@ CONF = cfg.CONF
 
 
 class ParseInputsError(Exception):
+
+    """Raise if input params are invalid."""
+
     pass
 
 
@@ -55,7 +64,6 @@ def parse_input_params(expected_input_params):
 
     :param expecred_params: (array) Expected input
                             params specified in constants.
-
     """
     raw_filters = _get_input_params_from_request(expected_input_params)
     filters = copy.deepcopy(raw_filters)
@@ -83,6 +91,7 @@ def parse_input_params(expected_input_params):
 
 def _calculate_pages_number(per_page, records_count):
     """Return pages number.
+
     :param per_page: (int) results number fot one page.
     :param records_count: (int) total records count.
     """
@@ -93,7 +102,8 @@ def _calculate_pages_number(per_page, records_count):
 
 
 def get_page_number(records_count):
-    """Get page number from request
+    """Get page number from request.
+
     :param records_count: (int) total records count.
     """
     page_number = pecan.request.GET.get(const.PAGE)
@@ -121,3 +131,80 @@ def get_page_number(records_count):
                                'is greater than the total number of pages.')
 
     return (page_number, total_pages)
+
+
+def set_query_params(url, params):
+    """Set params in given query."""
+    url_parts = parse.urlparse(url)
+    url = parse.urlunparse((
+        url_parts.scheme,
+        url_parts.netloc,
+        url_parts.path,
+        url_parts.params,
+        parse.urlencode(params),
+        url_parts.fragment))
+    return url
+
+
+def get_token(length=30):
+    """Get random token."""
+    return ''.join(random.choice(string.ascii_lowercase)
+                   for i in range(length))
+
+
+def delete_params_from_user_session(params):
+    """Delete params from user session."""
+    session = get_user_session()
+    for param in params:
+        if session.get(param):
+            del session[param]
+    session.save()
+
+
+def get_user_session():
+    """Return user session."""
+    return pecan.request.environ['beaker.session']
+
+
+def is_authenticated():
+    """Return True if user is authenticated."""
+    session = get_user_session()
+    if session.get(const.USER_OPENID):
+        try:
+            if db.user_get(session.get(const.USER_OPENID)):
+                return True
+        except db.UserNotFound:
+            pass
+    return False
+
+
+def verify_openid_request(request):
+    """Verify OpenID returned request in OpenID."""
+    verify_params = dict(request.params.copy())
+    verify_params["openid.mode"] = "check_authentication"
+
+    verify_response = requests.post(
+        CONF.osid.openstack_openid_endpoint, data=verify_params,
+        verify=not CONF.api.app_dev_mode
+    )
+    verify_data_tokens = verify_response.content.split()
+    verify_dict = dict((token.split(":")[0], token.split(":")[1])
+                       for token in verify_data_tokens)
+
+    if (verify_response.status_code / 100 != 2
+            or verify_dict['is_valid'] != 'true'):
+        pecan.abort(401, 'Authentication is failed. Try again.')
+
+    # Is the data we've received within our required parameters?
+    required_parameters = {
+        const.OPENID_NS_SREG_EMAIL: 'Please permit access to '
+                                    'your email address.',
+        const.OPENID_NS_SREG_FULLNAME: 'Please permit access to '
+                                       'your name.',
+    }
+
+    for name, error in six.iteritems(required_parameters):
+        if name not in verify_params or not verify_params[name]:
+            pecan.abort(401, 'Authentication is failed. %s' % error)
+
+    return True

refstack/common/__init__.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""Refstack common package."""

refstack/common/validators.py

@@ -13,8 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-""" Validators module
+"""Validators module."""
-"""
 
 import binascii
 import uuid
@@ -30,7 +29,10 @@ ext_format_checker = jsonschema.FormatChecker()
 
 class ValidationError(Exception):
 
+    """Raise if request doesn't pass trough validation process."""
+
     def __init__(self, title, exc=None):
+        """Init."""
         super(ValidationError, self).__init__(title)
         self.exc = exc
         self.title = title
@@ -40,9 +42,11 @@ class ValidationError(Exception):
             if self.exc else self.title
 
     def __repr__(self):
+        """Repr method."""
         return self.details
 
     def __str__(self):
+        """Str method."""
         return self.__repr__()
 
 
@@ -59,20 +63,20 @@ def is_uuid(inst):
                                  format='uuid_hex',
                                  raises=(TypeError, ValueError))
 def checker_uuid(inst):
-    """Checker 'uuid_hex' format for jsonschema validator"""
+    """Checker 'uuid_hex' format for jsonschema validator."""
     return is_uuid(inst)
 
 
 class Validator(object):
 
