class VerifyTokenTest(unittest.TestCase):
@classmethod
def setUpClass(self):
# Populate OpenID config cache.
with mock.patch('kinto.plugins.openid.utils.requests.get') as m:
m.return_value.json.return_value = {'userinfo_endpoint': 'http://uinfo',
'jwks_uri': 'https://jwks'}
fetch_openid_config('https://fxa')
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://fxa', client_id='abc')
def test_fetches_userinfo_if_id_token_is_none(self):
self.mocked_get.return_value.json.side_effect = [
{"sub": "me"},
]
payload = self.policy._verify_token(access_token='abc')
assert payload["sub"] == "me"
def test_returns_none_if_fetching_userinfo_fails(self):
self.mocked_get.return_value.raise_for_status.side_effect = ValueError
payload = self.policy._verify_token(access_token='abc')
assert payload is None
class VerifyTokenTest(unittest.TestCase):
@classmethod
def setUpClass(self):
# Populate OpenID config cache.
with mock.patch('kinto.plugins.openid.utils.requests.get') as m:
m.return_value.json.return_value = {
'userinfo_endpoint': 'http://uinfo',
'jwks_uri': 'https://jwks'
}
fetch_openid_config('https://fxa')
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://fxa',
client_id='abc')
def test_fetches_userinfo_if_id_token_is_none(self):
self.mocked_get.return_value.json.side_effect = [
{
"sub": "me"
},
]
payload = self.policy._verify_token(access_token='abc')
assert payload["sub"] == "me"
def test_returns_none_if_fetching_userinfo_fails(self):
self.mocked_get.return_value.raise_for_status.side_effect = ValueError
payload = self.policy._verify_token(access_token='abc')
assert payload is None
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://fxa',
client_id='abc')
class PolicyTest(unittest.TestCase):
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://idp',
client_id='abc')
self.request = DummyRequest()
self.request.registry.cache.get.return_value = None
mocked = mock.patch.object(self.policy, '_verify_token')
self.verify = mocked.start()
self.addCleanup(mocked.stop)
self.verify.return_value = {'sub': 'userid'}
def test_returns_none_if_no_authorization(self):
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_header_type_in_forget(self):
h = self.policy.forget(self.request)
assert 'Bearer ' in h[0][1]
def test_header_type_can_be_configured(self):
self.policy.header_type = 'bearer+oidc'
h = self.policy.forget(self.request)
assert 'bearer+oidc ' in h[0][1]
def test_returns_none_if_no_authorization_prefix(self):
self.request.headers['Authorization'] = 'avrbnnbrbr'
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_none_if_bad_prefix(self):
self.request.headers['Authorization'] = 'Basic avrbnnbrbr'
assert self.policy.unauthenticated_userid(self.request) is None
def test_can_specify_only_opaque_access_token(self):
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'userid'
self.verify.assert_called_with('xyz')
def test_returns_none_if_no_cache_and_invalid_access_token(self):
self.request.headers['Authorization'] = 'Bearer xyz'
self.request.registry.cache.get.return_value = None
self.verify.return_value = None
assert self.policy.unauthenticated_userid(self.request) is None
assert not self.request.registry.cache.set.called
def test_payload_is_read_from_cache(self):
self.request.headers['Authorization'] = 'Bearer xyz'
self.request.registry.cache.get.return_value = {'sub': 'me'}
self.policy.unauthenticated_userid(self.request) == 'me'
def test_payload_is_stored_in_cache(self):
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'userid'
assert self.request.registry.cache.set.called
class PolicyTest(unittest.TestCase):
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://idp', client_id='abc')
self.request = DummyRequest()
self.request.registry.cache.get.return_value = None
mocked = mock.patch.object(self.policy, '_verify_token')
self.verify = mocked.start()
self.addCleanup(mocked.stop)
self.verify.return_value = {'sub': 'userid'}
def test_returns_none_if_no_authorization(self):
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_header_type_in_forget(self):
h = self.policy.forget(self.request)
assert 'Bearer ' in h[0][1]
def test_header_type_can_be_configured(self):
self.policy.header_type = 'bearer+oidc'
h = self.policy.forget(self.request)
