async def test_auth_active_access_with_access_token_in_header(
    opp, app, aiohttp_client, opp_access_token
):
    """A valid Bearer access token in the Authorization header grants access.

    Pins four properties of the auth middleware:
    * the header *name* is matched case-insensitively,
    * a bare token without the ``Bearer`` scheme is refused,
    * the scheme itself is matched exactly (``BEARER`` is refused), and
    * deactivating the owning user invalidates an otherwise valid token.
    """
    setup_auth(opp, app)
    client = await aiohttp_client(app)
    token_record = await opp.auth.async_validate_access_token(opp_access_token)
    expected_body = {"user_id": token_record.user.id}
    bearer_value = f"Bearer {opp_access_token}"

    # HTTP field names are case-insensitive; every spelling must be honoured.
    for header_name in ("Authorization", "AUTHORIZATION", "authorization"):
        resp = await client.get("/", headers={header_name: bearer_value})
        assert resp.status == 200
        assert await resp.json() == expected_body

    # The raw token with no scheme prefix is not a credential.
    resp = await client.get("/", headers={"Authorization": opp_access_token})
    assert resp.status == 401

    # The scheme is compared exactly. RFC 7235 treats scheme names as
    # case-insensitive; the middleware is evidently stricter than that, and
    # this assertion pins the stricter behaviour so it is not loosened by accident.
    resp = await client.get(
        "/", headers={"Authorization": f"BEARER {opp_access_token}"}
    )
    assert resp.status == 401

    # Deactivating the user must cut off access immediately, even though the
    # token itself has not expired or been revoked.
    token_record = await opp.auth.async_validate_access_token(opp_access_token)
    token_record.user.is_active = False
    resp = await client.get("/", headers={"Authorization": bearer_value})
    assert resp.status == 401
async def test_cant_access_with_password_in_header(
    app, aiohttp_client, legacy_auth, opp
):
    """The legacy password header never authenticates, right or wrong password.

    Even with the ``legacy_auth`` fixture active, supplying the API password
    in the custom header must be refused exactly like a bogus value, so the
    two cases are driven through the same loop.
    """
    setup_auth(opp, app)
    client = await aiohttp_client(app)

    # Correct password first, then an obviously wrong one: identical outcome.
    for candidate in (API_PASSWORD, "wrong-pass"):
        resp = await client.get("/", headers={HTTP_HEADER_HA_AUTH: candidate})
        assert resp.status == 401
async def test_auth_legacy_support_api_password_cannot_access(
    app, aiohttp_client, legacy_auth, opp
):
    """api_password is refused on every channel, even with legacy auth enabled.

    Exercises the three places a legacy password could be smuggled in — the
    custom header, the ``api_password`` query parameter and HTTP Basic — and
    expects 401 from each. (The fixture name suggests legacy support is
    configured; the assertions show it does not open any of these paths.)
    """
    setup_auth(opp, app)
    client = await aiohttp_client(app)

    header_resp = await client.get(
        "/", headers={HTTP_HEADER_HA_AUTH: API_PASSWORD}
    )
    assert header_resp.status == 401

    query_resp = await client.get("/", params={"api_password": API_PASSWORD})
    assert query_resp.status == 401

    basic_resp = await client.get(
        "/", auth=BasicAuth("openpeerpower", API_PASSWORD)
    )
    assert basic_resp.status == 401
async def test_cant_access_with_password_in_query(
    app, aiohttp_client, legacy_auth, opp
):
    """A password in the query string never authenticates the request.

    Credentials in a URL end up in access logs, browser history and Referer
    headers, so this path must stay closed regardless of whether the value
    is correct.
    """
    setup_auth(opp, app)
    client = await aiohttp_client(app)

    # The real password in the URL is refused ...
    with_password = await client.get("/", params={"api_password": API_PASSWORD})
    assert with_password.status == 401

    # ... as is a request carrying no credentials at all ...
    anonymous = await client.get("/")
    assert anonymous.status == 401

    # ... and a non-matching value. NOTE(review): the literal below looks like
    # a redacted placeholder; presumably it stood for a wrong password — confirm.
    bogus = await client.get("/", params={"api_password": "******"})
    assert bogus.status == 401
async def test_cannot_access_with_trusted_ip(
    opp, app2, trusted_networks_auth, aiohttp_client, opp_owner_user
):
    """Source IP alone never authorizes a request, trusted network or not.

