def test_default_identity_allow_specific_repo(requested, expected):
    """Grant all permissions on a single repo and check one access request.

    ``requested`` is expanded into the keyword arguments of
    ``is_authorized`` and ``expected`` is the boolean it must return.
    NOTE(review): both are presumably fed by a parametrize decorator that is
    not visible here - confirm the cases include other repos and other orgs.
    """
    identity = DefaultIdentity('arthur', 'kingofthebritons', '*****@*****.**')
    identity.allow(
        organization='myorg',
        repo='somerepo',
        permissions=Permission.all(),
    )
    outcome = identity.is_authorized(**requested)
    # Identity comparison: the result must be the bool itself, not merely truthy.
    assert expected is outcome
def _get_identity(self, jwt_payload: Dict[str, Any]) -> Identity:
    """Build an identity from JWT claims and grant every scope they list.

    ``sub``, ``email`` and ``name`` populate the identity, with ``name``
    falling back to ``sub`` when absent. Each entry of the ``scopes`` claim
    is parsed by ``self._parse_scope`` and handed to ``identity.allow``, so
    the claims alone decide what the returned identity is authorized to do.

    NOTE(review): nothing here checks the token signature, expiry or the
    presence of ``sub`` - presumably the caller has already verified the
    token before passing its payload in; confirm at the call site.
    """
    subject = jwt_payload.get('sub')
    identity = DefaultIdentity(
        id=subject,
        email=jwt_payload.get('email'),
        name=jwt_payload.get('name', subject),
    )

    # A missing ``scopes`` claim yields an empty iterable, i.e. no grants.
    granted_scopes = to_iterable(jwt_payload.get('scopes', ()))
    self._log.debug("Allowing scopes: %s", granted_scopes)

    for raw_scope in granted_scopes:
        allow_kwargs = self._parse_scope(raw_scope)
        identity.allow(**allow_kwargs)
    return identity
def test_default_identity_properties():
    """Check that name, id and email are exposed as given to the constructor."""
    identity = DefaultIdentity('arthur', 'kingofthebritons', '*****@*****.**')
    expected_attributes = {
        'name': 'arthur',
        'id': 'kingofthebritons',
        'email': '*****@*****.**',
    }
    for attribute, value in expected_attributes.items():
        assert getattr(identity, attribute) == value
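def test_jwt_pre_authorize_action():
    """Check the Authorization header JWTAuthenticator issues for one repo.

    The token is decoded with the shared HS256 key and must carry the
    identity's id as ``sub``, a read-only scope limited to
    ``myorg/somerepo`` and an expiry about 120 seconds (the configured
    default lifetime) from now.
    """
    authz = JWTAuthenticator(private_key=JWT_HS_KEY, algorithm='HS256', default_lifetime=120)
    identity = DefaultIdentity(name='joe', email='*****@*****.**', id='babab0ba')
    header = authz.get_authz_header(identity, 'myorg', 'somerepo', actions={'read'})

    auth_type, token = header['Authorization'].split(' ')
    assert 'Bearer' == auth_type

    # Name the accepted algorithms as a list: membership against a bare
    # string is a substring test rather than an exact match on ``alg``.
    payload = jwt.decode(token, JWT_HS_KEY, algorithms=['HS256'])
    assert payload['sub'] == 'babab0ba'
    assert payload['scopes'] == 'obj:myorg/somerepo/*:read'

    # Expiry must be within 5 seconds of now + 120 seconds. total_seconds()
    # is used because timedelta.seconds drops the days component, so a token
    # valid for one day and 120 seconds would otherwise pass this check.
    remaining = (datetime.fromtimestamp(payload['exp']) - datetime.now()).total_seconds()
    assert abs(remaining - 120) < 5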
def test_default_identity_denied_by_default(requested):
    """An identity with no grants must refuse the requested access.

    ``requested`` is expanded into the keyword arguments of
    ``is_authorized``; no ``allow`` call is made first, so this pins the
    deny-by-default behaviour.
    """
    identity = DefaultIdentity('arthur', 'kingofthebritons', '*****@*****.**')
    verdict = identity.is_authorized(**requested)
    # Must be exactly False, not just a falsy value such as None.
    assert verdict is False
def test_default_identity_allow_specific_org_permissions(requested, expected):
    """Grant only read permissions on an organization and check one request.

    ``requested`` is expanded into the keyword arguments of
    ``is_authorized`` and ``expected`` is the boolean it must return.
    NOTE(review): the cases presumably come from a parametrize decorator not
    visible here - confirm they cover permissions outside the granted set.
    """
    identity = DefaultIdentity('arthur', 'kingofthebritons', '*****@*****.**')
    read_only = {Permission.READ_META, Permission.READ}
    identity.allow(organization='myorg', permissions=read_only)
    outcome = identity.is_authorized(**requested)
    assert expected is outcome