def test_read_token_from_header(self, app, db, user_class, client):
"""
This test verifies that a token may be properly read from a flask
request's header using the configuration settings for header name and
type
"""
guard = Praetorian(app, user_class)
the_dude = user_class(
username='******',
password=guard.encrypt_password('abides'),
roles='admin,operator',
)
db.session.add(the_dude)
db.session.commit()
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(the_dude)
client.get(
'/unprotected',
headers={
'Content-Type': 'application/json',
DEFAULT_JWT_HEADER_NAME: DEFAULT_JWT_HEADER_TYPE + ' ' + token,
},
)
assert guard.read_token_from_header() == token
def test_encode_jwt_token(self, app, user_class):
"""
This test verifies that the encode_jwt_token correctly encodes jwt
data based on a user instance
"""
guard = Praetorian(app, user_class)
the_dude = user_class(
username='******',
password=guard.encrypt_password('abides'),
roles='admin,operator',
)
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(the_dude)
token_data = jwt.decode(
token, guard.encode_key, algorithms=guard.allowed_algorithms,
)
assert token_data['iat'] == moment.int_timestamp
assert token_data['exp'] == (
moment + DEFAULT_JWT_ACCESS_LIFESPAN
).int_timestamp
assert token_data['rf_exp'] == (
moment + DEFAULT_JWT_REFRESH_LIFESPAN
).int_timestamp
assert token_data['id'] == the_dude.id
assert token_data['rls'] == 'admin,operator'
def test_read_token_from_header(self, app, db, user_class, client):
"""
This test verifies that a token may be properly read from a flask
request's header using the configuration settings for header name and
type
"""
guard = Praetorian(app, user_class)
the_dude = user_class(
username="******",
password=guard.hash_password("abides"),
roles="admin,operator",
)
db.session.add(the_dude)
db.session.commit()
with plummet.frozen_time('2017-05-21 18:39:55'):
token = guard.encode_jwt_token(the_dude)
client.get(
"/unprotected",
headers={
"Content-Type": "application/json",
DEFAULT_JWT_HEADER_NAME: DEFAULT_JWT_HEADER_TYPE + " " + token,
},
)
assert guard.read_token_from_header() == token
assert guard.read_token() == token
def test_get_user_from_registration_token(self, app, user_class, db):
"""
This test verifies that a user can be extracted from an email based
registration token. Also verifies that a token that has expired
cannot be used to fetch a user. Also verifies that a registration
token may not be refreshed
"""
app.config['TESTING'] = True
default_guard = Praetorian(app, user_class)
# create our default test user
the_dude = user_class(
username='******',
email='*****@*****.**',
password=default_guard.hash_password('abides'),
)
db.session.add(the_dude)
db.session.commit()
reg_token = default_guard.encode_jwt_token(
the_dude,
bypass_user_check=True,
is_registration_token=True,
)
extracted_user = default_guard.get_user_from_registration_token(
reg_token)
assert extracted_user == the_dude
"""
test to ensure a registration token that is expired
sets off an 'ExpiredAccessError' exception
"""
moment = pendulum.parse('2019-01-30 16:30:00')
with freezegun.freeze_time(moment):
expired_reg_token = default_guard.encode_jwt_token(
the_dude,
bypass_user_check=True,
override_access_lifespan=pendulum.Duration(minutes=1),
is_registration_token=True,
)
moment = pendulum.parse('2019-01-30 16:40:00')
with freezegun.freeze_time(moment):
with pytest.raises(ExpiredAccessError):
default_guard.get_user_from_registration_token(
expired_reg_token)
def test_refresh_jwt_token(self, app, db, user_class):
"""
This test verifies that the refresh_jwt_token properly generates
a refreshed jwt token. It ensures that a token who's access permission
has not expired may not be refreshed. It also ensures that a token
who's access permission has expired must not have an expired refresh
permission for a new token to be issued
"""
guard = Praetorian(app, user_class)
the_dude = user_class(
username='******',
password=guard.encrypt_password('abides'),
roles='admin,operator',
)
db.session.add(the_dude)
db.session.commit()
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(the_dude)
new_moment = (
pendulum.parse('2017-05-21 18:39:55')
.add_timedelta(DEFAULT_JWT_ACCESS_LIFESPAN)
.add(minutes=1)
)
with freezegun.freeze_time(new_moment):
new_token = guard.refresh_jwt_token(token)
new_token_data = jwt.decode(
new_token, guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert new_token_data['iat'] == new_moment.int_timestamp
assert new_token_data['exp'] == (
new_moment + DEFAULT_JWT_ACCESS_LIFESPAN
).int_timestamp
assert new_token_data['rf_exp'] == (
moment + DEFAULT_JWT_REFRESH_LIFESPAN
).int_timestamp
assert new_token_data['id'] == the_dude.id
assert new_token_data['rls'] == 'admin,operator'
def test_read_token_from_cookie(self, app, db, user_class, client,
use_cookie):
"""
This test verifies that a token may be properly read from a flask
request's cookies using the configuration settings for cookie
"""
guard = Praetorian(app, user_class)
the_dude = user_class(
username="******",
password=guard.hash_password("abides"),
roles="admin,operator",
)
db.session.add(the_dude)
db.session.commit()
with plummet.frozen_time('2017-05-21 18:39:55'):
token = guard.encode_jwt_token(the_dude)
with use_cookie(token):
client.get("/unprotected", )
assert guard.read_token_from_cookie() == token
assert guard.read_token() == token
def test_read_token_from_cookie(self, app, db, user_class, client):
"""
This test verifies that a token may be properly read from a flask
request's cookies using the configuration settings for cookie
"""
guard = Praetorian(app, user_class)
the_dude = user_class(
username='******',
password=guard.hash_password('abides'),
roles='admin,operator',
)
db.session.add(the_dude)
db.session.commit()
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(the_dude)
client.set_cookie('localhost', DEFAULT_JWT_COOKIE_NAME, token)
client.get('/unprotected', )
assert guard.read_token_from_cookie() == token
def test_refresh_jwt_token(
self,
app,
db,
user_class,
validating_user_class,
):
"""
This test::
* verifies that the refresh_jwt_token properly generates
a refreshed jwt token.
