def test_enforce(self):
"""
Test the Enforcer object.
"""
with self.assertRaises(scitokens.scitokens.EnforcementError):
print(scitokens.Enforcer(None))
enf = scitokens.Enforcer(self._test_issuer)
enf.add_validator("foo", self.always_accept)
self.assertFalse(enf.test(self._token, "read", "/"), msg=enf.last_failure)
self._token["scp"] = "read:/"
self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure)
enf = scitokens.Enforcer(self._test_issuer, audience = "https://example.unl.edu")
enf.add_validator("foo", self.always_accept)
self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure)
self._token["scp"] = "read:/foo/bar"
self.assertFalse(enf.test(self._token, "read", "/foo"), msg=enf.last_failure)
self._token["site"] = "T2_US_Example"
self.assertFalse(enf.test(self._token, "read", "/foo/bar"), msg=enf.last_failure)
enf = scitokens.Enforcer(self._test_issuer, site="T2_US_Example")
enf.add_validator("foo", self.always_accept)
self.assertTrue(enf.test(self._token, "read", "/foo/bar"), msg=enf.last_failure)
self.assertFalse(enf.test(self._token, "write", "/foo/bar"), msg=enf.last_failure)
with self.assertRaises(scitokens.scitokens.InvalidPathError):
print(enf.test(self._token, "write", "~/foo"))
def test_enforce(self):
def always_accept(value):
if value or not value:
return True
enf = scitokens.Enforcer(self._test_issuer)
enf.add_validator("foo", always_accept)
self.assertFalse(enf.test(self._token, "read", "/"), msg=enf.last_failure)
self._token["authz"] = "read"
self._token["path"] = "/"
self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure)
enf = scitokens.Enforcer(self._test_issuer, audience = "https://example.unl.edu")
enf.add_validator("foo", always_accept)
self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure)
self._token["path"] = "/foo/bar"
self.assertFalse(enf.test(self._token, "read", "/foo"), msg=enf.last_failure)
self._token["site"] = "T2_US_Example"
self.assertFalse(enf.test(self._token, "read", "/foo/bar"), msg=enf.last_failure)
enf = scitokens.Enforcer(self._test_issuer, site="T2_US_Example")
enf.add_validator("foo", always_accept)
self.assertTrue(enf.test(self._token, "read", "/foo/bar"), msg=enf.last_failure)
def test_aud(self):
"""
Test the audience claim
"""
self._token['scp'] = 'read:/'
enf = scitokens.Enforcer(self._test_issuer)
enf.add_validator("foo", lambda path : True)
self._token['aud'] = "https://example.unl.edu"
self.assertFalse(enf.test(self._token, "read", "/"), msg=enf.last_failure)
enf = scitokens.Enforcer(self._test_issuer, audience = "https://example.unl.edu")
enf.add_validator("foo", lambda path : True)
self.assertTrue(enf.test(self._token, "read", "/"), msg=enf.last_failure)
def test_multiple_aud(self):
"""
Test multiple aud
"""
self._token['scp'] = 'read:/'
# Test multiple audiences
enf = scitokens.Enforcer(
self._test_issuer,
audience=["https://example.unl.edu", "https://another.com"])
enf.add_validator("foo", self.always_accept)
self.assertTrue(enf.test(self._token, "read", "/"),
msg=enf.last_failure)
self._token['aud'] = "https://another.com"
self.assertTrue(enf.test(self._token, "read", "/"),
msg=enf.last_failure)
self._token['aud'] = "https://doesnotwork.com"
self.assertFalse(enf.test(self._token, "read", "/"),
msg=enf.last_failure)
self._token2['scope'] = 'read:/'
self._token2["aud"] = ["https://example.com", "https://another.com"]
enf = scitokens.Enforcer(self._test_issuer,
audience="https://example.com")
self.assertTrue(enf.test(self._token2, "read", "/foo"),
msg=enf.last_failure)
self._token2["aud"] = ["notexist", "https://another.com"]
self.assertFalse(enf.test(self._token2, "read", "/foo"),
msg=enf.last_failure)
self._token2["aud"] = ["https://example.com", "https://another.com"]
enf = scitokens.Enforcer(self._test_issuer,
audience=["https://example.com", "blah.com"])
self.assertTrue(enf.test(self._token2, "read", "/foo"),
msg=enf.last_failure)
self._token2["aud"] = ["notexist", "https://another.com"]
self.assertFalse(enf.test(self._token2, "read", "/foo"),
msg=enf.last_failure)
self._token2["aud"] = ["https://example.com", "https://another.com"]
enf = scitokens.Enforcer(self._test_issuer,
audience=["https://example.com", "blah.com"])
self.assertTrue(enf.test(self._token2, "read", "/foo"),
msg=enf.last_failure)
enf = scitokens.Enforcer(self._test_issuer,
audience=["foo.com", "blah.com"])
self.assertFalse(enf.test(self._token2, "read", "/foo"),
msg=enf.last_failure)
def test_opt(self):
"""
Testing the version attribute
"""
self._token['opt'] = "This is optional information, and should always return true"
self._token['scope'] = "write:/home/example"
enf = scitokens.Enforcer(issuer="local")
self.assertTrue(enf.test(self._token, "write", "/home/example/test_file"))
def test_enforce_v2(self):
"""
Test the Enforcer object for profile scitokens:2.0
Also, there is a non-validated attribute, foo. In 1.0, non-validated attributes
cause a validation error. In 2.0, they are ignored.
