class TestToken(ManagementClient):
intclient = SimpleInternalClient()
devapi = BaseDevicesApiClient()
def test_token(self):
d = Device()
da = DevAuthorizer()
url = self.devapi.make_api_url("/auth_requests")
# poke devauth so that device appears
with deviceadm.run_fake_for_device(d) as server:
rsp = device_auth_req(url, da, d)
assert rsp.status_code == 401
# try to find our devices in all devices listing
mc = SimpleManagementClient()
dev = mc.find_device_by_identity(d.identity)
self.log.debug('found matching device with ID: %s', dev.id)
devid = dev.id
# extract authentication data set ID
aid = dev.auth_sets[0].id
try:
with inventory.run_fake_for_device_id(devid) as server:
self.accept_device(devid, aid)
except bravado.exception.HTTPError as e:
assert e.response.status_code == 204
# device is accepted, we should get a token now
with deviceadm.run_fake_for_device(d) as server:
rsp = device_auth_req(url, da, d)
assert rsp.status_code == 200
da.parse_rsp_payload(d, rsp.text)
assert len(d.token) > 0
self.log.info("device token: %s", d.token)
thdr, tclaims, tsign = explode_jwt(d.token)
assert 'typ' in thdr and thdr['typ'] == 'JWT'
assert 'jti' in tclaims
assert 'exp' in tclaims
assert 'sub' in tclaims and tclaims['sub'] == devid
assert 'iss' in tclaims and tclaims['iss'] == 'Mender'
assert 'mender.device' in tclaims and tclaims['mender.device'] == True
# TODO: signature verification?
# verify token; the token is to be placed in the Authorization header
# and it looks like bravado cannot handle a POST request with no data
# in body, hence we fall back to sending request directly
verify_url = self.intclient.make_api_url("/tokens/verify")
self.log.info("verify URL: %s", verify_url)
auth_hdr = 'Bearer {}'.format(d.token)
# no auth header should raise an error
rsp = requests.post(verify_url, data='')
assert rsp.status_code == 401
# successful verification
rsp = requests.post(verify_url,
data='',
headers={'Authorization': auth_hdr})
assert rsp.status_code == 200
# use a bogus token that is not a valid JWT
rsp = requests.post(verify_url,
data='',
headers={'Authorization': 'bogus'})
assert rsp.status_code == 401
# or a correct token with data appended at the end
rsp = requests.post(verify_url,
data='',
headers={'Authorization': auth_hdr + "==foo"})
assert rsp.status_code == 401
# bravado cannot handle DELETE requests either
# self.client.tokens.delete_tokens_id(id=tclaims['jti'])
# use requests instead
rsp = requests.delete(
self.make_api_url('/tokens/{}'.format(tclaims['jti'])))
assert rsp.status_code == 204
# unsuccessful verification
rsp = requests.post(verify_url,
data='',
headers={'Authorization': auth_hdr})
assert rsp.status_code == 401
def internal_api():
yield SimpleInternalClient()
def internal_api(request):
yield SimpleInternalClient(
request.config.getoption("--host"),
request.config.getoption("--spec"),
)