def test_encrypt_password(self, app, user_class): """ This test verifies that Praetorian encrypts passwords using the scheme specified by the HASH_SCHEME setting. If no scheme is supplied, the test verifies that the default scheme is used. Otherwise, the test verifies that the encrypted password matches the supplied scheme. """ default_guard = Praetorian(app, user_class) secret = default_guard.encrypt_password('some password') assert default_guard.pwd_ctx.identify(secret) == 'pbkdf2_sha512' app.config['PRAETORIAN_HASH_SCHEME'] = 'plaintext' dumb_guard = Praetorian(app, user_class) assert dumb_guard.encrypt_password('some password') == 'some password'
def test_read_token_from_header(self, app, db, user_class, client): """ This test verifies that a token may be properly read from a flask request's header using the configuration settings for header name and type """ guard = Praetorian(app, user_class) the_dude = user_class( username='******', password=guard.encrypt_password('abides'), roles='admin,operator', ) db.session.add(the_dude) db.session.commit() moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_jwt_token(the_dude) client.get( '/unprotected', headers={ 'Content-Type': 'application/json', DEFAULT_JWT_HEADER_NAME: DEFAULT_JWT_HEADER_TYPE + ' ' + token, }, ) assert guard.read_token_from_header() == token
def test_encode_jwt_token(self, app, user_class): """ This test verifies that the encode_jwt_token correctly encodes jwt data based on a user instance """ guard = Praetorian(app, user_class) the_dude = user_class( username='******', password=guard.encrypt_password('abides'), roles='admin,operator', ) moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_jwt_token(the_dude) token_data = jwt.decode( token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert token_data['iat'] == moment.int_timestamp assert token_data['exp'] == ( moment + DEFAULT_JWT_ACCESS_LIFESPAN ).int_timestamp assert token_data['rf_exp'] == ( moment + DEFAULT_JWT_REFRESH_LIFESPAN ).int_timestamp assert token_data['id'] == the_dude.id assert token_data['rls'] == 'admin,operator'
def test_encode_eternal_jwt_token(self, app, user_class): """ This test verifies that the encode_eternal_jwt_token correctly encodes jwt data based on a user instance. Also verifies that the lifespan is set to the constant VITAM_AETERNUM """ guard = Praetorian(app, user_class) the_dude = user_class( username='******', password=guard.encrypt_password('abides'), roles='admin,operator', ) moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_eternal_jwt_token(the_dude) token_data = jwt.decode( token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert token_data['iat'] == moment.int_timestamp assert token_data['exp'] == (moment + VITAM_AETERNUM).int_timestamp assert token_data['rf_exp'] == (moment + VITAM_AETERNUM).int_timestamp assert token_data['id'] == the_dude.id
def test_pack_header_for_user(self, app, user_class): """ This test verifies that the pack_header_for_user method can be used to package a token into a header dict for a specified user """ guard = Praetorian(app, user_class) the_dude = user_class( username='******', password=guard.encrypt_password('abides'), roles='admin,operator', ) moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): header_dict = guard.pack_header_for_user(the_dude) token_header = header_dict.get(DEFAULT_JWT_HEADER_NAME) assert token_header is not None token = token_header.replace(DEFAULT_JWT_HEADER_TYPE, '') token = token.strip() token_data = jwt.decode( token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert token_data['iat'] == moment.int_timestamp assert token_data['exp'] == ( moment + pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN)).int_timestamp assert token_data['rf_exp'] == (moment + pendulum.Duration( **DEFAULT_JWT_REFRESH_LIFESPAN)).int_timestamp assert token_data['id'] == the_dude.id assert token_data['rls'] == 'admin,operator' moment = pendulum.parse('2017-05-21 18:39:55') override_access_lifespan = pendulum.Duration(minutes=1) override_refresh_lifespan = pendulum.Duration(hours=1) with freezegun.freeze_time(moment): header_dict = guard.pack_header_for_user( the_dude, override_access_lifespan=override_access_lifespan, override_refresh_lifespan=override_refresh_lifespan, ) token_header = header_dict.get(DEFAULT_JWT_HEADER_NAME) assert token_header is not None token = token_header.replace(DEFAULT_JWT_HEADER_TYPE, '') token = token.strip() token_data = jwt.decode( token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert token_data['exp'] == ( moment + override_access_lifespan).int_timestamp assert token_data['rf_exp'] == ( moment + override_refresh_lifespan).int_timestamp assert token_data['id'] == the_dude.id
