def test_get_backend_from_raw_jwt(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode() backend_class = get_backend_from_raw_jwt(raw_jwt=jwt) self.assertEqual(backend_class, ApiKeyBackend)
def test_make_instance_from_raw_jwt(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) backend_instance = ApiKeyBackend.make_instance_from_raw_jwt(raw_jwt=jwt) self.assertIsInstance(backend_instance, ApiKeyBackend)
def test_sanity(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) decoded = backend.decode(jwt) self.assertIn('exp', decoded) self.assertIn('iat', decoded) self.assertIn('jti', decoded) self.assertEqual(decoded['api_key_id'], api_key.id) self.assertEqual(decoded['scope'], ['read', 'write'])
def test_make_authenticate_success_response(self): with mock.patch( 'ievv_auth.ievv_jwt.backends.api_key_backend.ApiKeyBackend.encode', return_value='test' ): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() self.assertDictEqual( backend.make_authenticate_success_response( base_payload={ **api_key.base_jwt_payload }), {'access': 'test'} )
def test_api_key_ok_api_key_backend(self): api_key, instance = ScopedAPIKey.objects.create_key( name='test', jwt_backend_name='api-key', base_jwt_payload={'scope': 'cool'}) response = self.make_post_request(data={'api_key': api_key}) self.assertEqual(response.status_code, 200) self.assertIsNotNone(response.data.get('access')) payload = ApiKeyBackend().decode(token=response.data.get('access'), verify=True) self.assertEqual(payload['scope'], 'cool') self.assertEqual(payload['api_key_id'], instance.id) self.assertEqual(payload['jwt_backend_name'], 'api-key')
def test_fields_which_is_not_overridable_is_not_changed(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'exp': 123, 'iat': 123, 'jti': 123 } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) decoded = backend.decode(jwt) self.assertIn('exp', decoded) self.assertNotEqual(decoded['exp'], 123) self.assertIn('iat', decoded) self.assertNotEqual(decoded['iat'], 123) self.assertIn('jti', decoded) self.assertNotEqual(decoded['jti'], 123) self.assertEqual(decoded['api_key_id'], api_key.id)
def test_token_has_expired(self): with self.settings(IEVV_JWT={ 'default': { 'ACCESS_TOKEN_LIFETIME': timezone.timedelta(minutes=0), } }): with mock.patch( 'ievv_auth.ievv_jwt.backends.api_key_backend.ApiKeyBackend.access_token_expiration', new_callable=PropertyMock, return_value=timezone.now() - timezone.timedelta(days=1)): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) with self.assertRaisesMessage(JWTBackendError, 'Token is invalid or expired'): backend.decode(jwt, verify=True)
def test_sign_jwt_with_another_secret(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) decoded = backend.decode(jwt) new_jwt = py_jwt.encode(payload=decoded, key='asdxxxxxxxxxxxxxxxxxxxxxxxxxxx') with self.assertRaisesMessage(JWTBackendError, 'Token is invalid or expired'): backend.decode(new_jwt, verify=True)
def test_verify_intercepted_payload_added_additional_scope(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) [header, _, secret] = jwt.split('.') decoded = backend.decode(jwt) decoded['scope'] = 'admin' payload = base64.urlsafe_b64encode( json.dumps( decoded, separators=(',', ':') ).encode('utf-8') ).decode('utf-8') new_jwt = f'{header}.{payload}.{secret}' with self.assertRaisesMessage(JWTBackendError, 'Token is invalid or expired'): backend.decode(new_jwt, verify=True)
def test_verify_intercepted_payload_extend_expiration(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) [header, _, secret] = jwt.split('.') decoded = backend.decode(jwt) decoded['exp'] = timegm((timezone.now() + timezone.timedelta(weeks=200)).utctimetuple()) payload = base64.urlsafe_b64encode( json.dumps( decoded, separators=(',', ':') ).encode('utf-8') ).decode('utf-8') new_jwt = f'{header}.{payload}.{secret}' with self.assertRaisesMessage(JWTBackendError, 'Token is invalid or expired'): backend.decode(new_jwt, verify=True)