def test_from_str(app):
"""from_str returns a TokenUser object for a good token"""
tok = FakeSerializer.prm(1)
with app.app_context():
eq_(
loader.token_loader.from_str(tok).permissions,
set([p.test_tokenauth.zig]))
def test_loader_good_header(app, client):
"""With a good Authorization header, the permissions in the DB are allowed"""
tok = FakeSerializer.prm(1)
auth = json.loads(
client.get('/test_tokenauth',
headers=[('Authorization', 'Bearer ' + tok)]).data)
eq_(auth['permissions'], ['test_tokenauth.zig'], auth)
def assert_prm_token(data, **attrs):
token = _get_token(data)
attrs['typ'] = 'prm'
attrs['id'] = id = token.id
attrs['token'] = FakeSerializer.prm(id)
attrs['disabled'] = False
_eq_token(token, attrs)
def assert_usr_token(data, **attrs):
token = _get_token(data)
attrs['typ'] = 'usr'
attrs['id'] = id = token.id
attrs['token'] = FakeSerializer.usr(id)
attrs['disabled'] = False
_eq_token(token, attrs)
def test_loader_good_header(app, client):
"""With a good Authorization header, the permissions in the DB are allowed"""
tok = FakeSerializer.prm(1)
auth = json.loads(
client.get('/test_tokenauth',
headers=[('Authorization', 'Bearer ' + tok)]).data)
eq_(auth['permissions'], ['test_tokenauth.zig'], auth)
def test_loader_good_header_Authentication(app, client):
"""The old 'Authentication' header can be used instead of 'Authorization'"""
# see https://github.com/mozilla/build-relengapi/pull/192/files
tok = FakeSerializer.prm(1)
auth = json.loads(
client.get('/test_tokenauth',
headers=[('Authentication', 'Bearer ' + tok)]).data)
eq_(auth['permissions'], ['test_tokenauth.zig'], auth)
def test_loader_good_header_Authentication(app, client):
"""The old 'Authentication' header can be used instead of 'Authorization'"""
# see https://github.com/mozilla/build-relengapi/pull/192/files
tok = FakeSerializer.prm(1)
auth = json.loads(
client.get('/test_tokenauth',
headers=[('Authentication', 'Bearer ' + tok)]).data)
eq_(auth['permissions'], ['test_tokenauth.zig'], auth)
def test_query_prm_token_exists(client):
"""Querying a permanent token, with base.tokens.prm.view, returns that token."""
res = client.post_json('/tokenauth/tokens/query',
FakeSerializer.prm(1))
eq_(res.status_code, 200)
eq_(json.loads(res.data),
{'result': {'id': 1, 'description': 'Zig only', 'typ': 'prm',
'permissions': ['test_tokenauth.zig'],
'disabled': False}})
def test_query_prm_token_exists(client):
"""Querying a permanent token, with base.tokens.prm.view, returns that token."""
res = client.post_json('/tokenauth/tokens/query',
FakeSerializer.prm(1))
eq_(res.status_code, 200)
assert_result(res.data,
{'id': 1, 'description': 'Zig only', 'typ': 'prm',
'permissions': ['test_tokenauth.zig'],
'disabled': False})
def assert_tmp_token(data, **attrs):
token = _get_token(data)
attrs['typ'] = 'tmp'
attrs['disabled'] = False
nbf = JAN_2014
exp = calendar.timegm(token.expires.utctimetuple())
attrs['token'] = FakeSerializer.tmp(
nbf=nbf, exp=exp, prm=token.permissions,
mta=token.metadata)
_eq_token(token, attrs)
def assert_tmp_token(data, **attrs):
token = _get_token(data)
attrs['typ'] = 'tmp'
attrs['disabled'] = False
nbf = JAN_2014
exp = calendar.timegm(token.expires.utctimetuple())
attrs['token'] = FakeSerializer.tmp(
nbf=nbf, exp=exp, prm=token.permissions,
mta=token.metadata)
_eq_token(token, attrs)
def app_setup(app):
# utility endpoint
@app.route('/test_tokenauth')
def test_route():
assert isinstance(current_user.permissions, set)
return json.dumps({
'id': current_user.get_id(),
'permissions': sorted(str(a) for a in current_user.permissions),
})
# fake out the serializer to make it easier to debug
app.tokenauth_serializer = FakeSerializer()
def test_query_tmp_token(client):
"""Querying a temporary token returns that token's info,
without requiring any special permissions"""
tok = FakeSerializer.tmp(
nbf=946684800, # Jan 1, 2000
exp=32503680000, # Jan 1, 3000
prm=['test_tokenauth.zag'],
mta={})
res = client.post_json('/tokenauth/tokens/query', tok)
eq_(res.status_code, 200)
assert_result(res.data, {
'typ': 'tmp',
'not_before': '2000-01-01T00:00:00+00:00',
'expires': '3000-01-01T00:00:00+00:00',
'metadata': {},
'permissions': ['test_tokenauth.zag'],
'disabled': False,
})
def test_query_usr_token_forbidden(client):
"""Querying a user token without permission results in a 403"""
res = client.post_json('/tokenauth/tokens/query', FakeSerializer.usr(2))
eq_(res.status_code, 403)
def test_query_usr_token_success_mine(client):
"""Querying a user token with base.tokens.usr.view.my returns the
token if the emails match"""
res = client.post_json('/tokenauth/tokens/query',
FakeSerializer.usr(2))
assert_result(res.data, usr_json)
def test_query_token_missing(client):
"""Querying a permanent token that does not exist returns status 404"""
res = client.post_json('/tokenauth/tokens/query',
FakeSerializer.prm(99))
eq_(res.status_code, 404)
def test_query_usr_token_success_all(client):
"""Querying a user token with base.tokens.usr.view.all returns the token."""
