def test_login():
"""
This tests if we can log in successfully or fail correctly.
"""
try:
os.remove("test-login.authdb.sqlite")
except Exception:
pass
try:
os.remove("test-login.authdb.sqlite-shm")
except Exception:
pass
try:
os.remove("test-login.authdb.sqlite-wal")
except Exception:
pass
get_test_authdb()
get_public_suffix_list()
# create the user
user_payload = {
"full_name": "Test User",
"email": "*****@*****.**",
"password": "******",
"pii_salt": "super-secret-salt",
"reqid": 1,
}
user_created = actions.create_new_user(
user_payload,
override_authdb_path="sqlite:///test-login.authdb.sqlite")
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert ("User account created. Please verify your email address to log in."
in user_created["messages"])
# create a new session token
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {
"pref_datasets_always_private": True
},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token1 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-login.authdb.sqlite",
)
assert session_token1["success"] is True
assert session_token1["session_token"] is not None
# try logging in now with correct password
login = actions.auth_user_login(
{
"session_token": session_token1["session_token"],
"email": user_payload["email"],
"password": user_payload["password"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-login.authdb.sqlite",
)
# this should fail because we haven't verified our email yet
assert login["success"] is False
# verify our email
emailverify = actions.set_user_emailaddr_verified(
{
"email": user_payload["email"],
"user_id": user_created["user_id"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-login.authdb.sqlite",
)
assert emailverify["success"] is True
assert emailverify["user_id"] == user_created["user_id"]
assert emailverify["is_active"] is True
assert emailverify["user_role"] == "authenticated"
# now make a new session token
session_payload = {
"user_id": emailverify["user_id"],
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {
"pref_datasets_always_private": True
},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token2 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-login.authdb.sqlite",
)
assert session_token2["success"] is True
assert session_token2["session_token"] is not None
# and now try to log in again
login = actions.auth_user_login(
{
"session_token": session_token2["session_token"],
"email": user_payload["email"],
"password": user_payload["password"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-login.authdb.sqlite",
)
assert login["success"] is True
# try logging in now with the wrong password
login = actions.auth_user_login(
{
"session_token": session_token2["session_token"],
"email": user_payload["email"],
"password": "******",
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-login.authdb.sqlite",
)
assert login["success"] is False
# tests for no session token provided
login = actions.auth_user_login(
{
"session_token": "correcthorsebatterystaple",
"email": user_payload["email"],
"password": user_payload["password"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-login.authdb.sqlite",
)
assert login["success"] is False
try:
os.remove("test-login.authdb.sqlite")
except Exception:
pass
try:
os.remove("test-login.authdb.sqlite-shm")
except Exception:
pass
try:
os.remove("test-login.authdb.sqlite-wal")
except Exception:
pass
def test_login_logout():
"""
See if we can login and log out correctly.
"""
try:
os.remove("test-loginlogout.authdb.sqlite")
except Exception:
pass
try:
os.remove("test-loginlogout.authdb.sqlite-shm")
except Exception:
pass
try:
os.remove("test-loginlogout.authdb.sqlite-wal")
except Exception:
pass
get_test_authdb()
get_public_suffix_list()
# create the user
user_payload = {
"full_name": "Test User",
"email": "*****@*****.**",
"password": "******",
"pii_salt": "super-secret-salt",
"reqid": 1,
}
user_created = actions.create_new_user(
user_payload,
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert (
"User account created. Please verify your email address to log in."
