async def test_invalid_username(factory: ComponentFactory) -> None:
user_info = TokenUserInfo(
username="******",
name="Example Person",
uid=4137,
groups=[TokenGroup(name="foo", id=1000)],
)
token_service = factory.create_token_service()
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "admin:token"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(session_token)
assert data
# Cannot create any type of token with an invalid name.
for user in (
"<bootstrap>",
"<internal>",
"in+valid",
" invalid",
"invalid ",
"in/valid",
"in@valid",
"-invalid",
"invalid-",
"in--valid",
):
user_info.username = user
with pytest.raises(PermissionDeniedError):
await token_service.create_session_token(user_info,
scopes=[],
ip_address="127.0.0.1")
data.username = user
with pytest.raises(PermissionDeniedError):
await token_service.create_user_token(data,
user,
token_name="n",
scopes=[],
ip_address="127.0.0.1")
with pytest.raises(PermissionDeniedError):
await token_service.get_notebook_token(data,
ip_address="127.0.0.1")
with pytest.raises(PermissionDeniedError):
await token_service.get_internal_token(data,
service="s",
scopes=[],
ip_address="127.0.0.1")
with pytest.raises(ValidationError):
AdminTokenRequest(username=user, token_type=TokenType.service)
request = AdminTokenRequest(username="******",
token_type=TokenType.service)
request.username = user
with pytest.raises(PermissionDeniedError):
await token_service.create_token_from_admin_request(
request, data, ip_address="127.0.0.1")
async def test_list(factory: ComponentFactory) -> None:
user_info = TokenUserInfo(username="******",
name="Example Person",
uid=4137)
token_service = factory.create_token_service()
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info, scopes=["user:token"], ip_address="127.0.0.1")
data = await token_service.get_data(session_token)
assert data
async with factory.session.begin():
user_token = await token_service.create_user_token(
data,
data.username,
token_name="some-token",
scopes=[],
ip_address="127.0.0.1",
)
other_user_info = TokenUserInfo(username="******",
name="Other Person",
uid=1313)
other_session_token = await token_service.create_session_token(
other_user_info, scopes=["admin:token"], ip_address="1.1.1.1")
admin_data = await token_service.get_data(other_session_token)
assert admin_data
async with factory.session.begin():
session_info = await token_service.get_token_info_unchecked(
session_token.key)
assert session_info
user_token_info = await token_service.get_token_info_unchecked(
user_token.key)
assert user_token_info
other_session_info = await token_service.get_token_info_unchecked(
other_session_token.key)
assert other_session_info
assert await token_service.list_tokens(data, "example") == sorted(
sorted((session_info, user_token_info), key=lambda t: t.token),
key=lambda t: t.created,
reverse=True,
)
assert await token_service.list_tokens(admin_data) == sorted(
sorted(
(session_info, other_session_info, user_token_info),
key=lambda t: t.token,
),
key=lambda t: t.created,
reverse=True,
)
# Regular users can't retrieve all tokens.
with pytest.raises(PermissionDeniedError):
await token_service.list_tokens(data)
async def add_expired_session_token(
user_info: TokenUserInfo,
*,
scopes: List[str],
ip_address: str,
session: AsyncSession,
) -> None:
"""Add an expired session token to the database.
This requires going beneath the service layer, since the service layer
rejects creation of expired tokens (since apart from testing this isn't a
sensible thing to want to do).
This does not add the token to Redis, since Redis will refuse to add it
with a negative expiration time, so can only be used for tests that
exclusively use the database.
Parameters
----------
user_info : `gafaelfawr.models.token.TokenUserInfo`
The user information to associate with the token.
scopes : List[`str`]
The scopes of the token.
ip_address : `str`
The IP address from which the request came.
session : `sqlalchemy.ext.asyncio.AsyncSession`
The database session.
"""
token_db_store = TokenDatabaseStore(session)
token_change_store = TokenChangeHistoryStore(session)
token = Token()
created = current_datetime()
expires = created - timedelta(minutes=10)
data = TokenData(
token=token,
token_type=TokenType.session,
scopes=scopes,
created=created,
expires=expires,
**user_info.dict(),
)
history_entry = TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.session,
scopes=scopes,
expires=expires,
actor=data.username,
action=TokenChange.create,
ip_address=ip_address,
event_time=created,
)
await token_db_store.add(data)
await token_change_store.add(history_entry)
async def create_session_token(self, user_info: TokenUserInfo, *,
scopes: List[str],
ip_address: str) -> Token:
"""Create a new session token.
Parameters
----------
user_info : `gafaelfawr.models.token.TokenUserInfo`
The user information to associate with the token.
scopes : List[`str`]
The scopes of the token.
ip_address : `str`
The IP address from which the request came.
Returns
-------
token : `gafaelfawr.models.token.Token`
The newly-created token.
Raises
------
gafaelfawr.exceptions.PermissionDeniedError
If the provided username is invalid.
"""
self._validate_username(user_info.username)
scopes = sorted(scopes)
token = Token()
created = current_datetime()
expires = created + self._config.token_lifetime
data = TokenData(
token=token,
token_type=TokenType.session,
scopes=scopes,
created=created,
expires=expires,
**user_info.dict(),
)
history_entry = TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.session,
scopes=scopes,
expires=expires,
actor=data.username,
action=TokenChange.create,
ip_address=ip_address,
event_time=created,
)
await self._token_redis_store.store_data(data)
with self._transaction_manager.transaction():
self._token_db_store.add(data)
self._token_change_store.add(history_entry)
return token
async def get_user_info(self, token: Token) -> Optional[TokenUserInfo]:
"""Get user information associated with a token."""
data = await self.get_data(token)
if not data:
return None
return TokenUserInfo(
username=data.username,
name=data.name,
uid=data.uid,
email=data.email,
groups=data.groups,
)
async def create_session_token(
factory: ComponentFactory,
*,
username: Optional[str] = None,
group_names: Optional[List[str]] = None,
scopes: Optional[List[str]] = None,
) -> TokenData:
"""Create a session token.
Parameters
----------
factory : `gafaelfawr.factory.ComponentFactory`
Factory used to create services to add the token.
username : `str`, optional
Override the username of the generated token.
group_namess : List[`str`], optional
Group memberships the generated token should have.
scopes : List[`str`], optional
Scope for the generated token.
