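    def test_auth_verify_bearer_expired_token(self):
        """A signed ES256 token whose ``exp`` lies in the past must be rejected.

        One token is minted per configured user-id claim name so that every
        entry of ``USER_ID_FIELDS`` goes through the expiry check. The
        ``AuthenticationFailed`` message is matched by prefix only, so extra
        detail the backend may append does not break the test.
        """
        settings = get_settings()
        keyset = get_keyset()
        kid = "2aedafba-8170-4064-b704-ce92b7c89cc6"
        key = keyset.get_key(kid)
        # 1000 s in the past: far enough that a small clock-skew leeway, if the
        # verifier grants one, cannot mask the expiry.
        exp_time = round(time.time()) - 1000

        user_id_fields = settings['USER_ID_FIELDS']
        # Guard against a vacuous pass: with an empty field list the loop body
        # (and every assertion in it) would never run.
        self.assertTrue(user_id_fields,
                        'USER_ID_FIELDS is empty; no claim name to test')

        for user_id_field in user_id_fields:
            token = jwt.JWT(
                header={"kid": kid, "alg": "ES256"},
                claims={'exp': exp_time, user_id_field: '*****@*****.**'},
            )
            token.make_signed_token(key)
            bearer = 'Bearer {}'.format(token.serialize())

            # The second positional argument is passed as True here and in the
            # sibling test; its meaning is not visible from this file.
            with self.assertRaises(AuthenticationFailed) as cm:
                JWTAccessToken.token_data(bearer, True)
            self.assertTrue(
                str(cm.exception).startswith('API authz problem: token expired'))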
    def test_user_not_in_cache(self, mock_cache, mock_request,
                               mock_token_data):
        """A cache miss for an existing, in-scope user still resolves that user.

        The token-data helper is mocked to yield the superuser's username and
        the cache mock answers ``None``, so the backend must look the user up
        itself; the authenticated user's username is then checked.
        """
        mock_request.is_authorized_for.return_value = True
        username = self.superuser.username
        user_id_field = get_settings()['USER_ID_FIELD']
        mock_token_data.return_value = ({user_id_field: username}, username)
        mock_cache.get.return_value = None

        authenticated_user, _scope = JWTAuthBackend.authenticate(mock_request)
        self.assertEqual(authenticated_user.username, username)
    def test_with_scope_correct_user(self, mocked_cache, mock_token_data):
        """With the scope check passing, the token's user id resolves to ``normal_user``.

        Only the token-data helper is stubbed; the cache mock is left with its
        default behaviour.
        """
        auth_backend = backend.JWTAuthBackend()

        request = mock.Mock()
        request.is_authorized_for.return_value = True

        user_id = '*****@*****.**'
        user_id_field = get_settings()['USER_ID_FIELD']
        mock_token_data.return_value = ({user_id_field: user_id}, user_id)

        resolved_user, _scope = auth_backend.authenticate(request)
        self.assertEqual(resolved_user, self.normal_user)
    def test_user_invalid_scope(self, mock_cache, mock_request,
                                mock_token_data):
        """A request failing the scope check is rejected even for a valid superuser.

        The token names the superuser and the cache misses, yet because
        ``is_authorized_for`` answers ``False`` the backend raises
        ``AuthenticationFailed`` with the exact message
        ``'No token or required scope'``.
        """
        mock_request.is_authorized_for.return_value = False
        username = self.superuser.username
        user_id_field = get_settings()['USER_ID_FIELD']
        mock_token_data.return_value = ({user_id_field: username}, username)
        mock_cache.get.return_value = None

        with self.assertRaises(AuthenticationFailed) as cm:
            JWTAuthBackend.authenticate(mock_request)

        self.assertEqual(str(cm.exception), 'No token or required scope')
    def test_user_does_not_exists(self, mock_cache, mock_request,
                                  mock_token_data):
        """A token naming an unknown user is rejected on a cache miss.

        Scope passes and the cache answers ``None``, so the backend has to
        resolve ``'idonotexist'`` itself and must raise
        ``AuthenticationFailed`` carrying that id in its message.
        """
        unknown_user = 'idonotexist'

        mock_request.is_authorized_for.return_value = True
        user_id_field = get_settings()['USER_ID_FIELD']
        mock_token_data.return_value = ({user_id_field: unknown_user},
                                        unknown_user)
        mock_cache.get.return_value = None

        with self.assertRaises(AuthenticationFailed) as cm:
            JWTAuthBackend.authenticate(mock_request)

        expected = 'User {} is not authorized'.format(unknown_user)
        self.assertEqual(str(cm.exception), expected)
    def test_with_scope_wrong_user_cache_hit(self, mocked_user_model, mocked_cache, mock_token_data):
        """A cached ``USER_DOES_NOT_EXIST`` marker short-circuits the user lookup.

        When the cache already records the user id as non-existent, the
        backend must raise ``AuthenticationFailed`` after exactly one cache
        read and without touching the user model at all.
        """
        auth_backend = backend.JWTAuthBackend()

        request = mock.Mock()
        request.is_authorized_for.return_value = True

        user_id = '*****@*****.**'
        user_id_field = get_settings()['USER_ID_FIELD']
        mock_token_data.return_value = ({user_id_field: user_id}, user_id)
        mocked_cache.get.return_value = backend.USER_DOES_NOT_EXIST

        with self.assertRaises(exceptions.AuthenticationFailed):
            auth_backend.authenticate(request)

        mocked_cache.get.assert_called_once_with(user_id)
        # The negative-cache hit must be authoritative: no database round trip.
        mocked_user_model.objects.get.assert_not_called()
    def test_auth_verify_bearer_token(self):
        """A validly signed ES256 bearer token yields the user id from its claims.

        NOTE(review): the minted token carries no ``exp`` claim and is still
        accepted, so this test pins that tokens without an expiry pass
        verification — confirm that is intended rather than an oversight.
        """
        settings = get_settings()
        kid = "2aedafba-8170-4064-b704-ce92b7c89cc6"
        signing_key = get_keyset().get_key(kid)
        subject = "*****@*****.**"

        token = jwt.JWT(
            header={"kid": kid, "alg": "ES256"},
            claims={settings['USER_ID_FIELD']: subject},
        )
        token.make_signed_token(signing_key)
        bearer = 'Bearer {}'.format(token.serialize())

        # Second positional argument mirrors the sibling expiry test; its
        # meaning is not visible from this file.
        _claims, user_id = JWTAccessToken.token_data(bearer, True)
        self.assertEqual(user_id, subject)
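    def test_with_scope_wrong_user_cache_miss(self, mocked_cache, mock_token_data):
        """An unknown user on a cache miss is rejected and negatively cached.

        For every configured user-id claim name the backend must: read the
        cache exactly once under the user id, store ``USER_DOES_NOT_EXIST``
        for that id with a ``5 * 60`` TTL (presumably seconds), and raise
        ``AuthenticationFailed``. The cache mock is reset between iterations
        so the ``assert_called_once`` checks stay per-claim.
        """
        jwt_auth_backend = backend.JWTAuthBackend()

        mocked_request = mock.Mock()
        mocked_request.is_authorized_for.return_value = True
        settings = get_settings()

        user_id_fields = settings['USER_ID_FIELDS']
        # Guard against a vacuous pass: with an empty field list the loop body
        # (and every assertion in it) would never run.
        self.assertTrue(user_id_fields,
                        'USER_ID_FIELDS is empty; no claim name to test')

        user_id = '*****@*****.**'
        for user_id_field in user_id_fields:
            mock_token_data.return_value = ({user_id_field: user_id}, user_id)
            mocked_cache.get.return_value = None

            with self.assertRaises(exceptions.AuthenticationFailed):
                jwt_auth_backend.authenticate(mocked_request)

            mocked_cache.get.assert_called_once_with(user_id)
            # NOTE(review): the negative result is cached for 5 * 60, so a user
            # created right after a failed lookup stays rejected until the
            # entry expires — confirm that window is acceptable.
            mocked_cache.set.assert_called_once_with(
                user_id,
                backend.USER_DOES_NOT_EXIST,
                5 * 60
            )
            mocked_cache.reset_mock()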