res = client.post_json('/tokenauth/tokens/query',
FakeSerializer.usr(2))
eq_(json.loads(res.data), {'result': usr_json})
def test_query_usr_token_forbidden_not_mine(client):
"""Querying a user token with base.tokens.usr.view.my gives 403
if the token email doesn't match the request email"""
res = client.post_json('/tokenauth/tokens/query',
FakeSerializer.usr(2))
eq_(res.status_code, 403)
def test_query_usr_token_forbidden(client):
"""Querying a user token without permission results in a 403"""
res = client.post_json('/tokenauth/tokens/query',
FakeSerializer.usr(2))
eq_(res.status_code, 403)
def test_query_prm_token_forbidden_wrong_perm(client):
"""Querying a permanent token requires base.tokens.prm.view"""
res = client.post_json('/tokenauth/tokens/query',
FakeSerializer.prm(1))
eq_(res.status_code, 403)
def test_query_token_missing(client):
"""Querying a permanent token that does not exist returns status 404"""
res = client.post_json('/tokenauth/tokens/query', FakeSerializer.prm(99))
eq_(res.status_code, 404)
def test_from_str_no_type(app):
"""from_str does not return a user for a token with no 'typ'"""
tok = FakeSerializer.dumps({})
with app.app_context():
eq_(loader.token_loader.from_str(tok), None)
def test_from_str_no_type(app):
"""from_str does not return a user for a token with no 'typ'"""
tok = FakeSerializer.dumps({})
with app.app_context():
eq_(loader.token_loader.from_str(tok), None)
def test_query_prm_token_forbidden_wrong_perm(client):
"""Querying a permanent token requires base.tokens.prm.view"""
res = client.post_json('/tokenauth/tokens/query', FakeSerializer.prm(1))
eq_(res.status_code, 403)
def test_from_str_bad_type(app):
"""from_str does not return a user for a token with a bogus typ"""
tok = FakeSerializer.dumps({'iss': 'ra2', 'typ': 'booogus'})
with app.app_context():
eq_(loader.token_loader.from_str(tok), None)
def test_query_usr_token_success_mine(client):
"""Querying a user token with base.tokens.usr.view.my returns the
token if the emails match"""
res = client.post_json('/tokenauth/tokens/query', FakeSerializer.usr(2))
eq_(json.loads(res.data), {'result': usr_json})
def test_from_str(app):
"""from_str returns a TokenUser object for a good token"""
tok = FakeSerializer.prm(1)
with app.app_context():
eq_(loader.token_loader.from_str(tok).permissions,
set([p.test_tokenauth.zig]))
def test_query_usr_token_forbidden_not_mine(client):
"""Querying a user token with base.tokens.usr.view.my gives 403
if the token email doesn't match the request email"""
res = client.post_json('/tokenauth/tokens/query', FakeSerializer.usr(2))
eq_(res.status_code, 403)
def test_from_str_bad_type(app):
"""from_str does not return a user for a token with a bogus typ"""
tok = FakeSerializer.dumps({'iss': 'ra2', 'typ': 'booogus'})
with app.app_context():
eq_(loader.token_loader.from_str(tok), None)
def test_query_usr_token_success_all(client):
"""Querying a user token with base.tokens.usr.view.all returns the token."""
res = client.post_json('/tokenauth/tokens/query', FakeSerializer.usr(2))
assert_result(res.data, usr_json)
