def test_google_link_no_proxy_group(
app,
client,
db_session,
encoded_creds_jwt,
add_new_g_acnt_mock,
google_auth_get_user_info_mock,
add_google_email_to_proxy_group_mock,
):
user_id = encoded_creds_jwt["user_id"]
test_auth_code = "abc123"
redirect = "http://localhost"
google_account = "*****@*****.**"
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={
"google_link": True,
"user_id": user_id,
"google_proxy_group_id": None, # <- no proxy group
"redirect": redirect,
},
)
existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
db_session.add(existing_account)
db_session.commit()
# manually set cookie for initial session
client.set_cookie("localhost",
config["SESSION_COOKIE_NAME"],
test_session_jwt,
httponly=True)
# simulate successfully authed reponse with user email
google_auth_get_user_info_mock.return_value = {"email": google_account}
r = client.get("/link/google/callback",
query_string={"code": test_auth_code})
assert not add_new_g_acnt_mock.called
# make sure we're redirecting with error information
parsed_url = urlparse(r.headers["Location"])
query_params = parse_qs(parsed_url.query)
response_redirect = urlunparse(
(parsed_url.scheme, parsed_url.netloc, parsed_url.path, "", "", ""))
assert "exp" not in query_params
assert "linked_email" not in query_params
assert "error" in query_params
assert "error_description" in query_params
assert response_redirect == redirect
assert not flask.session.get("google_link")
assert not flask.session.get("user_id")
assert not flask.session.get("google_proxy_group_id")
assert not add_google_email_to_proxy_group_mock.called
def test_valid_session_modified(app):
username = "******"
modified_username = "******"
test_session_jwt = create_session_token(app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={"username": username})
# Test that once the session is started, we have access to
# the username
with app.test_client() as client:
# manually set cookie for initial session
client.set_cookie(
"localhost",
config["SESSION_COOKIE_NAME"],
test_session_jwt,
httponly=True,
samesite="Lax",
)
with client.session_transaction() as session:
assert session["username"] == username
session["username"] = modified_username
with client.session_transaction() as session:
assert session["username"] == modified_username
def test_expired_session_timeout(app):
# make the start time be one timeout in the past (so the
# session is expired)
max_inactivity = app.config.get("SESSION_TIMEOUT")
now = int(time.time())
last_active = (now - max_inactivity.seconds)
username = "******"
# since we're timetraveling, we have to trick the JWT (since it relies
# on the current time and this expiration to calculate
# the actual expiration time). For testing, we'll "expire" it on creation
jwt_expiration = 0
test_session_jwt = create_session_token(app.keypairs[0],
jwt_expiration,
context=dict(
session_started=last_active,
username=username))
with app.test_client() as client:
# manually set cookie for initial session
client.set_cookie("localhost", SESSION_COOKIE_NAME, test_session_jwt)
with client.session_transaction() as session:
# make sure we don't have the username when opening
# the session, since it has expired
assert session.get("username") != username
def test_expired_session_lifetime(app):
# make the start time be max lifetime ago (so it's expired)
lifetime = config.get("SESSION_LIFETIME")
now = int(time.time())
one_lifetime_ago = now - lifetime
username = "******"
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context=dict(session_started=one_lifetime_ago, username=username),
)
with app.test_client() as client:
# manually set cookie for initial session
client.set_cookie(
"localhost",
config["SESSION_COOKIE_NAME"],
test_session_jwt,
httponly=True,
samesite="Lax",
)
with client.session_transaction() as session:
# make sure we don't have the username when opening
# the session, since it has expired
assert session.get("username") != username
def test_google_link_auth_return(
app,
client,
db_session,
encoded_creds_jwt,
google_auth_get_user_info_mock,
add_google_email_to_proxy_group_mock,
):
"""
Test the link endpoint that gets hit after authN. Make sure we
make calls to create new user google accounts and return a redirect
with the redirect from the flask.session.