Returns
-------
data : `gafaelfawr.models.token.TokenData`
The data for the generated token.
"""
if not username:
username = "******"
if group_names:
groups = [TokenGroup(name=g, id=1000) for g in group_names]
else:
groups = []
user_info = TokenUserInfo(
username=username,
name="Some User",
email="*****@*****.**",
uid=1000,
groups=groups,
)
if not scopes:
scopes = ["user:token"]
token_service = factory.create_token_service()
async with factory.session.begin():
token = await token_service.create_session_token(
user_info, scopes=scopes, ip_address="127.0.0.1"
)
data = await token_service.get_data(token)
assert data
return data
async def create_user_info(self, code: str, state: str) -> TokenUserInfo:
"""Given the code from an authentication, create the user information.
Parameters
----------
code : `str`
Code returned by a successful authentication.
state : `str`
The same random string used for the redirect URL.
Returns
-------
user_info : `gafaelfawr.models.token.TokenUserInfo`
The user information corresponding to that authentication.
Raises
------
httpx.HTTPError
An HTTP client error occurred trying to talk to the authentication
provider.
gafaelfawr.exceptions.GitHubException
GitHub responded with an error to a request.
"""
self._logger.info("Getting user information from GitHub")
github_token = await self._get_access_token(code, state)
user_info = await self._get_user_info(github_token)
groups = []
invalid_groups = {}
for team in user_info.teams:
try:
groups.append(TokenGroup(name=team.group_name, id=team.gid))
except ValidationError as e:
invalid_groups[team.group_name] = str(e)
if invalid_groups:
self._logger.warning("Ignoring invalid groups",
invalid_groups=invalid_groups)
return TokenUserInfo(
username=user_info.username.lower(),
name=user_info.name,
email=user_info.email,
uid=user_info.uid,
groups=groups,
)
async def test_success_minimal(setup: SetupTest) -> None:
user_info = TokenUserInfo(username="******", uid=1234)
token_service = setup.factory.create_token_service()
token = await token_service.create_session_token(user_info,
scopes=["read:all"],
ip_address="127.0.0.1")
r = await setup.client.get(
"/auth",
params={"scope": "read:all"},
headers={"Authorization": f"Bearer {token}"},
)
assert r.status_code == 200
assert r.headers["X-Auth-Request-Token-Scopes"] == "read:all"
assert r.headers["X-Auth-Request-Scopes-Accepted"] == "read:all"
assert r.headers["X-Auth-Request-Scopes-Satisfy"] == "all"
assert r.headers["X-Auth-Request-User"] == "user"
assert r.headers["X-Auth-Request-Uid"] == "1234"
assert "X-Auth-Request-Name" not in r.headers
assert "X-Auth-Request-Email" not in r.headers
assert "X-Auth-Request-Groups" not in r.headers
async def _selenium_startup(token_path: str) -> None:
"""Startup hook for the app run in Selenium testing mode."""
config = await config_dependency()
user_info = TokenUserInfo(username="******", name="Test User", uid=1000)
scopes = list(config.known_scopes.keys())
async with ComponentFactory.standalone() as factory:
async with factory.session.begin():
# Add an expired token so that we can test display of expired
# tokens.
await add_expired_session_token(
user_info,
scopes=scopes,
ip_address="127.0.0.1",
session=factory.session,
)
# Add the valid session token.
token_service = factory.create_token_service()
token = await token_service.create_session_token(
user_info, scopes=scopes, ip_address="127.0.0.1")
with open(token_path, "w") as f:
f.write(str(token))
async def test_token_info(setup: SetupTest) -> None:
user_info = TokenUserInfo(
username="******",
name="Example Person",
email="*****@*****.**",
uid=45613,
groups=[TokenGroup(name="foo", id=12313)],
)
token_service = setup.factory.create_token_service()
session_token = await token_service.create_session_token(
user_info, scopes=["exec:admin", "user:token"], ip_address="127.0.0.1")
r = await setup.client.get(
"/auth/api/v1/token-info",
headers={"Authorization": f"bearer {session_token}"},
)
assert r.status_code == 200
data = r.json()
assert data == {
"token": session_token.key,
"username": "******",
"token_type": "session",
"scopes": ["exec:admin", "user:token"],
"created": ANY,
"expires": ANY,
}
now = datetime.now(tz=timezone.utc)
created = datetime.fromtimestamp(data["created"], tz=timezone.utc)
assert now - timedelta(seconds=2) <= created <= now
expires = created + timedelta(minutes=setup.config.issuer.exp_minutes)
assert datetime.fromtimestamp(data["expires"], tz=timezone.utc) == expires
r = await setup.client.get(
"/auth/api/v1/user-info",
headers={"Authorization": f"bearer {session_token}"},
)
assert r.status_code == 200
session_user_info = r.json()
assert session_user_info == {
"username": "******",
"name": "Example Person",
"email": "*****@*****.**",
"uid": 45613,
"groups": [{
"name": "foo",
"id": 12313,
}],
}
# Check the same with a user token, which has some additional associated
# data.
expires = now + timedelta(days=100)
data = await token_service.get_data(session_token)
user_token = await token_service.create_user_token(
data,
data.username,
token_name="some-token",
scopes=["exec:admin"],
expires=expires,
ip_address="127.0.0.1",
)
r = await setup.client.get(
"/auth/api/v1/token-info",
headers={"Authorization": f"bearer {user_token}"},
)
assert r.status_code == 200
data = r.json()
assert data == {
"token": user_token.key,
"username": "******",
"token_type": "user",
"token_name": "some-token",
"scopes": ["exec:admin"],
"created": ANY,
"expires": int(expires.timestamp()),
}
r = await setup.client.get(
"/auth/api/v1/user-info",
headers={"Authorization": f"bearer {user_token}"},
)
