Пример #1
    def test_auth_token_not_provided(self, master_ar_process_perclass):
        """A request that carries no credentials must be answered with 401.

        No headers or cookies are passed to the helper. The rejection is also
        expected to be visible in stderr as "No auth token in request.".
        """
        # SearchCriteria(1, True) presumably means "exactly one occurrence";
        # confirm the meaning of both arguments against the helper.
        expected_stderr = {"No auth token in request.": SearchCriteria(1, True)}

        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
        )
Пример #2
    def test_if_iam_broken_resp_code_is_handled(
            self,
            master_ar_process_perclass,
            valid_user_header,
            mocker,
            ):
        """A broken IAM reply must surface as 500 rather than as granted access.

        The mock at http://127.0.0.1:8101 is sent the 'always_bork' command
        (presumably the IAM mock switched to broken responses - confirm), then
        a request with a valid user header is made. The expected log lines
        show the token was accepted and the failure came from the IAM reply.
        """
        iam_endpoint = 'http://127.0.0.1:8101'
        mocker.send_command(
            endpoint_id=iam_endpoint, func_name='always_bork', aux_data=True)

        # SearchCriteria(1, True) presumably means "exactly one occurrence";
        # confirm against the helper.
        expected_stderr = {
            'UID from the valid DC/OS authentication token: `bozydar`':
                SearchCriteria(1, True),
            "Unexpected response from IAM: ": SearchCriteria(1, True),
        }
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            500,
            assert_stderr=expected_stderr,
            headers=valid_user_header,
        )
Пример #3
 def test_valid_auth_token(self, master_ar_process, valid_user_header):
     """A request carrying `valid_user_header` is served with 200.

     stderr is expected to name the uid taken from the token, which gives an
     audit trail of who was authenticated.
     """
     # SearchCriteria(1, True) presumably means "exactly one occurrence";
     # confirm against the helper.
     expected_stderr = {"UID from valid JWT: `bozydar`": SearchCriteria(1, True)}
     assert_endpoint_response(
         master_ar_process,
         EXHIBITOR_PATH,
         200,
         assert_stderr=expected_stderr,
         headers=valid_user_header,
     )
Пример #4
    def test_if_known_user_is_permitted_access(
            self, mocker, master_ar_process, path, valid_user_header):
        """A user known to IAM gets 200 on `path`, and IAM is asked about them.

        The request runs inside `assert_iam_queried_for_uid`, so the test fails
        if the uid lookup for `bozydar` is skipped.
        """
        # Paths under /acs/api/v1 are expected to reach IAM twice, presumably
        # because the request itself is also served by IAM - confirm.
        expect_second_call = path.startswith("/acs/api/v1")
        iam_lookup_check = assert_iam_queried_for_uid(
            mocker, 'bozydar', expect_two_iam_calls=expect_second_call)

        with iam_lookup_check:
            assert_endpoint_response(
                master_ar_process, path, 200, headers=valid_user_header)
Пример #5
 def test_valid_auth_token(self, master_ar_process_perclass, valid_user_header):
     """A request carrying `valid_user_header` is served with 200.

     The error log is expected to name the uid read from the accepted token.
     """
     # SearchCriteria(1, True) presumably means "exactly one occurrence";
     # confirm against the helper.
     expected_log = {
         "UID from the valid DC/OS authentication token: `bozydar`":
             SearchCriteria(1, True),
     }
     assert_endpoint_response(
         master_ar_process_perclass,
         EXHIBITOR_PATH,
         200,
         assert_error_log=expected_log,
         headers=valid_user_header,
     )
Пример #6
 def test_if_unknown_user_is_forbidden_access(
         self, mocker, master_ar_process, path, valid_user_header):
     """A valid token for a uid that IAM does not accept is rejected.

     While `iam_denies_all_requests` is active the request must still trigger
     the IAM lookup for `bozydar` and must be answered with 401. Note that the
     asserted status is 401 although the test name says "forbidden".
     """
     # SearchCriteria(1, True) presumably means "exactly one occurrence";
     # confirm against the helper.
     expected_stderr = {'User not found: `bozydar`': SearchCriteria(1, True)}

     with iam_denies_all_requests(mocker), \
             assert_iam_queried_for_uid(mocker, 'bozydar'):
         assert_endpoint_response(
             master_ar_process,
             path,
             401,
             headers=valid_user_header,
             assert_stderr=expected_stderr,
         )
Пример #7
 def test_valid_auth_token_without_exp(
         self,
         master_ar_process_perclass,
         jwt_generator,
         ):
     """A token generated without the `exp` claim is still accepted (200).

     NOTE(review): such a token never expires on its own, so this test pins a
     policy in which revocation cannot rely on expiry - confirm it is intended.
     """
     # Tokens with no expiry ("forever tokens") are deliberately accepted.
     forever_token = jwt_generator(uid='test', skip_exp_claim=True)
     request_headers = {'Authorization': 'token={}'.format(forever_token)}
     assert_endpoint_response(
         master_ar_process_perclass,
         EXHIBITOR_PATH,
         200,
         headers=request_headers,
     )
Пример #8
    def test_invalid_auth_token_in_cookie(self, master_ar_process_perclass):
        """A malformed value in the auth cookie is rejected with 401.

        The logs must report the cookie as an invalid JWT string rather than
        as a missing token, which shows the cookie was actually parsed.
        """
        # A count of 0 looks like "must not appear" and 1 like "exactly once";
        # confirm against SearchCriteria.
        expected_stderr = {
            "No auth token in request.": SearchCriteria(0, True),
            "Invalid token. Reason: invalid jwt string": SearchCriteria(1, True),
        }
        bad_cookie = {"dcos-acs-auth-cookie": "invalid"}

        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
            cookies=bad_cookie,
        )
Пример #9
    def test_valid_auth_token_in_cookie(self, master_ar_process, jwt_generator):
        """A generated token sent only in the auth cookie is accepted (200).

        The logs must name uid `test` and must contain neither the
        missing-token nor the invalid-JWT message.
        """
        # A count of 0 looks like "must not appear" and 1 like "exactly once";
        # confirm against SearchCriteria.
        expected_stderr = {
            "No auth token in request.": SearchCriteria(0, True),
            "Invalid token. Reason: invalid jwt string": SearchCriteria(0, True),
            "UID from valid JWT: `test`": SearchCriteria(1, True),
        }

        cookie_token = jwt_generator(uid='test')
        assert_endpoint_response(
            master_ar_process,
            EXHIBITOR_PATH,
            200,
            assert_stderr=expected_stderr,
            cookies={"dcos-acs-auth-cookie": cookie_token},
        )
Пример #10
    def test_if_master_ar_sets_correct_useragent_while_quering_iam(
            self, master_ar_process_pertest, mocker, valid_user_header):
        """The request recorded by the mock must carry the expected User-Agent.

        The mock at http://127.0.0.1:8101 records requests while one
        authenticated call is made. Exactly one recorded request is expected,
        with `User-Agent: Master Admin Router`.
        """
        iam_endpoint = 'http://127.0.0.1:8101'
        mocker.send_command(
            endpoint_id=iam_endpoint, func_name='record_requests')

        assert_endpoint_response(
            master_ar_process_pertest,
            '/mesos_dns/v1/reflect/me',
            200,
            headers=valid_user_header,
        )

        recorded = mocker.send_command(
            endpoint_id=iam_endpoint, func_name='get_recorded_requests')

        # More than one recorded request would mean an unexpected extra call.
        assert len(recorded) == 1
        verify_header(recorded[0]['headers'], 'User-Agent', 'Master Admin Router')
Пример #11
    def test_forged_auth_token(
        self,
        master_ar_process_perclass,
        forged_user_header,
    ):
        """A request carrying `forged_user_header` must be rejected with 401.

        Only the generic "Invalid token" prefix is looked for in stderr.
        """
        # The open and EE validators log different messages, hence two
        # separate tests, each with its own expected log line.
        # SearchCriteria(1, True) presumably means "exactly one occurrence";
        # confirm against the helper.
        expected_stderr = {"Invalid token": SearchCriteria(1, True)}

        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
            headers=forged_user_header,
        )
Пример #12
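    def test_valid_auth_token_without_uid(
        self,
        master_ar_process_perclass,
        jwt_generator,
    ):
        """A token generated without the `uid` claim is rejected with 401.

        The token is sent in the Authorization header. stderr is expected to
        name the missing claim, so the rejection reason is visible in the logs.
        """
        # Raw string: the non-raw form relied on "\[" being an unrecognised
        # escape sequence, which newer Python versions warn about. The
        # characters are unchanged. The escaped brackets suggest the key is
        # matched as a regular expression - confirm against SearchCriteria.
        log_messages = {
            r"Invalid token. Reason: Missing one of claims - \[ uid \]":
            SearchCriteria(1, True),
        }

        token = jwt_generator(uid='test', skip_uid_claim=True)
        auth_header = {'Authorization': 'token={}'.format(token)}
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=log_messages,
            headers=auth_header,
        )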
Пример #13
    def test_missmatched_auth_token_algo_in_cookie(
        self,
        master_ar_process_perclass,
        mismatch_alg_jwt_generator,
        repo_is_ee,
    ):
        """A cookie token from `mismatch_alg_jwt_generator` is rejected (401).

        This pins the validator's algorithm allow-list: stderr must report the
        token's algorithm as unsupported.
        """
        # jwt_type_str(not repo_is_ee) presumably names the algorithm of the
        # other repo flavour, i.e. the one this validator rejects - confirm.
        rejected_alg = jwt_type_str(not repo_is_ee)
        expected_stderr = {
            "Invalid token. Reason: whitelist unsupported alg: " + rejected_alg:
                SearchCriteria(1, True),
        }

        cookie_token = mismatch_alg_jwt_generator(uid='user')
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
            cookies={"dcos-acs-auth-cookie": cookie_token},
        )
Пример #14
    def test_expired_auth_token(
        self,
        master_ar_process_perclass,
        jwt_generator,
    ):
        """A token whose `exp` lies 15 seconds in the past is rejected (401).

        NOTE(review): the 15-second margin has to exceed any clock-skew leeway
        the validator allows, otherwise the token would pass - confirm.
        """
        # SearchCriteria(1, True) presumably means "exactly one occurrence";
        # confirm against the helper.
        expected_stderr = {
            "Invalid token. Reason: 'exp' claim expired at ":
                SearchCriteria(1, True),
        }

        expired_at = time.time() - 15
        stale_token = jwt_generator(uid='test', exp=expired_at)
        request_headers = {'Authorization': 'token={}'.format(stale_token)}
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
            headers=request_headers,
        )
Пример #15
    def test_valid_auth_token_in_cookie(
            self, master_ar_process_perclass, jwt_generator):
        """A generated token sent only in the auth cookie is accepted (200).

        stderr must name uid `test` and must contain neither the missing-token
        nor the invalid-JWT message.
        """
        # A count of 0 looks like "must not appear" and 1 like "exactly once";
        # confirm against SearchCriteria.
        expected_stderr = {
            "No auth token in request.": SearchCriteria(0, True),
            "Invalid token. Reason: invalid jwt string": SearchCriteria(0, True),
            "UID from the valid DC/OS authentication token: `test`":
                SearchCriteria(1, True),
        }

        cookie_token = jwt_generator(uid='test')
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            200,
            assert_stderr=expected_stderr,
            cookies={"dcos-acs-auth-cookie": cookie_token},
        )
Пример #16
    def test_missmatched_auth_token_algo_in_cookie(
            self,
            master_ar_process_perclass,
            mismatch_alg_jwt_generator,
            repo_is_ee,
            ):
        """A cookie token with a non-whitelisted algorithm is rejected (401).

        The token comes from `mismatch_alg_jwt_generator`. stderr must report
        its algorithm as unsupported, which pins the validator's allow-list.
        """
        # jwt_type_str(not repo_is_ee) presumably names the algorithm of the
        # other repo flavour, i.e. the one this validator rejects - confirm.
        unsupported_alg = jwt_type_str(not repo_is_ee)
        expected_key = (
            "Invalid token. Reason: whitelist unsupported alg: " + unsupported_alg)
        expected_stderr = {expected_key: SearchCriteria(1, True)}

        cookie_token = mismatch_alg_jwt_generator(uid='user')
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
            cookies={"dcos-acs-auth-cookie": cookie_token},
        )
Пример #17
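    def test_valid_auth_token_without_uid(
            self,
            master_ar_process_perclass,
            jwt_generator,
            ):
        """A token generated without the `uid` claim is rejected with 401.

        The token is sent in the Authorization header. stderr is expected to
        name the missing claim, so the rejection reason is visible in the logs.
        """
        # Raw string: the non-raw form relied on "\[" being an unrecognised
        # escape sequence, which newer Python versions warn about. The
        # characters are unchanged. The escaped brackets suggest the key is
        # matched as a regular expression - confirm against SearchCriteria.
        log_messages = {
            r"Invalid token. Reason: Missing one of claims - \[ uid \]":
                SearchCriteria(1, True),
            }

        token = jwt_generator(uid='test', skip_uid_claim=True)
        auth_header = {'Authorization': 'token={}'.format(token)}
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=log_messages,
            headers=auth_header,
            )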
Пример #18
    def test_expired_auth_token(
            self,
            master_ar_process_perclass,
            jwt_generator,
            ):
        """A token that expired 15 seconds ago is rejected with 401.

        NOTE(review): this only holds while any clock-skew leeway in the
        validator is shorter than the 15-second margin - confirm.
        """
        # SearchCriteria(1, True) presumably means "exactly one occurrence";
        # confirm against the helper.
        expected_stderr = {
            "Invalid token. Reason: 'exp' claim expired at ":
                SearchCriteria(1, True),
        }

        past_expiry = time.time() - 15
        stale_token = jwt_generator(uid='test', exp=past_expiry)
        request_headers = {'Authorization': 'token={}'.format(stale_token)}
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
            headers=request_headers,
        )
Пример #19
    def test_valid_auth_token_priority(
            self,
            master_ar_process_perclass,
            valid_user_header,
            jwt_generator,
            ):
        """With both a header and a cookie token, only one identity is used.

        The cookie carries a token for uid `test`, and `valid_user_header`
        presumably carries one for `bozydar`. The error log must show
        `uid=bozydar` and must not show `uid=test`.
        """
        # A count of 0 looks like "must not appear" and 1 like "exactly once";
        # confirm against SearchCriteria.
        expected_log = {
            "uid=bozydar": SearchCriteria(1, True),
            "uid=test": SearchCriteria(0, True),
        }

        cookie_token = jwt_generator(uid='test')
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            200,
            assert_error_log=expected_log,
            headers=valid_user_header,
            cookies={"dcos-acs-auth-cookie": cookie_token},
        )
Пример #20
    def test_valid_auth_token_priority(
            self,
            master_ar_process,
            valid_user_header,
            jwt_generator,
            ):
        """With both a header and a cookie token, only one identity is used.

        The cookie carries a token for uid `test`, and `valid_user_header`
        presumably carries one for `bozydar`. stderr must report `bozydar`
        and must not report `test`.
        """
        # A count of 0 looks like "must not appear" and 1 like "exactly once";
        # confirm against SearchCriteria.
        expected_stderr = {
            "UID from valid JWT: `bozydar`": SearchCriteria(1, True),
            "UID from valid JWT: `test`": SearchCriteria(0, True),
        }

        cookie_token = jwt_generator(uid='test')
        assert_endpoint_response(
            master_ar_process,
            EXHIBITOR_PATH,
            200,
            assert_stderr=expected_stderr,
            headers=valid_user_header,
            cookies={"dcos-acs-auth-cookie": cookie_token},
        )
Пример #21
    def test_valid_auth_token_priority(
            self,
            master_ar_process,
            valid_user_header,
            valid_jwt_generator,
            ):
        """With both a header and a cookie token, only one identity is used.

        The cookie token is generated for uid `test`, and `valid_user_header`
        presumably belongs to `bozydar`. stderr must report `bozydar` and must
        not report `test`.
        """
        # A count of 0 looks like "must not appear" and 1 like "exactly once";
        # confirm against SearchCriteria.
        expected_stderr = {
            "UID from valid JWT: `bozydar`": SearchCriteria(1, True),
            "UID from valid JWT: `test`": SearchCriteria(0, True),
        }

        cookie_token = valid_jwt_generator(uid='test')
        assert_endpoint_response(
            master_ar_process,
            EXHIBITOR_PATH,
            200,
            assert_stderr=expected_stderr,
            headers=valid_user_header,
            cookies={"dcos-acs-auth-cookie": cookie_token},
        )
Пример #22
    def test_forged_auth_token(
            self,
            master_ar_process_perclass,
            forged_user_header,
            ):
        """A request carrying `forged_user_header` must be rejected with 401.

        stderr must give the reason as a signature mismatch, which shows the
        token was rejected by signature verification.
        """
        # The open and EE validators log different messages, hence two
        # separate tests, each with its own expected log line.
        # SearchCriteria(1, True) presumably means "exactly one occurrence";
        # confirm against the helper.
        expected_stderr = {
            "Invalid token. Reason: signature mismatch": SearchCriteria(1, True),
        }

        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
            headers=forged_user_header,
        )
Пример #23
    def test_valid_auth_token_in_cookie_with_null_uid(
        self,
        master_ar_process_perclass,
        jwt_generator,
    ):
        """A cookie token generated with `uid=None` is rejected with 401.

        stderr must report the missing uid. It must contain neither the
        missing-token nor the invalid-JWT message, so the token was parsed and
        then refused because of its payload.
        """
        # A count of 0 looks like "must not appear" and 1 like "exactly once";
        # confirm against SearchCriteria.
        expected_stderr = {
            "No auth token in request.": SearchCriteria(0, True),
            "Invalid token. Reason: invalid jwt string": SearchCriteria(0, True),
            "Unexpected token payload: missing uid.": SearchCriteria(1, True),
        }

        null_uid_token = jwt_generator(uid=None)
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
            cookies={"dcos-acs-auth-cookie": null_uid_token},
        )
Пример #24
    def test_valid_auth_token_in_cookie_with_null_uid(
            self,
            master_ar_process_perclass,
            jwt_generator,
            ):
        """A token whose uid is None, sent in the auth cookie, gets 401.

        The expected log lines separate this case from a missing or malformed
        token: only the "missing uid" payload message may appear.
        """
        # A count of 0 looks like "must not appear" and 1 like "exactly once";
        # confirm against SearchCriteria.
        expected_stderr = {
            "No auth token in request.": SearchCriteria(0, True),
            "Invalid token. Reason: invalid jwt string": SearchCriteria(0, True),
            "Unexpected token payload: missing uid.": SearchCriteria(1, True),
        }

        null_uid_token = jwt_generator(uid=None)
        auth_cookie = {"dcos-acs-auth-cookie": null_uid_token}
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            401,
            assert_stderr=expected_stderr,
            cookies=auth_cookie,
        )
Пример #25
    def test_if_iam_broken_resp_code_is_handled(
        self,
        master_ar_process_perclass,
        valid_user_header,
        mocker,
    ):
        """A broken IAM reply must surface as 500 rather than as granted access.

        The mock at http://127.0.0.1:8101 is sent the 'always_bork' command
        (presumably the IAM mock switched to broken responses - confirm)
        before a request with a valid user header is made. stderr must show
        that the token was accepted and that the IAM reply was unexpected.
        """
        iam_endpoint = 'http://127.0.0.1:8101'
        mocker.send_command(
            endpoint_id=iam_endpoint, func_name='always_bork', aux_data=True)

        # SearchCriteria(1, True) presumably means "exactly one occurrence";
        # confirm against the helper.
        expected_stderr = {
            'UID from valid JWT: `bozydar`': SearchCriteria(1, True),
            "Unexpected response from IAM: ": SearchCriteria(1, True),
        }
        assert_endpoint_response(
            master_ar_process_perclass,
            EXHIBITOR_PATH,
            500,
            assert_stderr=expected_stderr,
            headers=valid_user_header,
        )
Пример #26
 def test_if_unauthn_user_is_granted_access(
         self, agent_ar_process_perclass, unauthed_path):
     """Each `unauthed_path` on the agent answers 200 without credentials.

     No headers or cookies are passed to the helper.
     NOTE(review): every path supplied by `unauthed_path` is reachable without
     authentication, so additions to that fixture deserve a security review.
     """
     expected_status = 200
     assert_endpoint_response(
         agent_ar_process_perclass, unauthed_path, expected_status)
Пример #27
 def test_if_unauthn_user_is_granted_access(
         self,
         agent_ar_process_perclass,
         unauthed_path,
         ):
     """A request with no headers or cookies to `unauthed_path` must get 200.

     NOTE(review): paths listed in `unauthed_path` are served without
     authentication, so keep that list as short as the product allows.
     """
     status_when_open = 200
     assert_endpoint_response(
         agent_ar_process_perclass,
         unauthed_path,
         status_when_open,
     )
Пример #28
 def test_if_unauthn_user_is_granted_access(
         self, master_ar_process_perclass, path):
     """Each parametrised `path` on the master answers 200 without credentials.

     No headers or cookies are passed to the helper.
     NOTE(review): whatever feeds `path` defines which master locations are
     open to unauthenticated clients - confirm each entry is intentional.
     """
     expected_status = 200
     assert_endpoint_response(
         master_ar_process_perclass, path, expected_status)