"""
user_id = encoded_creds_jwt["user_id"]
proxy_group_id = encoded_creds_jwt["proxy_group_id"]
test_auth_code = "abc123"
redirect = "http://localhost"
google_account = "*****@*****.**"
test_session_jwt = create_session_token(
app.keypairs[0],
app.config.get("SESSION_TIMEOUT"),
context={
"google_link": True,
"user_id": user_id,
"google_proxy_group_id": proxy_group_id,
"redirect": redirect,
},
)
# manually set cookie for initial session
client.set_cookie("localhost", SESSION_COOKIE_NAME, test_session_jwt)
# simulate successfully authed reponse with user email
google_auth_get_user_info_mock.return_value = {"email": google_account}
r = client.get("/link/google/callback",
query_string={"code": test_auth_code})
assert r.status_code == 302
parsed_url = urlparse(r.headers["Location"])
query_params = parse_qs(parsed_url.query)
response_redirect = urlunparse(
(parsed_url.scheme, parsed_url.netloc, parsed_url.path, "", "", ""))
assert "exp" in query_params
assert query_params["linked_email"][0] == google_account
assert response_redirect == redirect
user_google_account = (db_session.query(UserGoogleAccount).filter(
UserGoogleAccount.email == google_account,
UserGoogleAccount.user_id == user_id,
).first())
assert user_google_account
assert not flask.session.get("google_link")
assert not flask.session.get("user_id")
assert not flask.session.get("google_proxy_group_id")
assert add_google_email_to_proxy_group_mock.called
def test_valid_session_valid_access_token_diff_user(app, test_user_a,
test_user_b, db_session,
monkeypatch):
"""
Test the case where a valid access token is in a cookie, but it's for a
different user than the one logged in. Make sure that a new access token
is created for the logged in user and the response doesn't contain info
for the non-logged in user.
"""
monkeypatch.setitem(config, "MOCK_AUTH", False)
user = db_session.query(User).filter_by(id=test_user_a["user_id"]).first()
keypair = app.keypairs[0]
test_session_jwt = create_session_token(
keypair,
config.get("SESSION_TIMEOUT"),
context={
"username": user.username,
"provider": "google"
},
)
# different user's access token
other_user = db_session.query(User).filter_by(
id=test_user_b["user_id"]).first()
test_access_jwt = generate_signed_access_token(
kid=keypair.kid,
private_key=keypair.private_key,
user=other_user,
expires_in=config["ACCESS_TOKEN_EXPIRES_IN"],
scopes=["openid", "user"],
iss=config.get("BASE_URL"),
).token
with app.test_client() as client:
# manually set cookie for initial session
client.set_cookie("localhost", config["SESSION_COOKIE_NAME"],
test_session_jwt)
client.set_cookie("localhost", config["ACCESS_TOKEN_COOKIE_NAME"],
test_access_jwt)
response = client.get("/user")
cookies = _get_cookies_from_response(response)
# either there's a new access_token in the response headers or the
# previously set access token been changed
access_token = (cookies.get("access_token", {}).get("access_token")
or test_access_jwt)
valid_access_token = validate_jwt(access_token, purpose="access")
assert response.status_code == 200
response_user_id = response.json.get("user_id") or response.json.get(
"sub")
assert response_user_id == test_user_a["user_id"]
user_id = valid_access_token.get("user_id") or valid_access_token.get(
"sub")
assert test_user_a["user_id"] == int(user_id)
def test_patch_google_link_account_doesnt_exist(
app,
client,
db_session,
encoded_creds_jwt,
google_auth_get_user_info_mock,
add_google_email_to_proxy_group_mock,
):
"""
Test extending expiration for an unlinked G account access via PATCH.
