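async def test_middleware_doesnt_reissue_on_bad_response(loop, app, client):
    """A reissue-capable cookie ticket must not be refreshed on a 400 response.

    The policy is built with a third positional argument of 0 (presumably the
    reissue interval), so ``/auth`` is expected to hand back a different ticket
    value, while a handler that answers 400 must leave the cookie untouched.

    Args:
        loop: event-loop fixture; kept for fixture compatibility but no longer
            passed to ``asyncio.sleep`` (that parameter was removed in
            Python 3.10).
        app: application fixture providing ``/remember`` and ``/auth``.
        client: test-client factory fixture.
    """
    async def handler_bad_response(request):
        # The ticket still authenticates the request even though the handler
        # is about to answer with an error status.
        user_id = await auth.get_auth(request)
        assert user_id == 'some_user'
        return web.Response(status=400, text='bad_response')

    secret = b'01234567890abcdef'  # fixed test-only value, never reuse elsewhere
    policy = auth.CookieTktAuthentication(secret, 15, 0, cookie_name='auth')

    auth.setup(app, policy)
    app.router.add_get('/bad_response', handler_bad_response)

    cli = await client(app)

    response = await cli.get('/remember')
    text = await response.text()
    original_ticket = response.cookies[policy.cookie_name]

    assert text == 'remember'

    # Ticket values presumably embed a timestamp; wait so a reissued value is
    # observably different from the original one.
    await asyncio.sleep(1.0)

    response = await assert_response(cli.get('/auth'), 'auth')

    assert original_ticket != response.cookies[policy.cookie_name]

    await asyncio.sleep(1.0)

    response = await assert_response(cli.get('/bad_response'), 'bad_response')

    # Error responses must not carry a (re)issued ticket cookie.
    assert response.status == 400
    assert policy.cookie_name not in response.cookies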
def app(loop):
    """Default app fixture for tests.

    Yields an application with session-backed ticket auth, a custom
    authorization policy and three routes: ``/remember/{user}`` (mints a
    ticket for the user named in the URL), ``/admin`` and ``/guest``.
    """
    async def handler_remember(request):
        # The identity comes straight from the URL; test-only behaviour.
        await auth.remember(request, request.match_info['user'])
        return web.Response(text='remember')

    @autz_required('admin')
    async def handler_admin(request):
        return web.Response(text='admin')

    @autz_required('guest')
    async def handler_guest(request):
        return web.Response(text='guest')

    application = web.Application(loop=loop)

    # Session storage first (the ticket policy stores into it), then the
    # ticket policy, then the authorization policy. SimpleCookieStorage keeps
    # the session unencrypted in the cookie, which is acceptable only in tests.
    aiohttp_session.setup(application, aiohttp_session.SimpleCookieStorage())
    auth.setup(application,
               auth.SessionTktAuthentication(b'01234567890abcdef', 15,
                                             cookie_name='auth'))
    autz.setup(application, CustomAutzPolicy(admin_user_identity='alex'))

    for path, handler in (('/remember/{user}', handler_remember),
                          ('/admin', handler_admin),
                          ('/guest', handler_guest)):
        application.router.add_get(path, handler)

    yield application
async def test_middleware_setup(app):
    """auth.setup() must register the auth middleware as the last middleware."""
    policy = auth.CookieTktAuthentication(b'01234567890abcdef', 15,
                                          cookie_name='auth')
    auth.setup(app, policy)

    expected = auth.auth_middleware(policy)
    installed = app.middlewares[-1]
    # Compared by name rather than identity: setup() presumably builds its own
    # middleware instance from the policy.
    assert installed.__name__ == expected.__name__
async def test_middleware_stores_auth_in_cookie(app, client):
    """A cookie-ticket policy sets its cookie when remember() is called."""
    policy = auth.CookieTktAuthentication(b'01234567890abcdef', 15,
                                          cookie_name='auth')
    auth.setup(app, policy)

    cli = await client(app)
    response = await cli.get('/remember')

    assert await response.text() == 'remember'
    # The ticket travels in the cookie named by the policy.
    assert policy.cookie_name in response.cookies
async def test_middleware_installed_no_session(app, client):
    """get_auth() yields None when no ticket has been remembered yet."""
    async def handler_test(request):
        # Nothing called remember(), so there is no identity to resolve.
        assert await auth.get_auth(request) is None
        return web.Response(text='test')

    app.router.add_get('/test', handler_test)
    aiohttp_session.setup(app, aiohttp_session.SimpleCookieStorage())
    # A random per-test secret is enough here; no fixed value is needed.
    auth.setup(app, auth.SessionTktAuthentication(urandom(16), 15))

    cli = await client(app)
    await assert_response(cli.get('/test'), 'test')
async def test_middleware_gets_auth_from_session(app, client):
    """A ticket remembered into the session authenticates a later request."""
    policy = auth.SessionTktAuthentication(b'01234567890abcdef', 15,
                                           cookie_name='auth')
    aiohttp_session.setup(app, aiohttp_session.SimpleCookieStorage())
    auth.setup(app, policy)

    cli = await client(app)

    first = await cli.get('/remember')
    assert await first.text() == 'remember'

    # The client presumably replays the session cookie on the next request,
    # which is what lets /auth see the ticket.
    await assert_response(cli.get('/auth'), 'auth')
async def test_middleware_stores_auth_in_session(app, client):
    """With session-backed tickets the ticket lives inside the session cookie."""
    storage = aiohttp_session.SimpleCookieStorage()
    policy = auth.SessionTktAuthentication(b'01234567890abcdef', 15,
                                           cookie_name='auth')
    aiohttp_session.setup(app, storage)
    auth.setup(app, policy)

    cli = await client(app)
    response = await cli.get('/remember')
    assert await response.text() == 'remember'

    # SimpleCookieStorage serialises the session unencrypted, so the policy's
    # key is visible as plain text inside the session cookie value.
    session_cookie = response.cookies.get(storage.cookie_name).value
    assert policy.cookie_name in session_cookie
    def setupAuth(self, app):
        """Wire session storage, the ticket policy and the auth middleware.

        Args:
            app: aiohttp application that receives the middlewares and the
                ``/logout`` route.
        """
        # Encrypted cookie sessions keyed with a per-process random key:
        # sessions do not survive a restart and cannot be shared between
        # worker processes.
        aiohttp_session.setup(app, EncryptedCookieStorage(urandom(32)))

        # Tickets expire after 60 seconds, are signed with a fresh random
        # secret and, with include_ip=True, are bound to the client address
        # the server sees. NOTE(review): behind a reverse proxy that address
        # may be the proxy's -- confirm how the remote IP is resolved.
        ticket_policy = auth.SessionTktAuthentication(urandom(32), 60,
                                                      include_ip=True)
        auth.setup(app, ticket_policy)

        # Appended after auth.setup(), so it sits later in the middleware list
        # than the auth middleware.
        app.middlewares.append(self.checkAuth)
        app.router.add_route('GET', '/logout', self.logout)
def app(loop):
    """Default app fixture for tests.

    Yields an application with session-backed ticket auth and a single
    ``/remember`` route that mints a ticket for the fixed identity
    ``'some_user'``.
    """
    async def handler_remember(request):
        # Hard-coded identity: this route exists only to mint a ticket.
        await auth.remember(request, 'some_user')
        return web.Response(text='remember')

    application = web.Application(loop=loop)

    # Unencrypted cookie session storage is acceptable for tests only.
    aiohttp_session.setup(application, aiohttp_session.SimpleCookieStorage())
    auth.setup(application,
               auth.SessionTktAuthentication(b'01234567890abcdef', 15,
                                             cookie_name='auth'))

    application.router.add_get('/remember', handler_remember)

    yield application
async def test_middleware_cannot_store_auth_in_cookie_when_response_prepared(
        app, client):
    """remember() cannot set a cookie once the handler has prepared its response.

    The handler calls ``response.prepare`` itself, so the headers are
    presumably already committed when the middleware tries to attach the auth
    cookie, and the request is expected to fail.
    """
    async def handler_test(request):
        await auth.remember(request, 'some_user')
        resp = web.Response(text='test')
        await resp.prepare(request)  # commits headers before the middleware runs
        return resp

    policy = auth.CookieTktAuthentication(b'01234567890abcdef', 15,
                                          cookie_name='auth')
    auth.setup(app, policy)
    app.router.add_get('/test', handler_test)

    cli = await client(app)

    # NOTE(review): the expected exception type is not pinned down, so any
    # unrelated failure inside the request would also satisfy this check.
    with pytest.raises(Exception):
        await assert_response(cli.get('/test'), 'test')
async def test_middleware_forget_with_cookies(app, client):
    """forget() clears the ticket cookie and ends authentication."""
    policy = auth.CookieTktAuthentication(b'01234567890abcdef', 120,
                                          cookie_name='auth')
    auth.setup(app, policy)

    cli = await client(app)

    remembered = await assert_response(cli.get('/remember'), 'remember')
    assert policy.cookie_name in remembered.cookies

    forgotten = await assert_response(cli.get('/forget'), 'forget')
    # aiohttp's del_cookie leaves the cookie present with an empty value
    # instead of dropping it, so the value is checked rather than absence.
    assert forgotten.cookies[policy.cookie_name].value == ''

    # With the ticket gone, /auth no longer answers as authenticated.
    with pytest.raises(AssertionError):
        await assert_response(cli.get('/auth'), 'auth')
async def test_middleware_auth_required_decorator(app, client):
    """auth_required answers 401 to anonymous callers and 200 to ticket holders."""
    @auth.auth_required
    async def handler_test(request):
        return web.Response(text='test')

    policy = auth.CookieTktAuthentication(b'01234567890abcdef', 120,
                                          cookie_name='auth')
    auth.setup(app, policy)
    app.router.add_get('/test', handler_test)

    cli = await client(app)

    # Anonymous: the decorator rejects the call before the handler body runs.
    denied = await assert_response(cli.get('/test'), '401: Unauthorized')
    assert denied.status == 401

    await assert_response(cli.get('/remember'), 'remember')

    # Now holding a ticket cookie, the same route is reachable.
    granted = await assert_response(cli.get('/test'), 'test')
    assert granted.status == 200
async def test_middleware_forget_with_session(app, client):
    """forget() removes the ticket from the session and ends authentication."""
    storage = aiohttp_session.SimpleCookieStorage()
    policy = auth.SessionTktAuthentication(b'01234567890abcdef', 15,
                                           cookie_name='auth')
    aiohttp_session.setup(app, storage)
    auth.setup(app, policy)

    cli = await client(app)

    def session_value(response):
        # Plain-text session cookie, so the ticket key can be searched for
        # directly in the cookie value.
        return response.cookies.get(storage.cookie_name).value

    remembered = await assert_response(cli.get('/remember'), 'remember')
    assert policy.cookie_name in session_value(remembered)

    forgotten = await assert_response(cli.get('/forget'), 'forget')
    assert policy.cookie_name not in session_value(forgotten)

    # Without the ticket in the session, /auth no longer authenticates.
    with pytest.raises(AssertionError):
        await assert_response(cli.get('/auth'), 'auth')
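async def test_middleware_reissues_ticket_auth(loop, app, client):
    """The cookie ticket is reissued on a later authenticated request.

    The policy is built with a third positional argument of 0 (presumably the
    reissue interval), and the test relies on that meaning the next
    authenticated request hands back a different ticket value.

    Args:
        loop: event-loop fixture; kept for fixture compatibility but no longer
            passed to ``asyncio.sleep`` (that parameter was removed in
            Python 3.10).
        app: application fixture providing ``/remember`` and ``/auth``.
        client: test-client factory fixture.
    """
    secret = b'01234567890abcdef'  # fixed test-only value, never reuse elsewhere
    policy = auth.CookieTktAuthentication(secret, 15, 0, cookie_name='auth')

    auth.setup(app, policy)

    cli = await client(app)

    response = await cli.get('/remember')
    text = await response.text()

    assert text == 'remember'
    original_ticket = response.cookies[policy.cookie_name]

    # Ticket values presumably embed a timestamp; wait so the reissued value
    # is observably different from the original one.
    await asyncio.sleep(1.0)

    response = await assert_response(cli.get('/auth'), 'auth')

    assert original_ticket != response.cookies[policy.cookie_name]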
async def web_server():
    """Build the aiohttp application: sessions, ticket auth, HTTP and WS routes.

    Returns:
        The fully configured ``web.Application``.
    """
    web_app = web.Application(client_max_size=30000000,
                              middlewares=[error_middleware])

    # Per-process random keys: every restart invalidates all sessions and
    # tickets, and separate worker processes would not accept each other's.
    aiohttp_session.setup(web_app, EncryptedCookieStorage(urandom(32)))
    # NOTE(review): 86400000 is 1000 days if this argument is in seconds (the
    # same policy is configured with 60 for "1 minute" elsewhere); a lifetime
    # that long effectively disables ticket expiry -- confirm whether 86400
    # (one day) was intended.
    auth.setup(web_app, auth.SessionTktAuthentication(urandom(32),
                                                      86400000,
                                                      include_ip=True))

    web_app.add_routes(routes)
    aiohttp_jinja2.setup(
        web_app, loader=jinja2.FileSystemLoader('book/webserver/template'))
    web_app['static_root_url'] = '/static'

    # Static mounts and the WebSocket endpoint. NOTE(review): mapping "/" to
    # "." serves any file under the process working directory by path (source,
    # configuration, whatever else is there); restrict it to a dedicated
    # assets directory.
    web_app.router.add_static("/static", "book/webserver/template/static")
    web_app.router.add_route("*", "/ws/", WebSocketAsync)
    web_app.router.add_static("/js", STATIC_DIR)
    web_app.router.add_static("/", ".")

    # WebSocket message handlers, dispatched by message name.
    ws_handlers = (
        ("list_people", ws_routes.list_people.list_people),
        ("get_people", ws_routes.get_people.get_people),
        ("delete_people", ws_routes.delete_people.delete_people),
        ("create_people", ws_routes.create_people.create_people),
        ("update_people", ws_routes.update_people.update_people),
        ("update_password", ws_routes.user_profile.update_password),
        ("list_users", ws_routes.user_profile.list_all_users),
        ("create_user", ws_routes.user_profile.create_user),
        ("edit_user", ws_routes.user_profile.edit_user),
        ("remove_user", ws_routes.user_profile.remove_user),
    )
    for message_name, handler in ws_handlers:
        WebSocketAsync.add_route(message_name, handler)

    return web_app