assert 'bearer+oidc ' in h[0][1]
def test_returns_none_if_no_authorization_prefix(self):
self.request.headers['Authorization'] = 'avrbnnbrbr'
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_none_if_bad_prefix(self):
self.request.headers['Authorization'] = 'Basic avrbnnbrbr'
assert self.policy.unauthenticated_userid(self.request) is None
def test_can_specify_only_opaque_access_token(self):
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'userid'
self.verify.assert_called_with('xyz')
def test_returns_none_if_no_cache_and_invalid_access_token(self):
self.request.headers['Authorization'] = 'Bearer xyz'
self.request.registry.cache.get.return_value = None
self.verify.return_value = None
assert self.policy.unauthenticated_userid(self.request) is None
assert not self.request.registry.cache.set.called
def test_payload_is_read_from_cache(self):
self.request.headers['Authorization'] = 'Bearer xyz'
self.request.registry.cache.get.return_value = {'sub': 'me'}
self.policy.unauthenticated_userid(self.request) == 'me'
def test_payload_is_stored_in_cache(self):
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'userid'
assert self.request.registry.cache.set.called
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://idp', client_id='abc')
self.request = DummyRequest()
self.request.registry.cache.get.return_value = None
mocked = mock.patch.object(self.policy, '_verify_token')
self.verify = mocked.start()
self.addCleanup(mocked.stop)
self.verify.return_value = {'sub': 'userid'}
def setUp(self):
mocked = mock.patch("kinto.plugins.openid.requests.get")
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer="https://idp", client_id="abc")
self.request = DummyRequest()
self.request.registry.cache.get.return_value = None
mocked = mock.patch.object(self.policy, "_verify_token")
self.verify = mocked.start()
self.addCleanup(mocked.stop)
self.verify.return_value = {"sub": "userid"}
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://idp', client_id='abc')
self.request = DummyRequest()
self.request.registry.cache.get.return_value = None
mocked = mock.patch.object(self.policy, '_verify_token')
self.verify = mocked.start()
self.addCleanup(mocked.stop)
self.verify.return_value = {'sub': 'userid'}
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://fxa', client_id='abc')
class PolicyTest(unittest.TestCase):
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://idp', client_id='abc')
self.request = DummyRequest()
self.request.registry.cache.get.return_value = None
mocked = mock.patch.object(self.policy, '_verify_token')
self.verify = mocked.start()
self.addCleanup(mocked.stop)
self.verify.return_value = {'sub': 'userid'}
def test_returns_none_if_no_authorization(self):
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_header_type_in_forget(self):
h = self.policy.forget(self.request)
assert 'Bearer ' in h[0][1]
def test_header_type_can_be_configured(self):
self.policy.header_type = 'bearer+oidc'
h = self.policy.forget(self.request)
assert 'bearer+oidc ' in h[0][1]
def test_returns_none_if_no_authorization_prefix(self):
self.request.headers['Authorization'] = 'avrbnnbrbr'
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_none_if_bad_prefix(self):
self.request.headers['Authorization'] = 'Basic avrbnnbrbr'
assert self.policy.unauthenticated_userid(self.request) is None
def test_can_specify_only_opaque_access_token(self):
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'userid'
self.verify.assert_called_with('xyz')
def test_returns_none_if_no_cache_and_invalid_access_token(self):
self.request.headers['Authorization'] = 'Bearer xyz'
self.request.registry.cache.get.return_value = None
self.verify.return_value = None
assert self.policy.unauthenticated_userid(self.request) is None
assert not self.request.registry.cache.set.called
def test_payload_is_read_from_cache(self):
self.request.headers['Authorization'] = 'Bearer xyz'
self.request.registry.cache.get.return_value = {'sub': 'me'}
assert self.policy.unauthenticated_userid(self.request) == 'me'
def test_payload_is_stored_in_cache(self):
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'userid'
assert self.request.registry.cache.set.called
def test_payload_is_read_from_cache_but_differently_by_access_token(self):