in user_created["messages"]
)
# create a new session token
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {"pref_datasets_always_private": True},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token1 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
raiseonfail=True,
)
assert session_token1["success"] is True
assert session_token1["session_token"] is not None
# try logging in now with correct password
login = actions.auth_user_login(
{
"session_token": session_token1["session_token"],
"email": user_payload["email"],
"password": user_payload["password"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
raiseonfail=True,
)
# this should fail because we haven't verified our email yet
assert login["success"] is False
# verify our email
emailverify = actions.set_user_emailaddr_verified(
{
"email": user_payload["email"],
"user_id": user_created["user_id"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
raiseonfail=True,
)
assert emailverify["success"] is True
assert emailverify["user_id"] == user_created["user_id"]
assert emailverify["is_active"] is True
assert emailverify["user_role"] == "authenticated"
# now make a new session token
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {"pref_datasets_always_private": True},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token2 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
raiseonfail=True,
)
assert session_token2["success"] is True
assert session_token2["session_token"] is not None
# and now try to log in again
login = actions.auth_user_login(
{
"session_token": session_token2["session_token"],
"email": user_payload["email"],
"password": user_payload["password"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
raiseonfail=True,
)
assert login["success"] is True
# make sure the session token we used to log in is gone
# check if our session was deleted correctly
session_still_exists = actions.auth_session_exists(
{
"session_token": session_token2["session_token"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
)
assert session_still_exists["success"] is False
# start a new session with this user's user ID
authenticated_session_token = actions.auth_session_new(
{
"user_id": login["user_id"],
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {"pref_datasets_always_private": True},
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
raiseonfail=True,
)
# now see if we can log out
logged_out = actions.auth_user_logout(
{
"session_token": authenticated_session_token["session_token"],
"user_id": login["user_id"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
raiseonfail=True,
)
assert logged_out["success"] is True
# check if our session was deleted correctly
session_still_exists = actions.auth_session_exists(
{
"session_token": authenticated_session_token,
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-loginlogout.authdb.sqlite",
raiseonfail=True,
)
assert session_still_exists["success"] is False
try:
os.remove("test-loginlogout.authdb.sqlite")
except Exception:
pass
try:
os.remove("test-loginlogout.authdb.sqlite-shm")
except Exception:
pass
try:
os.remove("test-loginlogout.authdb.sqlite-wal")
except Exception:
pass
def test_create_user_with_email(tmpdir):
"""
This creates a user and tries to send a verification code to their email.
"""
test_authdb_url = get_test_authdb(tmpdir)
get_public_suffix_list()
# 0. start the email server
email_server, maildir = generate_email_server(tmpdir)
email_server.start()
time.sleep(3.0)
# 1a. create a new session
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {"pref_datasets_always_private": True},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
session_token_info = actions.auth_session_new(
session_payload, raiseonfail=True, override_authdb_path=test_authdb_url
)
# 1b. create a new user
payload = {
"full_name": "Test User",
"email": "*****@*****.**",
"password": "******",
"reqid": 1,
"pii_salt": "super-secret-salt",
}
user_created = actions.create_new_user(
payload, raiseonfail=True, override_authdb_path=test_authdb_url
)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert user_created["user_id"] == 4
assert user_created["send_verification"] is True
assert (
"User account created. Please verify your email address to log in."
in user_created["messages"]
)
token_key = Fernet.generate_key()
# 2. generate a verification token and send them an email
verify_token = tokens.generate_email_token(
session_payload["ip_address"],
session_payload["user_agent"],
"*****@*****.**",
session_token_info["session_token"],
token_key,
)
# this uses the payload method of sending SMTP settings to the backend
# function
verification_email_info = actions.send_signup_verification_email(
{
"email_address": "*****@*****.**",
