def test_enforce(self): """ Test the Enforcer object. """ with self.assertRaises(scitokens.scitokens.EnforcementError): print(scitokens.Enforcer(None)) enf = scitokens.Enforcer(self._test_issuer) enf.add_validator("foo", self.always_accept) self.assertFalse(enf.test(self._token, "read", "/"), msg=enf.last_failure) self._token["scp"] = "read:/" self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure) enf = scitokens.Enforcer(self._test_issuer, audience = "https://example.unl.edu") enf.add_validator("foo", self.always_accept) self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure) self._token["scp"] = "read:/foo/bar" self.assertFalse(enf.test(self._token, "read", "/foo"), msg=enf.last_failure) self._token["site"] = "T2_US_Example" self.assertFalse(enf.test(self._token, "read", "/foo/bar"), msg=enf.last_failure) enf = scitokens.Enforcer(self._test_issuer, site="T2_US_Example") enf.add_validator("foo", self.always_accept) self.assertTrue(enf.test(self._token, "read", "/foo/bar"), msg=enf.last_failure) self.assertFalse(enf.test(self._token, "write", "/foo/bar"), msg=enf.last_failure) with self.assertRaises(scitokens.scitokens.InvalidPathError): print(enf.test(self._token, "write", "~/foo"))
def test_enforce(self): def always_accept(value): if value or not value: return True enf = scitokens.Enforcer(self._test_issuer) enf.add_validator("foo", always_accept) self.assertFalse(enf.test(self._token, "read", "/"), msg=enf.last_failure) self._token["authz"] = "read" self._token["path"] = "/" self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure) enf = scitokens.Enforcer(self._test_issuer, audience = "https://example.unl.edu") enf.add_validator("foo", always_accept) self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure) self._token["path"] = "/foo/bar" self.assertFalse(enf.test(self._token, "read", "/foo"), msg=enf.last_failure) self._token["site"] = "T2_US_Example" self.assertFalse(enf.test(self._token, "read", "/foo/bar"), msg=enf.last_failure) enf = scitokens.Enforcer(self._test_issuer, site="T2_US_Example") enf.add_validator("foo", always_accept) self.assertTrue(enf.test(self._token, "read", "/foo/bar"), msg=enf.last_failure)
def test_aud(self): """ Test the audience claim """ self._token['scp'] = 'read:/' enf = scitokens.Enforcer(self._test_issuer) enf.add_validator("foo", lambda path : True) self._token['aud'] = "https://example.unl.edu" self.assertFalse(enf.test(self._token, "read", "/"), msg=enf.last_failure) enf = scitokens.Enforcer(self._test_issuer, audience = "https://example.unl.edu") enf.add_validator("foo", lambda path : True) self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure)
def test_multiple_aud(self): """ Test multiple aud """ self._token['scp'] = 'read:/' # Test multiple audiences enf = scitokens.Enforcer( self._test_issuer, audience=["https://example.unl.edu", "https://another.com"]) enf.add_validator("foo", self.always_accept) self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure) self._token['aud'] = "https://another.com" self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure) self._token['aud'] = "https://doesnotwork.com" self.assertFalse(enf.test(self._token, "read", "/"), msg=enf.last_failure) self._token2['scope'] = 'read:/' self._token2["aud"] = ["https://example.com", "https://another.com"] enf = scitokens.Enforcer(self._test_issuer, audience="https://example.com") self.assertTrue(enf.test(self._token2, "read", "/foo"), msg=enf.last_failure) self._token2["aud"] = ["notexist", "https://another.com"] self.assertFalse(enf.test(self._token2, "read", "/foo"), msg=enf.last_failure) self._token2["aud"] = ["https://example.com", "https://another.com"] enf = scitokens.Enforcer(self._test_issuer, audience=["https://example.com", "blah.com"]) self.assertTrue(enf.test(self._token2, "read", "/foo"), msg=enf.last_failure) self._token2["aud"] = ["notexist", "https://another.com"] self.assertFalse(enf.test(self._token2, "read", "/foo"), msg=enf.last_failure) self._token2["aud"] = ["https://example.com", "https://another.com"] enf = scitokens.Enforcer(self._test_issuer, audience=["https://example.com", "blah.com"]) self.assertTrue(enf.test(self._token2, "read", "/foo"), msg=enf.last_failure) enf = scitokens.Enforcer(self._test_issuer, audience=["foo.com", "blah.com"]) self.assertFalse(enf.test(self._token2, "read", "/foo"), msg=enf.last_failure)
def test_opt(self): """ Testing the version attribute """ self._token['opt'] = "This is optional information, and should always return true" self._token['scope'] = "write:/home/example" enf = scitokens.Enforcer(issuer="local") self.assertTrue(enf.test(self._token, "write", "/home/example/test_file"))
