Beispiel #1
    def test_token_negotiation(self, username, password, basic_auth):
        """Check the challenge -> token request -> retry handshake.

        The realm stub asserts that a Basic ``authorization`` header reaches
        it only when ``basic_auth`` is set; otherwise the token request must
        carry no ``authorization`` header at all.
        """
        registry_url = 'https://registry.example.com/v2/fedora/tags/list'
        realm_url = BEARER_REALM_URL + '?scope=repository:fedora:pull'

        def bearer_realm_callback(request):
            # Anonymous negotiation must not attach any credentials to the
            # token request; with credentials, they must arrive as Basic auth.
            if not basic_auth:
                assert 'authorization' not in request.headers
            else:
                # NOTE(review): b64encode is called with (username, password),
                # so it is presumably a helper of this test module rather than
                # base64.b64encode -- confirm.
                expected = 'Basic {}'.format(b64encode(username, password))
                assert request.headers['authorization'] == expected

            token_body = json.dumps({'token': BEARER_TOKEN})
            return (200, {}, token_body)

        # match_querystring=True ties the stub to the fedora pull scope.
        responses.add_callback(responses.GET, realm_url,
                               callback=bearer_realm_callback, match_querystring=True)

        # Two stubs on the same URL: judging by their names, the first issues
        # the challenge and the second accepts the retried request.
        responses.add_callback(responses.GET, registry_url, callback=bearer_unauthorized_callback)
        responses.add_callback(responses.GET, registry_url, callback=bearer_success_callback)

        bearer_auth = HTTPBearerAuth(username=username, password=password)
        reply = requests.get(registry_url, auth=bearer_auth)

        assert reply.json() == 'success'
        # Presumably: registry challenge, realm token request, registry retry.
        assert len(responses.calls) == 3
Beispiel #2
    def test_token_cached_per_repo(self):
        """Check that a negotiated token is reused for later requests to the same repo.

        Each repository has its own pull scope and its own realm stub. The
        final call count only adds up if the second request to a repository
        needs neither a new challenge nor a new token request.
        """
        scope_queries = (
            '?scope=repository:fedora:pull',
            '?scope=repository:centos:pull',
        )
        for scope_query in scope_queries:
            responses.add(responses.GET, BEARER_REALM_URL + scope_query,
                          json={'token': BEARER_TOKEN}, match_querystring=True)

        # (tags URL, body of the first success, body of the second success)
        repo_cases = (
            ('https://registry.example.com/v2/fedora/tags/list',
             'fedora-success', 'fedora-success-also'),
            ('https://registry.example.com/v2/centos/tags/list',
             'centos-success', 'centos-success-also'),
        )
        for tags_url, first_body, second_body in repo_cases:
            # Same-URL stubs are registered in the order they should be served.
            responses.add_callback(responses.GET, tags_url,
                                   callback=bearer_unauthorized_callback)
            responses.add(responses.GET, tags_url, status=200, json=first_body)
            responses.add(responses.GET, tags_url, status=200, json=second_body)

        # A single auth object is shared so its state carries across requests.
        shared_auth = HTTPBearerAuth()

        for tags_url, first_body, second_body in repo_cases:
            assert requests.get(tags_url, auth=shared_auth).json() == first_body
            assert requests.get(tags_url, auth=shared_auth).json() == second_body

        # Per repository: one challenge, one token request, two successes.
        # NOTE(review): the plain success stubs do not inspect the
        # Authorization header, so reuse of the token is shown only through
        # this call count.
        assert len(responses.calls) == 8
Beispiel #3
    def test_initialization(self, verify):
        """Check that the constructor keeps each argument as a same-named attribute.

        NOTE(review): ``verify`` is presumably the TLS verification setting
        used for outgoing requests; this test only pins that the value is
        stored unchanged -- confirm where it is consumed.
        """
        settings = {
            'username': '******',
            'password': '******',
            'verify': verify,
            'access': ('pull', 'push'),
        }

        auth = HTTPBearerAuth(**settings)

        for attribute, expected in settings.items():
            assert getattr(auth, attribute) == expected
Beispiel #4
    def test_request_global_access(self, partial_url):
        """Check negotiation for registry URLs that do not name a repository.

