Esempio n. 1
0
class VerifyTokenTest(unittest.TestCase):

    @classmethod
    def setUpClass(self):
        # Populate OpenID config cache.
        with mock.patch('kinto.plugins.openid.utils.requests.get') as m:
            m.return_value.json.return_value = {'userinfo_endpoint': 'http://uinfo',
                                                'jwks_uri': 'https://jwks'}
            fetch_openid_config('https://fxa')

    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://fxa', client_id='abc')

    def test_fetches_userinfo_if_id_token_is_none(self):
        self.mocked_get.return_value.json.side_effect = [
            {"sub": "me"},
        ]
        payload = self.policy._verify_token(access_token='abc')
        assert payload["sub"] == "me"

    def test_returns_none_if_fetching_userinfo_fails(self):
        self.mocked_get.return_value.raise_for_status.side_effect = ValueError
        payload = self.policy._verify_token(access_token='abc')
        assert payload is None
Esempio n. 2
0
class VerifyTokenTest(unittest.TestCase):
    @classmethod
    def setUpClass(self):
        # Populate OpenID config cache.
        with mock.patch('kinto.plugins.openid.utils.requests.get') as m:
            m.return_value.json.return_value = {
                'userinfo_endpoint': 'http://uinfo',
                'jwks_uri': 'https://jwks'
            }
            fetch_openid_config('https://fxa')

    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://fxa',
                                          client_id='abc')

    def test_fetches_userinfo_if_id_token_is_none(self):
        self.mocked_get.return_value.json.side_effect = [
            {
                "sub": "me"
            },
        ]
        payload = self.policy._verify_token(access_token='abc')
        assert payload["sub"] == "me"

    def test_returns_none_if_fetching_userinfo_fails(self):
        self.mocked_get.return_value.raise_for_status.side_effect = ValueError
        payload = self.policy._verify_token(access_token='abc')
        assert payload is None
Esempio n. 3
0
    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://fxa',
                                          client_id='abc')
Esempio n. 4
0
class PolicyTest(unittest.TestCase):
    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://idp',
                                          client_id='abc')

        self.request = DummyRequest()
        self.request.registry.cache.get.return_value = None

        mocked = mock.patch.object(self.policy, '_verify_token')
        self.verify = mocked.start()
        self.addCleanup(mocked.stop)
        self.verify.return_value = {'sub': 'userid'}

    def test_returns_none_if_no_authorization(self):
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_header_type_in_forget(self):
        h = self.policy.forget(self.request)
        assert 'Bearer ' in h[0][1]

    def test_header_type_can_be_configured(self):
        self.policy.header_type = 'bearer+oidc'
        h = self.policy.forget(self.request)
        assert 'bearer+oidc ' in h[0][1]

    def test_returns_none_if_no_authorization_prefix(self):
        self.request.headers['Authorization'] = 'avrbnnbrbr'
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_none_if_bad_prefix(self):
        self.request.headers['Authorization'] = 'Basic avrbnnbrbr'
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_can_specify_only_opaque_access_token(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'userid'
        self.verify.assert_called_with('xyz')

    def test_returns_none_if_no_cache_and_invalid_access_token(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        self.request.registry.cache.get.return_value = None
        self.verify.return_value = None
        assert self.policy.unauthenticated_userid(self.request) is None
        assert not self.request.registry.cache.set.called

    def test_payload_is_read_from_cache(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        self.request.registry.cache.get.return_value = {'sub': 'me'}
        self.policy.unauthenticated_userid(self.request) == 'me'

    def test_payload_is_stored_in_cache(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'userid'
        assert self.request.registry.cache.set.called
Esempio n. 5
0
class PolicyTest(unittest.TestCase):
    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://idp', client_id='abc')

        self.request = DummyRequest()
        self.request.registry.cache.get.return_value = None

        mocked = mock.patch.object(self.policy, '_verify_token')
        self.verify = mocked.start()
        self.addCleanup(mocked.stop)
        self.verify.return_value = {'sub': 'userid'}

    def test_returns_none_if_no_authorization(self):
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_header_type_in_forget(self):
        h = self.policy.forget(self.request)
        assert 'Bearer ' in h[0][1]

    def test_header_type_can_be_configured(self):
        self.policy.header_type = 'bearer+oidc'
        h = self.policy.forget(self.request)
        assert 'bearer+oidc ' in h[0][1]