def test_verify_passord(self, app, user_class, default_guard): """ This test verifies that the verify_password function can be used to successfully compare a raw password against its hashed version """ secret = default_guard.encrypt_password('some password') assert default_guard.verify_password('some password', secret) assert not default_guard.verify_password('not right', secret) app.config['PRAETORIAN_HASH_SCHEME'] = 'pbkdf2_sha512' specified_guard = Praetorian(app, user_class) secret = specified_guard.encrypt_password('some password') assert specified_guard.verify_password('some password', secret) assert not specified_guard.verify_password('not right', secret)
def test_authenticate(self, app, user_class, db): """ This test verifies that the authenticate function can be used to retrieve a User instance when the correct username and password are supplied. It also verifies that None is returned when a matching password and username are not supplied """ default_guard = Praetorian(app, user_class) the_dude = user_class( username='******', password=default_guard.encrypt_password('abides'), ) db.session.add(the_dude) db.session.commit() assert default_guard.authenticate('TheDude', 'abides') == the_dude assert default_guard.authenticate('TheDude', 'is_undudelike') is None assert default_guard.authenticate('Walter', 'abides') is None db.session.delete(the_dude) db.session.commit()
def test_authenticate(self, app, user_class, db): """ This test verifies that the authenticate function can be used to retrieve a User instance when the correct username and password are supplied. It also verifies that exceptions are raised when a user cannot be found or the passwords do not match """ default_guard = Praetorian(app, user_class) the_dude = user_class( username='******', password=default_guard.encrypt_password('abides'), ) db.session.add(the_dude) db.session.commit() assert default_guard.authenticate('TheDude', 'abides') == the_dude with pytest.raises(MissingUserError): default_guard.authenticate('TheBro', 'abides') with pytest.raises(AuthenticationError): default_guard.authenticate('TheDude', 'is_undudelike') db.session.delete(the_dude) db.session.commit()
def test_refresh_jwt_token(self, app, db, user_class): """ This test verifies that the refresh_jwt_token properly generates a refreshed jwt token. It ensures that a token who's access permission has not expired may not be refreshed. It also ensures that a token who's access permission has expired must not have an expired refresh permission for a new token to be issued """ guard = Praetorian(app, user_class) the_dude = user_class( username='******', password=guard.encrypt_password('abides'), roles='admin,operator', ) db.session.add(the_dude) db.session.commit() moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_jwt_token(the_dude) new_moment = ( pendulum.parse('2017-05-21 18:39:55') .add_timedelta(DEFAULT_JWT_ACCESS_LIFESPAN) .add(minutes=1) ) with freezegun.freeze_time(new_moment): new_token = guard.refresh_jwt_token(token) new_token_data = jwt.decode( new_token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert new_token_data['iat'] == new_moment.int_timestamp assert new_token_data['exp'] == ( new_moment + DEFAULT_JWT_ACCESS_LIFESPAN ).int_timestamp assert new_token_data['rf_exp'] == ( moment + DEFAULT_JWT_REFRESH_LIFESPAN ).int_timestamp assert new_token_data['id'] == the_dude.id assert new_token_data['rls'] == 'admin,operator'
def test_refresh_jwt_token( self, app, db, user_class, validating_user_class, ): """ This test:: * verifies that the refresh_jwt_token properly generates a refreshed jwt token. * ensures that a token who's access permission has not expired may not be refreshed. * ensures that a token who's access permission has expired must not have an expired refresh permission for a new token to be issued. * ensures that if an override_access_lifespan argument is supplied that it is used instead of the instance's access_lifespan. * ensures that the access_lifespan may not exceed the refresh lifespan. * ensures that if the user_class has the instance method validate(), it is called an any exceptions it raises