        The realm stub is registered without a query string and with
        ``match_querystring=True``, so the token request is expected to carry
        no ``scope`` parameter.
        """
        target = 'https://registry.example.com/{}'.format(partial_url)

        responses.add(responses.GET, BEARER_REALM_URL, match_querystring=True,
                      json={'token': BEARER_TOKEN})

        # Challenge first, then the success served to the retried request.
        responses.add_callback(responses.GET, target, callback=bearer_unauthorized_callback)
        responses.add(responses.GET, target, status=200, json='success')

        bearer_auth = HTTPBearerAuth()
        reply = requests.get(target, auth=bearer_auth)

        assert reply.json() == 'success'
Beispiel #5
    def test_repo_extracted_from_url(self, partial_url, repo):
        """Check that the token scope names the repository found in the request URL.

        The realm stub matches only ``scope=repository:<repo>:pull``, so the
        request can succeed only if the auth handler derives ``repo`` from the
        ``/v2/<repo>/<partial_url>`` path.
        """
        target = 'https://registry.example.com/v2/{}/{}'.format(repo, partial_url)
        scoped_realm = '{}?scope=repository:{}:pull'.format(BEARER_REALM_URL, repo)

        responses.add(responses.GET, scoped_realm, match_querystring=True,
                      json={'token': BEARER_TOKEN})

        # Challenge first, then the success served to the retried request.
        responses.add_callback(responses.GET, target, callback=bearer_unauthorized_callback)
        responses.add(responses.GET, target, status=200, json='success')

        bearer_auth = HTTPBearerAuth()
        reply = requests.get(target, auth=bearer_auth)

        assert reply.json() == 'success'
Beispiel #6
    def test_not_bearer_auth(self):
        """Check that a challenge with an unsupported scheme is passed through.

        The 401 advertises a realm under the made-up ``Spam`` scheme. The
        handler must neither contact that realm nor retry: exactly one call
        is recorded and the caller sees the original 401.
        """
        url = 'https://registry.example.com/v2/fedora/tags/list'

        def unsupported_callback(request):
            challenge = 'Spam realm={}'.format(BEARER_REALM_URL)
            return (401, {'www-authenticate': challenge}, json.dumps('unauthorized'))

        responses.add_callback(responses.GET, url, callback=unsupported_callback)
        # Registered only as a tripwire; a retry would be answered from here.
        responses.add(responses.GET, url, status=200, json='success')

        reply = requests.get(url, auth=HTTPBearerAuth())

        assert reply.json() == 'unauthorized'
        assert reply.status_code == 401
        # No realm stub is registered, and no second registry call happened.
        assert len(responses.calls) == 1
Beispiel #7
    def test_non_401_error_propagated(self):
        """Check that a Bearer challenge on a non-401 status starts no negotiation.

        The stub answers 418 while still sending a Bearer ``www-authenticate``
        header. The response must reach the caller untouched after a single
        call, with no token request and no retry.
        """
        url = 'https://registry.example.com/v2/fedora/tags/list'

        def bearer_teapot_callback(request):
            challenge = 'Bearer realm={}'.format(BEARER_REALM_URL)
            return (418, {'www-authenticate': challenge}, json.dumps("I'm a teapot!"))

        responses.add_callback(responses.GET, url, callback=bearer_teapot_callback)
        # Registered only as a tripwire; a retry would be answered from here.
        responses.add(responses.GET, url, status=200, json='success')

        reply = requests.get(url, auth=HTTPBearerAuth())

        assert reply.json() == "I'm a teapot!"
        assert reply.status_code == 418
        # The header alone must not be enough to trigger a realm request.
        assert len(responses.calls) == 1