* ensures that a token who's access permission has not expired may
not be refreshed.
* ensures that a token who's access permission has expired must not
have an expired refresh permission for a new token to be issued.
* ensures that if an override_access_lifespan argument is supplied
that it is used instead of the instance's access_lifespan.
* ensures that the access_lifespan may not exceed the refresh
lifespan.
* ensures that if the user_class has the instance method
validate(), it is called an any exceptions it raises are wrapped
in an InvalidUserError.
* verifies that if a user is no longer identifiable that a
MissingUserError is raised
* verifies that any custom claims in the original token's
payload are also packaged in the new token's payload
"""
guard = Praetorian(app, user_class)
the_dude = user_class(
username='******',
password=guard.encrypt_password('abides'),
roles='admin,operator',
)
db.session.add(the_dude)
db.session.commit()
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(the_dude)
new_moment = (pendulum.parse('2017-05-21 18:39:55') +
pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) +
pendulum.Duration(minutes=1))
with freezegun.freeze_time(new_moment):
new_token = guard.refresh_jwt_token(token)
new_token_data = jwt.decode(
new_token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert new_token_data['iat'] == new_moment.int_timestamp
assert new_token_data['exp'] == (
new_moment +
pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN)).int_timestamp
assert new_token_data['rf_exp'] == (moment + pendulum.Duration(
**DEFAULT_JWT_REFRESH_LIFESPAN)).int_timestamp
assert new_token_data['id'] == the_dude.id
assert new_token_data['rls'] == 'admin,operator'
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(the_dude)
new_moment = (pendulum.parse('2017-05-21 18:39:55') +
pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) +
pendulum.Duration(minutes=1))
with freezegun.freeze_time(new_moment):
new_token = guard.refresh_jwt_token(
token,
override_access_lifespan=pendulum.Duration(hours=2),
)
new_token_data = jwt.decode(
new_token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert new_token_data['exp'] == (
new_moment + pendulum.Duration(hours=2)).int_timestamp
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(
the_dude,
override_refresh_lifespan=pendulum.Duration(hours=2),
override_access_lifespan=pendulum.Duration(minutes=30),
)
new_moment = moment + pendulum.Duration(minutes=31)
with freezegun.freeze_time(new_moment):
new_token = guard.refresh_jwt_token(
token,
override_access_lifespan=pendulum.Duration(hours=2),
)
new_token_data = jwt.decode(
new_token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert new_token_data['exp'] == new_token_data['rf_exp']
expiring_interval = (pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) +
pendulum.Duration(minutes=1))
validating_guard = Praetorian(app, validating_user_class)
brandt = validating_user_class(
username='******',
password=guard.encrypt_password("can't watch"),
is_active=True,
)
db.session.add(brandt)
db.session.commit()
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(brandt)
new_moment = moment + expiring_interval
with freezegun.freeze_time(new_moment):
validating_guard.refresh_jwt_token(token)
brandt.is_active = False
db.session.merge(brandt)
db.session.commit()
new_moment = new_moment + expiring_interval
with freezegun.freeze_time(new_moment):
with pytest.raises(InvalidUserError) as err_info:
validating_guard.refresh_jwt_token(token)
expected_message = 'The user is not valid or has had access revoked'
assert expected_message in str(err_info.value)
expiring_interval = (pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) +
pendulum.Duration(minutes=1))
guard = Praetorian(app, user_class)
bunny = user_class(
username='******',
password=guard.encrypt_password("can't blow that far"),
)
db.session.add(bunny)
db.session.commit()
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(bunny)
db.session.delete(bunny)
db.session.commit()
new_moment = moment + expiring_interval
with freezegun.freeze_time(new_moment):
with pytest.raises(MissingUserError) as err_info:
validating_guard.refresh_jwt_token(token)
expected_message = 'Could not find the requested user'
assert expected_message in str(err_info.value)
moment = pendulum.parse('2018-08-14 09:05:24')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(
the_dude,
duder='brief',
el_duderino='not brief',
)
new_moment = (pendulum.parse('2018-08-14 09:05:24') +
pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) +
pendulum.Duration(minutes=1))
with freezegun.freeze_time(new_moment):
new_token = guard.refresh_jwt_token(token)
new_token_data = jwt.decode(
