def test_subject_returns_sub_claim(self, claims):
jwttok = jwt_token(claims)
grant_token = VerifiedJWTGrantToken(jwttok, 'top-secret',
'test-audience')
assert grant_token.subject == 'test-subject'
def test_init_raises_for_invalid_signature_algorithm(self, claims):
jwttok = jwt_token(claims, alg='HS512')
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
assert exc.value.description == 'Invalid grant token signature algorithm.'
def test_init_raises_for_invalid_signature(self, claims):
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, 'wrong-secret', 'test-audience')
assert exc.value.description == 'Invalid grant token signature.'
def test_init_raises_for_none_key(self, claims):
jwttok = jwt_token(claims)
with pytest.raises(InvalidClientError) as exc:
VerifiedJWTGrantToken(jwttok, None, 'test-audience')
assert exc.value.description == 'Client is invalid.'
def test_init_raises_for_invalid_aud(self, claims):
claims['aud'] = 'different-audience'
jwttok = jwt_token(claims)
with pytest.raises(InvalidJWTGrantTokenClaimError) as exc:
VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
assert exc.value.description == "Invalid claim 'aud' (audience) in grant token."
def test_init_raises_for_too_long_token_lifetime(self, claims):
claims['exp'] = epoch(delta=timedelta(minutes=15))
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
assert exc.value.description == 'Grant token lifetime is too long.'
def test_init_raises_for_iat_claim_in_future(self, claims):
claims['iat'] = epoch(delta=timedelta(minutes=13))
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
assert exc.value.description == 'Grant token issue time (iat) is in the future.'
def test_init_raises_for_nbf_claim_in_future(self, claims):
claims['nbf'] = epoch(delta=timedelta(minutes=2))
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
assert exc.value.description == 'Grant token is not yet valid.'
def test_init_raises_when_expired_with_leeway(self, claims):
claims['exp'] = epoch(delta=timedelta(minutes=-2))
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
assert exc.value.description == 'Grant token is expired.'
def test_init_raises_for_missing_claims(self, claims, claim, description):
del claims[claim]
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
assert exc.value.description == "Missing claim '{}' ({}) from grant token.".format(
claim, description)
def test_subject_raises_for_empty_sub_claim(self, claims):
claims['sub'] = ''
jwttok = jwt_token(claims)
grant_token = VerifiedJWTGrantToken(jwttok, 'top-secret',
'test-audience')
with pytest.raises(InvalidGrantError) as exc:
grant_token.subject
assert exc.value.description == "Missing claim 'sub' (subject) from grant token."
def test_not_before_returns_nbf_claim(self, claims):
now = datetime.utcnow().replace(microsecond=0)
delta = timedelta(minutes=-2)
claims["nbf"] = epoch(timestamp=now, delta=delta)
jwttok = jwt_token(claims)
grant_token = VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
assert grant_token.not_before == (now + delta)
def test_init_raises_for_invalid_timestamp_types(self, claims, claim,
description):
claims[claim] = 'wut'
jwttok = jwt_token(claims)
with pytest.raises(InvalidJWTGrantTokenClaimError) as exc:
VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
assert exc.value.description == "Invalid claim '{}' ({}) in grant token.".format(
claim, description)
def test_subject_raises_for_missing_sub_claim(self, claims):
del claims["sub"]
jwttok = jwt_token(claims)
grant_token = VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
with pytest.raises(InvalidGrantError) as exc:
grant_token.subject
assert (
exc.value.description == "Missing claim 'sub' (subject) from grant token."
)
def test_expiry_returns_exp_claim(self, claims):
now = datetime.utcnow().replace(microsecond=0)
delta = timedelta(minutes=2)
claims['exp'] = epoch(timestamp=now, delta=delta)
jwttok = jwt_token(claims)
grant_token = VerifiedJWTGrantToken(jwttok, 'top-secret',
'test-audience')
assert grant_token.expiry == (now + delta)
def test_init_returns_token_when_expired_but_in_leeway(self, claims):
claims['exp'] = epoch(delta=timedelta(seconds=-8))
jwttok = jwt_token(claims)
VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
def test_init_returns_token_when_valid(self, claims):
jwttok = jwt_token(claims)
actual = VerifiedJWTGrantToken(jwttok, 'top-secret', 'test-audience')
assert isinstance(actual, VerifiedJWTGrantToken)
