def testKitchenSink(self):
    """Exercise mixed object, model, app and global grants in one scenario.

    Every assertion pairs a requested scope (first argument) with a granted
    scope (second argument); ``+`` concatenates scope entries.
    """
    def want_obj1(*perms):
        return scope.access_obj(self.obj, *perms)

    def want_obj2(*perms):
        return scope.access_obj(self.obj2, *perms)

    # A global read grant covers reads on both specific objects...
    self.assertScopeValid(
        want_obj1("read") + want_obj2("read"),
        scope.access_all("read"),
    )
    # ...but not a write permission that was never granted.
    self.assertScopeInvalid(
        want_obj1("read", "write") + want_obj2("read"),
        scope.access_all("read"),
    )
    # Per-model read/write grants cover objects of both models.
    self.assertScopeValid(
        want_obj1("read", "write") + want_obj2("read", "write"),
        scope.access_model(TestModel, "read", "write")
        + scope.access_model(TestModel2, "read", "write"),
    )
    # Dropping the second model's grant leaves obj2 uncovered.
    self.assertScopeInvalid(
        want_obj1("read", "write") + want_obj2("read", "write"),
        scope.access_model(TestModel, "read", "write"),
    )
    # An app-wide grant restores coverage for the second object.
    self.assertScopeValid(
        want_obj1("read", "write") + want_obj2("read", "write"),
        scope.access_model(TestModel, "read", "write")
        + scope.access_app("access_tokens", "read", "write"),
    )
    # Global read plus a model-level write together satisfy a read+write
    # request on one object.
    # NOTE(review): access_model receives the instance self.obj here rather
    # than the TestModel class -- presumably accepted by scope.access_model;
    # confirm that this is intentional and not a typo for TestModel.
    self.assertScopeValid(
        want_obj1("read", "write"),
        scope.access_model(self.obj, "write") + scope.access_all("read"),
    )
def testExpiredAccessTokenGrantsNothing(self):
    """A token older than ``max_age`` must not validate, even when otherwise intact."""
    aged_token = self.token_generator.generate(scope.access_all())
    # Wait longer than the 0.05s window used below so the token is stale.
    time.sleep(0.1)
    still_valid = self.token_generator.validate(
        aged_token, scope.access_all(), max_age=0.05)
    self.assertFalse(still_valid)
def testContentTypeTokenGeneratorCreatesSmallerKnownPermissionTokens(self):
    """A permission the content-type generator knows encodes shorter than the basic form."""
    def requested():
        return scope.access_all("auth.change_permission")

    compact_token = self.token_generator.generate(requested())
    baseline_token = basic_token_generator.generate(requested())
    self.assertLess(len(compact_token), len(baseline_token))
def testMismatchedTokenFormatDoesNotError(self):
    """Cross-validating tokens between generators never raises.

    A token minted by one generator validates under another only when both
    serializers report the same scope protocol version; otherwise the result
    must compare equal to False rather than raise.
    """
    peers = (
        default_token_generator,
        basic_token_generator,
        content_type_token_generator,
        auth_permission_token_generator,
        kitchen_sink_token_generator,
    )
    own_version = (
        self.token_generator._scope_serializer.get_scope_protocol_version()
    )
    for peer in peers:
        # Token from the peer, checked by our generator.
        ours_checks_peer = self.token_generator.validate(
            peer.generate(scope.access_all("read")),
            scope.access_all("read"))
        peer_version = peer._scope_serializer.get_scope_protocol_version()
        self.assertEqual(ours_checks_peer, peer_version == own_version)
        # And the reverse direction.
        peer_checks_ours = peer.validate(
            self.token_generator.generate(scope.access_all("read")),
            scope.access_all("read"))
        peer_version = peer._scope_serializer.get_scope_protocol_version()
        self.assertEqual(peer_checks_ours, peer_version == own_version)
def testMismatchedTokenFormatDoesNotError(self):
    """Tokens from a different generator are rejected cleanly, not with an exception.

    Validation across generators succeeds exactly when their scope serializers
    share a protocol version; a mismatch must yield a result equal to False.
    """
    def read_all():
        return scope.access_all("read")

    def protocol_of(generator):
        return generator._scope_serializer.get_scope_protocol_version()

    for other in (default_token_generator,
                  basic_token_generator,
                  content_type_token_generator,
                  auth_permission_token_generator,
                  kitchen_sink_token_generator):
        # Our generator validating the other generator's token.
        outcome = self.token_generator.validate(other.generate(read_all()),
                                               read_all())
        self.assertEqual(
            outcome, protocol_of(other) == protocol_of(self.token_generator))
        # The other generator validating our token.
        outcome = other.validate(self.token_generator.generate(read_all()),
                                 read_all())
        self.assertEqual(
            outcome, protocol_of(other) == protocol_of(self.token_generator))
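def set_data(request, pk):
    """Store the POSTed ``data`` field into the DataBlob referenced by ``pk``.

    Reads ``data`` and ``token`` from ``request.POST`` (a missing field raises
    KeyError, as before -- it is not handled here).  An existing blob may be
    written by any token that validates for ``scope.access_obj(blob)``;
    creating a missing blob additionally requires a token that validates for
    ``scope.access_all()``.

    Returns an ``HttpResponse`` whose body is ``{"msg": "NOAUTH"}`` when the
    token does not grant the needed access, or ``{"msg": "DONE"}`` after the
    data is saved.  Both are sent with HttpResponse's default status code;
    each passes through ``set_universal_access`` (defined elsewhere --
    presumably it adds permissive cross-origin headers; confirm).
    """
    data = request.POST['data']
    token = request.POST['token']
    ref = format(pk)
    try:
        blob = DataBlob.objects.get(ref=ref)
    except DataBlob.DoesNotExist:
        # Only a token valid for the whole scope may create a new blob.
        # Catching DoesNotExist specifically (instead of Exception) keeps
        # database or other unexpected errors from being silently treated
        # as "blob is missing, try to create it".
        if not tokens.validate(token, scope.access_all()):
            return set_universal_access(
                HttpResponse(json.dumps({'msg': 'NOAUTH'})))
        blob = DataBlob.objects.create(data='', ref=ref)
    # Writing always requires object-level access for this specific blob.
    if not tokens.validate(token, scope.access_obj(blob)):
        return set_universal_access(
            HttpResponse(json.dumps({'msg': 'NOAUTH'})))
    blob.data = data
    blob.save()
    return set_universal_access(HttpResponse(json.dumps({'msg': 'DONE'})))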
def testExpiredAccessTokenGrantsNothing(self):
    """Validation with ``max_age`` rejects a token once it has aged past the limit."""
    stale = self.token_generator.generate(scope.access_all())
    # 0.1s sleep comfortably exceeds the 0.05s max_age below.
    time.sleep(0.1)
    self.assertFalse(
        self.token_generator.validate(stale, scope.access_all(),
                                      max_age=0.05))
def testIncorrectSaltGrantsNothing(self):
    """A token signed under one salt must not validate under a different salt."""
    signed = self.token_generator.generate(scope.access_all())
    checked_with_wrong_salt = self.token_generator.validate(
        signed, scope.access_all(), salt="bad_salt")
    self.assertFalse(checked_with_wrong_salt)
def testIncorrectKeyGrantsNothing(self):
    """A token signed with one key must not validate under a different key."""
    signed = self.token_generator.generate(scope.access_all())
    checked_with_wrong_key = self.token_generator.validate(
        signed, scope.access_all(), key="bad_key")
    self.assertFalse(checked_with_wrong_key)
def testScopeModelGrants(self):
    """Check which grant levels satisfy a request at each level of the hierarchy.

    Grant levels, widest to narrowest: global, app, model, object, nothing.
    Each case pairs one requested scope with every grant level in that order
    and records how many of the widest grants satisfy it; the assertions run
    in the same order as the original enumerated form.
    """
    def grant_all():
        return scope.access_all("read")

    def grant_app():
        return scope.access_app("access_tokens", "read")

    def grant_model():
        return scope.access_model(TestModel, "read")

    def grant_obj():
        return scope.access_obj(self.obj, "read")

    def grant_none():
        return ()

    def bare_all():
        # Access with no permissions attached.
        return scope.access_all()

    grant_levels = (grant_all, grant_app, grant_model, grant_obj, grant_none)
    # (requested scope factory, number of leading grant levels that satisfy it)
    cases = (
        (grant_none, 5),   # asking for nothing: anything (even nothing) works
        (bare_all, 5),     # asking for access with no permissions
        (grant_obj, 4),    # object read: everything except an empty grant
        (grant_model, 3),  # model read: not satisfied by a single object
        (grant_app, 2),    # app read: only app-wide or global grants
        (grant_all, 1),    # global read: only a global grant
    )
    for requested, satisfied_by in cases:
        for level, granted in enumerate(grant_levels):
            if level < satisfied_by:
                self.assertScopeValid(requested(), granted())
            else:
                self.assertScopeInvalid(requested(), granted())
def testInvalidTokenGrantsNothing(self):
    """A string that is not a token at all validates as False, not as an error."""
    garbage = "bad_token"
    outcome = self.token_generator.validate(garbage, scope.access_all())
    self.assertFalse(outcome)
def testInvalidTokenGrantsNothing(self):
    """Malformed token input must be rejected rather than raise."""
    result = self.token_generator.validate("bad_token",
                                           scope.access_all())
    self.assertFalse(result)
def testContentTypeTokenGeneratorCreatesSmallerKnownPermissionTokens(self):
    """Known permission names compress to a shorter token than the basic generator's."""
    permission = "auth.change_permission"
    ours = self.token_generator.generate(scope.access_all(permission))
    theirs = basic_token_generator.generate(scope.access_all(permission))
    self.assertLess(len(ours), len(theirs))
def testContentTypeTokenGeneratorCreatesEquivalentGlobalTokens(self):
    """With no permissions to compress, both generators emit same-length tokens."""
    ours_len = len(self.token_generator.generate(scope.access_all()))
    basic_len = len(basic_token_generator.generate(scope.access_all()))
    self.assertEqual(ours_len, basic_len)
def testScopePermissionGrants(self):
    """A global request is satisfied only when its permissions are all granted.

    Iterates every (requested, granted) pair over the permission sets
    (), ("read",) and ("read", "write"), in that order for both sides, so the
    assertions run in the same sequence as the original enumerated form.
    """
    permission_sets = ((), ("read",), ("read", "write"))
    for requested in permission_sets:
        for granted in permission_sets:
            # Valid exactly when every requested permission is granted.
            if set(requested) <= set(granted):
                self.assertScopeValid(scope.access_all(*requested),
                                      scope.access_all(*granted))
            else:
                self.assertScopeInvalid(scope.access_all(*requested),
                                        scope.access_all(*granted))
def make_global_token():
    """Return a token granting ``scope.access_all()`` with no permissions attached."""
    everything = scope.access_all()
    return tokens.generate(everything)
def testIncorrectKeyGrantsNothing(self):
    """Verification under a key other than the signing key must fail."""
    token = self.token_generator.generate(scope.access_all())
    self.assertFalse(
        self.token_generator.validate(token, scope.access_all(),
                                      key="bad_key"))
def testIncorrectSaltGrantsNothing(self):
    """Verification under a salt other than the signing salt must fail."""
    token = self.token_generator.generate(scope.access_all())
    self.assertFalse(
        self.token_generator.validate(token, scope.access_all(),
                                      salt="bad_salt"))
def make_global_token():
    """Mint a token for the unrestricted ``scope.access_all()`` scope."""
    global_scope = scope.access_all()
    return tokens.generate(global_scope)
def testAuthPermissionTokenGeneratorCreatesEquivalentUnknownPermissionTokens(self):
    """A permission the auth-permission generator cannot compress yields the basic length."""
    unknown = "read"
    ours_len = len(self.token_generator.generate(scope.access_all(unknown)))
    basic_len = len(basic_token_generator.generate(scope.access_all(unknown)))
    self.assertEqual(ours_len, basic_len)
def testAuthPermissionTokenGeneratorCreatesEquivalentUnknownPermissionTokens(
        self):
    """For an unrecognised permission name, token length matches the basic generator."""
    def read_everything():
        return scope.access_all("read")

    self.assertEqual(
        len(self.token_generator.generate(read_everything())),
        len(basic_token_generator.generate(read_everything())),
    )