assert r.status_code == 200
assert r.json() == session_user_info
# Test getting a list of tokens for a user.
state = State(token=session_token)
r = await setup.client.get(
"/auth/api/v1/users/example/tokens",
cookies={COOKIE_NAME: state.as_cookie()},
)
async def test_create_delete_modify(setup: SetupTest,
caplog: LogCaptureFixture) -> None:
user_info = TokenUserInfo(
username="******",
name="Example Person",
email="*****@*****.**",
uid=45613,
groups=[TokenGroup(name="foo", id=12313)],
)
token_service = setup.factory.create_token_service()
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin", "user:token"],
ip_address="127.0.0.1",
)
csrf = await setup.login(session_token)
expires = current_datetime() + timedelta(days=100)
r = await setup.client.post(
"/auth/api/v1/users/example/tokens",
headers={"X-CSRF-Token": csrf},
json={
"token_name": "some token",
"scopes": ["read:all"],
"expires": int(expires.timestamp()),
},
)
assert r.status_code == 201
assert r.json() == {"token": ANY}
user_token = Token.from_str(r.json()["token"])
token_url = r.headers["Location"]
assert token_url == f"/auth/api/v1/users/example/tokens/{user_token.key}"
r = await setup.client.get(token_url)
assert r.status_code == 200
info = r.json()
assert info == {
"token": user_token.key,
"username": "******",
"token_name": "some token",
"token_type": "user",
"scopes": ["read:all"],
"created": ANY,
"expires": int(expires.timestamp()),
}
# Check that this is the same information as is returned by the token-info
# route. This is a bit tricky to do since the cookie will take precedence
# over the Authorization header, but we can't just delete the cookie since
# we'll lose the CSRF token. Save the cookie and delete it, and then
# later restore it.
cookie = setup.client.cookies.pop(COOKIE_NAME)
r = await setup.client.get(
"/auth/api/v1/token-info",
headers={"Authorization": f"bearer {user_token}"},
)
assert r.status_code == 200
assert r.json() == info
setup.client.cookies.set(COOKIE_NAME, cookie, domain=TEST_HOSTNAME)
# Listing all tokens for this user should return the user token and a
# session token.
r = await setup.client.get("/auth/api/v1/users/example/tokens")
assert r.status_code == 200
assert r.json() == sorted(
[
{
"token": session_token.key,
"username": "******",
"token_type": "session",
"scopes": ["exec:admin", "read:all", "user:token"],
"created": ANY,
"expires": ANY,
},
info,
],
key=lambda t: t["token"],
)
# Change the name, scope, and expiration of the token.
caplog.clear()
new_expires = current_datetime() + timedelta(days=200)
r = await setup.client.patch(
token_url,
headers={"X-CSRF-Token": csrf},
json={
"token_name": "happy token",
"scopes": ["exec:admin"],
"expires": int(new_expires.timestamp()),
},
)
assert r.status_code == 201
assert r.json() == {
"token": user_token.key,
"username": "******",
"token_name": "happy token",
"token_type": "user",
"scopes": ["exec:admin"],
"created": ANY,
"expires": int(new_expires.timestamp()),
}
# Check the logging. Regression test for a bug where new expirations
# would be logged as raw datetime objects instead of timestamps.
log = json.loads(caplog.record_tuples[0][2])
assert log == {
"expires": int(new_expires.timestamp()),
"event": "Modified token",
"key": user_token.key,
"level": "info",
"logger": "gafaelfawr",
"method": "PATCH",
"path": token_url,
"remote": "127.0.0.1",
"request_id": ANY,
"scope": "exec:admin read:all user:token",
"token": session_token.key,
"token_name": "happy token",
"token_scope": "exec:admin",
"token_source": "cookie",
"user": "******",
"user_agent": ANY,
}
# Delete the token.
r = await setup.client.delete(token_url, headers={"X-CSRF-Token": csrf})
assert r.status_code == 204
r = await setup.client.get(token_url)
assert r.status_code == 404
# Deleting again should return 404.
r = await setup.client.delete(token_url, headers={"X-CSRF-Token": csrf})
assert r.status_code == 404
# This user should now have only one token.
r = await setup.client.get("/auth/api/v1/users/example/tokens")
assert r.status_code == 200
assert len(r.json()) == 1
# We should be able to see the change history for the token.
r = await setup.client.get(token_url + "/change-history")
assert r.status_code == 200
assert r.json() == [
{
"token": user_token.key,
"username": "******",
"token_type": "user",
"token_name": "happy token",
"scopes": ["exec:admin"],
"expires": int(new_expires.timestamp()),
"actor": "example",
"action": "revoke",
"ip_address": "127.0.0.1",
"event_time": ANY,
},
{
"token": user_token.key,
"username": "******",
"token_type": "user",
"token_name": "happy token",
"scopes": ["exec:admin"],
"expires": int(new_expires.timestamp()),
"actor": "example",
"action": "edit",
"old_token_name": "some token",
"old_scopes": ["read:all"],
"old_expires": int(expires.timestamp()),
"ip_address": "127.0.0.1",
"event_time": ANY,
},
{
"token": user_token.key,
"username": "******",
"token_type": "user",
"token_name": "some token",
"scopes": ["read:all"],
"expires": int(expires.timestamp()),
"actor": "example",
"action": "create",
"ip_address": "127.0.0.1",
"event_time": ANY,
},
]
async def test_internal_token(setup: SetupTest) -> None:
user_info = TokenUserInfo(
username="******",
name="Example Person",
uid=4137,
groups=[TokenGroup(name="foo", id=1000)],
)
token_service = setup.factory.create_token_service()
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin", "user:token"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(session_token)
assert data
internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="2001:db8::45",
)
assert await token_service.get_user_info(internal_token) == user_info
info = token_service.get_token_info_unchecked(internal_token.key)
assert info and info == TokenInfo(
token=internal_token.key,
username=user_info.username,
token_type=TokenType.internal,
service="some-service",
scopes=["read:all"],
created=info.created,
last_used=None,
expires=data.expires,
parent=session_token.key,
)
assert_is_now(info.created)
# Cannot request a scope that the parent token doesn't have.
with pytest.raises(InvalidScopesError):
await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:some"],
ip_address="127.0.0.1",
)