are wrapped in an InvalidUserError. * verifies that if a user is no longer identifiable that a MissingUserError is raised * verifies that any custom claims in the original token's payload are also packaged in the new token's payload """ guard = Praetorian(app, user_class) the_dude = user_class( username='******', password=guard.encrypt_password('abides'), roles='admin,operator', ) db.session.add(the_dude) db.session.commit() moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_jwt_token(the_dude) new_moment = (pendulum.parse('2017-05-21 18:39:55') + pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) + pendulum.Duration(minutes=1)) with freezegun.freeze_time(new_moment): new_token = guard.refresh_jwt_token(token) new_token_data = jwt.decode( new_token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert new_token_data['iat'] == new_moment.int_timestamp assert new_token_data['exp'] == ( new_moment + pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN)).int_timestamp assert new_token_data['rf_exp'] == (moment + pendulum.Duration( **DEFAULT_JWT_REFRESH_LIFESPAN)).int_timestamp assert new_token_data['id'] == the_dude.id assert new_token_data['rls'] == 'admin,operator' moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_jwt_token(the_dude) new_moment = (pendulum.parse('2017-05-21 18:39:55') + pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) + pendulum.Duration(minutes=1)) with freezegun.freeze_time(new_moment): new_token = guard.refresh_jwt_token( token, override_access_lifespan=pendulum.Duration(hours=2), ) new_token_data = jwt.decode( new_token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert new_token_data['exp'] == ( new_moment + pendulum.Duration(hours=2)).int_timestamp moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_jwt_token( the_dude, override_refresh_lifespan=pendulum.Duration(hours=2), override_access_lifespan=pendulum.Duration(minutes=30), ) new_moment = moment + pendulum.Duration(minutes=31) with freezegun.freeze_time(new_moment): new_token = guard.refresh_jwt_token( token, override_access_lifespan=pendulum.Duration(hours=2), ) new_token_data = jwt.decode( new_token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert new_token_data['exp'] == new_token_data['rf_exp'] expiring_interval = (pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) + pendulum.Duration(minutes=1)) validating_guard = Praetorian(app, validating_user_class) brandt = validating_user_class( username='******', password=guard.encrypt_password("can't watch"), is_active=True, ) db.session.add(brandt) db.session.commit() moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_jwt_token(brandt) new_moment = moment + expiring_interval with freezegun.freeze_time(new_moment): validating_guard.refresh_jwt_token(token) brandt.is_active = False db.session.merge(brandt) db.session.commit() new_moment = new_moment + expiring_interval with freezegun.freeze_time(new_moment): with pytest.raises(InvalidUserError) as err_info: validating_guard.refresh_jwt_token(token) expected_message = 'The user is not valid or has had access revoked' assert expected_message in str(err_info.value) expiring_interval = (pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) + pendulum.Duration(minutes=1)) guard = Praetorian(app, user_class) bunny = user_class( username='******', password=guard.encrypt_password("can't blow that far"), ) db.session.add(bunny) db.session.commit() moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_jwt_token(bunny) db.session.delete(bunny) db.session.commit() new_moment = moment + expiring_interval with freezegun.freeze_time(new_moment): with pytest.raises(MissingUserError) as err_info: validating_guard.refresh_jwt_token(token) expected_message = 'Could not find the requested user' assert expected_message in str(err_info.value) moment = pendulum.parse('2018-08-14 09:05:24') with freezegun.freeze_time(moment): token = guard.encode_jwt_token( the_dude, duder='brief', el_duderino='not brief', ) new_moment = (pendulum.parse('2018-08-14 09:05:24') + pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN) + pendulum.Duration(minutes=1)) with freezegun.freeze_time(new_moment): new_token = guard.refresh_jwt_token(token) new_token_data = jwt.decode( new_token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert new_token_data['iat'] == new_moment.int_timestamp assert new_token_data['exp'] == ( new_moment + pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN)).int_timestamp assert new_token_data['rf_exp'] == (moment + pendulum.Duration( **DEFAULT_JWT_REFRESH_LIFESPAN)).int_timestamp assert new_token_data['id'] == the_dude.id assert new_token_data['rls'] == 'admin,operator' assert new_token_data['duder'] == 'brief' assert new_token_data['el_duderino'] == 'not brief'
