def test_jwt_can_authorize_request_token_in_qs(app):
    """A valid HS256 JWT supplied as the ``jwt`` query-string parameter yields an identity.

    The authenticator is configured with the shared test key; the token comes
    from ``_get_test_token`` and is expected to carry subject ``some-user-id``.
    """
    # NOTE: this only checks that the query-string carrier is accepted; tokens
    # passed this way are typically visible in access logs and referrers.
    token = _get_test_token()
    authenticator = JWTAuthenticator(private_key=JWT_HS_KEY, algorithm='HS256')
    url = f'/myorg/myrepo/objects/batch?jwt={token}'
    with app.test_request_context(url, method='POST'):
        resolved = authenticator(flask.request)
        assert resolved.id == 'some-user-id'
def test_jwt_can_authorize_request_symmetric_key(app):
    """A valid HS256 JWT in a ``Bearer`` Authorization header yields an identity.

    Same setup as the query-string case, but the token travels in the header,
    which is the carrier the other tests in this module use.
    """
    token = _get_test_token()
    authenticator = JWTAuthenticator(private_key=JWT_HS_KEY, algorithm='HS256')
    request_headers = {"Authorization": f'Bearer {token}'}
    with app.test_request_context('/myorg/myrepo/objects/batch', method='POST',
                                  headers=request_headers):
        resolved = authenticator(flask.request)
        assert resolved.id == 'some-user-id'
def test_jwt_expired_throws_401(app):
    """An expired JWT is rejected with ``Unauthorized`` rather than ignored.

    The token is minted with a negative lifetime so its ``exp`` is already in
    the past; the authenticator must raise instead of returning ``None`` or an
    identity.
    """
    # Negative lifetime: expired ten minutes before the request is made.
    stale_token = _get_test_token(lifetime=-600)
    authenticator = JWTAuthenticator(private_key=JWT_HS_KEY, algorithm='HS256')
    request_headers = {"Authorization": f'Bearer {stale_token}'}
    with app.test_request_context('/myorg/myrepo/objects/batch', method='POST',
                                  headers=request_headers):
        with pytest.raises(Unauthorized):
            authenticator(flask.request)
def test_jwt_scopes_authorize_actions(app, scopes, auth_check, expected):
    """Token ``scopes`` decide what ``identity.is_authorized`` allows.

    Parametrized (the parametrize decorator is outside this view): ``scopes``
    go into the minted token, ``auth_check`` is passed as keyword arguments to
    ``is_authorized`` and the result is compared by identity to ``expected``.
    """
    scoped_token = _get_test_token(scopes=scopes)
    authenticator = JWTAuthenticator(private_key=JWT_HS_KEY, algorithm='HS256')
    request_headers = {"Authorization": f'Bearer {scoped_token}'}
    with app.test_request_context('/myorg/myrepo/objects/batch', method='POST',
                                  headers=request_headers):
        resolved = authenticator(flask.request)
        # ``is`` on purpose: the check must return a real bool, not a truthy object.
        assert resolved.is_authorized(**auth_check) is expected
def test_jwt_with_wrong_kid_doesnt_authorize_request(app):
    """A token whose header ``kid`` does not match the configured ``key_id`` is ignored.

    The authenticator is pinned to ``must-be-this-key`` while the test token
    carries whatever ``_get_test_token`` sets; the expected outcome is ``None``
    (the authenticator declines to handle the token) rather than an identity.
    """
    pinned_authenticator = JWTAuthenticator(private_key=JWT_HS_KEY, algorithm='HS256',
                                            key_id='must-be-this-key')
    token = _get_test_token()
    request_headers = {"Authorization": f'Bearer {token}'}
    with app.test_request_context('/myorg/myrepo/objects/batch', method='POST',
                                  headers=request_headers):
        resolved = pinned_authenticator(flask.request)
        assert resolved is None
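def test_jwt_pre_authorize_action():
    """``get_authz_header`` mints a Bearer token scoped to the requested repo actions.

    Checks that the token verifies with the configured HS256 key, carries the
    identity id as ``sub``, encodes ``{'read'}`` on ``myorg/somerepo`` as a
    single object scope, and expires ``default_lifetime`` (120 s) from now.
    """
    authz = JWTAuthenticator(private_key=JWT_HS_KEY, algorithm='HS256', default_lifetime=120)
    identity = DefaultIdentity(name='joe', email='*****@*****.**', id='babab0ba')
    header = authz.get_authz_header(identity, 'myorg', 'somerepo', actions={'read'})

    # partition() tolerates any extra whitespace after the scheme; split(' ')
    # would raise on unpacking instead of failing the assertion below.
    auth_type, _, token = header['Authorization'].partition(' ')
    assert auth_type == 'Bearer'

    # ``algorithms`` is an allow-list of algorithm names and is documented as a
    # list; pass it as one so the accepted algorithm is pinned exactly.
    payload = jwt.decode(token, JWT_HS_KEY, algorithms=['HS256'])
    assert payload['sub'] == 'babab0ba'
    assert payload['scopes'] == 'obj:myorg/somerepo/*:read'

    # ``exp`` should be ~120 s ahead. Use total_seconds(): a negative timedelta
    # reports ``.seconds`` as a wrapped positive value, so an already-expired
    # token could otherwise slip inside the 5 s tolerance.
    remaining = (datetime.fromtimestamp(payload['exp']) - datetime.now()).total_seconds()
    assert abs(remaining - 120) < 5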
def test_jwt_can_authorize_request_token_as_basic_password(app):
    """A JWT can be carried as the password of ``Basic`` auth with user ``_jwt``.

    The credential is ``base64("_jwt:" + token)``; the authenticator must
    unpack it and resolve the same identity as for a Bearer header.
    """
    token = _get_test_token()
    authenticator = JWTAuthenticator(private_key=JWT_HS_KEY, algorithm='HS256')
    # Basic credentials are "user:password"; the fixed user name ``_jwt`` marks
    # the password as a token.
    raw_credential = b'_jwt' + b':' + token.encode('ascii')
    encoded_credential = base64.b64encode(raw_credential).decode('ascii')
    request_headers = {"Authorization": f'Basic {encoded_credential}'}
    with app.test_request_context('/myorg/myrepo/objects/batch', method='POST',
                                  headers=request_headers):
        resolved = authenticator(flask.request)
        assert resolved.id == 'some-user-id'
def test_jwt_scopes_authorize_actions_with_anon_user(app):
    """Scopes alone authorize a token that has no ``sub``, name or email.

    The token is minted with all identity claims set to ``None`` and a single
    scope covering ``myorg/myrepo``; READ on that repo must still be granted.
    """
    anonymous_scopes = ['obj:myorg/myrepo/*']
    token = _get_test_token(scopes=anonymous_scopes, sub=None, name=None, email=None)
    authenticator = JWTAuthenticator(private_key=JWT_HS_KEY, algorithm='HS256')
    request_headers = {"Authorization": f'Bearer {token}'}
    with app.test_request_context('/myorg/myrepo/objects/batch', method='POST',
                                  headers=request_headers):
        resolved = authenticator(flask.request)
        granted = resolved.is_authorized(organization='myorg', repo='myrepo',
                                         permission=Permission.READ)
        assert granted