# Creating another internal token from the same parent token with the same
# parameters just returns the same internal token as before.
new_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert internal_token == new_internal_token
history = token_service.get_change_history(
data, token=internal_token.key, username=data.username
)
assert history.entries == [
TokenChangeHistoryEntry(
token=internal_token.key,
username=data.username,
token_type=TokenType.internal,
parent=data.token.key,
service="some-service",
scopes=["read:all"],
expires=data.expires,
actor=data.username,
action=TokenChange.create,
ip_address="2001:db8::45",
event_time=info.created,
)
]
# A different scope or a different service results in a new token.
new_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["exec:admin"],
ip_address="127.0.0.1",
)
assert internal_token != new_internal_token
new_internal_token = await token_service.get_internal_token(
data,
service="another-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert internal_token != new_internal_token
# Check that the expiration time is capped by creating a user token that
# doesn't expire and then creating a notebook token from it. Use this to
# test a token with empty scopes.
user_token = await token_service.create_user_token(
data,
data.username,
token_name="some token",
scopes=["exec:admin"],
expires=None,
ip_address="127.0.0.1",
)
data = await token_service.get_data(user_token)
assert data
new_internal_token = await token_service.get_internal_token(
data, service="some-service", scopes=[], ip_address="127.0.0.1"
)
assert new_internal_token != internal_token
info = token_service.get_token_info_unchecked(new_internal_token.key)
assert info and info.scopes == []
expires = info.created + timedelta(minutes=setup.config.issuer.exp_minutes)
assert info.expires == expires
async def test_create_delete_modify(
client: AsyncClient, factory: ComponentFactory, caplog: LogCaptureFixture
) -> None:
user_info = TokenUserInfo(
username="******",
name="Example Person",
email="*****@*****.**",
uid=45613,
groups=[TokenGroup(name="foo", id=12313)],
)
token_service = factory.create_token_service()
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin", "user:token"],
ip_address="127.0.0.1",
)
csrf = await set_session_cookie(client, session_token)
expires = current_datetime() + timedelta(days=100)
r = await client.post(
"/auth/api/v1/users/example/tokens",
headers={"X-CSRF-Token": csrf},
json={
"token_name": "some token",
"scopes": ["read:all"],
"expires": int(expires.timestamp()),
},
)
assert r.status_code == 201
assert r.json() == {"token": ANY}
user_token = Token.from_str(r.json()["token"])
token_url = r.headers["Location"]
assert token_url == f"/auth/api/v1/users/example/tokens/{user_token.key}"
r = await client.get(token_url)
assert r.status_code == 200
info = r.json()
assert info == {
"token": user_token.key,
"username": "******",
"token_name": "some token",
"token_type": "user",
"scopes": ["read:all"],
"created": ANY,
"expires": int(expires.timestamp()),
}
# Check that this is the same information as is returned by the token-info
# route. This is a bit tricky to do since the cookie will take precedence
# over the Authorization header, but we can't just delete the cookie since
# we'll lose the CSRF token. Save the cookie and delete it, and then
# later restore it.
cookie = client.cookies.pop(COOKIE_NAME)
r = await client.get(
"/auth/api/v1/token-info",
headers={"Authorization": f"bearer {user_token}"},
)
assert r.status_code == 200
assert r.json() == info
client.cookies.set(COOKIE_NAME, cookie, domain=TEST_HOSTNAME)
# Listing all tokens for this user should return the user token and a
# session token.
r = await client.get("/auth/api/v1/users/example/tokens")
assert r.status_code == 200
data = r.json()
# Adjust for sorting, which will be by creation date and then token.
assert len(data) == 2
if data[0] == info:
session_info = data[1]
else:
assert data[1] == info
session_info = data[0]
assert session_info == {
"token": session_token.key,
"username": "******",
"token_type": "session",
"scopes": ["exec:admin", "read:all", "user:token"],
"created": ANY,
"expires": ANY,
}
# Change the name, scope, and expiration of the token.
caplog.clear()
new_expires = current_datetime() + timedelta(days=200)
r = await client.patch(
token_url,
headers={"X-CSRF-Token": csrf},
json={
"token_name": "happy token",
"scopes": ["exec:admin"],
"expires": int(new_expires.timestamp()),
},
)
assert r.status_code == 201
assert r.json() == {
"token": user_token.key,
"username": "******",
"token_name": "happy token",
"token_type": "user",
"scopes": ["exec:admin"],
"created": ANY,
"expires": int(new_expires.timestamp()),
}
# Check the logging. Regression test for a bug where new expirations
# would be logged as raw datetime objects instead of timestamps.
assert parse_log(caplog) == [
{
"expires": int(new_expires.timestamp()),
"event": "Modified token",
"httpRequest": {
"requestMethod": "PATCH",
"requestUrl": f"https://{TEST_HOSTNAME}{token_url}",
"remoteIp": "127.0.0.1",
},
"key": user_token.key,
"scope": "exec:admin read:all user:token",
"severity": "info",
"token": session_token.key,
"token_name": "happy token",
"token_scope": "exec:admin",
"token_source": "cookie",
"user": "******",
}
]
# Delete the token.
r = await client.delete(token_url, headers={"X-CSRF-Token": csrf})
assert r.status_code == 204
r = await client.get(token_url)
assert r.status_code == 404
# Deleting again should return 404.
r = await client.delete(token_url, headers={"X-CSRF-Token": csrf})
assert r.status_code == 404
# This user should now have only one token.
r = await client.get("/auth/api/v1/users/example/tokens")
assert r.status_code == 200
assert len(r.json()) == 1
# We should be able to see the change history for the token.
r = await client.get(token_url + "/change-history")
assert r.status_code == 200
assert r.json() == [
{
"token": user_token.key,
"username": "******",
"token_type": "user",
"token_name": "happy token",
"scopes": ["exec:admin"],
"expires": int(new_expires.timestamp()),
"actor": "example",
"action": "revoke",
"ip_address": "127.0.0.1",
"event_time": ANY,
},
{
"token": user_token.key,
"username": "******",
"token_type": "user",
"token_name": "happy token",
"scopes": ["exec:admin"],
"expires": int(new_expires.timestamp()),
"actor": "example",
"action": "edit",
"old_token_name": "some token",
"old_scopes": ["read:all"],
"old_expires": int(expires.timestamp()),
"ip_address": "127.0.0.1",
"event_time": ANY,
},
{
"token": user_token.key,
"username": "******",
"token_type": "user",
"token_name": "some token",
"scopes": ["read:all"],
"expires": int(expires.timestamp()),
"actor": "example",
"action": "create",
"ip_address": "127.0.0.1",
"event_time": ANY,
},
]
async def create_user_info(self, code: str, state: str) -> TokenUserInfo:
"""Given the code from a successful authentication, get a token.