"session_token": session_token_info["session_token"],
"created_info": user_created,
"server_name": "Authnzerver",
"server_baseurl": "https://localhost/auth",
"account_verify_url": "/users/verify",
"verification_token": verify_token,
"verification_expiry": 900,
"emailuser": None,
"emailpass": None,
"emailserver": "localhost",
"emailport": 9487,
"emailsender": "Authnzerver <*****@*****.**>",
"reqid": 1337,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert verification_email_info["success"] is True
assert verification_email_info["email_address"] == "*****@*****.**"
# 3. check the mailbox to see if the email was received
mailbox = Maildir(maildir)
email_found = False
for _, message in mailbox.items():
if "Please verify your account sign up request" in message["Subject"]:
email_found = True
assert message["From"] == "Authnzerver <*****@*****.**>"
assert message["To"] == "*****@*****.**"
assert (
"\n".join(textwrap.wrap(verify_token.decode()))
in message.as_string()
)
break
assert email_found is True
# now verify that the token from the email contains the same info we
# provided
received_token_base64 = re.findall(
r"enter this code:([\S\n]+)into the account verification",
message.as_string(),
)
received_token_base64 = received_token_base64[0]
received_token_base64 = received_token_base64.replace("\n", "")
received_token_valid = tokens.verify_email_token(
received_token_base64,
session_payload["ip_address"],
session_payload["user_agent"],
session_token_info["session_token"],
"*****@*****.**",
token_key,
match_returned_items=("ipa", "usa", "stk", "ema"),
)
assert received_token_valid is True
# 4. set the user's email address as verified
email_verified_info = actions.set_user_emailaddr_verified(
{
"email": "*****@*****.**",
"reqid": 123,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert email_verified_info["success"] is True
assert email_verified_info["user_id"] == 4
assert email_verified_info["is_active"] is True
assert email_verified_info["user_role"] == "authenticated"
# 5. send a password forgot email to the user
# 5a. create a new session for the user first
session_payload = {
"user_id": 4,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {"pref_datasets_always_private": True},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
session_token_info = actions.auth_session_new(
session_payload, raiseonfail=True, override_authdb_path=test_authdb_url
)
# 5b. now send a forgot-password email
forgotpass_token = tokens.generate_email_token(
session_payload["ip_address"],
session_payload["user_agent"],
"*****@*****.**",
session_token_info["session_token"],
token_key,
)
# this uses the config object method of sending SMTP settings to the backend
# function
config_obj = SimpleNamespace()
config_obj.emailuser = None
config_obj.emailpass = None
config_obj.emailserver = "localhost"
config_obj.emailport = 9487
config_obj.emailsender = "Authnzerver <*****@*****.**>"
forgotpass_email_info = actions.send_forgotpass_verification_email(
{
"email_address": "*****@*****.**",
"session_token": session_token_info["session_token"],
"server_name": "Authnzerver",
"server_baseurl": "https://localhost/auth",
"password_forgot_url": "/password/reset-step1",
"verification_token": forgotpass_token,
"verification_expiry": 900,
"reqid": 1337,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
config=config_obj,
)
assert forgotpass_email_info["success"] is True
assert forgotpass_email_info["email_address"] == "*****@*****.**"
# 6. check the mailbox to see if the forgot password email was received
mailbox = Maildir(maildir)
email_found = False
for _, message in mailbox.items():
if "Please verify your password reset request" in message["Subject"]:
email_found = True
assert message["From"] == "Authnzerver <*****@*****.**>"
assert message["To"] == "*****@*****.**"
assert (
"\n".join(textwrap.wrap(forgotpass_token.decode()))
in message.as_string()
)
break
assert email_found is True
# now verify that the token from the email contains the same info we
# provided
received_token_base64 = re.findall(
r"enter this code:([\S\n]+)into the password reset",
message.as_string(),
)
received_token_base64 = received_token_base64[0]
received_token_base64 = received_token_base64.replace("\n", "")
received_token_valid = tokens.verify_email_token(
received_token_base64,
session_payload["ip_address"],
session_payload["user_agent"],
session_token_info["session_token"],
"*****@*****.**",
token_key,
match_returned_items=("ipa", "usa", "stk", "ema"),
)
assert received_token_valid is True
#
# clean up
#
email_server.stop()
def test_login_timing():
"""This tests obfuscating the presence/absence of users based on password
checks.
This may fail randomly if the testing service is under load.
