def test_enforces_tls():
url = "http://not.secure"
HttpChallengeCache.set_challenge_for_url(url, HttpChallenge(url, "Bearer authorization=_, resource=_"))
credential = Mock()
pipeline = Pipeline(transport=Mock(), policies=[ChallengeAuthPolicy(credential)])
with pytest.raises(ServiceRequestError):
pipeline.run(HttpRequest("GET", url))
def test_policy_updates_cache():
"""
It's possible for the challenge returned for a request to change, e.g. when a vault is moved to a new tenant.
When the policy receives a 401, it should update the cached challenge for the requested URL, if one exists.
"""
# ensure the test starts with an empty cache
HttpChallengeCache.clear()
url = "https://azure.service/path"
first_scope = "https://first-scope"
first_token = "first-scope-token"
second_scope = "https://second-scope"
second_token = "second-scope-token"
challenge_fmt = 'Bearer authorization="https://login.authority.net/tenant", resource={}'
# mocking a tenant change:
# 1. first request -> respond with challenge
# 2. second request should be authorized according to the challenge -> respond with success
# 3. third request should match the second -> respond with a new challenge
# 4. fourth request should be authorized according to the new challenge -> respond with success
# 5. fifth request should match the fourth -> respond with success
transport = validating_transport(
requests=(
Request(url),
Request(url, required_headers={"Authorization": "Bearer {}".format(first_token)}),
Request(url, required_headers={"Authorization": "Bearer {}".format(first_token)}),
Request(url, required_headers={"Authorization": "Bearer {}".format(second_token)}),
Request(url, required_headers={"Authorization": "Bearer {}".format(second_token)}),
),
responses=(
mock_response(status_code=401, headers={"WWW-Authenticate": challenge_fmt.format(first_scope)}),
mock_response(status_code=200),
mock_response(status_code=401, headers={"WWW-Authenticate": challenge_fmt.format(second_scope)}),
mock_response(status_code=200),
mock_response(status_code=200),
),
)
tokens = (t for t in [first_token] * 2 + [second_token] * 2)
credential = Mock(get_token=lambda _: AccessToken(next(tokens), 0))
pipeline = Pipeline(policies=[ChallengeAuthPolicy(credential=credential)], transport=transport)
# policy should complete and cache the first challenge
pipeline.run(HttpRequest("GET", url))
# The next request will receive a challenge. The policy should handle it and update the cache entry.
pipeline.run(HttpRequest("GET", url))
def test_challenge_cache():
url_a = get_random_url()
challenge_a = HttpChallenge(url_a, "Bearer authorization=authority A, resource=resource A")
url_b = get_random_url()
challenge_b = HttpChallenge(url_b, "Bearer authorization=authority B, resource=resource B")
for url, challenge in zip((url_a, url_b), (challenge_a, challenge_b)):
HttpChallengeCache.set_challenge_for_url(url, challenge)
assert HttpChallengeCache.get_challenge_for_url(url) == challenge
assert HttpChallengeCache.get_challenge_for_url(url + "/some/path") == challenge
assert HttpChallengeCache.get_challenge_for_url(url + "/some/path?with-query=string") == challenge
assert HttpChallengeCache.get_challenge_for_url(url + ":443") == challenge
HttpChallengeCache.remove_challenge_for_url(url)
assert not HttpChallengeCache.get_challenge_for_url(url)
async def test_policy():
# ensure the test starts with an empty cache
HttpChallengeCache.clear()
expected_scope = "https://challenge.resource/.default"
expected_token = "expected_token"
challenge = Mock(
status_code=401,
headers={
"WWW-Authenticate":
'Bearer authorization="https://login.authority.net/tenant", resource={}'
.format(expected_scope)
},
)
success = Mock(status_code=200)
data = {"spam": "eggs"}
responses = (r for r in (challenge, success))
async def send(request):
response = next(responses)
if response is challenge:
# this is the first request
assert not request.body
assert request.headers["Content-Length"] == "0"
elif response is success:
# this is the second request
assert request.body == data
assert expected_token in request.headers["Authorization"]
return response
async def get_token(*scopes):
print("get token")
assert len(scopes) is 1
assert scopes[0] == expected_scope
return AccessToken(expected_token, 0)
credential = Mock(get_token=get_token)
pipeline = AsyncPipeline(
policies=[AsyncChallengeAuthPolicy(credential=credential)],
transport=Mock(send=send))
await pipeline.run(HttpRequest("POST", "https://azure.service", data=data))
def tearDown(self):
HttpChallengeCache.clear()
assert len(HttpChallengeCache._cache) == 0
super(KeyClientTests, self).tearDown()
def wrapper():
HttpChallengeCache.clear()
assert len(HttpChallengeCache._cache) == 0
return fn()
def tearDown(self):
HttpChallengeCache.clear()
assert len(HttpChallengeCache._cache) == 0
super(KeysTestCase, self).tearDown()
def tearDown(self):
HttpChallengeCache.clear()
assert len(HttpChallengeCache._cache) == 0
super(KeyVaultKeyTest, self).tearDown()
def tearDown(self):
HttpChallengeCache.clear()
assert len(HttpChallengeCache._cache) == 0
super(TestCryptoExamples, self).tearDown()
def test_challenge_cache():
# ensure the test starts with an empty cache
HttpChallengeCache.clear()
url_a = "https://azure.service.a"
challenge_a = HttpChallenge(url_a, "Bearer authorization=authority A, resource=resource A")
url_b = "https://azure.service.b"
challenge_b = HttpChallenge(url_b, "Bearer authorization=authority B, resource=resource B")
for url, challenge in zip((url_a, url_b), (challenge_a, challenge_b)):
HttpChallengeCache.set_challenge_for_url(url, challenge)
assert HttpChallengeCache.get_challenge_for_url(url) == challenge
assert HttpChallengeCache.get_challenge_for_url(url + "/some/path") == challenge
assert HttpChallengeCache.get_challenge_for_url(url + "/some/path?with-query=string") == challenge
assert HttpChallengeCache.get_challenge_for_url(url + ":443") == challenge
HttpChallengeCache.remove_challenge_for_url(url)
assert not HttpChallengeCache.get_challenge_for_url(url)