    def test_returns_none_if_no_authorization_prefix(self):
        self.request.headers['Authorization'] = 'avrbnnbrbr'
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_none_if_bad_prefix(self):
        self.request.headers['Authorization'] = 'Basic avrbnnbrbr'
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_can_specify_only_opaque_access_token(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'userid'
        self.verify.assert_called_with('xyz')

    def test_returns_none_if_no_cache_and_invalid_access_token(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        self.request.registry.cache.get.return_value = None
        self.verify.return_value = None
        assert self.policy.unauthenticated_userid(self.request) is None
        assert not self.request.registry.cache.set.called

    def test_payload_is_read_from_cache(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        self.request.registry.cache.get.return_value = {'sub': 'me'}
        self.policy.unauthenticated_userid(self.request) == 'me'

    def test_payload_is_stored_in_cache(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'userid'
        assert self.request.registry.cache.set.called
Esempio n. 6
0
    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://idp', client_id='abc')

        self.request = DummyRequest()
        self.request.registry.cache.get.return_value = None

        mocked = mock.patch.object(self.policy, '_verify_token')
        self.verify = mocked.start()
        self.addCleanup(mocked.stop)
        self.verify.return_value = {'sub': 'userid'}
Esempio n. 7
0
    def setUp(self):
        mocked = mock.patch("kinto.plugins.openid.requests.get")
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer="https://idp", client_id="abc")

        self.request = DummyRequest()
        self.request.registry.cache.get.return_value = None

        mocked = mock.patch.object(self.policy, "_verify_token")
        self.verify = mocked.start()
        self.addCleanup(mocked.stop)
        self.verify.return_value = {"sub": "userid"}
Esempio n. 8
0
    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://idp', client_id='abc')

        self.request = DummyRequest()
        self.request.registry.cache.get.return_value = None

        mocked = mock.patch.object(self.policy, '_verify_token')
        self.verify = mocked.start()
        self.addCleanup(mocked.stop)
        self.verify.return_value = {'sub': 'userid'}
Esempio n. 9
0
    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://fxa', client_id='abc')
Esempio n. 10
0
class PolicyTest(unittest.TestCase):
    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://idp', client_id='abc')

        self.request = DummyRequest()
        self.request.registry.cache.get.return_value = None

        mocked = mock.patch.object(self.policy, '_verify_token')
        self.verify = mocked.start()
        self.addCleanup(mocked.stop)
        self.verify.return_value = {'sub': 'userid'}

    def test_returns_none_if_no_authorization(self):
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_header_type_in_forget(self):
        h = self.policy.forget(self.request)
        assert 'Bearer ' in h[0][1]

    def test_header_type_can_be_configured(self):
        self.policy.header_type = 'bearer+oidc'
        h = self.policy.forget(self.request)
        assert 'bearer+oidc ' in h[0][1]

    def test_returns_none_if_no_authorization_prefix(self):
        self.request.headers['Authorization'] = 'avrbnnbrbr'
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_none_if_bad_prefix(self):
        self.request.headers['Authorization'] = 'Basic avrbnnbrbr'
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_can_specify_only_opaque_access_token(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'userid'
        self.verify.assert_called_with('xyz')

    def test_returns_none_if_no_cache_and_invalid_access_token(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        self.request.registry.cache.get.return_value = None
        self.verify.return_value = None
        assert self.policy.unauthenticated_userid(self.request) is None
        assert not self.request.registry.cache.set.called

    def test_payload_is_read_from_cache(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        self.request.registry.cache.get.return_value = {'sub': 'me'}
        assert self.policy.unauthenticated_userid(self.request) == 'me'

    def test_payload_is_stored_in_cache(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'userid'
        assert self.request.registry.cache.set.called

    def test_payload_is_read_from_cache_but_differently_by_access_token(self):
        # State to keep track of cache keys queried.
        cache_keys_used = []

        def mocked_cache_get(cache_key):
            # This makes sure the same cache key is not used twice
            assert cache_key not in cache_keys_used
            cache_keys_used.append(cache_key)
            if len(cache_keys_used) == 1:
                return {'sub': 'me'}
            elif len(cache_keys_used) == 2:
                return {'sub': 'you'}

        self.request.registry.cache.get.side_effect = mocked_cache_get

        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'me'

