def test_does_authorize_valid_requests(self, demo_app_auth, lambda_context_args, create_event):
    """A request carrying the accepted 'allow' token is authorized on '/index'.

    The local authorizer must attach the authorizer context to the event so
    that the view sees the same ``principalId`` it would see behind the real
    API Gateway.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/index'
    request_event = create_event(route, 'GET', {})
    # The demo authorizer fixture accepts this literal token value.
    request_event['headers']['authorization'] = 'allow'
    request_context = LambdaContext(*lambda_context_args)

    authorized_event, _ = gateway_auth.authorize(
        route, request_event, request_context)

    principal = authorized_event['requestContext']['authorizer']['principalId']
    assert principal == 'user'
def test_does_raise_not_authorized_error(self, demo_app_auth, lambda_context_args, create_event):
    """A request without any authorization header is rejected.

    The expected failure is ``NotAuthorizedError`` (a 401-style outcome), not a
    forbidden error: no identity was presented at all.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/index'
    # No 'authorization' header is set on this event on purpose.
    request_event = create_event(route, 'GET', {})
    request_context = LambdaContext(*lambda_context_args)

    with pytest.raises(NotAuthorizedError):
        gateway_auth.authorize(route, request_event, request_context)
def test_does_authorize_valid_requests(self, demo_app_auth, lambda_context_args, create_event):
    """A request carrying the accepted 'allow' token is authorized on '/index'.

    The local authorizer must attach the authorizer context to the event so
    that the view sees the same ``principalId`` it would see behind the real
    API Gateway.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/index'
    request_event = create_event(route, 'GET', {})
    # The demo authorizer fixture accepts this literal token value.
    request_event['headers']['authorization'] = 'allow'
    request_context = LambdaContext(*lambda_context_args)

    authorized_event, _ = gateway_auth.authorize(
        route, request_event, request_context)

    principal = authorized_event['requestContext']['authorizer']['principalId']
    assert principal == 'user'
def test_does_raise_not_authorized_error(self, demo_app_auth, lambda_context_args, create_event):
    """A request without any authorization header is rejected.

    The expected failure is ``NotAuthorizedError`` (a 401-style outcome), not a
    forbidden error: no identity was presented at all.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/index'
    # No 'authorization' header is set on this event on purpose.
    request_event = create_event(route, 'GET', {})
    request_context = LambdaContext(*lambda_context_args)

    with pytest.raises(NotAuthorizedError):
        gateway_auth.authorize(route, request_event, request_context)
def test_can_understand_explicit_auth_policy(self, demo_app_auth, lambda_context_args, create_event):
    """A route guarded by an explicitly written IAM-style policy is authorized.

    '/explicit' in the demo app returns a hand-written policy document rather
    than an ``AuthResponse``; the local authorizer must evaluate it and still
    expose the ``principalId``.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/explicit'
    request_event = create_event(route, 'GET', {})
    request_event['headers']['authorization'] = 'allow'
    request_context = LambdaContext(*lambda_context_args)

    authorized_event, _ = gateway_auth.authorize(
        route, request_event, request_context)

    authorizer_ctx = authorized_event['requestContext']['authorizer']
    assert authorizer_ctx['principalId'] == 'user'
def test_cannot_access_view_without_permission(self, demo_app_auth, lambda_context_args, create_event):
    """An authenticated caller still gets ``ForbiddenError`` on a route the
    policy does not grant.

    The token is valid (the same 'allow' value accepted elsewhere), so the
    rejection must be a 403-style forbidden, not an unauthenticated error:
    authentication and authorization are distinct checks.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/secret'
    request_event = create_event(route, 'GET', {})
    request_event['headers']['authorization'] = 'allow'
    request_context = LambdaContext(*lambda_context_args)

    with pytest.raises(ForbiddenError):
        gateway_auth.authorize(route, request_event, request_context)
def test_cannot_access_view_without_permission(self, demo_app_auth, lambda_context_args, create_event):
    """An authenticated caller still gets ``ForbiddenError`` on a route the
    policy does not grant.

    The token is valid (the same 'allow' value accepted elsewhere), so the
    rejection must be a 403-style forbidden, not an unauthenticated error:
    authentication and authorization are distinct checks.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/secret'
    request_event = create_event(route, 'GET', {})
    request_event['headers']['authorization'] = 'allow'
    request_context = LambdaContext(*lambda_context_args)

    with pytest.raises(ForbiddenError):
        gateway_auth.authorize(route, request_event, request_context)
def test_can_understand_explicit_auth_policy(self, demo_app_auth, lambda_context_args, create_event):
    """A route guarded by an explicitly written IAM-style policy is authorized.

    '/explicit' in the demo app returns a hand-written policy document rather
    than an ``AuthResponse``; the local authorizer must evaluate it and still
    expose the ``principalId``.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/explicit'
    request_event = create_event(route, 'GET', {})
    request_event['headers']['authorization'] = 'allow'
    request_context = LambdaContext(*lambda_context_args)

    authorized_event, _ = gateway_auth.authorize(
        route, request_event, request_context)

    authorizer_ctx = authorized_event['requestContext']['authorizer']
    assert authorizer_ctx['principalId'] == 'user'
def test_can_authorize_empty_path(self, lambda_context_args, demo_app_auth, create_event):
    """The root route '/' is authorized like any other route.

    '/' is a special case in API Gateway method-ARN generation (an extra '/'
    ends up appended to the ARN), so the policy matcher must not be tripped by
    the doubled separator.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/'
    request_event = create_event(route, 'GET', {})
    request_event['headers']['authorization'] = 'allow'
    request_context = LambdaContext(*lambda_context_args)

    authorized_event, _ = gateway_auth.authorize(
        route, request_event, request_context)

    authorizer_ctx = authorized_event['requestContext']['authorizer']
    assert authorizer_ctx['principalId'] == 'user'
def test_can_authorize_empty_path(self, lambda_context_args, demo_app_auth, create_event):
    """The root route '/' is authorized like any other route.

    '/' is a special case in API Gateway method-ARN generation (an extra '/'
    ends up appended to the ARN), so the policy matcher must not be tripped by
    the doubled separator.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/'
    request_event = create_event(route, 'GET', {})
    request_event['headers']['authorization'] = 'allow'
    request_context = LambdaContext(*lambda_context_args)

    authorized_event, _ = gateway_auth.authorize(
        route, request_event, request_context)

    authorizer_ctx = authorized_event['requestContext']['authorizer']
    assert authorizer_ctx['principalId'] == 'user'
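def test_can_understand_cognito_token(self, lambda_context_args, demo_app_auth, create_event):
    """A Cognito user-pool ID token on '/cognito' yields the pool username as
    the principal.

    The original comment here was copied from the '/' root-route test and
    described ARN generation, which is unrelated to this case; it has been
    replaced. The token below is a constructed sample (example.com claims,
    placeholder sub/aud) used purely as a fixture. In local mode the
    authorizer decodes the claims to find the username; it does not (and
    cannot, without the pool's keys) verify the signature, so this test only
    exercises claim extraction, not token validation.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/cognito'
    request_event = create_event(route, 'GET', {})
    # Sample ID token whose payload carries a "cognito:username" claim of
    # "janedoe"; that claim is what the assertion below expects back.
    request_event["headers"]["authorization"] = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYWFhYWFhYS1iYmJiLWNjY2MtZGRkZC1lZWVlZWVlZWVlZWUiLCJhdWQiOiJ4eHh4eHh4eHh4eHhleGFtcGxlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNTAwMDA5NDAwLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3VzLWVhc3QtMV9leGFtcGxlIiwiY29nbml0bzp1c2VybmFtZSI6ImphbmVkb2UiLCJleHAiOjE1ODQ3MjM2MTYsImdpdmVuX25hbWUiOiJKYW5lIiwiaWF0IjoxNTAwMDA5NDAwLCJlbWFpbCI6ImphbmVkb2VAZXhhbXBsZS5jb20iLCJqdGkiOiJkN2UxMTMzYS0xZTNhLTQyMzEtYWU3Yi0yOGQ4NWVlMGIxNGQifQ.p35Yj9KJD5RbfPWGL08IJHgson8BhdGLPQqUOiF0-KM"  # noqa
    request_context = LambdaContext(*lambda_context_args)

    authorized_event, _ = gateway_auth.authorize(
        route, request_event, request_context)

    principal_id = authorized_event['requestContext']['authorizer']['principalId']
    assert principal_id == 'janedoe'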
def test_can_understand_explicit_deny_policy(self, demo_app_auth, lambda_context_args, create_event):
    """An explicit Deny statement in a user-supplied policy is honored.

    Policies auto-generated from ``AuthResponse`` never contain Deny clauses,
    but a custom authorizer may return a raw dictionary that is translated
    into a policy, and that dictionary may carry an explicit Deny. The local
    authorizer must treat such a Deny exactly like a missing Allow: the
    request is rejected with ``NotAuthorizedError``.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/explicit'
    # No 'authorization' header: the demo '/explicit' authorizer answers with
    # the explicit-deny policy in this case.
    request_event = create_event(route, 'GET', {})
    request_context = LambdaContext(*lambda_context_args)

    with pytest.raises(NotAuthorizedError):
        gateway_auth.authorize(route, request_event, request_context)
def test_can_understand_explicit_deny_policy(self, demo_app_auth, lambda_context_args, create_event):
    """An explicit Deny statement in a user-supplied policy is honored.

    Policies auto-generated from ``AuthResponse`` never contain Deny clauses,
    but a custom authorizer may return a raw dictionary that is translated
    into a policy, and that dictionary may carry an explicit Deny. The local
    authorizer must treat such a Deny exactly like a missing Allow: the
    request is rejected with ``NotAuthorizedError``.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/explicit'
    # No 'authorization' header: the demo '/explicit' authorizer answers with
    # the explicit-deny policy in this case.
    request_event = create_event(route, 'GET', {})
    request_context = LambdaContext(*lambda_context_args)

    with pytest.raises(NotAuthorizedError):
        gateway_auth.authorize(route, request_event, request_context)
def test_does_authorize_unsupported_authorizer(self, demo_app_auth, lambda_context_args, create_event):
    """An IAM-authorized route is passed through unchanged in local mode, with
    exactly one ``UserWarning`` telling the developer so.

    IAM (SigV4) authorization cannot be evaluated by the local server, so the
    request is allowed as-is. The warning is the only signal that the auth
    check was skipped, which is why the test pins both the pass-through
    (event and context unchanged) and the warning text. This is local-only
    behavior and must never be mistaken for the deployed gateway's behavior.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/iam'
    request_event = create_event(route, 'GET', {})
    request_context = LambdaContext(*lambda_context_args)

    # NOTE(review): pytest.warns(None) is deprecated in recent pytest
    # releases; warnings.catch_warnings(record=True) is the usual replacement.
    with pytest.warns(None) as recorded_warnings:
        result_event, result_context = gateway_auth.authorize(
            route, request_event, request_context)

    # Pass-through: nothing was added to or removed from the request.
    assert result_event == request_event
    assert result_context == request_context

    assert len(recorded_warnings) == 1
    only_warning = recorded_warnings[0]
    assert issubclass(only_warning.category, UserWarning)
    expected_text = (
        'IAMAuthorizer is not a supported in local mode. All requests made '
        'against a route will be authorized to allow local testing.'
    )
    assert expected_text in str(only_warning.message)
def test_does_authorize_unsupported_authorizer(self, demo_app_auth, lambda_context_args, create_event):
    """An IAM-authorized route is passed through unchanged in local mode, with
    exactly one ``UserWarning`` telling the developer so.

    IAM (SigV4) authorization cannot be evaluated by the local server, so the
    request is allowed as-is. The warning is the only signal that the auth
    check was skipped, which is why the test pins both the pass-through
    (event and context unchanged) and the warning text. This is local-only
    behavior and must never be mistaken for the deployed gateway's behavior.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/iam'
    request_event = create_event(route, 'GET', {})
    request_context = LambdaContext(*lambda_context_args)

    # NOTE(review): pytest.warns(None) is deprecated in recent pytest
    # releases; warnings.catch_warnings(record=True) is the usual replacement.
    with pytest.warns(None) as recorded_warnings:
        result_event, result_context = gateway_auth.authorize(
            route, request_event, request_context)

    # Pass-through: nothing was added to or removed from the request.
    assert result_event == request_event
    assert result_context == request_context

    assert len(recorded_warnings) == 1
    only_warning = recorded_warnings[0]
    assert issubclass(only_warning.category, UserWarning)
    expected_text = (
        'IAMAuthorizer is not a supported in local mode. All requests made '
        'against a route will be authorized to allow local testing.'
    )
    assert expected_text in str(only_warning.message)
def test_can_call_method_without_auth(self, lambda_context_args, create_event):
    """``authorize`` is a no-op for a route that declares no authorizer.

    A fresh app with a single unauthenticated '/index' route is used so the
    only thing under test is the absence of an authorizer: the event and
    context must come back equal to what went in.
    """
    demo_app = app.Chalice('app-name')

    @demo_app.route('/index')
    def index_view():
        return {}

    route = '/index'
    gateway_auth = LocalGatewayAuthorizer(demo_app)
    incoming_event = create_event(route, 'GET', {})
    incoming_context = LambdaContext(*lambda_context_args)

    outgoing_event, outgoing_context = gateway_auth.authorize(
        route, incoming_event, incoming_context)

    # With no authorizer configured for the route there is nothing to
    # evaluate, so both values pass straight through.
    assert outgoing_event == incoming_event
    assert outgoing_context == incoming_context
def test_can_call_method_without_auth(self, lambda_context_args, create_event):
    """``authorize`` is a no-op for a route that declares no authorizer.

    A fresh app with a single unauthenticated '/index' route is used so the
    only thing under test is the absence of an authorizer: the event and
    context must come back equal to what went in.
    """
    demo_app = app.Chalice('app-name')

    @demo_app.route('/index')
    def index_view():
        return {}

    route = '/index'
    gateway_auth = LocalGatewayAuthorizer(demo_app)
    incoming_event = create_event(route, 'GET', {})
    incoming_context = LambdaContext(*lambda_context_args)

    outgoing_event, outgoing_context = gateway_auth.authorize(
        route, incoming_event, incoming_context)

    # With no authorizer configured for the route there is nothing to
    # evaluate, so both values pass straight through.
    assert outgoing_event == incoming_event
    assert outgoing_context == incoming_context
def test_does_authorize_unsupported_cognito_token(self, lambda_context_args, demo_app_auth, create_event):
    """A Cognito token without a user identity is passed through in local mode
    with exactly one ``UserWarning``.

    The constructed sample token below (example.com claims, placeholder
    sub/aud) carries no ``cognito:username`` claim, unlike the token used in
    ``test_can_understand_cognito_token``; the local authorizer appears to
    treat that as a machine-to-machine token it cannot map to a principal and
    allows the request unchanged. The warning is the only indication that no
    authorization was actually performed, so its text is pinned here.
    """
    gateway_auth = LocalGatewayAuthorizer(demo_app_auth)
    route = '/cognito'
    request_event = create_event(route, 'GET', {})
    request_event["headers"]["authorization"] = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYWFhYWFhYS1iYmJiLWNjY2MtZGRkZC1lZWVlZWVlZWVlZWUiLCJhdWQiOiJ4eHh4eHh4eHh4eHhleGFtcGxlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNTAwMDA5NDAwLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3VzLWVhc3QtMV9leGFtcGxlIiwiZXhwIjoxNTg0NzIzNjE2LCJnaXZlbl9uYW1lIjoiSmFuZSIsImlhdCI6MTUwMDAwOTQwMCwiZW1haWwiOiJqYW5lZG9lQGV4YW1wbGUuY29tIiwianRpIjoiZDdlMTEzM2EtMWUzYS00MjMxLWFlN2ItMjhkODVlZTBiMTRkIn0.SN5n-A3kxboNYg0sGIOipVUksCdn6xRJmAK9kSZof10"  # noqa
    request_context = LambdaContext(*lambda_context_args)

    # NOTE(review): pytest.warns(None) is deprecated in recent pytest
    # releases; warnings.catch_warnings(record=True) is the usual replacement.
    with pytest.warns(None) as recorded_warnings:
        result_event, result_context = gateway_auth.authorize(
            route, request_event, request_context)

    # Pass-through: the request is returned exactly as it arrived.
    assert result_event == request_event
    assert result_context == request_context

    assert len(recorded_warnings) == 1
    only_warning = recorded_warnings[0]
    assert issubclass(only_warning.category, UserWarning)
    expected_text = (
        'CognitoUserPoolAuthorizer for machine-to-machine communicaiton is '
        'not supported in local mode. All requests made against a route will '
        'be authorized to allow local testing.'
    )
    assert expected_text in str(only_warning.message)