"""
try:
os.remove("test-timing.authdb.sqlite")
except Exception:
pass
try:
os.remove("test-timing.authdb.sqlite-shm")
except Exception:
pass
try:
os.remove("test-timing.authdb.sqlite-wal")
except Exception:
pass
get_test_authdb()
get_public_suffix_list()
# create the user
user_payload = {
"full_name": "Test User",
"email": "*****@*****.**",
"password": "******",
"pii_salt": "super-secret-salt",
"reqid": 1,
}
user_created = actions.create_new_user(
user_payload,
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert ("User account created. Please verify your email address to log in."
in user_created["messages"])
# create a new session token
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {
"pref_datasets_always_private": True
},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token1 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
assert session_token1["success"] is True
assert session_token1["session_token"] is not None
# try logging in now with correct password
login = actions.auth_user_login(
{
"session_token": session_token1["session_token"],
"email": user_payload["email"],
"password": user_payload["password"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
# this should fail because we haven't verified our email yet
assert login["success"] is False
# verify our email
emailverify = actions.set_user_emailaddr_verified(
{
"email": user_payload["email"],
"user_id": user_created["user_id"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
assert emailverify["success"] is True
assert emailverify["user_id"] == user_created["user_id"]
assert emailverify["is_active"] is True
assert emailverify["user_role"] == "authenticated"
# now make a new session token
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {
"pref_datasets_always_private": True
},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token2 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
assert session_token2["success"] is True
assert session_token2["session_token"] is not None
# and now try to log in again
login = actions.auth_user_login(
{
"session_token": session_token2["session_token"],
"email": user_payload["email"],
"password": user_payload["password"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
assert login["success"] is True
# basic tests for timing attacks
# incorrect passwords
incorrect_timings = []
for _ in range(500):
# now make a new session token
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {
"pref_datasets_always_private": True
},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token2 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
start = time.time()
actions.auth_user_login(
{
"session_token": session_token2["session_token"],
"email": user_payload["email"],
"password": secrets.token_urlsafe(16),
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
end = time.time()
incorrect_timings.append(end - start)
# correct passwords
correct_timings = []
for _ in range(500):
# now make a new session token
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {
"pref_datasets_always_private": True
},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token2 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
start = time.time()
actions.auth_user_login(
{
"session_token": session_token2["session_token"],
"email": user_payload["email"],
"password": user_payload["password"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
end = time.time()
correct_timings.append(end - start)
# wronguser passwords
wronguser_timings = []
for _ in range(500):
# now make a new session token
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {
"pref_datasets_always_private": True
},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token2 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
start = time.time()
actions.auth_user_login(
{
"session_token": session_token2["session_token"],
"email": secrets.token_urlsafe(16),
"password": secrets.token_urlsafe(16),
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
end = time.time()
wronguser_timings.append(end - start)
# broken requests
broken_timings = []
for _ in range(500):
# now make a new session token
session_payload = {
"user_id": 2,
"user_agent": "Mozzarella Killerwhale",
"expires": datetime.utcnow() + timedelta(hours=1),
"ip_address": "1.1.1.1",
"extra_info_json": {
"pref_datasets_always_private": True
},
"pii_salt": "super-secret-salt",
"reqid": 1,
}
# check creation of session
session_token2 = actions.auth_session_new(
session_payload,
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
start = time.time()
actions.auth_user_login(
{
"session_token": "correcthorsebatterystaple",
"email": user_payload["email"],
"password": user_payload["password"],
"pii_salt": "super-secret-salt",
"reqid": 1,
},
override_authdb_path="sqlite:///test-timing.authdb.sqlite",
)
end = time.time()
broken_timings.append(end - start)
correct_median = statistics.median(correct_timings)
incorrect_median = statistics.median(incorrect_timings)
broken_median = statistics.median(broken_timings)
wronguser_median = statistics.median(wronguser_timings)
# all timings should match within 10 milliseconds or so
assert abs(correct_median - incorrect_median) < 0.01
assert abs(correct_median - broken_median) < 0.01
assert abs(correct_median - wronguser_median) < 0.01
try:
os.remove("test-timing.authdb.sqlite")
except Exception:
pass
try:
os.remove("test-timing.authdb.sqlite-shm")
except Exception:
pass
try:
os.remove("test-timing.authdb.sqlite-wal")
except Exception:
pass
def test_issue_apikey(tmpdir):
"""
Test if issuing an API key works.