Parameters
----------
code : `str`
Code returned by a successful authentication.
state : `str`
The same random string used for the redirect URL.
Returns
-------
user_info : `gafaelfawr.models.token.TokenUserInfo`
The user information corresponding to that authentication.
Raises
------
gafaelfawr.exceptions.OIDCException
The OpenID Connect provider responded with an error to a request.
httpx.HTTPError
An HTTP client error occurred trying to talk to the authentication
provider.
jwt.exceptions.InvalidTokenError
The token returned by the OpenID Connect provider was invalid.
"""
data = {
"grant_type": "authorization_code",
"client_id": self._config.client_id,
"client_secret": self._config.client_secret,
"code": code,
"redirect_uri": self._config.redirect_url,
}
self._logger.info("Retrieving ID token from %s",
self._config.token_url)
r = await self._http_client.post(
self._config.token_url,
data=data,
headers={"Accept": "application/json"},
)
# If the call failed, try to extract an error from the reply. If that
# fails, just raise an exception for the HTTP status.
try:
result = r.json()
except Exception:
if r.status_code != 200:
r.raise_for_status()
else:
msg = "Response from {self._config.token_url} not valid JSON"
raise OIDCException(msg)
if r.status_code != 200 and "error" in result:
msg = result["error"] + ": " + result["error_description"]
raise OIDCException(msg)
elif r.status_code != 200:
r.raise_for_status()
if "id_token" not in result:
msg = f"No id_token in token reply from {self._config.token_url}"
raise OIDCException(msg)
# Extract and verify the token.
unverified_token = OIDCToken(encoded=result["id_token"])
try:
token = await self._verifier.verify_oidc_token(unverified_token)
except (jwt.InvalidTokenError, VerifyTokenException) as e:
msg = f"OpenID Connect token verification failed: {str(e)}"
raise OIDCException(msg)
# Extract information from it to create the user information.
groups = []
invalid_groups = {}
try:
for oidc_group in token.claims.get("isMemberOf", []):
if "name" not in oidc_group:
continue
name = oidc_group["name"]
if "id" not in oidc_group:
invalid_groups[name] = "missing id"
continue
gid = int(oidc_group["id"])
try:
groups.append(TokenGroup(name=name, id=gid))
except ValidationError as e:
invalid_groups[name] = str(e)
except Exception as e:
msg = f"isMemberOf claim is invalid: {str(e)}"
raise OIDCException(msg)
return TokenUserInfo(
username=token.username,
name=token.claims.get("name"),
email=token.claims.get("email"),
uid=token.uid,
groups=groups,
)
async def test_user_token(factory: ComponentFactory) -> None:
user_info = TokenUserInfo(username="******",
name="Example Person",
uid=4137)
token_service = factory.create_token_service()
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin", "user:token"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(session_token)
assert data
expires = current_datetime() + timedelta(days=2)
# Scopes are provided not in sorted order to ensure they're sorted when
# creating the token.
async with factory.session.begin():
user_token = await token_service.create_user_token(
data,
"example",
token_name="some-token",
scopes=["read:all", "exec:admin"],
expires=expires,
ip_address="192.168.0.1",
)
assert await token_service.get_user_info(user_token) == user_info
info = await token_service.get_token_info_unchecked(user_token.key)
assert info and info == TokenInfo(
token=user_token.key,
username=user_info.username,
token_name="some-token",
token_type=TokenType.user,
scopes=["exec:admin", "read:all"],
created=info.created,
last_used=None,
expires=int(expires.timestamp()),
parent=None,
)
assert_is_now(info.created)
assert await token_service.get_data(user_token) == TokenData(
token=user_token,
username=user_info.username,
token_type=TokenType.user,
scopes=["exec:admin", "read:all"],
created=info.created,
expires=info.expires,
name=user_info.name,
uid=user_info.uid,
)
async with factory.session.begin():
history = await token_service.get_change_history(
data, token=user_token.key, username=data.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=user_token.key,
username=data.username,
token_type=TokenType.user,
token_name="some-token",
scopes=["exec:admin", "read:all"],
expires=info.expires,
actor=data.username,
action=TokenChange.create,
ip_address="192.168.0.1",
event_time=info.created,
)
]
async def test_internal_token(config: Config,
factory: ComponentFactory) -> None:
user_info = TokenUserInfo(
username="******",
name="Example Person",
uid=4137,
groups=[TokenGroup(name="foo", id=1000)],
)
token_service = factory.create_token_service()
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin", "user:token"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(session_token)
assert data
async with factory.session.begin():
internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="2001:db8::45",
)
assert await token_service.get_user_info(internal_token) == user_info
info = await token_service.get_token_info_unchecked(internal_token.key)
assert info and info == TokenInfo(
token=internal_token.key,
username=user_info.username,
token_type=TokenType.internal,
service="some-service",
scopes=["read:all"],
created=info.created,
last_used=None,
expires=data.expires,
parent=session_token.key,
)
assert_is_now(info.created)
# Cannot request a scope that the parent token doesn't have.
with pytest.raises(InvalidScopesError):
await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:some"],
ip_address="127.0.0.1",
)
# Creating another internal token from the same parent token with the same
# parameters just returns the same internal token as before.
new_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert internal_token == new_internal_token
# Try again with the cache cleared to force a database lookup.
await token_service._token_cache.clear()
async with factory.session.begin():
new_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert internal_token == new_internal_token
async with factory.session.begin():
history = await token_service.get_change_history(
data, token=internal_token.key, username=data.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=internal_token.key,
username=data.username,
token_type=TokenType.internal,
parent=data.token.key,
service="some-service",
scopes=["read:all"],
expires=data.expires,
actor=data.username,
action=TokenChange.create,
ip_address="2001:db8::45",
event_time=info.created,
)
]