-    """Base class for validators"""
+    """Base class for validators."""
+
     def __init__(self):
+        """Init."""
         self.schema = {}  # pragma: no cover
 
     def validate(self, request):
-        """
+        """Validate request."""
-        :param json_data: data for validation
-        """
         try:
             body = json.loads(request.body)
         except (ValueError, TypeError) as e:
@@ -89,7 +93,7 @@ class TestResultValidator(Validator):
     """Validator for incoming test results."""
 
     def __init__(self):
-
+        """Init."""
         self.schema = {
             'type': 'object',
             'properties': {
@@ -122,6 +126,7 @@ class TestResultValidator(Validator):
         )
 
     def validate(self, request):
+        """Validate uploaded test results."""
         super(TestResultValidator, self).validate(request)
         if request.headers.get('X-Signature') or \
                 request.headers.get('X-Public-Key'):

refstack/db/__init__.py

@@ -12,8 +12,6 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
-"""
+"""DB abstraction for Refstack."""
-DB abstraction for Refstack
-"""
 
 from refstack.db.api import *  # noqa

refstack/db/api.py

@@ -18,7 +18,6 @@
 Functions in this module are imported into the refstack.db namespace.
 Call these functions from refstack.db namespace, not the refstack.db.api
 namespace.
-
 """
 from oslo_config import cfg
 from oslo_db import api as db_api
@@ -37,8 +36,9 @@ _BACKEND_MAPPING = {'sqlalchemy': 'refstack.db.sqlalchemy.api'}
 IMPL = db_api.DBAPI.from_config(cfg.CONF, backend_mapping=_BACKEND_MAPPING,
                                 lazy=True)
 
+UserNotFound = IMPL.UserNotFound
+
 
-###################
 def store_results(results):
     """Storing results into database.
 
@@ -79,3 +79,19 @@ def get_test_records_count(filters):
     :param filters: (Dict) Filters that will be applied for records.
     """
     return IMPL.get_test_records_count(filters)
+
+
+def user_get(user_openid):
+    """Get user info.
+
+    :param user_openid: User openid
+    """
+    return IMPL.user_get(user_openid)
+
+
+def user_update_or_create(user_info):
+    """Create user DB record if it exists, otherwise record will be updated.
+
+    :param user_info: User record
+    """
+    return IMPL.user_update_or_create(user_info)

refstack/db/migrations/__init__.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""Migrations."""

refstack/db/migrations/alembic/__init__.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""Alembic backend for migrations."""

refstack/db/migrations/alembic/env.py

@@ -14,6 +14,8 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
+"""Alembic environment script."""
+
 from __future__ import with_statement
 
 from alembic import context
@@ -23,12 +25,11 @@ from refstack.db.sqlalchemy import models as db_models
 
 
 def run_migrations_online():
-
     """Run migrations in 'online' mode.
 
     In this scenario we need to create an Engine
-    and associate a connection with the context."""
+    and associate a connection with the context.
-
+    """
     engine = db_api.get_engine()
     connection = engine.connect()
     target_metadata = db_models.RefStackBase.metadata

refstack/db/migrations/alembic/migration.py

@@ -12,9 +12,7 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
-"""
+"""Implementation of Alembic commands."""
-Implementation of Alembic commands.
-"""
 import os
 
 import alembic

refstack/db/migrations/alembic/versions/2f178b0bf762_create_user_table.py

@@ -0,0 +1,38 @@
+"""Create user table.
+
+Revision ID: 2f178b0bf762
+Revises: 42278d6179b9
+Create Date: 2015-05-12 12:15:43.810938
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '2f178b0bf762'
+down_revision = '42278d6179b9'
+MYSQL_CHARSET = 'utf8'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    """Upgrade DB."""
+    op.create_table(
+        'user',
+        sa.Column('updated_at', sa.DateTime()),
+        sa.Column('deleted_at', sa.DateTime()),
+        sa.Column('deleted', sa.Integer, default=0),
+        sa.Column('_id', sa.Integer(), nullable=False),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.Column('openid', sa.String(length=128),
+                  nullable=False, unique=True),
+        sa.Column('email', sa.String(length=128)),
+        sa.Column('fullname', sa.String(length=128)),
+        sa.PrimaryKeyConstraint('_id'),
+        mysql_charset=MYSQL_CHARSET
+    )
+
+
+def downgrade():
+    """Downgrade DB."""
+    op.drop_table('user')

refstack/db/migrations/alembic/versions/42278d6179b9_init.py

@@ -1,4 +1,4 @@
-"""Init
+"""Init.
 
