def _get_user(self, headers: CIMultiDict) -> Union[None, User]: authentication = headers.get("Authentication") if authentication and self.auth_enabled: return User(authentication) if authentication: raise Unauthorized("Authentication method not supported") return None
def setup_class(self): # pylint: disable=attribute-defined-outside-init self.cognito_user = { "cognito:username": str(uuid4()), "email": f"{str(uuid4())}@{str(uuid4())}.com", "custom:id": str(uuid4()), "custom:1": str(uuid4()), "custom:2": str(uuid4()), "aud": os.environ["ALLOWED_AUDIENCES"].split(",")[ 0 ], # moved due pylint and minimising scope of PR "iss": ALLOWED_ISS, "exp": int((datetime.utcnow() + timedelta(hours=6)).timestamp()), "iat": int(datetime.utcnow().timestamp()), "custom:3": str(uuid4()), "custom:4": str(uuid4()), "custom:5": str(uuid4()), } self.id_token = encode_token(self.cognito_user) self.pool_id = str(uuid4) self.sample_user = User(self.id_token)
def test_loading_user_does_not_parse_standard_claims(self, jwt_partial_payload): current_ts = int(time.time()) standard_claims = { **jwt_partial_payload, "sub": str(uuid4()), "token_use": "id", "auth_time": current_ts, } id_token = encode_token( { "cognito:username": str(uuid4()), "custom:id": str(uuid4()), **standard_claims, } ) user = User(id_token) for key in standard_claims: assert not hasattr(user, key)
def user(user_token) -> User: # pylint: disable=redefined-outer-name return User(user_token)
def test_nth_cognito_client_validated_as_audience(self): test_allowed_audiences = [str(uuid4()) for _ in range(10)] with patch("lbz.jwt_utils.ALLOWED_AUDIENCES", test_allowed_audiences): assert User(encode_token({**self.cognito_user, "aud": test_allowed_audiences[9]}))
def test_user_raises_when_more_attributes_than_1000(self): with pytest.raises(RuntimeError): cognito_user = {str(uuid4()): str(uuid4()) for i in range(1001)} User(encode_token(cognito_user))
def test_decoding_user_raises_unauthorized_when_invalid_public_key(self): with pytest.raises(Unauthorized), patch( "lbz.jwt_utils.PUBLIC_KEYS", [{**SAMPLE_PUBLIC_KEY.copy(), "n": str(uuid4())}], ): User(self.id_token)
def test_decoding_user_raises_unauthorized_when_invalid_audience(self): with pytest.raises(Unauthorized), patch("lbz.jwt_utils.ALLOWED_AUDIENCES", [str(uuid4())]): User(self.id_token)
def test_decoding_user_raises_unauthorized_when_invalid_token(self): with pytest.raises(Unauthorized): User(self.id_token + "?")
def test_decoding_user(self): assert User(self.id_token)
def test__repr__username(self, jwt_partial_payload): username = str(uuid4()) sample_user = User(encode_token({"cognito:username": username, **jwt_partial_payload})) assert sample_user.__repr__() == f"User username={username}"
class TestAuthentication: def setup_class(self): # pylint: disable=attribute-defined-outside-init self.cognito_user = { "cognito:username": str(uuid4()), "email": f"{str(uuid4())}@{str(uuid4())}.com", "custom:id": str(uuid4()), "custom:1": str(uuid4()), "custom:2": str(uuid4()), "aud": os.environ["ALLOWED_AUDIENCES"].split(",")[ 0 ], # moved due pylint and minimising scope of PR "iss": ALLOWED_ISS, "exp": int((datetime.utcnow() + timedelta(hours=6)).timestamp()), "iat": int(datetime.utcnow().timestamp()), "custom:3": str(uuid4()), "custom:4": str(uuid4()), "custom:5": str(uuid4()), } self.id_token = encode_token(self.cognito_user) self.pool_id = str(uuid4) self.sample_user = User(self.id_token) def test__repr__username(self, jwt_partial_payload): username = str(uuid4()) sample_user = User(encode_token({"cognito:username": username, **jwt_partial_payload})) assert sample_user.__repr__() == f"User username={username}" def test_decoding_user(self): assert User(self.id_token) def test_decoding_user_raises_unauthorized_when_invalid_token(self): with pytest.raises(Unauthorized): User(self.id_token + "?") def test_decoding_user_raises_unauthorized_when_invalid_audience(self): with pytest.raises(Unauthorized), patch("lbz.jwt_utils.ALLOWED_AUDIENCES", [str(uuid4())]): User(self.id_token) def test_decoding_user_raises_unauthorized_when_invalid_public_key(self): with pytest.raises(Unauthorized), patch( "lbz.jwt_utils.PUBLIC_KEYS", [{**SAMPLE_PUBLIC_KEY.copy(), "n": str(uuid4())}], ): User(self.id_token) def test_loading_user_parses_user_attributes(self): parsed = self.cognito_user.copy() for key in ["aud", "iss", "exp", "iat"]: parsed.pop(key, None) for key, expected_value in parsed.items(): value = self.sample_user.__getattribute__( key.replace("cognito:", "").replace("custom:", "") ) assert value == expected_value def test_loading_user_does_not_parse_standard_claims(self, jwt_partial_payload): current_ts = int(time.time()) standard_claims = { **jwt_partial_payload, "sub": str(uuid4()), "token_use": "id", "auth_time": current_ts, } id_token = encode_token( { "cognito:username": str(uuid4()), "custom:id": str(uuid4()), **standard_claims, } ) user = User(id_token) for key in standard_claims: assert not hasattr(user, key) def test_user_raises_when_more_attributes_than_1000(self): with pytest.raises(RuntimeError): cognito_user = {str(uuid4()): str(uuid4()) for i in range(1001)} User(encode_token(cognito_user)) def test_nth_cognito_client_validated_as_audience(self): test_allowed_audiences = [str(uuid4()) for _ in range(10)] with patch("lbz.jwt_utils.ALLOWED_AUDIENCES", test_allowed_audiences): assert User(encode_token({**self.cognito_user, "aud": test_allowed_audiences[9]}))