new_token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert new_token_data['iat'] == new_moment.int_timestamp
assert new_token_data['exp'] == (
new_moment +
pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN)).int_timestamp
assert new_token_data['rf_exp'] == (moment + pendulum.Duration(
**DEFAULT_JWT_REFRESH_LIFESPAN)).int_timestamp
assert new_token_data['id'] == the_dude.id
assert new_token_data['rls'] == 'admin,operator'
assert new_token_data['duder'] == 'brief'
assert new_token_data['el_duderino'] == 'not brief'
def test_encode_jwt_token(self, app, user_class, validating_user_class):
"""
This test::
* verifies that the encode_jwt_token correctly encodes jwt
data based on a user instance.
* verifies that if a user specifies an override for the access
lifespan it is used in lieu of the instance's access_lifespan.
* verifies that the access_lifespan cannot exceed the refresh
lifespan.
* ensures that if the user_class has the instance method
validate(), it is called an any exceptions it raises are wrapped
in an InvalidUserError
* verifies that custom claims may be encoded in the token and
validates that the custom claims do not collide with reserved
claims
"""
guard = Praetorian(app, user_class)
the_dude = user_class(
username='******',
password=guard.encrypt_password('abides'),
roles='admin,operator',
)
moment = pendulum.parse('2017-05-21 18:39:55')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(the_dude)
token_data = jwt.decode(
token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert token_data['iat'] == moment.int_timestamp
assert token_data['exp'] == (
moment +
pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN)).int_timestamp
assert token_data['rf_exp'] == (moment + pendulum.Duration(
**DEFAULT_JWT_REFRESH_LIFESPAN)).int_timestamp
assert token_data['id'] == the_dude.id
assert token_data['rls'] == 'admin,operator'
moment = pendulum.parse('2017-05-21 18:39:55')
override_access_lifespan = pendulum.Duration(minutes=1)
override_refresh_lifespan = pendulum.Duration(hours=1)
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(
the_dude,
override_access_lifespan=override_access_lifespan,
override_refresh_lifespan=override_refresh_lifespan,
)
token_data = jwt.decode(
token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert token_data['iat'] == moment.int_timestamp
assert token_data['exp'] == (
moment + override_access_lifespan).int_timestamp
assert token_data['rf_exp'] == (
moment + override_refresh_lifespan).int_timestamp
assert token_data['id'] == the_dude.id
assert token_data['rls'] == 'admin,operator'
moment = pendulum.parse('2017-05-21 18:39:55')
override_access_lifespan = pendulum.Duration(hours=1)
override_refresh_lifespan = pendulum.Duration(minutes=1)
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(
the_dude,
override_access_lifespan=override_access_lifespan,
override_refresh_lifespan=override_refresh_lifespan,
)
token_data = jwt.decode(
token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert token_data['iat'] == moment.int_timestamp
assert token_data['exp'] == token_data['rf_exp']
assert token_data['rf_exp'] == (
moment + override_refresh_lifespan).int_timestamp
assert token_data['id'] == the_dude.id
assert token_data['rls'] == 'admin,operator'
validating_guard = Praetorian(app, validating_user_class)
brandt = validating_user_class(
username='******',
password=guard.encrypt_password("can't watch"),
is_active=True,
)
validating_guard.encode_jwt_token(brandt)
brandt.is_active = False
with pytest.raises(InvalidUserError) as err_info:
validating_guard.encode_jwt_token(brandt)
expected_message = 'The user is not valid or has had access revoked'
assert expected_message in str(err_info.value)
moment = pendulum.parse('2018-08-18 08:55:12')
with freezegun.freeze_time(moment):
token = guard.encode_jwt_token(
the_dude,
duder='brief',
el_duderino='not brief',
)
token_data = jwt.decode(
token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert token_data['iat'] == moment.int_timestamp
assert token_data['exp'] == (
moment +
pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN)).int_timestamp
assert token_data['rf_exp'] == (moment + pendulum.Duration(
**DEFAULT_JWT_REFRESH_LIFESPAN)).int_timestamp
assert token_data['id'] == the_dude.id
assert token_data['rls'] == 'admin,operator'
assert token_data['duder'] == 'brief'
assert token_data['el_duderino'] == 'not brief'
with pytest.raises(ClaimCollisionError) as err_info:
guard.encode_jwt_token(the_dude, exp='nice marmot')
expected_message = 'custom claims collide'
assert expected_message in str(err_info.value)
def test_encode_jwt_token(self, app, user_class, validating_user_class):
"""
This test::
* verifies that the encode_jwt_token correctly encodes jwt
data based on a user instance.