"""
delete_test_authdb(tmpdir)
test_authdb_url = get_test_authdb(tmpdir)
teardown()
get_public_suffix_list()
# 1. create a new user
payload = {
"full_name": "Test User",
"email": "*****@*****.**",
"password": "******",
"reqid": 1,
"pii_salt": "super-secret-salt",
}
user_created = actions.create_new_user(
payload, raiseonfail=True, override_authdb_path=test_authdb_url)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert user_created["user_id"] == 4
# 2. verify their email
email_verified_info = actions.set_user_emailaddr_verified(
{
"email": "*****@*****.**",
"reqid": 2,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert email_verified_info["success"] is True
assert email_verified_info["user_id"] == 4
assert email_verified_info["is_active"] is True
assert email_verified_info["user_role"] == "authenticated"
# 3. generate an API key
apikey_issue_payload = {
"issuer": "authnzerver",
"audience": "test-service",
"subject": "/test-endpoint",
"apiversion": 1,
"expires_seconds": 7,
"not_valid_before": 1,
"user_id": 4,
"user_role": "authenticated",
"ip_address": "1.2.3.4",
"refresh_expires": 10,
"refresh_nbf": 2,
"reqid": 3,
"pii_salt": "super-secret-salt",
}
apikey_info = actions.issue_apikey_nosession(
apikey_issue_payload,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_info["success"] is True
for key in ("apikey", "expires", "refresh_token", "refresh_token_expires"):
assert key in apikey_info
apikey = json.loads(apikey_info["apikey"])
assert apikey["ipa"] == apikey_issue_payload["ip_address"]
assert apikey["uid"] == apikey_issue_payload["user_id"]
assert apikey["rol"] == apikey_issue_payload["user_role"]
teardown()
def test_refresh_apikey(tmpdir):
"""
This tests refreshing an API key.
- before it expires
- after it expires
- with an unexpired correct refresh token
- with the incorrect refresh token
- with an expired refresh token
"""
delete_test_authdb(tmpdir)
test_authdb_url = get_test_authdb(tmpdir)
teardown()
get_public_suffix_list()
# 1. create a new user
payload = {
"full_name": "Test User",
"email": "*****@*****.**",
"password": "******",
"reqid": 1,
"pii_salt": "super-secret-salt",
}
user_created = actions.create_new_user(
payload, raiseonfail=True, override_authdb_path=test_authdb_url)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert user_created["user_id"] == 4
# 2. verify their email
email_verified_info = actions.set_user_emailaddr_verified(
{
"email": "*****@*****.**",
"reqid": 2,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert email_verified_info["success"] is True
assert email_verified_info["user_id"] == 4
assert email_verified_info["is_active"] is True
assert email_verified_info["user_role"] == "authenticated"
# 3. generate an API key
apikey_issue_payload = {
"issuer": "authnzerver",
"audience": "test-service",
"subject": "/test-endpoint",
"apiversion": 1,
"expires_seconds": 6,
"not_valid_before": 1,
"user_id": 4,
"user_role": "authenticated",
"ip_address": "1.2.3.4",
"refresh_expires": 10,
"refresh_nbf": 1,
"reqid": 3,
"pii_salt": "super-secret-salt",
}
apikey_info = actions.issue_apikey_nosession(
apikey_issue_payload,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_info["success"] is True
for key in ("apikey", "expires", "refresh_token", "refresh_token_expires"):
assert key in apikey_info
apikey = json.loads(apikey_info["apikey"])
assert apikey["ipa"] == apikey_issue_payload["ip_address"]
assert apikey["uid"] == apikey_issue_payload["user_id"]
assert apikey["rol"] == apikey_issue_payload["user_role"]
# 4. refresh the key immediately - this should fail because of refresh_nbf
apikey_refresh_payload = {
"apikey_dict": apikey,
"user_id": 4,
"user_role": "authenticated",
"refresh_token": apikey_info["refresh_token"],
"ip_address": "1.2.3.4",
"expires_seconds": 4,
"not_valid_before": 1,
"refresh_expires": 10,
"refresh_nbf": 1,
"reqid": 3,
"pii_salt": "super-secret-salt",
}
refreshed_apikey = actions.refresh_apikey_nosession(
apikey_refresh_payload,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert refreshed_apikey["success"] is False
# 5. now try to refresh within the lifetime of the key but with incorrect
# refresh token - should fail
time.sleep(2)
apikey_refresh_payload["refresh_token"] = "haha wrong token"
refreshed_apikey = actions.refresh_apikey_nosession(
apikey_refresh_payload,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert refreshed_apikey["success"] is False