# It's possible we'll have a race condition where two workers both create
# an internal token at the same time with the same parameters. Gafaelfawr
# 3.0.2 had a regression where, once that had happened, it could not
# retrieve the internal token because it didn't expect multiple results
# from the query. Simulate this and make sure it's handled properly. The
# easiest way to do this is to use the internals of the token service.
second_internal_token = Token()
created = current_datetime()
expires = created + config.token_lifetime
internal_token_data = TokenData(
token=second_internal_token,
username=data.username,
token_type=TokenType.internal,
scopes=["read:all"],
created=created,
expires=expires,
name=data.name,
email=data.email,
uid=data.uid,
groups=data.groups,
)
await token_service._token_redis_store.store_data(internal_token_data)
async with factory.session.begin():
await token_service._token_db_store.add(internal_token_data,
service="some-service",
parent=data.token.key)
await token_service._token_cache.clear()
async with factory.session.begin():
dup_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert dup_internal_token in (internal_token, second_internal_token)
# A different scope or a different service results in a new token.
async with factory.session.begin():
new_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["exec:admin"],
ip_address="127.0.0.1",
)
assert internal_token != new_internal_token
async with factory.session.begin():
new_internal_token = await token_service.get_internal_token(
data,
service="another-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert internal_token != new_internal_token
# Check that the expiration time is capped by creating a user token that
# doesn't expire and then creating a notebook token from it. Use this to
# test a token with empty scopes.
async with factory.session.begin():
user_token = await token_service.create_user_token(
data,
data.username,
token_name="some token",
scopes=["exec:admin"],
expires=None,
ip_address="127.0.0.1",
)
data = await token_service.get_data(user_token)
assert data
async with factory.session.begin():
new_internal_token = await token_service.get_internal_token(
data, service="some-service", scopes=[], ip_address="127.0.0.1")
assert new_internal_token != internal_token
info = await token_service.get_token_info_unchecked(
new_internal_token.key)
assert info and info.scopes == []
expires = info.created + timedelta(minutes=config.issuer.exp_minutes)
assert info.expires == expires
async def test_notebook_token(setup: SetupTest) -> None:
user_info = TokenUserInfo(
username="******",
name="Example Person",
uid=4137,
groups=[TokenGroup(name="foo", id=1000)],
)
token_service = setup.factory.create_token_service()
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin", "user:token"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(session_token)
assert data
token = await token_service.get_notebook_token(data, ip_address="1.0.0.1")
assert await token_service.get_user_info(token) == user_info
info = token_service.get_token_info_unchecked(token.key)
assert info and info == TokenInfo(
token=token.key,
username=user_info.username,
token_type=TokenType.notebook,
scopes=["exec:admin", "read:all", "user:token"],
created=info.created,
last_used=None,
expires=data.expires,
parent=session_token.key,
)
assert_is_now(info.created)
assert await token_service.get_data(token) == TokenData(
token=token,
username=user_info.username,
token_type=TokenType.notebook,
scopes=["exec:admin", "read:all", "user:token"],
created=info.created,
expires=data.expires,
name=user_info.name,
uid=user_info.uid,
groups=user_info.groups,
)
# Creating another notebook token from the same parent token just returns
# the same notebook token as before.
new_token = await token_service.get_notebook_token(
data, ip_address="127.0.0.1"
)
assert token == new_token
history = token_service.get_change_history(
data, token=token.key, username=data.username
)
assert history.entries == [
TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.notebook,
parent=data.token.key,
scopes=["exec:admin", "read:all", "user:token"],
expires=data.expires,
actor=data.username,
action=TokenChange.create,
ip_address="1.0.0.1",
event_time=info.created,
)
]
# Check that the expiration time is capped by creating a user token that
# doesn't expire and then creating a notebook token from it.
user_token = await token_service.create_user_token(
data,
data.username,
token_name="some token",
scopes=[],
expires=None,
ip_address="127.0.0.1",
)
data = await token_service.get_data(user_token)
assert data
new_token = await token_service.get_notebook_token(
data, ip_address="127.0.0.1"
)
assert new_token != token
info = token_service.get_token_info_unchecked(new_token.key)
assert info
expires = info.created + timedelta(minutes=setup.config.issuer.exp_minutes)
assert info.expires == expires
async def test_wrong_user(setup: SetupTest) -> None:
token_data = await setup.create_session_token()
csrf = await setup.login(token_data.token)
token_service = setup.factory.create_token_service()
user_info = TokenUserInfo(username="******",
name="Some Other Person",
uid=137123)
other_session_token = await token_service.create_session_token(
user_info, scopes=["user:token"], ip_address="127.0.0.1")
other_session_data = await token_service.get_data(other_session_token)
assert other_session_data
other_token = await token_service.create_user_token(
other_session_data,
"other-person",
token_name="foo",
scopes=[],
ip_address="127.0.0.1",
)
# Get a token list.
r = await setup.client.get("/auth/api/v1/users/other-person/tokens")
assert r.status_code == 403
assert r.json()["detail"][0]["type"] == "permission_denied"
# Create a new user token.
r = await setup.client.post(
"/auth/api/v1/users/other-person/tokens",
headers={"X-CSRF-Token": csrf},
json={"token_name": "happy token"},
)
assert r.status_code == 403
assert r.json()["detail"][0]["type"] == "permission_denied"
# Get an individual token.
r = await setup.client.get(
f"/auth/api/v1/users/other-person/tokens/{other_token.key}")
assert r.status_code == 403
assert r.json()["detail"][0]["type"] == "permission_denied"
# Get the history of an individual token.
r = await setup.client.get(
f"/auth/api/v1/users/other-person/tokens/{other_token.key}"
"/change-history")
assert r.status_code == 403
assert r.json()["detail"][0]["type"] == "permission_denied"
# Ensure you can't see someone else's token under your username either.
r = await setup.client.get(
f"/auth/api/v1/users/{token_data.username}/tokens/{other_token.key}")
assert r.status_code == 404
# Or their history.
r = await setup.client.get(
f"/auth/api/v1/users/{token_data.username}/tokens/{other_token.key}"
"/change-history")
