Ejemplo n.º 1
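    def test_fail_invalidated_tokens_after_update(self, api_client_mgmt, api_client_int, init_users_f):
        """Check that updating a user revokes the tokens already issued to that user.

        Two users log in. The first user's token authorizes an update of the
        second user's record. Afterwards the first token must still verify,
        while the token the second user obtained before the update must be
        rejected with 401.
        """
        users = [
            init_users_f[0],
            init_users_f[1]
        ]
        # NOTE(review): both values look masked in this listing; confirm the
        # real fixture data before relying on them.
        update = {
            "email": "*****@*****.**",
            "current_password": "******"
        }
        _, r = api_client_mgmt.login(users[0].email, "correcthorsebatterystaple")
        assert r.status_code == 200
        token_one = r.text
        auth = {"Authorization": "Bearer " + token_one}

        _, r = api_client_mgmt.login(users[1].email, "correcthorsebatterystaple")
        assert r.status_code == 200
        token_two = r.text
        # Baseline: the second token is accepted before the update.
        _, r = api_client_int.verify(token_two)
        assert r.status_code == 200

        # test update
        _, r = api_client_mgmt.update_user(users[1].id, update, auth)
        assert r.status_code == 204

        # verify tokens: the acting user's session survives the update ...
        _, r = api_client_int.verify(token_one)
        assert r.status_code == 200
        # ... and the updated user's old token must no longer be accepted.
        with pytest.raises(bravado.exception.HTTPError) as excinfo:
            api_client_int.verify(token_two)
        # Checked after the block: a statement placed after the raising call
        # inside `pytest.raises` never runs, so the status code would go
        # unchecked and any HTTP error would satisfy the test.
        assert excinfo.value.response.status_code == 401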
Ejemplo n.º 2
def verify_token(api_client_int, token, status_code):
    """Verify *token* and assert that the service answers with *status_code*.

    The status is read from the response when the call returns normally and
    from the raised ``HTTPError`` otherwise, so one helper covers both the
    accepted and the rejected case.
    """
    try:
        _, rsp = api_client_int.verify(token)
    except bravado.exception.HTTPError as err:
        observed = err.response.status_code
    else:
        observed = rsp.status_code
    assert observed == status_code
Ejemplo n.º 3
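    def test_tamper_claims(self, api_client_int, init_users, user_tokens):
        """Check that a token whose claims were changed after signing is rejected.

        Each token is split with ``explode_jwt`` (presumably into header,
        claims and raw signature; confirm against the helper). The
        ``mender.tenant`` claim is overwritten and the token is reassembled
        with the original signature. Verification must answer 401.
        """
        def b64url(raw):
            # JWT segments are base64url without '=' padding. Stripping it
            # keeps the tampered token well-formed, so a rejection reflects
            # the signature mismatch rather than a parsing error.
            return urlsafe_b64encode(raw).decode().rstrip('=')

        for _user, token in zip(init_users, user_tokens):
            hdr, claims, sign = explode_jwt(token)
            claims['mender.tenant'] = 'foobar'

            tampered = '.'.join([b64url(json.dumps(hdr).encode()),
                                 b64url(json.dumps(claims).encode()),
                                 b64url(sign)])
            try:
                _, r = api_client_int.verify(tampered)
            except bravado.exception.HTTPError as herr:
                assert herr.response.status_code == 401
            else:
                # Without this branch an accepted tampered token would let
                # the test pass silently.
                assert r.status_code == 401, "tampered token was accepted"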
Ejemplo n.º 4
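    def _do_test_ok(
        self,
        api_client_int,
        api_client_mgmt,
        init_users,
        token_request,
        tenant_id=None,
    ):
        """Exercise the personal-access-token lifecycle: create, verify, list, revoke.

        Logs in as the first user, creates a token from *token_request*,
        checks that it verifies and is listed, deletes it, then checks that
        it is no longer listed and that verification is rejected with 401.
        *tenant_id* is accepted but not used in this body.
        """
        user = init_users[0]
        _, r = api_client_mgmt.login(user.email, "correcthorsebatterystaple")
        assert r.status_code == 200
        user_token = r.text

        auth = {"Authorization": "Bearer " + user_token}

        _, r = api_client_mgmt.create_token(token_request, auth)
        assert r.status_code == 200
        personal_access_token = r.text

        # check if the token is valid
        _, r = api_client_int.verify(personal_access_token)
        assert r.status_code == 200

        # get tokens
        tokens, r = api_client_mgmt.list_tokens(auth)
        assert r.status_code == 200
        assert len(tokens) == 1

        # revoke token
        r = api_client_mgmt.delete_token(tokens[0].id, auth)
        assert r.status_code == 204

        # verify token has been removed
        tokens, r = api_client_mgmt.list_tokens(auth)
        assert r.status_code == 200
        assert len(tokens) == 0
        with pytest.raises(bravado.exception.HTTPError) as e:
            api_client_int.verify(personal_access_token)
        # Checked after the block: a statement placed after the raising call
        # inside `pytest.raises` never runs. The caught exception is exposed
        # as `e.value`; the ExceptionInfo object itself has no `.response`.
        assert e.value.response.status_code == 401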
Ejemplo n.º 5
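    def test_ok(self, api_client_int, api_client_mgmt, init_users):
        """Check that logging out invalidates the session token.

        Logs in, confirms the token verifies, logs out with that token, then
        requires that verifying the same token is rejected with 401.
        """
        # NOTE(review): both values look masked in this listing; confirm the
        # real fixture credentials.
        email = "*****@*****.**"
        password = "******"

        # log in
        _, r = api_client_mgmt.login(email, password)
        assert r.status_code == 200
        token = r.text

        # token is valid
        _, r = api_client_int.verify(token)
        assert r.status_code == 200

        # log out
        _, r = api_client_mgmt.logout(auth={"Authorization": "Bearer {}".format(token)})
        assert r.status_code == 202

        # token is not valid anymore
        try:
            _, r = api_client_int.verify(token)
        except bravado.exception.HTTPError as herr:
            assert herr.response.status_code == 401
        else:
            # Without this branch a token that still verifies after logout
            # would let the test pass silently.
            assert r.status_code == 401, "token still verifies after logout"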
Ejemplo n.º 6
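 def test_bad_x_original(self, api_client_int, init_users, user_tokens):
     """Check that verifying a valid token with ``uri='/foobar'`` yields 500.

     NOTE(review): going by the test name, ``uri`` presumably sets the
     forwarded original-URI value. Confirm against the client wrapper.
     """
     token = user_tokens[0]
     try:
         _, r = api_client_int.verify(token, uri='/foobar')
     except bravado.exception.HTTPError as herr:
         assert herr.response.status_code == 500
     else:
         # Without this branch a request that is accepted despite the bad
         # URI would let the test pass silently.
         assert r.status_code == 500, "verify succeeded with an unexpected URI"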
Ejemplo n.º 7
    def test_ok(self, api_client_int, init_users, user_tokens):
        """Check that every token in *user_tokens* verifies with status 200."""
        # zip() limits the loop to as many tokens as there are users.
        pairs = zip(init_users, user_tokens)
        for _user, jwt in pairs:
            _result, response = api_client_int.verify(jwt)
            assert response.status_code == 200
Ejemplo n.º 8
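 def test_fail(self, api_client_int, init_users, token):
     """Check that verifying the supplied invalid *token* is rejected with 401."""
     try:
         _, r = api_client_int.verify(token)
     except bravado.exception.HTTPError as herr:
         assert herr.response.status_code == 401
     else:
         # Without this branch an invalid token that is accepted would let
         # the test pass silently.
         assert r.status_code == 401, "invalid token was accepted"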