# 6. now try to refresh with correct refresh token - should pass
apikey_refresh_payload["refresh_token"] = apikey_info["refresh_token"]
refreshed_apikey = actions.refresh_apikey_nosession(
apikey_refresh_payload,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert refreshed_apikey["success"] is True
# 7. now try to refresh after the key expires - should pass
time.sleep(6)
refreshed_apikey_dict = json.loads(refreshed_apikey["apikey"])
apikey_refresh_payload = {
"apikey_dict": refreshed_apikey_dict,
"user_id": 4,
"user_role": "authenticated",
"refresh_token": refreshed_apikey["refresh_token"],
"ip_address": "1.2.3.4",
"expires_seconds": 4,
"not_valid_before": 1,
"refresh_expires": 5,
"refresh_nbf": 1,
"reqid": 3,
"pii_salt": "super-secret-salt",
}
refreshed_apikey = actions.refresh_apikey_nosession(
apikey_refresh_payload,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert refreshed_apikey["success"] is True
# 8. now try to refresh after the refresh token expires - should fail
time.sleep(6)
refreshed_apikey = actions.refresh_apikey_nosession(
apikey_refresh_payload,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert refreshed_apikey["success"] is False
teardown()
def test_revoke_all_apikeys(tmpdir):
"""
This tests if all API keys for a user can be revoked.
"""
delete_test_authdb(tmpdir)
test_authdb_url = get_test_authdb(tmpdir)
teardown()
get_public_suffix_list()
# 1. create a new user
payload = {
"full_name": "Test User",
"email": "*****@*****.**",
"password": "******",
"reqid": 1,
"pii_salt": "super-secret-salt",
}
user_created = actions.create_new_user(
payload, raiseonfail=True, override_authdb_path=test_authdb_url)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert user_created["user_id"] == 4
# 2. verify their email
email_verified_info = actions.set_user_emailaddr_verified(
{
"email": "*****@*****.**",
"reqid": 2,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert email_verified_info["success"] is True
assert email_verified_info["user_id"] == 4
assert email_verified_info["is_active"] is True
assert email_verified_info["user_role"] == "authenticated"
# 3. generate a couple of API keys
apikey_payload_one = {
"issuer": "authnzerver",
"audience": "test-service",
"subject": "/test-endpoint-one",
"apiversion": 1,
"expires_seconds": 7,
"not_valid_before": 1,
"user_id": 4,
"user_role": "authenticated",
"ip_address": "1.2.3.4",
"refresh_expires": 10,
"refresh_nbf": 2,
"reqid": 3,
"pii_salt": "super-secret-salt",
}
apikey_info_one = actions.issue_apikey_nosession(
apikey_payload_one,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
apikey_one = json.loads(apikey_info_one["apikey"])
apikey_payload_two = {
"issuer": "authnzerver",
"audience": "test-service",
"subject": "/test-endpoint-two",
"apiversion": 1,
"expires_seconds": 7,
"not_valid_before": 1,
"user_id": 4,
"user_role": "authenticated",
"ip_address": "1.2.3.4",
"refresh_expires": 10,
"refresh_nbf": 2,
"reqid": 3,
"pii_salt": "super-secret-salt",
}
apikey_info_two = actions.issue_apikey_nosession(
apikey_payload_two,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
apikey_two = json.loads(apikey_info_two["apikey"])
time.sleep(2)
# 1. try to revoke all API keys with an incorrect API key
good_tkn = apikey_one["tkn"]
apikey_one["tkn"] = "haha-bad-token"
revoke_one = actions.revoke_all_apikeys_nosession(
{
"apikey_dict": apikey_one,
"user_id": 4,
"user_role": "authenticated",
"reqid": 2,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert revoke_one["success"] is False
# 2. try to revoke all API keys with a correct API key
revoke_two = actions.revoke_all_apikeys_nosession(
{
"apikey_dict": apikey_two,
"user_id": 4,
"user_role": "authenticated",
"reqid": 2,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert revoke_two["success"] is True
# 3. make sure we can't use any API key afterwards
apikey_one["tkn"] = good_tkn
verify_one = actions.verify_apikey_nosession(
{
"apikey_dict": apikey_one,
"user_id": 4,
"user_role": "authenticated",
"reqid": 3,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert verify_one["success"] is False
verify_two = actions.verify_apikey_nosession(
{
"apikey_dict": apikey_two,
"user_id": 4,
"user_role": "authenticated",
"reqid": 4,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert verify_two["success"] is False
teardown()
def test_revoke_apikey(tmpdir):
"""
This tests if an apikey can be revoked.