"""
encoded_credentials_jwt = encoded_creds_jwt["jwt"]
user_id = encoded_creds_jwt["user_id"]
proxy_group_id = encoded_creds_jwt["proxy_group_id"]
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={"google_proxy_group_id": proxy_group_id},
)
# manually set cookie for initial session
client.set_cookie(
"localhost",
config["SESSION_COOKIE_NAME"],
test_session_jwt,
httponly=True,
samesite="Lax",
)
r = client.patch(
"/link/google", headers={"Authorization": "Bearer " + encoded_credentials_jwt}
)
assert r.status_code == 404
# make sure accounts weren't created
g_account = (
db_session.query(UserGoogleAccount)
.filter(UserGoogleAccount.user_id == user_id)
.first()
)
assert not g_account
account_in_proxy_group = (
db_session.query(UserGoogleAccountToProxyGroup)
.filter(UserGoogleAccountToProxyGroup.proxy_group_id == proxy_group_id)
.first()
)
assert not account_in_proxy_group
assert not add_google_email_to_proxy_group_mock.called
def test_valid_session_valid_access_token(app, db_session, test_user_a,
test_user_b, monkeypatch):
monkeypatch.setitem(config, "MOCK_AUTH", False)
user = db_session.query(User).filter_by(id=test_user_a["user_id"]).first()
keypair = app.keypairs[0]
test_session_jwt = create_session_token(
keypair,
config.get("SESSION_TIMEOUT"),
context={
"username": user.username,
"provider": "google"
},
)
test_access_jwt = generate_signed_access_token(
kid=keypair.kid,
private_key=keypair.private_key,
user=user,
expires_in=config["ACCESS_TOKEN_EXPIRES_IN"],
scopes=["openid", "user"],
iss=config.get("BASE_URL"),
forced_exp_time=None,
client_id=None,
linked_google_email=None,
).token
# Test that once the session is started, we have access to
# the username
with app.test_client() as client:
# manually set cookie for initial session
client.set_cookie(
"localhost",
config["SESSION_COOKIE_NAME"],
test_session_jwt,
httponly=True,
samesite="Lax",
)
client.set_cookie(
"localhost",
config["ACCESS_TOKEN_COOKIE_NAME"],
test_access_jwt,
httponly=True,
samesite="Lax",
)
response = client.get("/user")
user_id = response.json.get("user_id") or response.json.get("sub")
assert response.status_code == 200
assert user_id == user.id
def test_google_login_http_headers_are_less_than_4k_for_user_with_many_projects(
app, client, monkeypatch, db_session):
"""
Test that when the current user has access to a large number of projects,
the http headers of the response from a GET to /login/google/login are less
than 4k bytes in size.
"""
monkeypatch.setitem(config, "MOCK_GOOGLE_AUTH", True)
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={
"redirect":
"https://localhost/user/oauth2/authorize?client_id=7f7kAS4MJraUuo77d7RWHr4mZ6bvGtuzup7hw46I&response_type=id_token&redirect_uri=https://webapp.example/fence&scope=openid+user+data+google_credentials&nonce=randomvalue"
},
)
client.set_cookie(
"localhost",
config["SESSION_COOKIE_NAME"],
test_session_jwt,
httponly=True,
samesite="Lax",
)
user_projects = {
"test": {
f"project{x}": {
"read",
"read-storage",
"update",
"upload",
"create",
"write-storage",
"delete",
}
for x in range(20)
}
}
user_info = {
"test": {
"tags": {},
}
}
dbGaP = os.environ.get("dbGaP") or config.get("dbGaP")
syncer = UserSyncer(dbGaP, config["DB"], {})
syncer.sync_to_db_and_storage_backend(user_projects, user_info, db_session)
resp = client.get("/login/google/login")
assert len(str(resp.headers)) < 4096
assert resp.status_code == 302
def get_updated_token(self, app):
if self._encoded_token:
# Create a new token by passing in fields from the current
# token. If `session_started` is None, it will be defaulted
# to the issue time for the JWT and passed into future tokens
# to keep track of the overall lifetime of the session
token = create_session_token(
flask.current_app.keypairs[0],
config.get("SESSION_TIMEOUT"),
self.session_token["context"],
