def test_required_claims(self, claim):
"""
Verify that tokens that do not carry 'exp' or 'iat' claims are rejected
"""
authentication = JwtAuthentication()
user = UserFactory()
jwt_payload = self.default_payload(user)
del jwt_payload[claim]
jwt_value = self.generate_token(jwt_payload)
request = APIRequestFactory().get('dummy', HTTP_AUTHORIZATION='JWT {}'.format(jwt_value))
with self.assertRaises(AuthenticationFailed):
authentication.authenticate(request)
def test_no_preferred_username(self):
"""
Ensure the service gracefully handles an inability to extract a username from the id token.
"""
# with preferred_username: all good
authentication = JwtAuthentication()
user = authentication.authenticate_credentials({'preferred_username': self.USERNAME})
self.assertEqual(user.username, self.USERNAME)
# missing preferred_username: exception
authentication = JwtAuthentication()
with self.assertRaises(AuthenticationFailed):
authentication.authenticate_credentials({})
def test_required_claims(self, claim):
"""
Verify that tokens that do not carry 'exp' or 'iat' claims are rejected
"""
authentication = JwtAuthentication()
user = UserFactory()
jwt_payload = self.default_payload(user)
del jwt_payload[claim]
jwt_value = self.generate_token(jwt_payload)
request = APIRequestFactory().get(
'dummy', HTTP_AUTHORIZATION=f'JWT {jwt_value}')
with self.assertRaises(AuthenticationFailed):
authentication.authenticate(request)
def test_admin_user(self):
"""
Ensure the service gracefully handles an admin role from the id token.
"""
authentication = JwtAuthentication()
user = authentication.authenticate_credentials(
{
'preferred_username': self.USERNAME,
'administrator': True
}
)
self.assertEqual(user.username, self.USERNAME)
self.assertEqual(len(user.groups.all()), 1)
self.assertEqual(user.groups.all()[0].name, Role.ADMINS)
def test_admin_user(self):
"""
Ensure the service gracefully handles an admin role from the id token.
"""
authentication = JwtAuthentication()
user = authentication.authenticate_credentials({
'preferred_username':
self.USERNAME,
'administrator':
True
})
self.assertEqual(user.username, self.USERNAME)
self.assertEqual(len(user.groups.all()), 1)
self.assertEqual(user.groups.all()[0].name, Role.ADMINS)
def test_leeway(self, claim, offset):
"""
Verify that the service allows the specified amount of leeway (in
seconds) when nonzero and validating "exp" and "iat" claims.
"""
authentication = JwtAuthentication()
user = UserFactory()
jwt_value = self.generate_id_token(user, **{claim: int(time.time()) + offset})
request = APIRequestFactory().get('dummy', HTTP_AUTHORIZATION='JWT {}'.format(jwt_value))
# with no leeway, these requests should not be authenticated
with mock.patch.object(drf_jwt_settings, 'JWT_LEEWAY', 0):
with self.assertRaises(AuthenticationFailed):
authentication.authenticate(request)
# with enough leeway, these requests should be authenticated
with mock.patch.object(drf_jwt_settings, 'JWT_LEEWAY', abs(offset)):
self.assertEqual(
(user, jwt_value),
authentication.authenticate(request)
)
def test_leeway(self, claim, offset):
"""
Verify that the service allows the specified amount of leeway (in
seconds) when nonzero and validating "exp" and "iat" claims.
"""
authentication = JwtAuthentication()
user = UserFactory()
jwt_value = self.generate_id_token(
user, **{claim: int(time.time()) + offset})
request = APIRequestFactory().get(
'dummy', HTTP_AUTHORIZATION='JWT {}'.format(jwt_value))
# with no leeway, these requests should not be authenticated
with mock.patch.object(drf_jwt_settings, 'JWT_LEEWAY', 0):
with self.assertRaises(AuthenticationFailed):
authentication.authenticate(request)
# with enough leeway, these requests should be authenticated
with mock.patch.object(drf_jwt_settings, 'JWT_LEEWAY', abs(offset)):
self.assertEqual((user, jwt_value),
authentication.authenticate(request))
def test_no_preferred_username(self):
"""
Ensure the service gracefully handles an inability to extract a username from the id token.
"""
# with preferred_username: all good
authentication = JwtAuthentication()
user = authentication.authenticate_credentials(
{'preferred_username': self.USERNAME})
self.assertEqual(user.username, self.USERNAME)
# missing preferred_username: exception
authentication = JwtAuthentication()
with self.assertRaises(AuthenticationFailed):
authentication.authenticate_credentials({})
