def test_override_outcome():
base = "::"
inbound = "foo"
assert validate(base, inbound) is False
def always_true(**kwargs):
return True
assert validate(base, inbound, override=always_true)
def test_not_require_all(ScopeTestCase):
assert validate("user foo", "user", require_all=False)
assert validate("user:read:write", "user:read", require_all_actions=False)
# from complex_
assert validate("user:read user::delete", "user:read:delete", require_all=False)
assert validate(
"user:read user::delete", "user:read user:delete", require_all=False
)
def test_list_scopes():
base = ["foo", "bar"]
inbound = "foo"
assert validate(base, inbound) is False
inbound = "foo bar"
assert validate(base, inbound)
inbound = "foo", "bar"
assert validate(base, inbound)
def test_none_scopes():
base = None
inbound = "bar"
with pytest.raises(InvalidScope):
validate(base, inbound)
base = "foo"
inbound = None
with pytest.raises(InvalidScope):
validate(base, inbound)
def test_none_input():
base = "foo"
inbound = []
assert validate(base, inbound) is False
inbound = [None, None]
assert validate(base, inbound) is False
inbound = [None, "foo"]
assert validate(base, inbound)
def test_bad_override_type():
base = "::"
inbound = "foo"
assert validate(base, inbound) is False
def oops(**kwargs):
return "foobar"
def okay(outcome, **kwargs):
return outcome
assert validate(base, inbound, override=partial(okay, outcome=True))
assert not validate(base, inbound, override=partial(okay, outcome=False))
with pytest.raises(exceptions.OverrideError):
validate(base, inbound, override=oops)
def test_regular(
simple_single_specific, simple_single_global, simple_multiple, complex_
):
for test_case in (
simple_single_specific + simple_single_global + simple_multiple + complex_
):
is_valid = validate(test_case.base, test_case.inbound)
assert is_valid is test_case.outcome
def is_authorized(request: Request, base_scope: t.Optional[str]) -> bool:
if base_scope:
token = extract_token(request)
try:
# Get the encrypted payload. If it fails to decrypt, or it fails
# a claim (like expiration) then this will raise an exception
payload = jwt.decode(token, request.app.config.JWT_SECRET)
except Exception as e:
logger.error(e)
return False
else:
# Check to see if the known base scope criteria has been met
return validate(base_scope, payload.get("scopes", ""))
return True
def test_override_arguments():
_base = "::"
_inbound = "foo"
def check_args(is_valid, base, inbounds, require_all_actions):
inbound = inbounds[0]
return (len(inbounds) == 1 and is_valid is False and not base.namespace
and not base.actions and not base.negations
and inbound.namespace == _inbound and not inbound.actions
and not inbound.negations and require_all_actions is False)
assert validate(_base,
_inbound,
override=check_args,
require_all_actions=False)
def test_negation_without_specifc_actions():
base = "foo::bar"
inbound = "foo"
assert validate(base, inbound)
def test_overzealous_colons():
base = "foo::::bar"
inbound = "bar"
with pytest.raises(InvalidScope):
validate(base, inbound)
def test_inbound_negation():
base = "foo"
inbound = "::bar"
with pytest.raises(InvalidScope):
validate(base, inbound)
def test_dict_scopes():
base = {"foo": "bar"}
inbound = "foo"
with pytest.raises(InvalidScope):
assert validate(base, inbound)