# State to keep track of cache keys queried.
cache_keys_used = []
def mocked_cache_get(cache_key):
# This makes sure the same cache key is not used twice
assert cache_key not in cache_keys_used
cache_keys_used.append(cache_key)
if len(cache_keys_used) == 1:
return {'sub': 'me'}
elif len(cache_keys_used) == 2:
return {'sub': 'you'}
self.request.registry.cache.get.side_effect = mocked_cache_get
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'me'
# Change the Authorization header the second time
self.request.headers['Authorization'] = 'Bearer abc'
assert self.policy.unauthenticated_userid(self.request) == 'you'
class PolicyTest(unittest.TestCase):
def setUp(self):
mocked = mock.patch('kinto.plugins.openid.requests.get')
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer='https://idp',
client_id='abc')
self.request = DummyRequest()
self.request.registry.cache.get.return_value = None
mocked = mock.patch.object(self.policy, '_verify_token')
self.verify = mocked.start()
self.addCleanup(mocked.stop)
self.verify.return_value = {'sub': 'userid'}
def test_returns_none_if_no_authorization(self):
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_header_type_in_forget(self):
h = self.policy.forget(self.request)
assert 'Bearer ' in h[0][1]
def test_header_type_can_be_configured(self):
self.policy.header_type = 'bearer+oidc'
h = self.policy.forget(self.request)
assert 'bearer+oidc ' in h[0][1]
def test_returns_none_if_no_authorization_prefix(self):
self.request.headers['Authorization'] = 'avrbnnbrbr'
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_none_if_bad_prefix(self):
self.request.headers['Authorization'] = 'Basic avrbnnbrbr'
assert self.policy.unauthenticated_userid(self.request) is None
def test_can_specify_only_opaque_access_token(self):
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'userid'
self.verify.assert_called_with('xyz')
def test_returns_none_if_no_cache_and_invalid_access_token(self):
self.request.headers['Authorization'] = 'Bearer xyz'
self.request.registry.cache.get.return_value = None
self.verify.return_value = None
assert self.policy.unauthenticated_userid(self.request) is None
assert not self.request.registry.cache.set.called
def test_payload_is_read_from_cache(self):
self.request.headers['Authorization'] = 'Bearer xyz'
self.request.registry.cache.get.return_value = {'sub': 'me'}
assert self.policy.unauthenticated_userid(self.request) == 'me'
def test_payload_is_stored_in_cache(self):
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'userid'
assert self.request.registry.cache.set.called
def test_payload_is_read_from_cache_but_differently_by_access_token(self):
# State to keep track of cache keys queried.
cache_keys_used = []
def mocked_cache_get(cache_key):
# This makes sure the same cache key is not used twice
assert cache_key not in cache_keys_used
cache_keys_used.append(cache_key)
if len(cache_keys_used) == 1:
return {'sub': 'me'}
elif len(cache_keys_used) == 2:
return {'sub': 'you'}
self.request.registry.cache.get.side_effect = mocked_cache_get
self.request.headers['Authorization'] = 'Bearer xyz'
assert self.policy.unauthenticated_userid(self.request) == 'me'
# Change the Authorization header the second time
self.request.headers['Authorization'] = 'Bearer abc'
assert self.policy.unauthenticated_userid(self.request) == 'you'
class PolicyTest(unittest.TestCase):
def setUp(self):
mocked = mock.patch("kinto.plugins.openid.requests.get")
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer="https://idp",
client_id="abc")
self.request = DummyRequest()
self.request.registry.cache.get.return_value = None
mocked = mock.patch.object(self.policy, "_verify_token")
self.verify = mocked.start()
self.addCleanup(mocked.stop)
self.verify.return_value = {"sub": "userid"}
def test_returns_none_if_no_authorization(self):
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_header_type_in_forget(self):
h = self.policy.forget(self.request)
assert "Bearer " in h[0][1]
def test_header_type_can_be_configured(self):
self.policy.header_type = "bearer+oidc"
h = self.policy.forget(self.request)
assert "bearer+oidc " in h[0][1]
def test_returns_none_if_no_authorization_prefix(self):
self.request.headers["Authorization"] = "avrbnnbrbr"
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_none_if_bad_prefix(self):
self.request.headers["Authorization"] = "Basic avrbnnbrbr"
assert self.policy.unauthenticated_userid(self.request) is None
def test_can_specify_only_opaque_access_token(self):
self.request.headers["Authorization"] = "Bearer xyz"
assert self.policy.unauthenticated_userid(self.request) == "userid"
self.verify.assert_called_with("xyz")
def test_returns_none_if_no_cache_and_invalid_access_token(self):
self.request.headers["Authorization"] = "Bearer xyz"
self.request.registry.cache.get.return_value = None
self.verify.return_value = None
assert self.policy.unauthenticated_userid(self.request) is None
assert not self.request.registry.cache.set.called
def test_payload_is_read_from_cache(self):
self.request.headers["Authorization"] = "Bearer xyz"
self.request.registry.cache.get.return_value = {"sub": "me"}
assert self.policy.unauthenticated_userid(self.request) == "me"
def test_payload_is_stored_in_cache(self):
self.request.headers["Authorization"] = "Bearer xyz"
assert self.policy.unauthenticated_userid(self.request) == "userid"
assert self.request.registry.cache.set.called
def test_payload_is_read_from_cache_but_differently_by_access_token(self):