        # Change the Authorization header the second time
        self.request.headers['Authorization'] = 'Bearer abc'
        assert self.policy.unauthenticated_userid(self.request) == 'you'
Esempio n. 11
0
class PolicyTest(unittest.TestCase):
    def setUp(self):
        mocked = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://idp',
                                          client_id='abc')

        self.request = DummyRequest()
        self.request.registry.cache.get.return_value = None

        mocked = mock.patch.object(self.policy, '_verify_token')
        self.verify = mocked.start()
        self.addCleanup(mocked.stop)
        self.verify.return_value = {'sub': 'userid'}

    def test_returns_none_if_no_authorization(self):
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_header_type_in_forget(self):
        h = self.policy.forget(self.request)
        assert 'Bearer ' in h[0][1]

    def test_header_type_can_be_configured(self):
        self.policy.header_type = 'bearer+oidc'
        h = self.policy.forget(self.request)
        assert 'bearer+oidc ' in h[0][1]

    def test_returns_none_if_no_authorization_prefix(self):
        self.request.headers['Authorization'] = 'avrbnnbrbr'
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_none_if_bad_prefix(self):
        self.request.headers['Authorization'] = 'Basic avrbnnbrbr'
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_can_specify_only_opaque_access_token(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'userid'
        self.verify.assert_called_with('xyz')

    def test_returns_none_if_no_cache_and_invalid_access_token(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        self.request.registry.cache.get.return_value = None
        self.verify.return_value = None
        assert self.policy.unauthenticated_userid(self.request) is None
        assert not self.request.registry.cache.set.called

    def test_payload_is_read_from_cache(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        self.request.registry.cache.get.return_value = {'sub': 'me'}
        assert self.policy.unauthenticated_userid(self.request) == 'me'

    def test_payload_is_stored_in_cache(self):
        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'userid'
        assert self.request.registry.cache.set.called

    def test_payload_is_read_from_cache_but_differently_by_access_token(self):
        # State to keep track of cache keys queried.
        cache_keys_used = []

        def mocked_cache_get(cache_key):
            # This makes sure the same cache key is not used twice
            assert cache_key not in cache_keys_used
            cache_keys_used.append(cache_key)
            if len(cache_keys_used) == 1:
                return {'sub': 'me'}
            elif len(cache_keys_used) == 2:
                return {'sub': 'you'}

        self.request.registry.cache.get.side_effect = mocked_cache_get

        self.request.headers['Authorization'] = 'Bearer xyz'
        assert self.policy.unauthenticated_userid(self.request) == 'me'

        # Change the Authorization header the second time
        self.request.headers['Authorization'] = 'Bearer abc'
        assert self.policy.unauthenticated_userid(self.request) == 'you'
Esempio n. 12
0
class PolicyTest(unittest.TestCase):
    def setUp(self):
        mocked = mock.patch("kinto.plugins.openid.requests.get")
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer="https://idp",
                                          client_id="abc")

        self.request = DummyRequest()
        self.request.registry.cache.get.return_value = None

        mocked = mock.patch.object(self.policy, "_verify_token")
        self.verify = mocked.start()
        self.addCleanup(mocked.stop)
        self.verify.return_value = {"sub": "userid"}

    def test_returns_none_if_no_authorization(self):
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_header_type_in_forget(self):
        h = self.policy.forget(self.request)
        assert "Bearer " in h[0][1]

    def test_header_type_can_be_configured(self):
        self.policy.header_type = "bearer+oidc"
        h = self.policy.forget(self.request)
        assert "bearer+oidc " in h[0][1]

    def test_returns_none_if_no_authorization_prefix(self):
        self.request.headers["Authorization"] = "avrbnnbrbr"
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_none_if_bad_prefix(self):
        self.request.headers["Authorization"] = "Basic avrbnnbrbr"
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_can_specify_only_opaque_access_token(self):
        self.request.headers["Authorization"] = "Bearer xyz"
        assert self.policy.unauthenticated_userid(self.request) == "userid"
        self.verify.assert_called_with("xyz")

    def test_returns_none_if_no_cache_and_invalid_access_token(self):
        self.request.headers["Authorization"] = "Bearer xyz"
        self.request.registry.cache.get.return_value = None
        self.verify.return_value = None
        assert self.policy.unauthenticated_userid(self.request) is None
        assert not self.request.registry.cache.set.called