 Revision ID: 42278d6179b9
 Revises: None
@@ -16,6 +16,7 @@ import sqlalchemy as sa
 
 
 def upgrade():
+    """Upgrade DB."""
     op.create_table(
         'test',
         sa.Column('updated_at', sa.DateTime()),
@@ -67,6 +68,7 @@ def upgrade():
 
 
 def downgrade():
+    """Downgrade DB."""
     op.drop_table('results')
     op.drop_table('meta')
     op.drop_table('test')

refstack/db/sqlalchemy/__init__.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""SQLAlchemy backend."""

refstack/db/sqlalchemy/api.py

@@ -12,9 +12,7 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
-"""
+"""Implementation of SQLAlchemy backend."""
-Implementation of SQLAlchemy backend.
-"""
 import sys
 import uuid
 
@@ -35,6 +33,7 @@ db_options.set_defaults(cfg.CONF)
 
 
 def _create_facade_lazily():
+    """Create DB facade lazily."""
     global _FACADE
     if _FACADE is None:
         _FACADE = db_session.EngineFacade.from_config(CONF)
@@ -42,25 +41,24 @@ def _create_facade_lazily():
 
 
 def get_engine():
+    """Get DB engine."""
     facade = _create_facade_lazily()
     return facade.get_engine()
 
 
 def get_session(**kwargs):
+    """Get DB session."""
     facade = _create_facade_lazily()
     return facade.get_session(**kwargs)
 
 
 def get_backend():
     """The backend is this module itself."""
-
     return sys.modules[__name__]
 
 
-###################
-
-
 def store_results(results):
+    """Store test results."""
     test = models.Test()
     test_id = str(uuid.uuid4())
     test.id = test_id
@@ -83,6 +81,7 @@ def store_results(results):
 
 
 def get_test(test_id):
+    """Get test info."""
     session = get_session()
     test_info = session.query(models.Test).\
         filter_by(id=test_id).\
@@ -91,6 +90,7 @@ def get_test(test_id):
 
 
 def get_test_results(test_id):
+    """Get test results."""
     session = get_session()
     results = session.query(models.TestResults.name).\
         filter_by(test_id=test_id).\
@@ -99,6 +99,7 @@ def get_test_results(test_id):
 
 
 def _apply_filters_for_query(query, filters):
+    """Apply filters for DB query."""
     start_date = filters.get(api_const.START_DATE)
     if start_date:
         query = query.filter(models.Test.created_at >= start_date)
@@ -115,6 +116,7 @@ def _apply_filters_for_query(query, filters):
 
 
 def get_test_records(page, per_page, filters):
+    """Get page with list of test records."""
     session = get_session()
     query = session.query(models.Test.id,
                           models.Test.created_at,
@@ -128,8 +130,39 @@ def get_test_records(page, per_page, filters):
 
 
 def get_test_records_count(filters):
+    """Get total test records count."""
     session = get_session()
     query = session.query(models.Test.id)
     records_count = _apply_filters_for_query(query, filters).count()
 
     return records_count
+
+
+class UserNotFound(Exception):
+
+    """Raise if user not found."""
+
+    pass
+
+
+def user_get(user_openid):
+    """Get user info by openid."""
+    session = get_session()
+    user = session.query(models.User).filter_by(openid=user_openid).first()
+    if user is None:
+        raise UserNotFound('User with OpenID %s not found' % user_openid)
+    return user
+
+
+def user_update_or_create(user_info):
+    """Create user DB record if it exists, otherwise record will be updated."""
+    try:
+        user = user_get(user_info['openid'])
+    except UserNotFound:
+        user = models.User()
+
+    session = get_session()
+    with session.begin():
+        user.update(user_info)
+        user.save(session=session)
+        return user

refstack/db/sqlalchemy/models.py

@@ -13,9 +13,7 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
-"""
+"""SQLAlchemy models for Refstack data."""
-SQLAlchemy models for Refstack data.
-"""
 
