def test_cloud_key_store():
driver = KeyPairSupportedDummyNodeDriver('')
keystore = CloudKeyStore(driver)
identity = Identity(DummyTeam, 'abcd')
assert_keystore_compliance(keystore, identity)
identity2 = Identity(DummyTeam, 'efg')
assert_keystore_compliance(keystore, identity2)
def test_cloud_key_store_get_key_name_pattern():
for i in range(100):
CloudKeyStore._sample_keys = None
# repeat for better reproducibility
driver = KeyPairSupportedDummyNodeDriver('')
keystore = CloudKeyStore(driver)
identity = Identity(DummyTeam, 'abcd')
pattern = keystore._get_key_name_pattern(identity)
print('Cached CloudKeyStore._sample_keys:', CloudKeyStore._sample_keys)
print(
'Cached CloudKeyStore._sample_keys (as names):',
tuple(
keystore._get_key_name(identity, k)
for k in CloudKeyStore._sample_keys))
print('Generated pattern:', pattern.pattern)
def random_fp():
return ':'.join(
map('{:02x}'.format,
hashlib.md5(os.urandom(100)).digest()))
actual = {
'tests.server_test.DummyTeam abcd ' + random_fp()
for _ in range(5)
}
result = filter(
pattern.match, actual | {
'tests.server_test.DummyTeam defg ' + random_fp(),
'tests.server_test.OtherTeam abcd ' + random_fp(),
'tests.server_test.DummyTeam abcd ', 'junk'
})
result = frozenset(result)
assert result == actual
def test_default_permission_policy():
remotes = {'a': Remote('a', 'localhost'), 'b': Remote('b', 'localhost')}
identity = Identity(DummyTeam, 'a')
p = DefaultPermissionPolicy()
assert p.filter(remotes, identity, {'x'}) == remotes
for remote in remotes.values():
assert p.permit(remote, identity, {'x'})
def fx_github_identity(fx_github_access_token):
global _fx_github_identity_cache
if not _fx_github_identity_cache:
_fx_github_identity_cache = request(fx_github_access_token,
'https://api.github.com/user',
'GET')
return Identity(GitHubOrganization, _fx_github_identity_cache['login'],
fx_github_access_token)
def authenticate(self, state, requested_redirect_url: str,
wsgi_environ: dict) -> Identity:
try:
pair = self.states.pop()
except IndexError:
raise AuthenticationError()
if pair[0] != state or pair[1] != requested_redirect_url:
raise AuthenticationError()
return Identity(type(self), len(self.states))
def test_authenticate(fx_app, fx_token_store, fx_token_id):
token_url = get_url('create_access_token', token_id=fx_token_id)
auth_url = get_url('authenticate', token_id=fx_token_id)
with app.test_client() as c:
response = c.put(token_url)
assert response.status_code == 202
response = c.get(auth_url)
assert response.status_code == 200
token = fx_token_store.get(fx_token_id)
assert isinstance(token, Token)
assert token.identity == Identity(DummyTeam, 0)
def test_get_identity_403(fx_app, fx_token_store, fx_token_id):
expires_at = (datetime.datetime.now(datetime.timezone.utc) +
datetime.timedelta(hours=1))
fx_token_store.set(fx_token_id,
Token(Identity(DummyTeam, 1, False), expires_at))
with fx_app.test_request_context():
try:
result = get_identity(fx_token_id)
except HTTPException as e:
response = e.get_response(request.environ)
assert response.status_code == 403
data = json.loads(response.get_data())
assert data['error'] == 'not-authorized'
else:
fail('get_identity() does not raise HTTPException, but returns ' +
repr(result))
def test_group_metadata_permission_policy(key, separator):
sep = separator or ' '
remotes = {
'web-1': Remote(
'ubuntu', '192.168.0.5',
metadata={key: sep.join(['web', 'a']), 'other': 'ignore'}
),
'web-2': Remote(
'ubuntu', '192.168.0.6',
metadata={key: sep.join(['web', 'b']), 'other': 'ignore'}
),
'web-3': Remote(
'ubuntu', '192.168.0.7',
metadata={key: sep.join(['web', 'c']), 'other': 'ignore'}
),
'worker-1': Remote(
'ubuntu', '192.168.0.25',