- by the original user
- by another user who somehow gets the API key
"""
delete_test_authdb(tmpdir)
test_authdb_url = get_test_authdb(tmpdir)
teardown()
get_public_suffix_list()
# 1. create a couple of new users
payload = {
"full_name": "Test User",
"email": "*****@*****.**",
"password": "******",
"reqid": 1,
"pii_salt": "super-secret-salt",
}
user_created = actions.create_new_user(
payload, raiseonfail=True, override_authdb_path=test_authdb_url)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert user_created["user_id"] == 4
payload = {
"full_name": "Another Test User",
"email": "*****@*****.**",
"password": "******",
"reqid": 2,
"pii_salt": "super-secret-salt",
}
user_created = actions.create_new_user(
payload, raiseonfail=True, override_authdb_path=test_authdb_url)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert user_created["user_id"] == 5
# 2. verify their emails
email_verified_info = actions.set_user_emailaddr_verified(
{
"email": "*****@*****.**",
"reqid": 3,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert email_verified_info["success"] is True
assert email_verified_info["user_id"] == 4
assert email_verified_info["is_active"] is True
assert email_verified_info["user_role"] == "authenticated"
email_verified_info = actions.set_user_emailaddr_verified(
{
"email": "*****@*****.**",
"reqid": 4,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert email_verified_info["success"] is True
assert email_verified_info["user_id"] == 5
assert email_verified_info["is_active"] is True
assert email_verified_info["user_role"] == "authenticated"
# 3. generate an API key for the first user
apikey_issue_payload = {
"issuer": "authnzerver",
"audience": "test-service",
"subject": "/test-endpoint",
"apiversion": 1,
"expires_seconds": 6,
"not_valid_before": 2,
"user_id": 4,
"user_role": "authenticated",
"ip_address": "1.2.3.4",
"refresh_expires": 10,
"refresh_nbf": 2,
"reqid": 5,
"pii_salt": "super-secret-salt",
}
apikey_info = actions.issue_apikey_nosession(
apikey_issue_payload,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_info["success"] is True
apikey_dict = json.loads(apikey_info["apikey"])
time.sleep(2)
# 4. try to revoke the API key as a different user
# this should fail
apikey_revocation = actions.revoke_apikey_nosession(
{
"apikey_dict": apikey_dict,
"user_id": 5,
"user_role": "authenticated",
"reqid": 6,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_revocation["success"] is False
# 5. try to revoke the API key as the correct user
# this should pass
apikey_revocation = actions.revoke_apikey_nosession(
{
"apikey_dict": apikey_dict,
"user_id": 4,
"user_role": "authenticated",
"reqid": 7,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_revocation["success"] is True
# 6. try to verify the API key after it has been revoked
# this should fail
apikey_verification = actions.verify_apikey_nosession(
{
"apikey_dict": apikey_dict,
"user_id": 4,
"user_role": "authenticated",
"reqid": 8,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_verification["success"] is False
# 7. try to verify the API key as a different user - this should fail anyway
apikey_verification = actions.verify_apikey_nosession(
{
"apikey_dict": apikey_dict,
"user_id": 5,
"user_role": "authenticated",
"reqid": 9,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_verification["success"] is False
teardown()
def test_verify_apikey(tmpdir):
"""
This tests if the issued API key can be verified:
- within expiry time
- within expiry but with other user
- after expiry time