)
self._encoded_token = token
return self._encoded_token
def test_valid_session(app):
username = "******"
test_session_jwt = create_session_token(
app.keypairs[0],
app.config.get("SESSION_TIMEOUT").seconds,
context={'username': username},
)
# Test that once the session is started, we have access to
# the username
with app.test_client() as client:
# manually set cookie for initial session
client.set_cookie("localhost", SESSION_COOKIE_NAME, test_session_jwt)
with client.session_transaction() as session:
assert session["username"] == username
def test_session_cleared(app):
username = "******"
test_session_jwt = create_session_token(
app.keypairs[0], config.get("SESSION_TIMEOUT"), context=dict(username=username)
)
# Test that once the session is started, we have access to
# the username
with app.test_client() as client:
# manually set cookie for initial session
client.set_cookie("localhost", config["SESSION_COOKIE_NAME"], test_session_jwt)
with client.session_transaction() as session:
session["username"] = username
session.clear()
assert session.get("username") != username
client_cookies = [cookie.name for cookie in client.cookie_jar]
assert config["SESSION_COOKIE_NAME"] not in client_cookies
def test_logout_fence(app, client, user_with_fence_provider, monkeypatch):
other_fence_logout_url = "https://test-url.com"
monkeypatch.setitem(config, "MOCK_AUTH", False)
monkeypatch.setitem(config, "SHIBBOLETH_HEADER", None)
monkeypatch.setitem(config, "OPENID_CONNECT",
{"fence": {
"api_base_url": other_fence_logout_url
}})
username = "******"
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={
"username": username,
"provider": "fence"
},
)
# Test that once the session is started, we have access to
# the username
redirect = "https://some_site.com"
# fence will reject unexpected redirect URLs, so we patch the validator to consider
# this redirect valid
with mock.patch("fence.allowed_login_redirects",
return_value={"some_site.com"}):
# manually set cookie for initial session
client.set_cookie(
"localhost",
config["SESSION_COOKIE_NAME"],
test_session_jwt,
httponly=True,
samesite="Lax",
)
r = client.get("/logout?next={}".format(redirect))
assert r.status_code == 302
assert r.location.startswith(other_fence_logout_url)
parsed_url = urllib.parse.urlparse(r.location)
result_redirect = urllib.parse.parse_qs(
parsed_url.query).get("next")[0]
assert result_redirect == redirect
def test_logout_fence(app, user_with_fence_provider, monkeypatch):
other_fence_logout_url = "https://test-url.com"
monkeypatch.setitem(app.config, "MOCK_AUTH", False)
monkeypatch.setitem(app.config, "SHIBBOLETH_HEADER", None)
monkeypatch.setitem(
app.config,
"OPENID_CONNECT",
{"fence": {
"api_base_url": other_fence_logout_url
}},
)
username = "******"
test_session_jwt = create_session_token(
app.keypairs[0],
app.config.get("SESSION_TIMEOUT"),
context={
"username": username,
"provider": "fence"
},
)
# Test that once the session is started, we have access to
# the username
with app.test_client() as client:
# manually set cookie for initial session
client.set_cookie("localhost", SESSION_COOKIE_NAME, test_session_jwt)
r = client.get("/logout?next=https://some_site.com")
assert r.status_code == 302
assert r.location.startswith(other_fence_logout_url)
parsed_url = urlparse.urlparse(r.location)
raw_redirect = urlparse.parse_qs(parsed_url.query).get("next")[0]
redirect = urllib.unquote(raw_redirect)
assert redirect == "https://some_site.com"
def test_google_link_g_account_access_extension(
app,
client,
db_session,
encoded_creds_jwt,
add_new_g_acnt_mock,
google_auth_get_user_info_mock,
add_google_email_to_proxy_group_mock,
):
"""
Test the link endpoint that gets hit after authN when the provided Google
account is already linked. This time test if we correctly extend the
google accounts access.
