    def setUp(self):
        """Generate a per-test key pair and a retriever that resolves only 'client-app/key01'.

        A new private key is created for every test, so no signing material is
        shared between tests or stored in the repository; only the public half is
        handed to the static retriever the server side uses to verify tokens.
        """
        super(TestAsapDecorator, self).setUp()
        private_pem = self.get_new_private_key_in_pem_format()
        self._private_key_pem = private_pem
        # The verifier only ever sees the public key.
        self._public_key_pem = utils.get_public_key_pem_for_private_key_pem(private_pem)

        # Key ids take the form '<issuer>/<key name>'. The retriever knows this
        # single id, so a token signed under any other key id cannot be verified.
        known_keys = {'client-app/key01': self._public_key_pem}
        self.retriever = get_static_retriever_class(known_keys)
        self.test_settings = {'ASAP_KEY_RETRIEVER_CLASS': self.retriever}
    def setUp(self):
        """Create the Flask app under test with a retriever that knows only 'client-app/key01'.

        A fresh private key is generated per test; only its public half is placed
        in the app config, via the static key retriever.
        """
        private_pem = self.get_new_private_key_in_pem_format()
        public_pem = utils.get_public_key_pem_for_private_key_pem(private_pem)
        self._private_key_pem = private_pem
        self._public_key_pem = public_pem

        self.app = get_app()
        self.client = self.app.test_client()

        # Overwrite whatever retriever the app was built with: in this test,
        # verification can only succeed for this one key id.
        self.app.config['ASAP_KEY_RETRIEVER_CLASS'] = get_static_retriever_class(
            {'client-app/key01': public_pem})
 def test_request_with_invalid_issuer_is_rejected(self):
     """A validly signed token from an issuer the server does not trust is rejected.

     The retriever is swapped so that 'another-client/key01' *does* resolve and
     the signature verifies. That isolates the issuer check: the rejection must
     come from issuer validation, not from a failed key lookup. Note that it is
     the issuer that differs from the trusted 'client-app' here, not the audience.
     """
     issuer = 'another-client'
     key_id = issuer + '/key01'
     self.app.config['ASAP_KEY_RETRIEVER_CLASS'] = get_static_retriever_class(
         {key_id: self._public_key_pem})
     token = create_token(issuer, 'server-app', key_id, self._private_key_pem)
     response = self.send_request(token)
     # NOTE(review): this expects 403 while a sibling test of the same scenario
     # expects 401; which code is right depends on the server's decorator
     # semantics, which are not visible here.
     self.assertEqual(response.status_code, 403)
    def test_request_decorated_issuer_is_allowed(self):
        """A token from the issuer the 'decorated' view explicitly allows is accepted.

        The retriever is pointed at 'whitelist/key01' so the signature verifies;
        what is exercised is the view-level issuer restriction. assertContains
        with its default status also pins the response to 200.
        """
        issuer = 'whitelist'
        key_id = issuer + '/key01'
        token = create_token(issuer=issuer,
                             audience='server-app',
                             key_id=key_id,
                             private_key=self._private_key_pem)
        retriever = get_static_retriever_class({key_id: self._public_key_pem})
        with override_settings(ASAP_KEY_RETRIEVER_CLASS=retriever):
            response = self.client.get(reverse('decorated'),
                                       HTTP_AUTHORIZATION=b'Bearer ' + token)

        # The settings override is scoped to the request only.
        self.assertContains(response, 'Only the right issuer is allowed.')
    def setUp(self):
        """Generate a per-test key pair and a config pinning audience, issuers and retriever.

        ASAP_VALID_AUDIENCE and ASAP_VALID_ISSUERS are the server-side allowlists
        the tests rely on; the static retriever resolves only 'client-app/key01'.
        """
        private_pem = self.get_new_private_key_in_pem_format()
        self._private_key_pem = private_pem
        self._public_key_pem = utils.get_public_key_pem_for_private_key_pem(private_pem)

        # A one-element tuple, not a bare string: a string would presumably be
        # iterated character by character by an issuer membership check.
        valid_issuers = ('client-app',)
        self.config = {
            'ASAP_VALID_AUDIENCE': 'server-app',
            'ASAP_VALID_ISSUERS': valid_issuers,
            'ASAP_KEY_RETRIEVER_CLASS': get_static_retriever_class(
                {'client-app/key01': self._public_key_pem}),
        }
    def test_request_with_invalid_issuer_is_rejected(self):
        """A validly signed token from an untrusted issuer is answered with 401.