    def test_payload_is_read_from_cache(self):
        self.request.headers["Authorization"] = "Bearer xyz"
        self.request.registry.cache.get.return_value = {"sub": "me"}
        assert self.policy.unauthenticated_userid(self.request) == "me"

    def test_payload_is_stored_in_cache(self):
        self.request.headers["Authorization"] = "Bearer xyz"
        assert self.policy.unauthenticated_userid(self.request) == "userid"
        assert self.request.registry.cache.set.called

    def test_payload_is_read_from_cache_but_differently_by_access_token(self):
        # State to keep track of cache keys queried.
        cache_keys_used = []

        def mocked_cache_get(cache_key):
            # This makes sure the same cache key is not used twice
            assert cache_key not in cache_keys_used
            cache_keys_used.append(cache_key)
            if len(cache_keys_used) == 1:
                return {"sub": "me"}
            elif len(cache_keys_used) == 2:
                return {"sub": "you"}

        self.request.registry.cache.get.side_effect = mocked_cache_get

        self.request.headers["Authorization"] = "Bearer xyz"
        assert self.policy.unauthenticated_userid(self.request) == "me"

        # Change the Authorization header the second time
        self.request.headers["Authorization"] = "Bearer abc"
        assert self.policy.unauthenticated_userid(self.request) == "you"
Esempio n. 13
0
class PolicyTest(unittest.TestCase):
    def setUp(self):
        mocked = mock.patch("kinto.plugins.openid.requests.get")
        self.mocked_get = mocked.start()
        self.addCleanup(mocked.stop)

        self.policy = OpenIDConnectPolicy(issuer="https://idp", client_id="abc")

        self.request = DummyRequest()
        self.request.registry.cache.get.return_value = None

        mocked = mock.patch.object(self.policy, "_verify_token")
        self.verify = mocked.start()
        self.addCleanup(mocked.stop)
        self.verify.return_value = {"sub": "userid"}

    def test_returns_none_if_no_authorization(self):
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_header_type_in_forget(self):
        h = self.policy.forget(self.request)
        assert "Bearer " in h[0][1]

    def test_header_type_can_be_configured(self):
        self.policy.header_type = "bearer+oidc"
        h = self.policy.forget(self.request)
        assert "bearer+oidc " in h[0][1]

    def test_returns_none_if_no_authorization_prefix(self):
        self.request.headers["Authorization"] = "avrbnnbrbr"
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_returns_none_if_bad_prefix(self):
        self.request.headers["Authorization"] = "Basic avrbnnbrbr"
        assert self.policy.unauthenticated_userid(self.request) is None

    def test_can_specify_only_opaque_access_token(self):
        self.request.headers["Authorization"] = "Bearer xyz"
        assert self.policy.unauthenticated_userid(self.request) == "userid"
        self.verify.assert_called_with("xyz")

    def test_returns_none_if_no_cache_and_invalid_access_token(self):
        self.request.headers["Authorization"] = "Bearer xyz"
        self.request.registry.cache.get.return_value = None
        self.verify.return_value = None
        assert self.policy.unauthenticated_userid(self.request) is None
        assert not self.request.registry.cache.set.called

    def test_payload_is_read_from_cache(self):
        self.request.headers["Authorization"] = "Bearer xyz"
        self.request.registry.cache.get.return_value = {"sub": "me"}
        assert self.policy.unauthenticated_userid(self.request) == "me"

    def test_payload_is_stored_in_cache(self):
        self.request.headers["Authorization"] = "Bearer xyz"
        assert self.policy.unauthenticated_userid(self.request) == "userid"
        assert self.request.registry.cache.set.called

    def test_payload_is_read_from_cache_but_differently_by_access_token(self):
        # State to keep track of cache keys queried.
        cache_keys_used = []

        def mocked_cache_get(cache_key):
            # This makes sure the same cache key is not used twice
            assert cache_key not in cache_keys_used
            cache_keys_used.append(cache_key)
            if len(cache_keys_used) == 1:
                return {"sub": "me"}
            elif len(cache_keys_used) == 2:
                return {"sub": "you"}

        self.request.registry.cache.get.side_effect = mocked_cache_get

        self.request.headers["Authorization"] = "Bearer xyz"
        assert self.policy.unauthenticated_userid(self.request) == "me"

        # Change the Authorization header the second time
        self.request.headers["Authorization"] = "Bearer abc"
        assert self.policy.unauthenticated_userid(self.request) == "you"