"""
user_id = encoded_creds_jwt["user_id"]
proxy_group_id = encoded_creds_jwt["proxy_group_id"]
original_expiration = 1000
test_auth_code = "abc123"
redirect = "http://localhost"
google_account = "*****@*****.**"
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={
"google_link": True,
"user_id": user_id,
"google_proxy_group_id": proxy_group_id,
"redirect": redirect,
},
)
existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
db_session.add(existing_account)
db_session.commit()
g_account_access = UserGoogleAccountToProxyGroup(
user_google_account_id=existing_account.id,
proxy_group_id=proxy_group_id,
expires=original_expiration,
)
db_session.add(g_account_access)
db_session.commit()
# manually set cookie for initial session
client.set_cookie("localhost", config["SESSION_COOKIE_NAME"],
test_session_jwt)
# simulate successfully authed reponse with user email
google_auth_get_user_info_mock.return_value = {"email": google_account}
r = client.get("/link/google/callback",
query_string={"code": test_auth_code})
account_in_proxy_group = (
db_session.query(UserGoogleAccountToProxyGroup).filter(
UserGoogleAccountToProxyGroup.user_google_account_id ==
existing_account.id).first())
assert account_in_proxy_group.proxy_group_id == proxy_group_id
# check that expiration changed and that it's less than the cfg
# expires in (since this check will happen a few seconds after
# it gets set)
assert account_in_proxy_group.expires != original_expiration
assert account_in_proxy_group.expires <= (
int(time.time()) + config["GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN"])
assert not add_new_g_acnt_mock.called
assert r.status_code == 302
parsed_url = urlparse(r.headers["Location"])
query_params = parse_qs(parsed_url.query)
response_redirect = urlunparse(
(parsed_url.scheme, parsed_url.netloc, parsed_url.path, "", "", ""))
assert "exp" in query_params
assert query_params["linked_email"][0] == google_account
assert response_redirect == redirect
assert not flask.session.get("google_link")
assert not flask.session.get("user_id")
assert not flask.session.get("google_proxy_group_id")
assert not add_google_email_to_proxy_group_mock.called
def test_google_link_g_account_exists(
app,
client,
db_session,
encoded_creds_jwt,
add_new_g_acnt_mock,
google_auth_get_user_info_mock,
add_google_email_to_proxy_group_mock,
):
"""
Test the link endpoint that gets hit after authN when the provided Google
account is already linked. Make sure we don't attempt to create a new one
and that we redirect with no errors
"""
user_id = encoded_creds_jwt["user_id"]
proxy_group_id = encoded_creds_jwt["proxy_group_id"]
test_auth_code = "abc123"
redirect = "http://localhost"
google_account = "*****@*****.**"
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={
"google_link": True,
"user_id": user_id,
"google_proxy_group_id": proxy_group_id,
"redirect": redirect,
},
)
existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
db_session.add(existing_account)
db_session.commit()
# manually set cookie for initial session
client.set_cookie(
"localhost",
config["SESSION_COOKIE_NAME"],
test_session_jwt,
httponly=True,
samesite="Lax",
)
# simulate successfully authed reponse with user email
google_auth_get_user_info_mock.return_value = {"email": google_account}
r = client.get("/link/google/callback", query_string={"code": test_auth_code})
assert not add_new_g_acnt_mock.called
assert r.status_code == 302
parsed_url = urlparse(r.headers["Location"])
query_params = parse_qs(parsed_url.query)
response_redirect = urlunparse(
(parsed_url.scheme, parsed_url.netloc, parsed_url.path, "", "", "")
)
assert "exp" in query_params
assert query_params["linked_email"][0] == google_account
assert response_redirect == redirect
assert not flask.session.get("google_link")
assert not flask.session.get("user_id")
assert not flask.session.get("google_proxy_group_id")
# check that we're adding the G account to the proxy group
assert add_google_email_to_proxy_group_mock.called
def test_patch_google_link(
app,
client,
db_session,
encoded_creds_jwt,
google_auth_get_user_info_mock,
add_google_email_to_proxy_group_mock,
):
"""
Test extending expiration for previously linked G account access via PATCH.
Test valid and invalid expires_in parameters.