assert r.status_code == 404
# Delete a token.
r = await setup.client.delete(
f"/auth/api/v1/users/other-person/tokens/{other_token.key}",
headers={"X-CSRF-Token": csrf},
)
assert r.status_code == 403
assert r.json()["detail"][0]["type"] == "permission_denied"
r = await setup.client.delete(
f"/auth/api/v1/users/{token_data.username}/tokens/{other_token.key}",
headers={"X-CSRF-Token": csrf},
)
assert r.status_code == 404
# Modify a token.
r = await setup.client.patch(
f"/auth/api/v1/users/other-person/tokens/{other_token.key}",
json={"token_name": "happy token"},
headers={"X-CSRF-Token": csrf},
)
assert r.status_code == 403
assert r.json()["detail"][0]["type"] == "permission_denied"
r = await setup.client.patch(
f"/auth/api/v1/users/{token_data.username}/tokens/{other_token.key}",
json={"token_name": "happy token"},
headers={"X-CSRF-Token": csrf},
)
assert r.status_code == 404
async def test_token_from_admin_request(factory: ComponentFactory) -> None:
user_info = TokenUserInfo(username="******",
name="Example Person",
uid=4137)
token_service = factory.create_token_service()
async with factory.session.begin():
token = await token_service.create_session_token(
user_info, scopes=[], ip_address="127.0.0.1")
data = await token_service.get_data(token)
assert data
expires = current_datetime() + timedelta(days=2)
request = AdminTokenRequest(
username="******",
token_type=TokenType.user,
token_name="some token",
scopes=["read:all"],
expires=expires,
name="Other User",
uid=1345,
groups=[TokenGroup(name="some-group", id=4133)],
)
# Cannot create a token via admin request because the authentication
# information is missing the admin:token scope.
with pytest.raises(PermissionDeniedError):
await token_service.create_token_from_admin_request(
request, data, ip_address="127.0.0.1")
# Get a token with an appropriate scope.
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info, scopes=["admin:token"], ip_address="127.0.0.1")
admin_data = await token_service.get_data(session_token)
assert admin_data
# Test a few more errors.
request.scopes = ["bogus:scope"]
with pytest.raises(InvalidScopesError):
await token_service.create_token_from_admin_request(
request, admin_data, ip_address="127.0.0.1")
request.scopes = ["read:all"]
request.expires = current_datetime()
with pytest.raises(InvalidExpiresError):
await token_service.create_token_from_admin_request(
request, admin_data, ip_address="127.0.0.1")
request.expires = expires
# Try a successful request.
async with factory.session.begin():
token = await token_service.create_token_from_admin_request(
request, admin_data, ip_address="127.0.0.1")
user_data = await token_service.get_data(token)
assert user_data and user_data == TokenData(
token=token, created=user_data.created, **request.dict())
assert_is_now(user_data.created)
async with factory.session.begin():
history = await token_service.get_change_history(
admin_data, token=token.key, username=request.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=token.key,
username=request.username,
token_type=TokenType.user,
token_name=request.token_name,
scopes=["read:all"],
expires=request.expires,
actor=admin_data.username,
action=TokenChange.create,
ip_address="127.0.0.1",
event_time=user_data.created,
)
]
# Non-admins can't see other people's tokens.
with pytest.raises(PermissionDeniedError):
await token_service.get_change_history(data,
token=token.key,
username=request.username)
# Now request a service token with minimal data instead.
request = AdminTokenRequest(username="******",
token_type=TokenType.service)
async with factory.session.begin():
token = await token_service.create_token_from_admin_request(
request, admin_data, ip_address="127.0.0.1")
service_data = await token_service.get_data(token)
assert service_data and service_data == TokenData(
token=token, created=service_data.created, **request.dict())
assert_is_now(service_data.created)
async with factory.session.begin():
history = await token_service.get_change_history(
admin_data, token=token.key, username=request.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=token.key,
username=request.username,
token_type=TokenType.service,
scopes=[],
expires=None,
actor=admin_data.username,
action=TokenChange.create,
ip_address="127.0.0.1",
event_time=service_data.created,
)
]
async def test_session_token(config: Config,
factory: ComponentFactory) -> None:
token_service = factory.create_token_service()
user_info = TokenUserInfo(
username="******",
name="Example Person",
uid=4137,
groups=[
TokenGroup(name="group", id=1000),
TokenGroup(name="another", id=3134),
],
)
async with factory.session.begin():
token = await token_service.create_session_token(
user_info, scopes=["user:token"], ip_address="127.0.0.1")
data = await token_service.get_data(token)
assert data and data == TokenData(
token=token,
username="******",
token_type=TokenType.session,
scopes=["user:token"],
created=data.created,
expires=data.expires,
name="Example Person",
uid=4137,
groups=[
TokenGroup(name="group", id=1000),
TokenGroup(name="another", id=3134),
],
)
assert_is_now(data.created)
expires = data.created + timedelta(minutes=config.issuer.exp_minutes)
assert data.expires == expires
async with factory.session.begin():
info = await token_service.get_token_info_unchecked(token.key)
assert info and info == TokenInfo(
token=token.key,
username=user_info.username,
token_name=None,
token_type=TokenType.session,
scopes=data.scopes,
created=int(data.created.timestamp()),
last_used=None,
expires=int(data.expires.timestamp()),
parent=None,
)
assert await token_service.get_user_info(token) == user_info
async with factory.session.begin():
history = await token_service.get_change_history(
data, token=token.key, username=data.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.session,
scopes=["user:token"],
expires=data.expires,
actor=data.username,
action=TokenChange.create,
ip_address="127.0.0.1",
event_time=data.created,
)
]
# Test a session token with scopes.
async with factory.session.begin():
token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(token)
assert data and data.scopes == ["exec:admin", "read:all"]
info = await token_service.get_token_info_unchecked(token.key)
assert info and info.scopes == ["exec:admin", "read:all"]
async def build_history(
setup: SetupTest,
) -> List[TokenChangeHistoryEntry]:
"""Perform a bunch of token manipulations and return the history entries.
Assume that all token manipulations generate the correct history entries,
since that's tested in other tests. The only point of this function is to
build enough history that we can make interesting paginated queries of it.