# State to keep track of cache keys queried.
cache_keys_used = []
def mocked_cache_get(cache_key):
# This makes sure the same cache key is not used twice
assert cache_key not in cache_keys_used
cache_keys_used.append(cache_key)
if len(cache_keys_used) == 1:
return {"sub": "me"}
elif len(cache_keys_used) == 2:
return {"sub": "you"}
self.request.registry.cache.get.side_effect = mocked_cache_get
self.request.headers["Authorization"] = "Bearer xyz"
assert self.policy.unauthenticated_userid(self.request) == "me"
# Change the Authorization header the second time
self.request.headers["Authorization"] = "Bearer abc"
assert self.policy.unauthenticated_userid(self.request) == "you"
class PolicyTest(unittest.TestCase):
def setUp(self):
mocked = mock.patch("kinto.plugins.openid.requests.get")
self.mocked_get = mocked.start()
self.addCleanup(mocked.stop)
self.policy = OpenIDConnectPolicy(issuer="https://idp", client_id="abc")
self.request = DummyRequest()
self.request.registry.cache.get.return_value = None
mocked = mock.patch.object(self.policy, "_verify_token")
self.verify = mocked.start()
self.addCleanup(mocked.stop)
self.verify.return_value = {"sub": "userid"}
def test_returns_none_if_no_authorization(self):
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_header_type_in_forget(self):
h = self.policy.forget(self.request)
assert "Bearer " in h[0][1]
def test_header_type_can_be_configured(self):
self.policy.header_type = "bearer+oidc"
h = self.policy.forget(self.request)
assert "bearer+oidc " in h[0][1]
def test_returns_none_if_no_authorization_prefix(self):
self.request.headers["Authorization"] = "avrbnnbrbr"
assert self.policy.unauthenticated_userid(self.request) is None
def test_returns_none_if_bad_prefix(self):
self.request.headers["Authorization"] = "Basic avrbnnbrbr"
assert self.policy.unauthenticated_userid(self.request) is None
def test_can_specify_only_opaque_access_token(self):
self.request.headers["Authorization"] = "Bearer xyz"
assert self.policy.unauthenticated_userid(self.request) == "userid"
self.verify.assert_called_with("xyz")
def test_returns_none_if_no_cache_and_invalid_access_token(self):
self.request.headers["Authorization"] = "Bearer xyz"
self.request.registry.cache.get.return_value = None
self.verify.return_value = None
assert self.policy.unauthenticated_userid(self.request) is None
assert not self.request.registry.cache.set.called
def test_payload_is_read_from_cache(self):
self.request.headers["Authorization"] = "Bearer xyz"
self.request.registry.cache.get.return_value = {"sub": "me"}
assert self.policy.unauthenticated_userid(self.request) == "me"
def test_payload_is_stored_in_cache(self):
self.request.headers["Authorization"] = "Bearer xyz"
assert self.policy.unauthenticated_userid(self.request) == "userid"
assert self.request.registry.cache.set.called
def test_payload_is_read_from_cache_but_differently_by_access_token(self):
# State to keep track of cache keys queried.
cache_keys_used = []
def mocked_cache_get(cache_key):
# This makes sure the same cache key is not used twice
assert cache_key not in cache_keys_used
cache_keys_used.append(cache_key)
if len(cache_keys_used) == 1:
return {"sub": "me"}
elif len(cache_keys_used) == 2:
return {"sub": "you"}
self.request.registry.cache.get.side_effect = mocked_cache_get
self.request.headers["Authorization"] = "Bearer xyz"
assert self.policy.unauthenticated_userid(self.request) == "me"
# Change the Authorization header the second time
self.request.headers["Authorization"] = "Bearer abc"
assert self.policy.unauthenticated_userid(self.request) == "you"