* verifies that if a user specifies an override for the access
lifespan it is used in lieu of the instance's access_lifespan.
* verifies that the access_lifespan cannot exceed the refresh
lifespan.
* ensures that if the user_class has the instance method
validate(), it is called an any exceptions it raises are wrapped
in an InvalidUserError
* verifies that custom claims may be encoded in the token and
validates that the custom claims do not collide with reserved
claims
"""
guard = Praetorian(app, user_class)
the_dude = user_class(
username="******",
password=guard.hash_password("abides"),
roles="admin,operator",
)
moment = plummet.momentize('2017-05-21 18:39:55')
with plummet.frozen_time(moment):
token = guard.encode_jwt_token(the_dude)
token_data = jwt.decode(
token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert token_data["iat"] == moment.int_timestamp
assert (token_data["exp"] == (
moment + DEFAULT_JWT_ACCESS_LIFESPAN).int_timestamp)
assert (token_data[REFRESH_EXPIRATION_CLAIM] == (
moment + DEFAULT_JWT_REFRESH_LIFESPAN).int_timestamp)
assert token_data["id"] == the_dude.id
assert token_data["rls"] == "admin,operator"
override_access_lifespan = pendulum.Duration(minutes=1)
override_refresh_lifespan = pendulum.Duration(hours=1)
moment = plummet.momentize('2017-05-21 18:39:55')
with plummet.frozen_time(moment):
token = guard.encode_jwt_token(
the_dude,
override_access_lifespan=override_access_lifespan,
override_refresh_lifespan=override_refresh_lifespan,
)
token_data = jwt.decode(
token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert token_data["iat"] == moment.int_timestamp
assert (token_data["exp"] == (
moment + override_access_lifespan).int_timestamp)
assert (token_data[REFRESH_EXPIRATION_CLAIM] == (
moment + override_refresh_lifespan).int_timestamp)
assert token_data["id"] == the_dude.id
assert token_data["rls"] == "admin,operator"
override_access_lifespan = pendulum.Duration(hours=1)
override_refresh_lifespan = pendulum.Duration(minutes=1)
moment = plummet.momentize('2017-05-21 18:39:55')
with plummet.frozen_time(moment):
token = guard.encode_jwt_token(
the_dude,
override_access_lifespan=override_access_lifespan,
override_refresh_lifespan=override_refresh_lifespan,
)
token_data = jwt.decode(
token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert token_data["iat"] == moment.int_timestamp
assert token_data["exp"] == token_data[REFRESH_EXPIRATION_CLAIM]
assert (token_data[REFRESH_EXPIRATION_CLAIM] == (
moment + override_refresh_lifespan).int_timestamp)
assert token_data["id"] == the_dude.id
assert token_data["rls"] == "admin,operator"
validating_guard = Praetorian(app, validating_user_class)
brandt = validating_user_class(
username="******",
password=guard.hash_password("can't watch"),
is_active=True,
)
validating_guard.encode_jwt_token(brandt)
brandt.is_active = False
with pytest.raises(InvalidUserError) as err_info:
validating_guard.encode_jwt_token(brandt)
expected_message = "The user is not valid or has had access revoked"
assert expected_message in str(err_info.value)
moment = plummet.momentize('2018-08-18 08:55:12')
with plummet.frozen_time(moment):
token = guard.encode_jwt_token(
the_dude,
duder="brief",
el_duderino="not brief",
)
token_data = jwt.decode(
token,
guard.encode_key,
algorithms=guard.allowed_algorithms,
)
assert token_data["iat"] == moment.int_timestamp
assert (token_data["exp"] == (
moment + DEFAULT_JWT_ACCESS_LIFESPAN).int_timestamp)
assert (token_data[REFRESH_EXPIRATION_CLAIM] == (
moment + DEFAULT_JWT_REFRESH_LIFESPAN).int_timestamp)
assert token_data["id"] == the_dude.id
assert token_data["rls"] == "admin,operator"
assert token_data["duder"] == "brief"
assert token_data["el_duderino"] == "not brief"
with pytest.raises(ClaimCollisionError) as err_info:
guard.encode_jwt_token(the_dude, exp="nice marmot")
expected_message = "custom claims collide"
assert expected_message in str(err_info.value)