    With the trusted-networks auth provider configured, an unauthenticated
    GET must still get 401 from every address in both ``UNTRUSTED_ADDRESSES``
    and ``TRUSTED_ADDRESSES`` — being on a trusted network is not a
    substitute for a token on this path.
    """
    setup_auth(opp, app2)
    set_mock_ip = mock_real_ip(app2)
    client = await aiohttp_client(app2)

    # Untrusted addresses first, then trusted ones; the expectation is the
    # same for every address, so a single loop covers both sets.
    for remote_addr in (*UNTRUSTED_ADDRESSES, *TRUSTED_ADDRESSES):
        set_mock_ip(remote_addr)
        resp = await client.get("/")
        assert resp.status == 401, f"{remote_addr} shouldn't be trusted"
async def test_basic_auth_does_not_work(app, aiohttp_client, opp, legacy_auth):
    """HTTP Basic credentials are never accepted, nor is an unknown scheme.

    A correct user/password pair, a wrong user and a wrong password are all
    refused with 401, as is an ``Authorization`` header using a scheme the
    middleware does not know.
    """
    setup_auth(opp, app)
    client = await aiohttp_client(app)

    # Right credentials, wrong user, wrong password: the outcome never differs,
    # which also means the response does not leak which part was wrong.
    for username, password in (
        ("openpeerpower", API_PASSWORD),
        ("wrong_username", API_PASSWORD),
        ("openpeerpower", "wrong password"),
    ):
        resp = await client.get("/", auth=BasicAuth(username, password))
        assert resp.status == 401

    # An unrecognised authentication scheme is refused as well.
    resp = await client.get("/", headers={"authorization": "NotBasic abcdefg"})
    assert resp.status == 401
async def test_auth_access_signed_path(opp, app, aiohttp_client, opp_access_token):
    """Signed paths grant access only under their full set of constraints.

    A path signed with ``async_sign_path`` must work for a GET of exactly
    that path inside its validity window, and must be refused when the
    signature is replayed on another path, when the method is POST, when the
    path was signed with a lifetime already in the past, and once the refresh
    token that signed it has been removed.

    NOTE(review): no case here tampers with the signature value itself (for
    example flipping one character of the query parameter); worth adding if
    the verifier's handling of a malformed/mismatched signature is not covered
    elsewhere.
    """
    app.router.add_post("/", mock_handler)
    app.router.add_get("/another_path", mock_handler)
    setup_auth(opp, app)
    client = await aiohttp_client(app)

    token_record = await opp.auth.async_validate_access_token(opp_access_token)
    signed_path = async_sign_path(opp, token_record.id, "/", timedelta(seconds=5))

    # Happy path: right path, GET, within the window.
    resp = await client.get(signed_path)
    assert resp.status == 200
    body = await resp.json()
    assert body["user_id"] == token_record.user.id

    # The signature is bound to the path: replaying the query string on a
    # different route must fail.
    signed_query = signed_path.split("?")[1]
    resp = await client.get(f"/another_path?{signed_query}")
    assert resp.status == 401

    # Signed paths are GET-only; the identical URL over POST is refused.
    resp = await client.post(signed_path)
    assert resp.status == 401

    # A negative lifetime yields a path that is expired from the start.
    stale_path = async_sign_path(opp, token_record.id, "/", timedelta(seconds=-5))
    resp = await client.get(stale_path)
    assert resp.status == 401

    # Revoking the refresh token that produced the signature invalidates every
    # path signed with it, even one that would otherwise still be in-window.
    await opp.auth.async_remove_refresh_token(token_record)
    resp = await client.get(signed_path)
    assert resp.status == 401