"""
encoded_credentials_jwt = encoded_creds_jwt["jwt"]
user_id = encoded_creds_jwt["user_id"]
proxy_group_id = encoded_creds_jwt["proxy_group_id"]
original_expiration = 1000
google_account = "*****@*****.**"
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={
"google_proxy_group_id": proxy_group_id,
"linked_google_email": google_account,
},
)
existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
db_session.add(existing_account)
db_session.commit()
g_account_access = UserGoogleAccountToProxyGroup(
user_google_account_id=existing_account.id,
proxy_group_id=proxy_group_id,
expires=original_expiration,
)
db_session.add(g_account_access)
db_session.commit()
# manually set cookie for initial session
client.set_cookie("localhost", config["SESSION_COOKIE_NAME"],
test_session_jwt)
r = client.patch(
"/link/google",
headers={"Authorization": "Bearer " + encoded_credentials_jwt})
assert r.status_code == 200
account_in_proxy_group = (
db_session.query(UserGoogleAccountToProxyGroup).filter(
UserGoogleAccountToProxyGroup.user_google_account_id ==
existing_account.id).first())
assert account_in_proxy_group.proxy_group_id == proxy_group_id
# check that expiration changed and that it's less than the cfg
# expires in (since this check will happen a few seconds after
# it gets set)
updated_expiration = account_in_proxy_group.expires
assert updated_expiration != original_expiration
assert updated_expiration <= (int(time.time()) +
config["GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN"])
assert not add_google_email_to_proxy_group_mock.called
# invalid expires_in: should fail
requested_exp = "abc" # expires_in must be int >0
r = client.patch(
"/link/google?expires_in={}".format(requested_exp),
headers={"Authorization": "Bearer " + encoded_credentials_jwt},
)
assert r.status_code == 400
# valid expires_in: should succeed
requested_exp = 60
r = client.patch(
"/link/google?expires_in={}".format(requested_exp),
headers={"Authorization": "Bearer " + encoded_credentials_jwt},
)
assert r.status_code == 200
account_in_proxy_group = (
db_session.query(UserGoogleAccountToProxyGroup).filter(
UserGoogleAccountToProxyGroup.user_google_account_id ==
existing_account.id).first())
# make sure the link is valid for the requested time
# (allow up to 15 sec for runtime)
diff = account_in_proxy_group.expires - int(time.time())
assert requested_exp <= diff <= requested_exp + 15
def test_patch_google_link_account_not_in_token(
app,
client,
db_session,
encoded_creds_jwt,
google_auth_get_user_info_mock,
add_google_email_to_proxy_group_mock,
):
"""
Test extending expiration for previously linked G account access via PATCH.
This will test the case where the linking happened during the life
of an access token and the same access token is used here (e.g.
account exists but a new token hasn't been generated with the linkage
info yet)
"""
encoded_credentials_jwt = encoded_creds_jwt["jwt"]
user_id = encoded_creds_jwt["user_id"]
proxy_group_id = encoded_creds_jwt["proxy_group_id"]
original_expiration = 1000
google_account = "*****@*****.**"
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={"google_proxy_group_id": proxy_group_id},
)
existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
db_session.add(existing_account)
db_session.commit()
g_account_access = UserGoogleAccountToProxyGroup(
user_google_account_id=existing_account.id,
proxy_group_id=proxy_group_id,
expires=original_expiration,
)
db_session.add(g_account_access)
db_session.commit()
# manually set cookie for initial session
client.set_cookie("localhost", config["SESSION_COOKIE_NAME"],
test_session_jwt)
r = client.patch(
"/link/google",
headers={"Authorization": "Bearer " + encoded_credentials_jwt})
assert r.status_code == 200
account_in_proxy_group = (
db_session.query(UserGoogleAccountToProxyGroup).filter(
UserGoogleAccountToProxyGroup.user_google_account_id ==
existing_account.id).first())
assert account_in_proxy_group.proxy_group_id == proxy_group_id
# check that expiration changed and that it's less than the cfg
# expires in (since this check will happen a few seconds after
# it gets set)
assert account_in_proxy_group.expires != original_expiration
assert account_in_proxy_group.expires <= (
int(time.time()) + config["GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN"])
assert not add_google_email_to_proxy_group_mock.called
def test_google_link_when_google_mocked(
app,
client,
db_session,
encoded_creds_jwt,
google_auth_get_user_info_mock,
add_google_email_to_proxy_group_mock,
monkeypatch,
):
""""""
monkeypatch.setitem(config, "MOCK_GOOGLE_AUTH", True)
user_id = encoded_creds_jwt["user_id"]
proxy_group_id = encoded_creds_jwt["proxy_group_id"]
redirect = "http://localhost"
google_account = encoded_creds_jwt["username"]
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={
"google_link": True,
"user_id": user_id,
"google_proxy_group_id": proxy_group_id,
"redirect": redirect,
},
)
# manually set cookie for initial session
client.set_cookie("localhost", config["SESSION_COOKIE_NAME"],
test_session_jwt)
headers = {"Authorization": "Bearer " + encoded_creds_jwt.jwt}
r_link = client.get("/link/google/",
headers=headers,
query_string={"redirect": redirect})
redirect_location = str(r_link.location).replace(config["BASE_URL"], "")