 from oslo_config import cfg
 from oslo_db.sqlalchemy import models
@@ -82,3 +80,15 @@ class TestMeta(BASE, RefStackBase):
                         index=True, nullable=False, unique=False)
     meta_key = sa.Column(sa.String(64), index=True, nullable=False)
     value = sa.Column(sa.Text())
+
+
+class User(BASE, RefStackBase):
+
+    """User information."""
+
+    __tablename__ = 'user'
+    _id = sa.Column(sa.Integer, primary_key=True, autoincrement=True)
+    openid = sa.Column(sa.String(128), nullable=False, unique=True,
+                       index=True)
+    email = sa.Column(sa.String(128))
+    fullname = sa.Column(sa.String(128))

refstack/db/utils.py

@@ -22,14 +22,17 @@ LOG = log.getLogger(__name__)
 
 
 class PluggableBackend(object):
+
     """A pluggable backend loaded lazily based on some value."""
 
     def __init__(self, pivot, **backends):
+        """Init."""
         self.__backends = backends
         self.__pivot = pivot
         self.__backend = None
 
     def __get_backend(self):
+        """Get backend."""
         if not self.__backend:
             backend_name = CONF[self.__pivot]
             if backend_name not in self.__backends:  # pragma: no cover
@@ -48,5 +51,6 @@ class PluggableBackend(object):
         return self.__backend
 
     def __getattr__(self, key):
+        """Proxy interface to backend."""
         backend = self.__get_backend()
         return getattr(backend, key)

refstack/opts.py

@@ -12,10 +12,10 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
-"""
+"""Function list_opts intended for oslo-config-generator.
-    Function list_opts intended for oslo-config-generator. It tool used for
+
-    generate config file with help info and default values for options defined
+this tool used for generate config file with help info and default values
-    anywhere in application.
+for options defined anywhere in application.
 All new options must be imported here and must be returned from
 list_opts function as list that contain tuple.
 Use itertools.chain if config section contain more than one imported module
@@ -35,13 +35,20 @@ import itertools
 
 import refstack.api.app
 import refstack.api.controllers.v1
+import refstack.api.controllers.auth
 import refstack.db.api
 
 
 def list_opts():
+    """List oslo config options.
+
+    Keep a list in alphabetical order
+    """
     return [
-        # Keep a list in alphabetical order
+        #
-        ('DEFAULT', refstack.db.api.db_opts),
+        ('DEFAULT', itertools.chain(refstack.api.app.UI_OPTS,
+                                    refstack.db.api.db_opts)),
         ('api', itertools.chain(refstack.api.app.API_OPTS,
                                 refstack.api.controllers.v1.CTRLS_OPTS)),
+        ('osid', refstack.api.controllers.auth.OPENID_OPTS),
     ]

refstack/tests/__init__.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""Refstack tests."""

refstack/tests/api/__init__.py

@@ -74,7 +74,7 @@ class FunctionalTest(base.BaseTestCase):
         self.app.reset()
 
     def drop_all_tables_and_constraints(self):
-        """Drop tables and cyclical constraints between tables"""
+        """Drop tables and cyclical constraints between tables."""
         engine = create_engine(self.connection)
         conn = engine.connect()
         trans = conn.begin()

refstack/tests/unit/__init__.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2015 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+"""Refstack unittests."""

refstack/tests/unit/test_api.py

@@ -23,10 +23,14 @@ import mock
 from oslo_config import fixture as config_fixture
 from oslotest import base
 import requests
+from six.moves.urllib import parse
+import webob.exc
 
 from refstack.api import constants as const
 from refstack.api import utils as api_utils
+from refstack.api.controllers import auth
 from refstack.api.controllers import v1
+from refstack.api.controllers import user
 
 
 def safe_json_dump(content):
@@ -62,10 +66,12 @@ class ResultsControllerTestCase(base.BaseTestCase):
         self.controller = v1.ResultsController()
         self.config_fixture = config_fixture.Config()
         self.CONF = self.useFixture(self.config_fixture).conf
-        self.test_results_url = 'host?%s'
+        self.test_results_url = '/#/results/%s'
+        self.ui_url = 'host.org'
         self.CONF.set_override('test_results_url',
                                self.test_results_url,
                                'api')
+        self.CONF.set_override('ui_url', self.ui_url)
 
     @mock.patch('refstack.db.get_test')
     @mock.patch('refstack.db.get_test_results')
@@ -101,9 +107,12 @@ class ResultsControllerTestCase(base.BaseTestCase):
         mock_request.headers = {}
         mock_store_results.return_value = 'fake_test_id'
         result = self.controller.post()
-        self.assertEqual(result,
+        self.assertEqual(
+            result,
             {'test_id': 'fake_test_id',
-                          'url': self.test_results_url % 'fake_test_id'})
+             'url': parse.urljoin(self.ui_url,
+                                  self.test_results_url) % 'fake_test_id'}
+        )
         self.assertEqual(mock_response.status, 201)
         mock_store_results.assert_called_once_with({'answer': 42})
 