def test_encode_jwt_token(self, app, user_class, validating_user_class): """ This test:: * verifies that the encode_jwt_token correctly encodes jwt data based on a user instance. * verifies that if a user specifies an override for the access lifespan it is used in lieu of the instance's access_lifespan. * verifies that the access_lifespan cannot exceed the refresh lifespan. * ensures that if the user_class has the instance method validate(), it is called an any exceptions it raises are wrapped in an InvalidUserError * verifies that custom claims may be encoded in the token and validates that the custom claims do not collide with reserved claims """ guard = Praetorian(app, user_class) the_dude = user_class( username='******', password=guard.encrypt_password('abides'), roles='admin,operator', ) moment = pendulum.parse('2017-05-21 18:39:55') with freezegun.freeze_time(moment): token = guard.encode_jwt_token(the_dude) token_data = jwt.decode( token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert token_data['iat'] == moment.int_timestamp assert token_data['exp'] == ( moment + pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN)).int_timestamp assert token_data['rf_exp'] == (moment + pendulum.Duration( **DEFAULT_JWT_REFRESH_LIFESPAN)).int_timestamp assert token_data['id'] == the_dude.id assert token_data['rls'] == 'admin,operator' moment = pendulum.parse('2017-05-21 18:39:55') override_access_lifespan = pendulum.Duration(minutes=1) override_refresh_lifespan = pendulum.Duration(hours=1) with freezegun.freeze_time(moment): token = guard.encode_jwt_token( the_dude, override_access_lifespan=override_access_lifespan, override_refresh_lifespan=override_refresh_lifespan, ) token_data = jwt.decode( token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert token_data['iat'] == moment.int_timestamp assert token_data['exp'] == ( moment + override_access_lifespan).int_timestamp assert token_data['rf_exp'] == ( moment + override_refresh_lifespan).int_timestamp assert token_data['id'] == the_dude.id assert token_data['rls'] == 'admin,operator' moment = pendulum.parse('2017-05-21 18:39:55') override_access_lifespan = pendulum.Duration(hours=1) override_refresh_lifespan = pendulum.Duration(minutes=1) with freezegun.freeze_time(moment): token = guard.encode_jwt_token( the_dude, override_access_lifespan=override_access_lifespan, override_refresh_lifespan=override_refresh_lifespan, ) token_data = jwt.decode( token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert token_data['iat'] == moment.int_timestamp assert token_data['exp'] == token_data['rf_exp'] assert token_data['rf_exp'] == ( moment + override_refresh_lifespan).int_timestamp assert token_data['id'] == the_dude.id assert token_data['rls'] == 'admin,operator' validating_guard = Praetorian(app, validating_user_class) brandt = validating_user_class( username='******', password=guard.encrypt_password("can't watch"), is_active=True, ) validating_guard.encode_jwt_token(brandt) brandt.is_active = False with pytest.raises(InvalidUserError) as err_info: validating_guard.encode_jwt_token(brandt) expected_message = 'The user is not valid or has had access revoked' assert expected_message in str(err_info.value) moment = pendulum.parse('2018-08-18 08:55:12') with freezegun.freeze_time(moment): token = guard.encode_jwt_token( the_dude, duder='brief', el_duderino='not brief', ) token_data = jwt.decode( token, guard.encode_key, algorithms=guard.allowed_algorithms, ) assert token_data['iat'] == moment.int_timestamp assert token_data['exp'] == ( moment + pendulum.Duration(**DEFAULT_JWT_ACCESS_LIFESPAN)).int_timestamp assert token_data['rf_exp'] == (moment + pendulum.Duration( **DEFAULT_JWT_REFRESH_LIFESPAN)).int_timestamp assert token_data['id'] == the_dude.id assert token_data['rls'] == 'admin,operator' assert token_data['duder'] == 'brief' assert token_data['el_duderino'] == 'not brief' with pytest.raises(ClaimCollisionError) as err_info: guard.encode_jwt_token(the_dude, exp='nice marmot') expected_message = 'custom claims collide' assert expected_message in str(err_info.value)