# Pass through the Authorization header in the response...
# In our actual commons, the reverse proxy handles dumping this into the request
# again. this is ONLY used when MOCK_GOOGLE_AUTH is true (e.g. we're trying to
# fake a Google login)
auth_header = r_link.headers.get("Authorization")
r = client.get(redirect_location, headers={"Authorization": auth_header})
assert r.status_code == 302
parsed_url = urlparse(r.headers["Location"])
query_params = parse_qs(parsed_url.query)
response_redirect = urlunparse(
(parsed_url.scheme, parsed_url.netloc, parsed_url.path, "", "", ""))
assert "exp" in query_params
assert query_params["linked_email"][0] == google_account
assert response_redirect == redirect
user_google_account = (db_session.query(UserGoogleAccount).filter(
UserGoogleAccount.email == google_account,
UserGoogleAccount.user_id == user_id,
).first())
assert user_google_account
assert not flask.session.get("google_link")
assert not flask.session.get("user_id")
assert not flask.session.get("google_proxy_group_id")
assert add_google_email_to_proxy_group_mock.called
def test_google_link_g_account_exists_linked_to_different_user(
app,
client,
db_session,
encoded_creds_jwt,
add_new_g_acnt_mock,
google_auth_get_user_info_mock,
add_google_email_to_proxy_group_mock,
):
"""
Test the link endpoint that gets hit after authN when the provided Google
account is already linked to a different user. We should not attempt to
create a new user google account and just redirect with
an error.
"""
user_id = encoded_creds_jwt["user_id"]
proxy_group_id = encoded_creds_jwt["proxy_group_id"]
test_auth_code = "abc123"
redirect = "http://localhost"
google_account = "*****@*****.**"
test_session_jwt = create_session_token(
app.keypairs[0],
config.get("SESSION_TIMEOUT"),
context={
"google_link": True,
"user_id": user_id + 5, # <- NOT the user whose g acnt exists
"google_proxy_group_id": proxy_group_id,
"redirect": redirect,
},
)
existing_account = UserGoogleAccount(email=google_account, user_id=user_id)
db_session.add(existing_account)
db_session.commit()
# manually set cookie for initial session
client.set_cookie("localhost", config["SESSION_COOKIE_NAME"],
test_session_jwt)
# simulate successfully authed reponse with user email
google_auth_get_user_info_mock.return_value = {"email": google_account}
r = client.get("/link/google/callback",
query_string={"code": test_auth_code})
assert not add_new_g_acnt_mock.called
# make sure we're redirecting with error information
parsed_url = urlparse(r.headers["Location"])
query_params = parse_qs(parsed_url.query)
response_redirect = urlunparse(
(parsed_url.scheme, parsed_url.netloc, parsed_url.path, "", "", ""))
response_redirect = urlunparse(
(parsed_url.scheme, parsed_url.netloc, parsed_url.path, "", "", ""))
assert "exp" not in query_params
assert "linked_email" not in query_params
assert "error" in query_params
assert "error_description" in query_params
assert response_redirect == redirect
assert not flask.session.get("google_link")
assert not flask.session.get("user_id")
assert not flask.session.get("google_proxy_group_id")
assert not add_google_email_to_proxy_group_mock.called