@@ -366,3 +375,152 @@ class BaseRestControllerWithValidationTestCase(base.BaseTestCase):
         self.validator.assert_id = mock.Mock(return_value=False)
         self.controller.get_one('fake_arg')
         mock_abort.assert_called_once_with(404)
+
+
+class ProfileControllerTestCase(base.BaseTestCase):
+
+    def setUp(self):
+        super(ProfileControllerTestCase, self).setUp()
+        self.controller = user.ProfileController()
+
+    @mock.patch('refstack.db.user_get',
+                return_value=mock.Mock(openid='foo@bar.org',
+                                       email='foo@bar.org',
+                                       fullname='Dobby'))
+    @mock.patch('refstack.api.utils.get_user_session',
+                return_value={const.USER_OPENID: 'foo@bar.org'})
+    @mock.patch('refstack.api.utils.is_authenticated', return_value=True)
+    def test_get(self, mock_is_authenticated, mock_get_user_session,
+                 mock_user_get):
+        actual_result = self.controller.get()
+        self.assertEqual({'openid': 'foo@bar.org',
+                          'email': 'foo@bar.org',
+                          'fullname': 'Dobby'}, actual_result)
+
+
+class AuthControllerTestCase(base.BaseTestCase):
+
+    def setUp(self):
+        super(AuthControllerTestCase, self).setUp()
+        self.controller = auth.AuthController()
+        self.config_fixture = config_fixture.Config()
+        self.CONF = self.useFixture(self.config_fixture).conf
+        self.CONF.set_override('app_dev_mode', True, 'api')
+        self.CONF.set_override('ui_url', '127.0.0.1')
+
+    @mock.patch('refstack.api.utils.get_user_session')
+    @mock.patch('refstack.api.utils.is_authenticated', return_value=True)
+    @mock.patch('pecan.redirect', side_effect=webob.exc.HTTPRedirection)
+    def test_signed_signin(self, mock_redirect, mock_is_authenticated,
+                           mock_get_user_session):
+        mock_session = mock.MagicMock(**{const.USER_OPENID: 'foo@bar.org'})
+        mock_get_user_session.return_value = mock_session
+        self.assertRaises(webob.exc.HTTPRedirection, self.controller.signin)
+        mock_redirect.assert_called_with('127.0.0.1')
+
+    @mock.patch('refstack.api.utils.get_user_session')
+    @mock.patch('refstack.api.utils.is_authenticated', return_value=False)
+    @mock.patch('pecan.redirect', side_effect=webob.exc.HTTPRedirection)
+    def test_unsigned_signin(self, mock_redirect, mock_is_authenticated,
+                             mock_get_user_session):
+        mock_session = mock.MagicMock(**{const.USER_OPENID: 'foo@bar.org'})
+        mock_get_user_session.return_value = mock_session
+        self.assertRaises(webob.exc.HTTPRedirection, self.controller.signin)
+        self.assertIn(self.CONF.osid.openstack_openid_endpoint,
+                      mock_redirect.call_args[1]['location'])
+
+    @mock.patch('socket.gethostbyname', return_value='1.1.1.1')
+    @mock.patch('pecan.request')
+    @mock.patch('refstack.api.utils.get_user_session')
+    @mock.patch('pecan.abort', side_effect=webob.exc.HTTPError)
+    def test_signin_return_failed(self, mock_abort, mock_get_user_session,
+                                  mock_request, mock_socket):
+        mock_session = mock.MagicMock(**{const.USER_OPENID: 'foo@bar.org',
+                                         const.CSRF_TOKEN: '42'})
+        mock_get_user_session.return_value = mock_session
+        mock_request.remote_addr = '1.1.1.2'
+
+        mock_request.GET = {
+            const.OPENID_ERROR: 'foo is not bar!!!'
+        }
+        mock_request.environ['beaker.session'] = {