"""
delete_test_authdb(tmpdir)
test_authdb_url = get_test_authdb(tmpdir)
teardown()
get_public_suffix_list()
# 1. create a couple of new users
payload = {
"full_name": "Test User",
"email": "*****@*****.**",
"password": "******",
"reqid": 1,
"pii_salt": "super-secret-salt",
}
user_created = actions.create_new_user(
payload, raiseonfail=True, override_authdb_path=test_authdb_url)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert user_created["user_id"] == 4
payload = {
"full_name": "Another Test User",
"email": "*****@*****.**",
"password": "******",
"reqid": 2,
"pii_salt": "super-secret-salt",
}
user_created = actions.create_new_user(
payload, raiseonfail=True, override_authdb_path=test_authdb_url)
assert user_created["success"] is True
assert user_created["user_email"] == "*****@*****.**"
assert user_created["user_id"] == 5
# 2. verify their emails
email_verified_info = actions.set_user_emailaddr_verified(
{
"email": "*****@*****.**",
"reqid": 3,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert email_verified_info["success"] is True
assert email_verified_info["user_id"] == 4
assert email_verified_info["is_active"] is True
assert email_verified_info["user_role"] == "authenticated"
email_verified_info = actions.set_user_emailaddr_verified(
{
"email": "*****@*****.**",
"reqid": 4,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert email_verified_info["success"] is True
assert email_verified_info["user_id"] == 5
assert email_verified_info["is_active"] is True
assert email_verified_info["user_role"] == "authenticated"
# 3. generate an API key for the first user
apikey_issue_payload = {
"issuer": "authnzerver",
"audience": "test-service",
"subject": "/test-endpoint",
"apiversion": 1,
"expires_seconds": 6,
"not_valid_before": 2,
"user_id": 4,
"user_role": "authenticated",
"ip_address": "1.2.3.4",
"refresh_expires": 10,
"refresh_nbf": 2,
"reqid": 4,
"pii_salt": "super-secret-salt",
}
apikey_info = actions.issue_apikey_nosession(
apikey_issue_payload,
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_info["success"] is True
apikey_dict = json.loads(apikey_info["apikey"])
# 4. try to verify the API key immediately - should fail because of
# not-before
apikey_verification = actions.verify_apikey_nosession(
{
"apikey_dict": apikey_dict,
"user_id": 4,
"user_role": "authenticated",
"reqid": 5,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_verification["success"] is False
# 5. wait 3 seconds, then verify again - this should pass
time.sleep(3)
apikey_verification = actions.verify_apikey_nosession(
{
"apikey_dict": apikey_dict,
"user_id": 4,
"user_role": "authenticated",
"reqid": 6,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_verification["success"] is True
# 6. try to verify the API key as a different user - this should fail
apikey_verification = actions.verify_apikey_nosession(
{
"apikey_dict": apikey_dict,
"user_id": 5,
"user_role": "authenticated",
"reqid": 6,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
override_permissions_json=permissions_json,
)
assert apikey_verification["success"] is False
# 7. wait 6 seconds, then try to reverify the API key as the original user
# it should have expired by now so this should fail
time.sleep(6)
apikey_verification = actions.verify_apikey_nosession(
{
"apikey_dict": apikey_dict,
"user_id": 4,
"user_role": "authenticated",
"reqid": 7,
"pii_salt": "super-secret-salt",
},
raiseonfail=True,
override_authdb_path=test_authdb_url,
)
assert apikey_verification["success"] is False
teardown()