"""
token_service = setup.factory.create_token_service()
user_info_one = TokenUserInfo(username="******")
token_one = await token_service.create_session_token(
user_info_one,
scopes=["exec:test", "read:all", "user:token"],
ip_address="192.0.2.3",
)
token_data_one = await token_service.get_data(token_one)
assert token_data_one
await token_service.get_internal_token(
token_data_one,
"foo",
scopes=["exec:test", "read:all"],
ip_address="192.0.2.4",
)
internal_token_one_bar = await token_service.get_internal_token(
token_data_one, "bar", scopes=["read:all"], ip_address="192.0.2.3"
)
token_data_internal_one_bar = await token_service.get_data(
internal_token_one_bar
)
assert token_data_internal_one_bar
await token_service.get_internal_token(
token_data_internal_one_bar, "baz", scopes=[], ip_address="10.10.10.10"
)
notebook_token_one = await token_service.get_notebook_token(
token_data_one, ip_address="198.51.100.5"
)
token_data_notebook_one = await token_service.get_data(notebook_token_one)
assert token_data_notebook_one
await token_service.get_internal_token(
token_data_notebook_one,
"foo",
scopes=["exec:test"],
ip_address="10.10.10.20",
)
user_info_two = TokenUserInfo(username="******")
token_two = await token_service.create_session_token(
user_info_two,
scopes=["read:some", "user:token"],
ip_address="192.0.2.20",
)
token_data_two = await token_service.get_data(token_two)
assert token_data_two
user_token_two = await token_service.create_user_token(
token_data_two,
token_data_two.username,
token_name="some token",
scopes=["read:some", "user:token"],
ip_address="192.0.2.20",
)
token_data_user_two = await token_service.get_data(user_token_two)
assert token_data_user_two
await token_service.get_internal_token(
token_data_user_two,
"foo",
scopes=["read:some"],
ip_address="10.10.10.10",
)
assert await token_service.modify_token(
user_token_two.key,
token_data_user_two,
token_data_user_two.username,
ip_address="192.0.2.20",
token_name="happy token",
)
request = AdminTokenRequest(
username="******",
token_type=TokenType.service,
scopes=["admin:token"],
)
service_token = await token_service.create_token_from_admin_request(
request,
TokenData.bootstrap_token(),
ip_address="2001:db8:034a:ea78:4278:4562:6578:9876",
)
service_token_data = await token_service.get_data(service_token)
assert service_token_data
assert await token_service.modify_token(
user_token_two.key,
service_token_data,
ip_address="2001:db8:034a:ea78:4278:4562:6578:9876",
scopes=["admin:token", "read:all"],
)
assert await token_service.modify_token(
user_token_two.key,
service_token_data,
ip_address="2001:db8:034a:ea78:4278:4562:6578:af42",
token_name="other name",
expires=current_datetime() + timedelta(days=30),
scopes=["read:all"],
)
assert await token_service.delete_token(
token_one.key,
service_token_data,
username=token_data_one.username,
ip_address="2001:db8:034a:ea78:4278:4562:6578:9876",
)
# Spread out the timestamps so that we can test date range queries. Every
# other entry has the same timestamp as the previous entry to test that
# queries handle entries with the same timestamp.
entries = (
setup.session.query(TokenChangeHistory)
.order_by(TokenChangeHistory.id)
.all()
)
event_time = current_datetime() - timedelta(seconds=len(entries) * 5)
with setup.transaction():
for i, entry in enumerate(entries):
entry.event_time = event_time
if i % 2 != 0:
event_time += timedelta(seconds=5)
history = token_service.get_change_history(service_token_data)
assert history.count == 20
assert len(history.entries) == 20
return history.entries
async def test_modify(factory: ComponentFactory) -> None:
user_info = TokenUserInfo(username="******",
name="Example Person",
uid=4137)
token_service = factory.create_token_service()
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "user:token"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(session_token)
assert data
async with factory.session.begin():
user_token = await token_service.create_user_token(
data,
data.username,
token_name="some-token",
scopes=[],
ip_address="127.0.0.1",
)
expires = current_datetime() + timedelta(days=50)
async with factory.session.begin():
await token_service.modify_token(
user_token.key,
data,
token_name="happy token",
ip_address="127.0.0.1",
)
await token_service.modify_token(
user_token.key,
data,
scopes=["read:all"],
expires=expires,
ip_address="192.168.0.4",
)
info = await token_service.get_token_info_unchecked(user_token.key)
assert info and info == TokenInfo(
token=user_token.key,
username="******",
token_type=TokenType.user,
token_name="happy token",
scopes=["read:all"],
created=info.created,
expires=expires,
last_used=None,
parent=None,
)
async with factory.session.begin():
await token_service.modify_token(
user_token.key,
data,
expires=None,
no_expire=True,
ip_address="127.0.4.5",
)
async with factory.session.begin():
history = await token_service.get_change_history(
data, token=user_token.key, username=data.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=user_token.key,
username=data.username,
token_type=TokenType.user,
token_name="happy token",
scopes=["read:all"],
expires=None,
actor=data.username,
action=TokenChange.edit,
old_expires=expires,
ip_address="127.0.4.5",
event_time=history.entries[0].event_time,
),
TokenChangeHistoryEntry(
token=user_token.key,
username=data.username,
token_type=TokenType.user,
token_name="happy token",
scopes=["read:all"],
expires=expires,
actor=data.username,
action=TokenChange.edit,
old_scopes=[],
old_expires=None,
ip_address="192.168.0.4",
event_time=history.entries[1].event_time,
),
TokenChangeHistoryEntry(
token=user_token.key,
username=data.username,
token_type=TokenType.user,
token_name="happy token",
scopes=[],
expires=None,
actor=data.username,
action=TokenChange.edit,
old_token_name="some-token",
ip_address="127.0.0.1",
event_time=history.entries[2].event_time,
),
TokenChangeHistoryEntry(
token=user_token.key,
username=data.username,
token_type=TokenType.user,
token_name="some-token",
scopes=[],
expires=None,
actor=data.username,
action=TokenChange.create,
ip_address="127.0.0.1",
event_time=info.created,
),
]