+            const.CSRF_TOKEN: 42
+        }
+        self.assertRaises(webob.exc.HTTPError, self.controller.signin_return)
+        mock_abort.assert_called_once_with(
+            401, mock_request.GET[const.OPENID_ERROR])
+        self.assertNotIn(const.CSRF_TOKEN,
+                         mock_request.environ['beaker.session'])
+
+        mock_abort.reset_mock()
+        mock_request.environ['beaker.session'] = {
+            const.CSRF_TOKEN: 42
+        }
+        mock_request.GET = {
+            const.OPENID_MODE: 'cancel'
+        }
+        self.assertRaises(webob.exc.HTTPError, self.controller.signin_return)
+        mock_abort.assert_called_once_with(
+            401, 'Authentication canceled.')
+        self.assertNotIn(const.CSRF_TOKEN,
+                         mock_request.environ['beaker.session'])
+
+        mock_abort.reset_mock()
+        mock_request.environ['beaker.session'] = {
+            const.CSRF_TOKEN: 42
+        }
+        mock_request.GET = {}
+        self.assertRaises(webob.exc.HTTPError, self.controller.signin_return)
+        mock_abort.assert_called_once_with(
+            401, 'Authentication is failed. Try again.')
+        self.assertNotIn(const.CSRF_TOKEN,
+                         mock_request.environ['beaker.session'])
+
+        mock_abort.reset_mock()
+        mock_request.environ['beaker.session'] = {
+            const.CSRF_TOKEN: 42
+        }
+        mock_request.GET = {const.CSRF_TOKEN: '24'}
+        mock_request.remote_addr = '1.1.1.1'
+        self.assertRaises(webob.exc.HTTPError, self.controller.signin_return)
+        mock_abort.assert_called_once_with(
+            401, 'Authentication is failed. Try again.')
+        self.assertNotIn(const.CSRF_TOKEN,
+                         mock_request.environ['beaker.session'])
+
+    @mock.patch('refstack.api.utils.verify_openid_request', return_value=True)
+    @mock.patch('refstack.db.user_update_or_create')
+    @mock.patch('pecan.request')
+    @mock.patch('refstack.api.utils.get_user_session')
+    @mock.patch('pecan.redirect', side_effect=webob.exc.HTTPRedirection)
+    def test_signin_return_success(self, mock_redirect, mock_get_user_session,
+                                   mock_request, mock_user, mock_verify):
+        mock_session = mock.MagicMock(**{const.USER_OPENID: 'foo@bar.org',
+                                         const.CSRF_TOKEN: 42})
+        mock_session.get = mock.Mock(return_value=42)
+        mock_get_user_session.return_value = mock_session
+
+        mock_request.GET = {
+            const.OPENID_CLAIMED_ID: 'foo@bar.org',
+            const.OPENID_NS_SREG_EMAIL: 'foo@bar.org',
+            const.OPENID_NS_SREG_FULLNAME: 'foo',
+            const.CSRF_TOKEN: 42
+        }
+        mock_request.environ['beaker.session'] = {
+            const.CSRF_TOKEN: 42
+        }
+        self.assertRaises(webob.exc.HTTPRedirection,
+                          self.controller.signin_return)
+
+    @mock.patch('pecan.request')
+    @mock.patch('refstack.api.utils.is_authenticated', return_value=True)
+    @mock.patch('pecan.redirect', side_effect=webob.exc.HTTPRedirection)
+    def test_signout(self, mock_redirect, mock_is_authenticated,
+                     mock_request):
+        mock_request.environ['beaker.session'] = {
+            const.CSRF_TOKEN: 42
+        }
+        self.assertRaises(webob.exc.HTTPRedirection, self.controller.signout)
+        mock_redirect.assert_called_with('127.0.0.1')
+        self.assertNotIn(const.CSRF_TOKEN,
+                         mock_request.environ['beaker.session'])

