def test_intranet_ips_v5(self):
os.environ['INTRANET_CDIRS'] = '127.0.0.1/24,2001:0db8::/32'
auth.reload_env_vars()
assert auth.ip_inside_intranet('127.0.0.1')
assert auth.ip_inside_intranet(
'2001:0db8:85a3:0000:0000:8a2e:0370:7334')
assert not auth.ip_inside_intranet(
'2001:0db9:85a3:0000:0000:8a2e:0370:7334')
def test_intranet_ips(self):
os.environ['INTRANET_CDIRS'] = '127.0.0.1/24'
auth.reload_env_vars()
assert auth.ip_inside_intranet('127.0.0.1')
assert auth.ip_inside_intranet('127.0.0.10')
assert not auth.ip_inside_intranet('127.0.1.0')
assert not auth.ip_inside_intranet('192.0.0.1')
os.environ['INTRANET_CDIRS'] = '127.0.0.1,192.0.0.1/16'
auth.reload_env_vars()
assert auth.ip_inside_intranet('127.0.0.1')
assert not auth.ip_inside_intranet('127.0.0.10')
assert auth.ip_inside_intranet('192.0.0.1')
assert auth.ip_inside_intranet('192.0.1.1')
assert auth.ip_inside_intranet('192.0.255.1')
assert not auth.ip_inside_intranet('192.1.0.1')
def tearDown(self):
os.environ["INTRANET_CDIRS"] = self.intranet_cdirs
auth.reload_env_vars()
def setUp(self):
super().setUp()
self.intranet_cdirs = os.environ["INTRANET_CDIRS"]
os.environ['INTRANET_CDIRS'] = "127.0.0.1/24"
auth.reload_env_vars()
def test_require_scope(self):
os.environ['INTRANET_CDIRS'] = '127.0.0.1/24'
auth.reload_env_vars()
@auth.require_scope('edit:events')
def route():
return 'ok'
with self.subTest("permits a whitelisted IP"):
with app.test_request_context(
'/', environ_base={'REMOTE_ADDR': '127.0.0.1'}):
assert route() == 'ok'
with self.subTest("denies a non-whitelisted IP"):
with app.test_request_context(
'/', environ_base={'REMOTE_ADDR': '127.0.1.1'}):
with self.assertRaises(HTTPException) as http_error:
route()
self.assertEqual(http_error.exception.code, 401)
with self.subTest("reads the client IP instead of the proxy"):
with app.test_request_context(
'/', headers={'X-Forwarded-For': '127.0.0.1'}):
assert route() == 'ok'
with app.test_request_context(
'/', headers={'X-Forwarded-For': '127.0.0.255'}):
assert route() == 'ok'
with app.test_request_context(
'/',
environ_base={'REMOTE_ADDR': '127.0.0.1'},
headers={'X-Forwarded-For': '127.0.1.1'}):
with self.assertRaises(HTTPException) as http_error:
route()
self.assertEqual(http_error.exception.code, 401)
with self.subTest("detects attempt to spoof the client IP"):
with app.test_request_context(
'/', headers={'X-Forwarded-For': '127.0.0.1,192.168.0.1'}):
with self.assertRaises(HTTPException) as http_error:
route()
# Test auth cookie
with self.subTest("off-whitelist IP, no cookie"):
with app.test_request_context(
'/', environ_base={'REMOTE_ADDR': '127.0.1.1'}):
with self.assertRaises(HTTPException) as http_error:
route()
self.assertEqual(http_error.exception.code, 401)
with self.subTest("off-whitelist IP, correct cookie"):
with app.test_request_context(
'/',
headers={
"COOKIE": f"access_token={auth.create_access_token()}"
},
environ_base={'REMOTE_ADDR': '127.0.1.1'}):
assert route() == 'ok'
with self.subTest("off-whitelist IP, incorrect cookie"):
with app.test_request_context(
'/',
headers={"COOKIE": "access_token=invalid-token"},
environ_base={'REMOTE_ADDR': '127.0.1.1'}):
with self.assertRaises(HTTPException) as http_error:
route()
self.assertEqual(http_error.exception.code, 401)
with self.subTest("off-whitelist IP, authorization header"):
with app.test_request_context(
'/',
headers={
"Authorization": f"Bearer {auth.create_access_token()}"
},
environ_base={'REMOTE_ADDR': '127.0.1.1'}):
assert route() == 'ok'
with app.test_request_context(
'/',
headers={"Authorization": "Bearer invalid-token"},
environ_base={'REMOTE_ADDR': '127.0.1.1'}):
with self.assertRaises(HTTPException) as http_error:
route()
self.assertEqual(http_error.exception.code, 401)