def test_enforce_v2(self): """ Test the Enforcer object for profile scitokens:2.0 Also, there is a non-validated attribute, foo. In 1.0, non-validated attributes cause a validation error. In 2.0, they are ignored. """ with self.assertRaises(scitokens.scitokens.EnforcementError): print(scitokens.Enforcer(None)) # No audience specified enf = scitokens.Enforcer(self._test_issuer) self.assertFalse(enf.test(self._token2, "read", "/"), msg=enf.last_failure) self._token2["scp"] = "read:/" self.assertFalse(enf.test(self._token2, "read", "/"), msg=enf.last_failure) # Token is set to to ANY, so any audience will work enf = scitokens.Enforcer(self._test_issuer, audience="https://example.unl.edu") self._token2["scp"] = "read:/" self.assertTrue(enf.test(self._token2, "read", "/"), msg=enf.last_failure) # Change the audience from ANY to https://example.com self._token2["aud"] = "https://example.com" self.assertFalse(enf.test(self._token2, "read", "/"), msg=enf.last_failure) # Change back to ANY self._token2["aud"] = "ANY" self.assertTrue(enf.test(self._token2, "read", "/"), msg=enf.last_failure) self._token2["scp"] = "read:/foo/bar" self.assertFalse(enf.test(self._token2, "read", "/foo"), msg=enf.last_failure) self.assertFalse(enf.test(self._token2, "write", "/foo/bar"), msg=enf.last_failure) with self.assertRaises(scitokens.scitokens.InvalidPathError): print(enf.test(self._token2, "write", "~/foo"))
def test_sub(self): """ Verify that tokens with the `sub` set are accepted. """ self._token['sub'] = 'Some Great User' enf = scitokens.Enforcer(self._test_issuer) enf.add_validator("foo", self.always_accept) self._token['scope'] = 'read:/' acls = enf.generate_acls(self._token) self.assertTrue(len(acls), 1)
def test_create_to_validate(self): """ End-to-end test of SciToken creation, verification, and validation. """ self._token['scope'] = "write:/home/example" serialized_token = self._token.serialize(issuer="local") token = scitokens.SciToken.deserialize(serialized_token, public_key = self._public_pem, insecure=True) enf = scitokens.Enforcer(issuer="local") self.assertTrue(enf.test(token, "write", "/home/example/test_file"), msg=enf.last_failure) self.assertFalse(enf.test(token, "read", "/home/example/test_file")) self.assertFalse(enf.test(token, "write", "/home/other/test_file"))
def test_ver(self): """ Testing the version attribute """ self._token['ver'] = 1 self._token['scope'] = "write:/home/example" enf = scitokens.Enforcer(issuer="local") self.assertTrue(enf.test(self._token, "write", "/home/example/test_file")) # Now set it to a number it shouldn't understand self._token['ver'] = 9999 self.assertFalse(enf.test(self._token, "write", "/home/example/test_file"))
def generateEnforcer(self, issuer, aud=None, validators=None): ''' Generates a Scitoken enforcer. :param issuer: Issuer of the scitokens. :param aud: Audience for the scitokens (similar to JWT audience : 'aud' claim identifies the recipients that the JWT is intended for) :param validators: :return: An enforcer object for the specified issuer. :rtype: Enforcer object ''' self.enf = scitokens.Enforcer(issuer=issuer, audience=aud) if validators is not None: for claim, validator in validators: self.enf.add_validator(claim, validator) return self.enf
def test_gen_acls(self): """ Test the generation of ACLs """ enf = scitokens.Enforcer(self._test_issuer) enf.add_validator("foo", self.always_accept) self._token['scope'] = 'read:/' acls = enf.generate_acls(self._token) self.assertTrue(len(acls), 1) self.assertEqual(acls[0], ('read', '/')) self._token['scope'] = 'read:/ write:/foo' acls = enf.generate_acls(self._token) self.assertTrue(len(acls), 2) self.assertTrue(('read', '/') in acls) self.assertTrue(('write', '/foo') in acls) self._token['scope'] = 'read:/foo read://bar write:/foo write://bar' acls = enf.generate_acls(self._token) self.assertTrue(len(acls), 4) self.assertTrue(('read', '/foo') in acls) self.assertTrue(('write', '/foo') in acls) self.assertTrue(('read', '/bar') in acls) self.assertTrue(('write', '/bar') in acls) self._token['exp'] = time.time() - 600 with self.assertRaises(scitokens.scitokens.ClaimInvalid): print(enf.generate_acls(self._token)) self.assertTrue(enf.last_failure) self._token['exp'] = time.time() + 600 self._token['scope'] = 'read:foo' with self.assertRaises( scitokens.scitokens.InvalidAuthorizationResource): print(enf.generate_acls(self._token)) self._token['scope'] = 'read' with self.assertRaises( scitokens.scitokens.InvalidAuthorizationResource): print(enf.generate_acls(self._token))
def test_v2(self): """ Test the requirements for a v2 """ # First, delete the aud del self._token2["aud"] enf = scitokens.Enforcer(self._test_issuer, audience="https://example.unl.edu") self._token2["scope"] = "read:/foo/bar" # Should fail, audience is required for 2.0 token self.assertFalse(enf.test(self._token2, "read", "/foo/bar"), msg=enf.last_failure) # Now set the audience to ANY self._token2["aud"] = "ANY" self.assertTrue(enf.test(self._token2, "read", "/foo/bar"), msg=enf.last_failure) # Now to the correct audience self._token2["aud"] = "https://example.unl.edu" self.assertTrue(enf.test(self._token2, "read", "/foo/bar"), msg=enf.last_failure) # Now to the wrong audience self._token2["aud"] = "https://example.com" self.assertFalse(enf.test(self._token2, "read", "/foo/bar"), msg=enf.last_failure) # Arbitrary claims are allowed now in v2 self._token2["madeupclaim"] = "claimsdontmatter" self._token2["aud"] = "ANY" self.assertTrue(enf.test(self._token2, "read", "/foo/bar"), msg=enf.last_failure) # Arbitrary claims should fail in 1.0 self._token["madeupclaim"] = "claimsdontmatter" self._token["aud"] = "ANY" self.assertFalse(enf.test(self._token, "read", "/foo/bar"), msg=enf.last_failure)