refstack/tests/unit/test_api_utils.py

@@ -19,9 +19,11 @@ import mock
 from oslo_config import fixture as config_fixture
 from oslo_utils import timeutils
 from oslotest import base
+from six.moves.urllib import parse
 
 from refstack.api import constants as const
 from refstack.api import utils as api_utils
+from refstack import db
 
 
 class APIUtilsTestCase(base.BaseTestCase):
@@ -255,3 +257,75 @@ class APIUtilsTestCase(base.BaseTestCase):
 
         self.assertEqual(page_number, 2)
         self.assertEqual(total_pages, total_records / per_page)
+
+    def test_set_query_params(self):
+        url = 'http://e.io/path#fragment'
+        new_url = api_utils.set_query_params(url, {'foo': 'bar', '?': 42})
+        self.assertEqual(parse.parse_qs(parse.urlparse(new_url)[4]),
+                         {'foo': ['bar'], '?': ['42']})
+
+    def test_get_token(self):
+        token = api_utils.get_token(42)
+        self.assertRegexpMatches(token, "[a-z]{42}")
+
+    @mock.patch.object(api_utils, 'get_user_session')
+    def test_delete_params_from_user_session(self, mock_get_user_session):
+        mock_session = mock.MagicMock(**{'foo': 'bar', 'answer': 42})
+        mock_get_user_session.return_value = mock_session
+        api_utils.delete_params_from_user_session(('foo', 'answer'))
+        self.assertNotIn('foo', mock_session.__dir__)
+        self.assertNotIn('answer', mock_session.__dir__)
+        mock_session.save.called_once_with()
+
+    @mock.patch('pecan.request')
+    def test_get_user_session(self, mock_request):
+        mock_request.environ = {'beaker.session': 42}
+        session = api_utils.get_user_session()
+        self.assertEqual(42, session)
+
+    @mock.patch.object(api_utils, 'get_user_session')
+    @mock.patch.object(api_utils, 'db')
+    def test_is_authenticated(self, mock_db, mock_get_user_session):
+        mock_session = mock.MagicMock(**{const.USER_OPENID: 'foo@bar.com'})
+        mock_get_user_session.return_value = mock_session
+        mock_get_user = mock_db.user_get
+        mock_get_user.return_value = 'Dobby'
+        self.assertEqual(True, api_utils.is_authenticated())
+        mock_db.user_get.called_once_with(mock_session)
+        mock_db.UserNotFound = db.UserNotFound
+        mock_get_user.side_effect = mock_db.UserNotFound
+        self.assertEqual(False, api_utils.is_authenticated())
+
+    @mock.patch('requests.post')
+    @mock.patch('pecan.abort')
+    def test_verify_openid_request(self, mock_abort, mock_post):
+        mock_response = mock.Mock()
+        mock_response.content = ('is_valid:true\n'
+                                 'ns:http://specs.openid.net/auth/2.0\n')
+        mock_response.status_code = 200
+        mock_post.return_value = mock_response
+        mock_request = mock.Mock()
+        mock_request.params = {
+            const.OPENID_NS_SREG_EMAIL: 'foo@bar.org',
+            const.OPENID_NS_SREG_FULLNAME: 'foo'
+        }
+        self.assertEqual(True, api_utils.verify_openid_request(mock_request))
+
+        mock_response.content = ('is_valid:false\n'
+                                 'ns:http://specs.openid.net/auth/2.0\n')
+        api_utils.verify_openid_request(mock_request)
+        mock_abort.assert_called_once_with(
+            401, 'Authentication is failed. Try again.'
+        )
+
+        mock_abort.reset_mock()
+        mock_response.content = ('is_valid:true\n'
+                                 'ns:http://specs.openid.net/auth/2.0\n')
+        mock_request.params = {
+            const.OPENID_NS_SREG_EMAIL: 'foo@bar.org',
+        }
+        api_utils.verify_openid_request(mock_request)
+        mock_abort.assert_called_once_with(
+            401, 'Authentication is failed. '
+                 'Please permit access to your name.'
+        )

refstack/tests/unit/test_app.py

@@ -90,6 +90,15 @@ class JSONErrorHookTestCase(base.BaseTestCase):
                            'detail': str(exc)}
         )
 
+    @mock.patch.object(webob, 'Response')
+    def test_on_http_redirection(self, response):
+        self.CONF.set_override('app_dev_mode', False, 'api')
+
+        exc = mock.Mock(spec=webob.exc.HTTPRedirection)
+        hook = app.JSONErrorHook()
+        result = hook.on_error(mock.Mock(), exc)
+        self.assertEqual(result, None)
+
     @mock.patch.object(webob, 'Response')
     def test_on_error_with_other_exceptions(self, response):
         self.CONF.set_override('app_dev_mode', False, 'api')
@@ -180,7 +189,9 @@ class SetupAppTestCase(base.BaseTestCase):
     @mock.patch.object(app, 'CORSHook')
     @mock.patch('os.path.join')
     @mock.patch('pecan.make_app')
-    def test_setup_app(self, make_app, os_join,
+    @mock.patch('refstack.api.app.SessionMiddleware')
+    @mock.patch('refstack.api.utils.get_token', return_value='42')
+    def test_setup_app(self, get_token, session_middleware, make_app, os_join,
                        json_error_hook, cors_hook, pecan_hooks):
 
         self.CONF.set_override('app_dev_mode',
@@ -201,10 +212,11 @@ class SetupAppTestCase(base.BaseTestCase):
         pecan_config = mock.Mock()
         pecan_config.app = {'root': 'fake_pecan_config'}
         make_app.return_value = 'fake_app'
+        session_middleware.return_value = 'fake_app_with_middleware'
 
         result = app.setup_app(pecan_config)
 
