Exemple #1
def test_token_user_does_not_has_perm(many_feature):
    """Negative authorization check: ``has_perm`` refuses anything but a full match.

    ``many_feature[0]`` is handed to ``get_jwt`` as the token's features, and
    ``many_feature[1][0]`` is split on '.' so each half can be tried alone.
    Presumably ``many_feature[1]`` holds the expected 'feature.permission'
    strings -- confirm against the fixture.
    """
    user = PermissionedTokenUser(UntypedToken(get_jwt(features=many_feature[0])))

    # A permission name that was never granted is refused.
    assert not user.has_perm('not_a_permission')

    # Partial matches must not authorize: accepting either half alone would
    # grant more than the token actually carries.
    granted = many_feature[1][0]
    assert not user.has_perm(granted.split('.')[0])  # feature half only
    assert not user.has_perm(granted.split('.')[1])  # permission half only
Exemple #2
def test_token_user_cache_fallback_life():
    """With ``iat`` blanked after decoding, the permission cache life is 300.

    The token is issued with ``exp = iat + 15``; ``payload['iat']`` is then set
    to None so no lifetime can be derived from it.
    """
    issued_at = datetime_to_epoch(aware_utcnow())
    token = UntypedToken(get_jwt(exp=issued_at + 15, iat=issued_at))

    # Blank iat on the decoded payload, before the user object is built.
    token.payload['iat'] = None

    # NOTE(review): the 300 fallback is longer than this token's exp - iat
    # window of 15 (presumably seconds).  Confirm that cached permissions
    # cannot be served after the token itself has expired.
    assert PermissionedTokenUser(token)._get_permission_cache_life() == 300
Exemple #3
def test_passive_jwt_auth(username):
    """``passive_credentials_auth`` rejects an empty credential and returns an unprivileged user.

    An empty string must raise ``AuthenticationFailed``.  A token built with
    only ``username`` must yield an authenticated user with no staff or
    superuser flag and no ``organization_id`` claim.
    """
    # An empty credential must fail loudly, not yield an anonymous user.
    with pytest.raises(exceptions.AuthenticationFailed):
        passive_credentials_auth('')

    credential = get_jwt(username=username)
    authed = passive_credentials_auth(credential)

    assert authed.is_authenticated
    # Being authenticated by token must not imply elevated privileges.
    assert not authed.is_staff
    assert not authed.is_superuser
    # NOTE(review): this literal looks masked by the page it was copied from;
    # presumably the original compared against the ``username`` fixture -- confirm.
    assert authed.username == '*****@*****.**'
    # No organization was requested, so the claim must be absent.
    assert authed.token.get('organization_id', None) is None
Exemple #4
def test_organization_jwt_auth(username, organization_id):
    """The ``organization_id`` put into the JWT is readable from the authenticated user's token."""
    credential = get_jwt(username=username, organization_id=organization_id)
    authed = passive_credentials_auth(credential)
    # The claim must come back unchanged: it scopes the user to one organization.
    assert authed.token.get('organization_id', None) == organization_id
Exemple #5
def test_token_user_has_perms(many_feature):
    """``has_perms`` accepts the full list in ``many_feature[1]`` for a token built from ``many_feature[0]``.

    Presumably ``many_feature[1]`` is the permission list expected from those
    features -- confirm against the fixture.
    """
    user = PermissionedTokenUser(UntypedToken(get_jwt(features=many_feature[0])))
    assert user.has_perms(many_feature[1])
Exemple #6
def test_token_user_get_many_permission(many_feature):
    """``get_all_permissions`` returns exactly ``many_feature[1]`` for a token built from ``many_feature[0]``.

    The comparison is a plain ``==``, so it also pins order and rejects any
    extra permission -- assuming both sides are lists, as the empty-token
    case's ``[]`` suggests.
    """
    user = PermissionedTokenUser(UntypedToken(get_jwt(features=many_feature[0])))
    expected = many_feature[1]
    assert user.get_all_permissions() == expected
Exemple #7
def test_token_user_get_no_permissions():
    """A token built with ``get_jwt``'s defaults yields an empty permission list."""
    user = PermissionedTokenUser(UntypedToken(get_jwt()))
    # Default-deny: with no features passed to get_jwt, nothing is granted.
    assert user.get_all_permissions() == []
Exemple #8
def test_token_user_cache_calculated_life():
    """With both ``iat`` and ``exp`` present, the permission cache life is 15.

    The token is issued with ``exp = iat + 15``, so the expected value equals
    ``exp - iat``.
    """
    issued_at = datetime_to_epoch(aware_utcnow())
    encoded = get_jwt(exp=issued_at + 15, iat=issued_at)
    user = PermissionedTokenUser(UntypedToken(encoded))
    # NOTE(review): expecting exactly 15 assumes the life is derived from the
    # claims and not from the current clock -- confirm in the implementation.
    assert user._get_permission_cache_life() == 15
Exemple #9
def test_token_user_cache_life():
    """For a token built with ``get_jwt``'s defaults the permission cache life is 300."""
    user = PermissionedTokenUser(UntypedToken(get_jwt()))
    # NOTE(review): which default claims lead to 300 is not visible here;
    # check get_jwt's default exp/iat before relying on this number.
    assert user._get_permission_cache_life() == 300
Exemple #10
def test_token_user_sub_exp_cache_key():
    """Without a jti or at_hash, the permission cache key is ``{sub}.{exp}``.

    ``get_jwt`` is called with ``jti=0`` (presumably suppressing the jti
    claim -- confirm in get_jwt) and a random ``sub``.
    """
    token_user = PermissionedTokenUser(UntypedToken(get_jwt(jti=0, sub=uuid4().hex)))
    actual_key = token_user._get_permission_cache_key()
    # NOTE(review): two tokens with the same sub and exp would map to the same
    # key; confirm that sharing a cache entry between them is acceptable.
    expected_key = f'{token_user.token.get("sub")}.{token_user.token.get("exp")}'
    assert actual_key == expected_key
Exemple #11
def test_token_user_at_hash_cache_key():
    """Without a jti, the permission cache key is the token's ``at_hash`` when one exists.

    ``get_jwt`` is called with ``jti=0`` (presumably suppressing the jti
    claim -- confirm in get_jwt) and a random ``at_hash``.
    """
    encoded = get_jwt(jti=0, at_hash=uuid4().hex)
    user = PermissionedTokenUser(UntypedToken(encoded))
    cache_key = user._get_permission_cache_key()
    assert cache_key == user.token.get('at_hash')
Exemple #12
def test_token_user_jti_cache_key():
    """With ``get_jwt``'s defaults a jti is present and is used as the permission cache key."""
    user = PermissionedTokenUser(UntypedToken(get_jwt()))
    cache_key = user._get_permission_cache_key()
    # Keying on jti ties the cached permissions to this token's own id claim.
    assert cache_key == user.token.get('jti')