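def test_update_visa_empty_passport_returned(
    mock_discovery,
    mock_get_token,
    mock_userinfo,
    config,
    db_session,
    rsa_private_key,
    rsa_public_key,
    kid,
):
    """
    Test to handle empty passport sent from RAS.

    The user is seeded with one stored visa (signed with ``rsa_private_key``
    under ``kid``). RAS userinfo then returns ``passport_jwt_v11`` as an empty
    string. Afterwards no visa row may remain: a visa RAS no longer asserts
    must not survive the update.

    ``mock_discovery``, ``mock_get_token`` and ``mock_userinfo`` stand in for
    the RAS discovery, token and userinfo calls. ``pkey_cache`` hands the
    client the public key for the seeded visa's issuer/kid.
    """
    mock_discovery.return_value = "https://ras/token_endpoint"
    mock_get_token.return_value = {
        "access_token": "abcdef12345",
        "id_token": "id12345abcdef",
        "refresh_token": "refresh12345abcdefg",
    }
    # Empty passport string: the case under test.
    mock_userinfo.return_value = {
        "sub": "abcd-asdj-sajpiasj12iojd-asnoin",
        "name": "",
        "preferred_username": "******",
        "UID": "",
        "UserID": "admin_user",
        "email": "",
        "passport_jwt_v11": "",
    }

    # Seed: one user, one signed visa, one refresh token.
    test_user = add_test_user(db_session)
    add_visa_manually(db_session, test_user, rsa_private_key, kid)
    add_refresh_token(db_session, test_user)

    seeded_visa = db_session.query(GA4GHVisaV1).filter_by(user=test_user).first()
    assert seeded_visa.ga4gh_visa

    oidc = config.get("OPENID_CONNECT", {})
    ras_client = RASClient(
        oidc["ras"],
        HTTP_PROXY=config.get("HTTP_PROXY"),
        logger=logger,
    )

    # issuer -> kid -> public key, as the client expects its key cache.
    pkey_cache = {
        "https://stsstg.nih.gov": {
            kid: rsa_public_key,
        }
    }
    ras_client.update_user_visas(test_user, pkey_cache=pkey_cache)

    # Identity check against the absent row (PEP 8 E711: `is None`, not `== None`).
    assert db_session.query(GA4GHVisaV1).first() is None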
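def test_update_visa_empty_visa_returned(
    mock_discovery,
    mock_get_token,
    mock_userinfo,
    config,
    db_session,
    rsa_private_key,
    kid,
    kid_2,
):
    """
    Test to check if the db is emptied if the ras userinfo sends back an empty visa.

    The user is seeded with one stored visa; RAS userinfo then returns
    ``ga4gh_passport_v1`` as an empty list. No visa row may remain afterwards.

    ``kid_2`` is requested as a fixture but not referenced by this test.
    """
    mock_discovery.return_value = "https://ras/token_endpoint"
    mock_get_token.return_value = {
        "access_token": "abcdef12345",
        "id_token": "id12345abcdef",
        "refresh_token": "refresh12345abcdefg",
    }
    # Empty visa list from userinfo: the case under test.
    mock_userinfo.return_value = {
        "sub": "abcd-asdj-sajpiasj12iojd-asnoin",
        "name": "",
        "preferred_username": "******",
        "UID": "",
        "UserID": "admin_user",
        "email": "",
        "ga4gh_passport_v1": [],
    }

    # Seed: one user, one signed visa, one refresh token.
    test_user = add_test_user(db_session)
    add_visa_manually(db_session, test_user, rsa_private_key, kid)
    add_refresh_token(db_session, test_user)

    seeded_visa = db_session.query(GA4GHVisaV1).filter_by(user=test_user).first()
    assert seeded_visa.ga4gh_visa

    oidc = config.get("OPENID_CONNECT", {})
    ras_client = RASClient(
        oidc["ras"],
        HTTP_PROXY=config.get("HTTP_PROXY"),
        logger=logger,
    )

    # No pkey_cache is passed here; presumably the client falls back to its own
    # key lookup — nothing in this test depends on it since the list is empty.
    ras_client.update_user_visas(test_user)

    # Identity check against the absent row (PEP 8 E711: `is None`, not `== None`).
    assert db_session.query(GA4GHVisaV1).first() is None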
def test_update_visa_token(
    mock_discovery,
    mock_get_token,
    mock_userinfo,
    config,
    db_session,
    rsa_private_key,
    kid,
    kid_2,
):
    """
    Test to check visa table is updated when getting new visa.

    The user starts with a visa signed under ``kid``. RAS userinfo then returns
    ``ga4gh_passport_v1`` holding one freshly signed visa under ``kid_2``; the
    row read back from the visa table afterwards must carry exactly that
    encoded visa.
    """
    mock_discovery.return_value = "https://ras/token_endpoint"
    refreshed_token = "refresh12345abcdefg"
    mock_get_token.return_value = {
        "access_token": "abcdef12345",
        "id_token": "id12345abcdef",
        "refresh_token": refreshed_token,
    }

    # Seed: one user, one signed visa, one refresh token; confirm the seed.
    test_user = add_test_user(db_session)
    add_visa_manually(db_session, test_user, rsa_private_key, kid)
    add_refresh_token(db_session, test_user)

    seeded_visa = db_session.query(GA4GHVisaV1).filter_by(user=test_user).first()
    assert seeded_visa.ga4gh_visa

    oidc = config.get("OPENID_CONNECT", {})
    ras_client = RASClient(
        oidc["ras"],
        HTTP_PROXY=config.get("HTTP_PROXY"),
        logger=logger,
    )

    visa_claims = {
        "iss": "https://stsstg.nih.gov",
        "sub": "abcde12345aspdij",
        "iat": int(time.time()),
        "exp": int(time.time()) + 1000,
        "scope": "openid ga4gh_passport_v1 email profile",
        "jti": "jtiajoidasndokmasdl",
        "txn": "sapidjspa.asipidja",
        "name": "",
        "ga4gh_visa_v1": {
            "type": "https://ras.nih.gov/visas/v1",
            "asserted": int(time.time()),
            "value": "https://nig/passport/dbgap",
            "source": "https://ncbi/gap",
        },
    }
    # Signed under the second key id. The jwt.encode in use returns bytes,
    # hence the decode to str.
    encoded_visa = jwt.encode(
        visa_claims,
        key=rsa_private_key,
        headers={"kid": kid_2},
        algorithm="RS256",
    ).decode("utf-8")

    mock_userinfo.return_value = {
        "sub": "abcd-asdj-sajpiasj12iojd-asnoin",
        "name": "",
        "preferred_username": "******",
        "UID": "",
        "UserID": "admin_user",
        "email": "",
        "ga4gh_passport_v1": [encoded_visa],
    }

    # No pkey_cache passed: presumably the client resolves the kid_2 key on
    # its own — confirm against RASClient.update_user_visas.
    ras_client.update_user_visas(test_user)

    stored_visa = db_session.query(GA4GHVisaV1).first()
    assert stored_visa.ga4gh_visa
    assert stored_visa.ga4gh_visa == encoded_visa
def test_update_visa_fetch_pkey(
    mock_discovery,
    mock_get_token,
    mock_userinfo,
    mock_httpx_get,
    db_session,
    rsa_private_key,
    kid,
):
    """
    Test that when the RAS client's pkey cache is empty, the client's
    update_user_visas can fetch and serialize the visa issuer's public keys and
    validate a visa using the correct key.

    The JWKS fetch is intercepted by ``mock_httpx_get`` and answered with the
    test app's own keypairs, one of which corresponds to ``rsa_private_key``;
    the visa inside the passport is signed with that private key under ``kid``.

    ``config`` is not a fixture of this test; it resolves from module scope.
    """
    mock_discovery.return_value = "https://ras/token_endpoint"
    mock_get_token.return_value = {
        "access_token": "abcdef12345",
        "id_token": "id12345abcdef",
        "refresh_token": "refresh12345abcdefg",
    }

    def sign(claims, header):
        # The jwt.encode in use returns bytes, hence the decode to str.
        return jwt.encode(
            claims, key=rsa_private_key, headers=header, algorithm="RS256"
        ).decode("utf-8")

    # New visa that will be returned by userinfo (wrapped in a passport below).
    encoded_visa = sign(
        {
            "iss": "https://stsstg.nih.gov",
            "sub": "abcde12345aspdij",
            "iat": int(time.time()),
            "exp": int(time.time()) + 1000,
            "scope": "openid ga4gh_passport_v1 email profile",
            "jti": "jtiajoidasndokmasdl",
            "txn": "sapidjspa.asipidja",
            "name": "",
            "ga4gh_visa_v1": {
                "type": "https://ras.nih.gov/visas/v1",
                "asserted": int(time.time()),
                "value": "https://nig/passport/dbgap",
                "source": "https://ncbi/gap",
            },
        },
        {"kid": kid},
    )

    # NOTE(review): the header key here is "type", not the standard JWT "typ"
    # header; it is passed through as an extra header field.
    encoded_passport = sign(
        {
            "iss": "https://stsstg.nih.gov",
            "sub": "abcde12345aspdij",
            "iat": int(time.time()),
            "scope": "openid ga4gh_passport_v1 email profile",
            "exp": int(time.time()) + 1000,
            "ga4gh_passport_v1": [encoded_visa],
        },
        {
            "type": "JWT",
            "alg": "RS256",
            "kid": kid,
        },
    )

    mock_userinfo.return_value = {
        "passport_jwt_v11": encoded_passport,
    }

    # Mock the call to the jwks endpoint so it returns the test app's keypairs,
    # one of which is rsa_private_key (and its corresponding public key), which
    # we just used to sign the visa above.
    jwks_keys = [kp.public_key_to_jwk() for kp in flask.current_app.keypairs]
    mock_httpx_get.return_value = httpx.Response(200, json={"keys": jwks_keys})

    oidc = config.get("OPENID_CONNECT", {})
    ras_client = RASClient(
        oidc["ras"],
        HTTP_PROXY=config.get("HTTP_PROXY"),
        logger=logger,
    )
    test_user = add_test_user(db_session)

    # Pass in an empty pkey cache so that the client will have to hit the jwks endpoint.
    ras_client.update_user_visas(test_user, pkey_cache={})

    # Check that the new visa passed validation, indicating a successful pkey fetch
    stored_visa = db_session.query(GA4GHVisaV1).first()
    assert stored_visa.ga4gh_visa == encoded_visa
def test_update_visa_token_with_invalid_visa(
    mock_discovery,
    mock_get_token,
    mock_userinfo,
    config,
    db_session,
    rsa_private_key,
    rsa_public_key,
    kid,
):
    """
    Test to check the following case:
    Received visa: [good1, bad2, good3]
    Processed/stored visa: [good1, good3]

    The passport returned by userinfo lists two copies of a correctly signed
    visa with a malformed entry (an empty list) between them. Exactly two rows
    must be stored for the user afterwards, both equal to the signed visa; the
    malformed entry must be skipped rather than abort the whole update.
    """
    mock_discovery.return_value = "https://ras/token_endpoint"
    refreshed_token = "refresh12345abcdefg"
    mock_get_token.return_value = {
        "access_token": "abcdef12345",
        "id_token": "id12345abcdef",
        "refresh_token": refreshed_token,
    }

    # Seed: one user, one signed visa, one refresh token; confirm the seed.
    test_user = add_test_user(db_session)
    add_visa_manually(db_session, test_user, rsa_private_key, kid)
    add_refresh_token(db_session, test_user)

    seeded_visa = db_session.query(GA4GHVisaV1).filter_by(user=test_user).first()
    assert seeded_visa.ga4gh_visa

    oidc = config.get("OPENID_CONNECT", {})
    ras_client = RASClient(
        oidc["ras"],
        HTTP_PROXY=config.get("HTTP_PROXY"),
        logger=logger,
    )

    def sign(claims, header):
        # The jwt.encode in use returns bytes, hence the decode to str.
        return jwt.encode(
            claims, key=rsa_private_key, headers=header, algorithm="RS256"
        ).decode("utf-8")

    encoded_visa = sign(
        {
            "iss": "https://stsstg.nih.gov",
            "sub": "abcde12345aspdij",
            "iat": int(time.time()),
            "exp": int(time.time()) + 1000,
            "scope": "openid ga4gh_passport_v1 email profile",
            "jti": "jtiajoidasndokmasdl",
            "txn": "sapidjspa.asipidja",
            "name": "",
            "ga4gh_visa_v1": {
                "type": "https://ras.nih.gov/visas/v1",
                "asserted": int(time.time()),
                "value": "https://nig/passport/dbgap",
                "source": "https://ncbi/gap",
            },
        },
        {"kid": kid},
    )

    # The middle entry is the "bad" visa: not a JWT string at all.
    passport_claims = {
        "iss": "https://stsstg.nih.gov",
        "sub": "abcde12345aspdij",
        "iat": int(time.time()),
        "scope": "openid ga4gh_passport_v1 email profile",
        "exp": int(time.time()) + 1000,
        "ga4gh_passport_v1": [encoded_visa, [], encoded_visa],
    }
    # NOTE(review): header key is "type", not the standard JWT "typ" header.
    encoded_passport = sign(
        passport_claims,
        {
            "type": "JWT",
            "alg": "RS256",
            "kid": kid,
        },
    )

    mock_userinfo.return_value = {
        "sub": "abcd-asdj-sajpiasj12iojd-asnoin",
        "name": "",
        "preferred_username": "******",
        "UID": "",
        "UserID": "admin_user",
        "email": "",
        "passport_jwt_v11": encoded_passport,
    }

    # issuer -> kid -> public key, so the good visas verify without a JWKS fetch.
    pkey_cache = {
        "https://stsstg.nih.gov": {
            kid: rsa_public_key,
        }
    }
    ras_client.update_user_visas(test_user, pkey_cache=pkey_cache)

    stored_visas = db_session.query(GA4GHVisaV1).filter_by(user=test_user).all()
    assert len(stored_visas) == 2
    assert all(row.ga4gh_visa for row in stored_visas)
    assert all(row.ga4gh_visa == encoded_visa for row in stored_visas)
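def test_update_visa_empty_visa_returned(
    mock_discovery,
    mock_get_token,
    mock_userinfo,
    config,
    db_session,
    rsa_private_key,
    kid,
):
    """
    Test to check if the db is emptied if the ras userinfo sends back an empty visa.

    The user is seeded with one stored visa. RAS userinfo then returns a
    correctly signed passport whose ``ga4gh_passport_v1`` list is empty. No
    visa row may remain afterwards.
    """
    mock_discovery.return_value = "https://ras/token_endpoint"
    mock_get_token.return_value = {
        "access_token": "abcdef12345",
        "id_token": "id12345abcdef",
        "refresh_token": "refresh12345abcdefg",
    }

    # Passport with an empty visa list: the case under test. The jwt.encode in
    # use returns bytes, hence the decode to str.
    # NOTE(review): header key is "type", not the standard JWT "typ" header.
    passport_header = {
        "type": "JWT",
        "alg": "RS256",
        "kid": kid,
    }
    passport_claims = {
        "iss": "https://stsstg.nih.gov",
        "sub": "abcde12345aspdij",
        "iat": int(time.time()),
        "scope": "openid ga4gh_passport_v1 email profile",
        "exp": int(time.time()) + 1000,
        "ga4gh_passport_v1": [],
    }
    encoded_passport = jwt.encode(
        passport_claims,
        key=rsa_private_key,
        headers=passport_header,
        algorithm="RS256",
    ).decode("utf-8")

    mock_userinfo.return_value = {
        "sub": "abcd-asdj-sajpiasj12iojd-asnoin",
        "name": "",
        "preferred_username": "******",
        "UID": "",
        "UserID": "admin_user",
        "email": "",
        "passport_jwt_v11": encoded_passport,
    }

    # Seed: one user, one signed visa, one refresh token; confirm the seed.
    test_user = add_test_user(db_session)
    add_visa_manually(db_session, test_user, rsa_private_key, kid)
    add_refresh_token(db_session, test_user)

    seeded_visa = db_session.query(GA4GHVisaV1).filter_by(user=test_user).first()
    assert seeded_visa.ga4gh_visa

    oidc = config.get("OPENID_CONNECT", {})
    ras_client = RASClient(
        oidc["ras"],
        HTTP_PROXY=config.get("HTTP_PROXY"),
        logger=logger,
    )

    # Empty key cache: there is no visa to verify, so no key is needed.
    ras_client.update_user_visas(test_user, pkey_cache={})

    # Identity check against the absent row (PEP 8 E711: `is None`, not `== None`).
    assert db_session.query(GA4GHVisaV1).first() is None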