Startseite Erkunden Hilfe
Anmelden
joostsijm
/
clean-python
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: 0a34f43e37
Branches Tags
clean-python
/
tests
/
oauth2
/
test_verifier.py

test_verifier.py 3.3 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112 
  1. # (c) Nelen & Schuurmans
    2. 

  2. 

  3. import json
    4. 

  4. import socket
    5. 

  5. import time
    6. 

  6. import urllib.request
    7. 

  7. from io import BytesIO
    8. 

  8. from unittest import mock
    9. 

  9. 

  10. import jwt
    11. 

  11. import pytest
    12. 

  12. 

  13. from clean_python import PermissionDenied
    14. 

  14. from clean_python import Unauthorized
    15. 

  15. from clean_python.oauth2 import Token
    16. 

  16. from clean_python.oauth2 import TokenVerifier
    17. 

  17. 

  18. 

  19. @pytest.fixture
    20. 

  20. def patched_verifier(settings, jwk_patched):
    21. 

  21.     return TokenVerifier(settings)
    22. 

  22. 

  23. 

  24. def test_verifier_ok(patched_verifier, token_generator, jwk_patched):
    25. 

  25.     token = token_generator()
    26. 

  26.     verified_token = patched_verifier("Bearer " + token)
    27. 

  27. 

  28.     assert isinstance(verified_token, Token)
    29. 

  29.     assert verified_token.user.id == "foo"
    30. 

  30.     assert verified_token.tenant is None
    31. 

  31.     assert verified_token.scope == {"user"}
    32. 

  32. 

  33.     jwk_patched.assert_called_once_with(
    34. 

  34.         "https://some/auth/server/.well-known/jwks.json"
    35. 

  35.     )
    36. 

  36. 

  37. 

  38. def test_verifier_exp_leeway(patched_verifier, token_generator):
    39. 

  39.     token = token_generator(exp=int(time.time()) - 60)
    40. 

  40.     patched_verifier("Bearer " + token)
    41. 

  41. 

  42. 

  43. def test_verifier_multiple_scopes(patched_verifier, token_generator, settings):
    44. 

  44.     token = token_generator(scope=f"scope1 {settings.scope} scope3")
    45. 

  45.     patched_verifier("Bearer " + token)
    46. 

  46. 

  47. 

  48. @pytest.mark.parametrize(
    49. 

  49.     "claim_overrides",
    50. 

  50.     [
    51. 

  51.         {"iss": "https://authserver"},
    52. 

  52.         {"iss": None},
    53. 

  53.         {"scope": "nothing"},
    54. 

  54.         {"scope": None},
    55. 

  55.         {"exp": int(time.time()) - 3600},
    56. 

  56.         {"exp": None},
    57. 

  57.         {"nbf": int(time.time()) + 3600},
    58. 

  58.         {"token_use": "id"},
    59. 

  59.         {"token_use": None},
    60. 

  60.         {"sub": None},
    61. 

  61.         {"username": None},
    62. 

  62.     ],
    63. 

  63. )
    64. 

  64. def test_verifier_bad(patched_verifier, token_generator, claim_overrides):
    65. 

  65.     token = token_generator(**claim_overrides)
    66. 

  66.     with pytest.raises(Unauthorized):
    67. 

  67.         patched_verifier("Bearer " + token)
    68. 

  68. 

  69. 

  70. def test_verifier_authorize(patched_verifier, token_generator):
    71. 

  71.     token = token_generator(sub="bar")
    72. 

  72.     with pytest.raises(PermissionDenied):
    73. 

  73.         patched_verifier("Bearer " + token)
    74. 

  74. 

  75. 

  76. @pytest.mark.parametrize("prefix", ["", "foo ", "key ", "bearer ", "Bearer  "])
    77. 

  77. def test_verifier_bad_header_prefix(patched_verifier, token_generator, prefix):
    78. 

  78.     token = token_generator()
    79. 

  79.     with pytest.raises(Unauthorized):
    80. 

  80.         patched_verifier(prefix + token)
    81. 

  81. 

  82. 

  83. @pytest.mark.parametrize("header", ["", None, " "])
    84. 

  84. def test_verifier_no_header(patched_verifier, header):
    85. 

  85.     with pytest.raises(Unauthorized):
    86. 

  86.         patched_verifier(header)
    87. 

  87. 

  88. 

  89. @mock.patch.object(urllib.request, "urlopen")
    90. 

  90. def test_get_key_timeout(urlopen, patched_verifier, token_generator, public_key):
    91. 

  91.     def side_effect():
    92. 

  92.         assert socket.getdefaulttimeout() == 0.1
    93. 

  93.         return BytesIO(json.dumps({"keys": [public_key]}).encode())
    94. 

  94. 

  95.     urlopen.return_value.__enter__.side_effect = side_effect
    96. 

  96. 

  97.     assert socket.getdefaulttimeout() is None
    98. 

  98.     key = patched_verifier.get_key(token_generator(), timeout=0.1)
    99. 

  99.     assert socket.getdefaulttimeout() is None
    100. 

  100. 

  101.     assert isinstance(key, jwt.PyJWK)
    102. 

  102.     assert key.key_id == public_key["kid"]
    103. 

  103. 

  104. 

  105. @mock.patch.object(urllib.request, "urlopen")
    106. 

  106. def test_get_key_invalid_kid(urlopen, settings, token_generator, public_key):
    107. 

  107.     urlopen.return_value.__enter__.return_value = BytesIO(
    108. 

  108.         json.dumps({"keys": []}).encode()
    109. 

  109.     )
    110. 

  110. 

  111.     with pytest.raises(jwt.exceptions.PyJWTError):
    112. 

  112.         TokenVerifier(settings).get_key(token_generator())
    113.