        The key retriever is replaced so that 'another-client/key01' resolves and
        the signature verifies. Only the issuer differs from the trusted
        'client-app' (the audience is still 'server-app'), so this exercises
        issuer validation rather than key lookup.
        """
        issuer = 'another-client'
        key_id = issuer + '/key01'
        self.app.config['ASAP_KEY_RETRIEVER_CLASS'] = get_static_retriever_class(
            {key_id: self._public_key_pem})

        token = create_token(issuer, 'server-app', key_id, self._private_key_pem)
        headers = {'Authorization': b'Bearer ' + token}
        response = self.client.get('/', headers=headers)

        # NOTE(review): a sibling test of the same scenario expects 403; which
        # code is correct depends on server semantics not visible here.
        self.assertEqual(response.status_code, 401)
    def test_request_with_invalid_issuer_is_rejected(self):
        """An unknown issuer is rejected with 401 even though its signature verifies.

        The retriever is pointed at 'something-invalid/key01', so the only thing
        wrong with the token is its issuer; the rejection therefore comes from
        issuer validation, not from a missing key.
        """
        issuer = 'something-invalid'
        key_id = issuer + '/key01'
        token = create_token(issuer=issuer,
                             audience='server-app',
                             key_id=key_id,
                             private_key=self._private_key_pem)
        retriever = get_static_retriever_class({key_id: self._public_key_pem})
        with override_settings(ASAP_KEY_RETRIEVER_CLASS=retriever):
            response = self.client.get(reverse('expected'),
                                       HTTP_AUTHORIZATION=b'Bearer ' + token)

        expected_body = 'Unauthorized: Invalid token issuer'
        self.assertContains(response, expected_body, status_code=401)
    def test_request_non_whitelisted_decorated_issuer_is_rejected(self):
        """A decorated view rejects with 403 an issuer outside its own allowlist.

        Signature verification succeeds because the retriever knows
        'unexpected/key01'; the 403 ('Forbidden') comes from the view-level
        issuer restriction, as opposed to the 401 ('Unauthorized') the
        undecorated path returns for an unknown issuer.
        """
        issuer = 'unexpected'
        key_id = issuer + '/key01'
        retriever = get_static_retriever_class({key_id: self._public_key_pem})
        token = create_token(issuer=issuer,
                             audience='server-app',
                             key_id=key_id,
                             private_key=self._private_key_pem)

        with override_settings(ASAP_KEY_RETRIEVER_CLASS=retriever):
            response = self.client.get(reverse('unexpected'),
                                       HTTP_AUTHORIZATION=b'Bearer ' + token)

        expected_body = 'Forbidden: Invalid token issuer'
        self.assertContains(response, expected_body, status_code=403)
    def check_response(self,
                       view_name,
                       response_content='',
                       status_code=200,
                       issuer='client-app',
                       audience='server-app',
                       key_id='client-app/key01',
                       subject=None,
                       private_key=None,
                       token=None,
                       authorization=None,
                       retriever_key=None):
        """GET *view_name* under the test ASAP settings and assert on the reply.

        Precedence for the Authorization header: an explicit ``authorization``
        value is sent as-is; otherwise an explicit ``token`` is wrapped as
        ``Bearer``; otherwise a token is minted from issuer/audience/key_id/
        subject, signed with ``private_key`` (the test key when not given).

        ``retriever_key``, when given, swaps in a retriever that resolves only
        that key id to the test public key. Because it always maps to the *same*
        public key, a mismatch between ``key_id`` and ``retriever_key`` exercises
        key-id lookup, never a genuinely foreign signing key.

        With the default ``response_content`` of '' the body check is vacuous and
        only ``status_code`` is effectively asserted.
        """
        if authorization is None:
            if token is None:
                signing_key = (self._private_key_pem
                               if private_key is None else private_key)
                token = create_token(issuer=issuer,
                                     audience=audience,
                                     key_id=key_id,
                                     private_key=signing_key,
                                     subject=subject)
            authorization = b'Bearer ' + token

        # Shallow copy so the shared test_settings dict is never mutated.
        active_settings = dict(self.test_settings)
        if retriever_key is not None:
            active_settings['ASAP_KEY_RETRIEVER_CLASS'] = get_static_retriever_class(
                {retriever_key: self._public_key_pem})

        with override_settings(**active_settings):
            response = self.client.get(reverse(view_name),
                                       HTTP_AUTHORIZATION=authorization)

        self.assertContains(response, response_content, status_code=status_code)