-        self.assertEqual(result, 'fake_app')
+        self.assertEqual(result, 'fake_app_with_middleware')
 
         app_conf = dict(pecan_config.app)
         make_app.assert_called_once_with(
@@ -214,3 +226,10 @@ class SetupAppTestCase(base.BaseTestCase):
             template_path='fake_template_path',
             hooks=['cors_hook', 'json_error_hook', 'request_viewer_hook']
         )
+        session_middleware.assert_called_once_with(
+            'fake_app',
+            {'session.key': 'refstack',
+             'session.type': 'memory',
+             'session.timeout': 604800,
+             'session.validate_key': get_token.return_value}
+        )

refstack/tests/unit/test_db.py

@@ -55,6 +55,18 @@ class DBAPITestCase(base.BaseTestCase):
         db.get_test_records_count(filters)
         mock_db.assert_called_once_with(filters)
 
+    @mock.patch.object(api, 'user_get')
+    def test_user_get(self, mock_db):
+        user_openid = 'user@example.com'
+        db.user_get(user_openid)
+        mock_db.assert_called_once_with(user_openid)
+
+    @mock.patch.object(api, 'user_update_or_create')
+    def test_user_update_or_create(self, mock_db):
+        user_info = 'user@example.com'
+        db.user_update_or_create(user_info)
+        mock_db.assert_called_once_with(user_info)
+
 
 class DBHelpersTestCase(base.BaseTestCase):
     """Test case for database backend helpers."""
@@ -261,3 +273,48 @@ class DBBackendTestCase(base.BaseTestCase):
         session.query.assert_called_once_with(mock_model.id)
         mock_apply.assert_called_once_with(query, filters)
         apply_result.count.assert_called_once_with()
+
+    @mock.patch.object(api, 'get_session',
+                       return_value=mock.Mock(name='session'),)
+    @mock.patch('refstack.db.sqlalchemy.models.User')
+    def test_user_get(self, mock_model, mock_get_session):
+        user_openid = 'user@example.com'
+        session = mock_get_session.return_value
+        query = session.query.return_value
+        filtered = query.filter_by.return_value
+        user = filtered.first.return_value
+
+        result = api.user_get(user_openid)
+        self.assertEqual(result, user)
+
+        session.query.assert_called_once_with(mock_model)
+        query.filter_by.assert_called_once_with(openid=user_openid)
+        filtered.first.assert_called_once_with()
+
+    @mock.patch.object(api, 'get_session',
+                       return_value=mock.Mock(name='session'),)
+    @mock.patch('refstack.db.sqlalchemy.models.User')
+    def test_user_get_none(self, mock_model, mock_get_session):
+        user_openid = 'user@example.com'
+        session = mock_get_session.return_value
+        query = session.query.return_value
+        filtered = query.filter_by.return_value
+        filtered.first.return_value = None
+        self.assertRaises(api.UserNotFound, api.user_get, user_openid)
+
+    @mock.patch.object(api, 'get_session')
+    @mock.patch('refstack.db.sqlalchemy.models.User')
+    @mock.patch.object(api, 'user_get', side_effect=api.UserNotFound)
+    def test_user_update_or_create(self, mock_get_user, mock_model,
+                                   mock_get_session):
+        user_info = {'openid': 'user@example.com'}
+        session = mock_get_session.return_value
+        user = mock_model.return_value
+        result = api.user_update_or_create(user_info)
+        self.assertEqual(result, user)
+
+        mock_model.assert_called_once_with()
+        mock_get_session.assert_called_once_with()
+        user.save.assert_called_once_with(session=session)
+        user.update.assert_called_once_with(user_info)
+        session.begin.assert_called_once_with()

requirements.txt

@@ -1,5 +1,6 @@
 SQLAlchemy>=0.8.3
 alembic==0.5.0
+beaker==1.6.5.post1
 #gunicorn 19.1.1 has a bug with threading module
 gunicorn==18
 oslo.config>=1.6.0 # Apache-2.0