metadata={key: sep.join(['worker', 'a']), 'other': 'ignore'}
),
'worker-2': Remote(
'ubuntu', '192.168.0.26',
metadata={key: sep.join(['worker', 'b']), 'other': 'ignore'}
),
'db-1': Remote(
'ubuntu', '192.168.0.50',
metadata={key: sep.join(['db', 'a']), 'other': 'ignore'}
),
'db-2': Remote(
'ubuntu', '192.168.0.51',
metadata={key: sep.join(['db', 'b']), 'other': 'ignore'}
)
}
def subset(*keys):
return {a: r for a, r in remotes.items() if a in keys}
p = GroupMetadataPermissionPolicy(key, separator)
identity = Identity(DummyTeam, 1)
assert (p.filter(remotes, identity, {'web', 'a'}) ==
subset('web-1', 'web-2', 'web-3', 'worker-1', 'db-1'))
assert (p.filter(remotes, identity, {'db', 'c'}) ==
subset('web-3', 'worker-3', 'db-1', 'db-2'))
assert p.permit(remotes['db-1'], identity, {'web', 'a'})
assert not p.permit(remotes['db-1'], identity, {'web', 'b'})
assert p.permit(remotes['db-1'], identity, {'db', 'a'})
assert p.permit(remotes['db-1'], identity, {'db', 'b'})
def test_cloud_key_store_get_key_name_pattern():
driver = KeyPairSupportedDummyNodeDriver('')
keystore = CloudKeyStore(driver)
identity = Identity(DummyTeam, 'abcd')
pattern = keystore._get_key_name_pattern(identity)
random_fp = lambda: ':'.join(
map('{:02x}'.format,
hashlib.md5(os.urandom(100)).digest()))
actual = {
'tests.server_test.DummyTeam abcd ' + random_fp()
for _ in range(5)
}
result = filter(
pattern.match, actual | {
'tests.server_test.DummyTeam defg ' + random_fp(),
'tests.server_test.OtherTeam abcd ' + random_fp(),
'tests.server_test.DummyTeam abcd ', 'junk'
})
assert frozenset(result) == actual
def test_identity_hash():
assert hash(Identity(int, 1)) == hash(Identity(int, 1))
def fx_authorized_identity(fx_token_store, fx_token_id):
identity = Identity(DummyTeam, 1, True)
expires_at = (datetime.datetime.now(datetime.timezone.utc) +
datetime.timedelta(hours=1))
fx_token_store.set(fx_token_id, Token(identity, expires_at))
return identity
def test_identity_ne():
assert not (Identity(DummyTeamA, 1) != Identity(DummyTeamA, 1))
assert Identity(DummyTeamA, 1) != Identity(DummyTeamA, 2)
assert Identity(DummyTeamA, 1) != Identity(DummyTeamB, 1)
assert Identity(DummyTeamA, 1) != Identity(DummyTeamB, 2)
def test_db_key_store(fx_db_key_store):
identity = Identity(DummyTeam, 'abcd')
assert_keystore_compliance(fx_db_key_store, identity)
identity2 = Identity(DummyTeam, 'efg')
assert_keystore_compliance(fx_db_key_store, identity2)
def test_identity_hash():
assert hash(Identity(DummyTeamA, 1)) == hash(Identity(DummyTeamA, 1))
def fx_github_identity(fx_github_access_token: str) -> Identity:
resp = request(fx_github_access_token, 'https://api.github.com/user',
'GET')
return Identity(GitHubOrganization, resp['login'], fx_github_access_token)
def fx_bitbucket_identity(fx_bitbucket_access_token: str) -> Identity:
resp = request(fx_bitbucket_access_token,
'https://api.bitbucket.org/2.0/user', 'GET')
return Identity(BitbucketTeam, resp['username'], fx_bitbucket_access_token)
def test_identity_eq():
assert Identity(int, 1) == Identity(int, 1)
assert not (Identity(int, 1) == Identity(int, 2))
assert not (Identity(int, 1) == Identity(str, 1))
assert not (Identity(int, 1) == Identity(str, 2))
def test_identity_eq():
assert Identity(DummyTeamA, 1) == Identity(DummyTeamA, 1)
assert not (Identity(DummyTeamA, 1) == Identity(DummyTeamA, 2))
assert not (Identity(DummyTeamA, 1) == Identity(DummyTeamB, 1))
assert not (Identity(DummyTeamA, 1) == Identity(DummyTeamB, 2))
def test_identity_ne():
assert not (Identity(int, 1) != Identity(int, 1))
assert Identity(int, 1) != Identity(int, 2)
assert Identity(int, 1) != Identity(str, 1)
assert Identity(int, 1) != Identity(str, 2)