"""
with self.assertRaises(scitokens.scitokens.EnforcementError):
print(scitokens.Enforcer(None))
# No audience specified
enf = scitokens.Enforcer(self._test_issuer)
self.assertFalse(enf.test(self._token2, "read", "/"),
msg=enf.last_failure)
self._token2["scp"] = "read:/"
self.assertFalse(enf.test(self._token2, "read", "/"),
msg=enf.last_failure)
# Token is set to to ANY, so any audience will work
enf = scitokens.Enforcer(self._test_issuer,
audience="https://example.unl.edu")
self._token2["scp"] = "read:/"
self.assertTrue(enf.test(self._token2, "read", "/"),
msg=enf.last_failure)
# Change the audience from ANY to https://example.com
self._token2["aud"] = "https://example.com"
self.assertFalse(enf.test(self._token2, "read", "/"),
msg=enf.last_failure)
# Change back to ANY
self._token2["aud"] = "ANY"
self.assertTrue(enf.test(self._token2, "read", "/"),
msg=enf.last_failure)
self._token2["scp"] = "read:/foo/bar"
self.assertFalse(enf.test(self._token2, "read", "/foo"),
msg=enf.last_failure)
self.assertFalse(enf.test(self._token2, "write", "/foo/bar"),
msg=enf.last_failure)
with self.assertRaises(scitokens.scitokens.InvalidPathError):
print(enf.test(self._token2, "write", "~/foo"))
def test_sub(self):
"""
Verify that tokens with the `sub` set are accepted.
"""
self._token['sub'] = 'Some Great User'
enf = scitokens.Enforcer(self._test_issuer)
enf.add_validator("foo", self.always_accept)
self._token['scope'] = 'read:/'
acls = enf.generate_acls(self._token)
self.assertTrue(len(acls), 1)
def test_create_to_validate(self):
"""
End-to-end test of SciToken creation, verification, and validation.
"""
self._token['scope'] = "write:/home/example"
serialized_token = self._token.serialize(issuer="local")
token = scitokens.SciToken.deserialize(serialized_token, public_key = self._public_pem, insecure=True)
enf = scitokens.Enforcer(issuer="local")
self.assertTrue(enf.test(token, "write", "/home/example/test_file"), msg=enf.last_failure)
self.assertFalse(enf.test(token, "read", "/home/example/test_file"))
self.assertFalse(enf.test(token, "write", "/home/other/test_file"))
def test_ver(self):
"""
Testing the version attribute
"""
self._token['ver'] = 1
self._token['scope'] = "write:/home/example"
enf = scitokens.Enforcer(issuer="local")
self.assertTrue(enf.test(self._token, "write", "/home/example/test_file"))
# Now set it to a number it shouldn't understand
self._token['ver'] = 9999
self.assertFalse(enf.test(self._token, "write", "/home/example/test_file"))
def generateEnforcer(self, issuer, aud=None, validators=None):
'''
Generates a Scitoken enforcer.
:param issuer: Issuer of the scitokens.
:param aud: Audience for the scitokens (similar to JWT audience : 'aud' claim identifies the
recipients that the JWT is intended for)
:param validators:
:return: An enforcer object for the specified issuer.
:rtype: Enforcer object
'''
self.enf = scitokens.Enforcer(issuer=issuer, audience=aud)
if validators is not None:
for claim, validator in validators:
self.enf.add_validator(claim, validator)
return self.enf
def test_gen_acls(self):
"""
Test the generation of ACLs
"""
enf = scitokens.Enforcer(self._test_issuer)
enf.add_validator("foo", self.always_accept)
self._token['scope'] = 'read:/'
acls = enf.generate_acls(self._token)
self.assertTrue(len(acls), 1)
self.assertEqual(acls[0], ('read', '/'))
self._token['scope'] = 'read:/ write:/foo'
acls = enf.generate_acls(self._token)
self.assertTrue(len(acls), 2)
self.assertTrue(('read', '/') in acls)
self.assertTrue(('write', '/foo') in acls)
self._token['scope'] = 'read:/foo read://bar write:/foo write://bar'
acls = enf.generate_acls(self._token)
self.assertTrue(len(acls), 4)
self.assertTrue(('read', '/foo') in acls)
self.assertTrue(('write', '/foo') in acls)
self.assertTrue(('read', '/bar') in acls)
self.assertTrue(('write', '/bar') in acls)
self._token['exp'] = time.time() - 600
with self.assertRaises(scitokens.scitokens.ClaimInvalid):
print(enf.generate_acls(self._token))
self.assertTrue(enf.last_failure)
self._token['exp'] = time.time() + 600
self._token['scope'] = 'read:foo'
with self.assertRaises(
scitokens.scitokens.InvalidAuthorizationResource):
print(enf.generate_acls(self._token))
self._token['scope'] = 'read'
with self.assertRaises(
scitokens.scitokens.InvalidAuthorizationResource):
print(enf.generate_acls(self._token))
def test_v2(self):
"""
Test the requirements for a v2
"""
# First, delete the aud
del self._token2["aud"]
enf = scitokens.Enforcer(self._test_issuer,
audience="https://example.unl.edu")
self._token2["scope"] = "read:/foo/bar"
# Should fail, audience is required for 2.0 token
self.assertFalse(enf.test(self._token2, "read", "/foo/bar"),
msg=enf.last_failure)
# Now set the audience to ANY
self._token2["aud"] = "ANY"
self.assertTrue(enf.test(self._token2, "read", "/foo/bar"),
msg=enf.last_failure)
# Now to the correct audience
self._token2["aud"] = "https://example.unl.edu"
self.assertTrue(enf.test(self._token2, "read", "/foo/bar"),
msg=enf.last_failure)
# Now to the wrong audience
self._token2["aud"] = "https://example.com"
self.assertFalse(enf.test(self._token2, "read", "/foo/bar"),
msg=enf.last_failure)
# Arbitrary claims are allowed now in v2
self._token2["madeupclaim"] = "claimsdontmatter"
self._token2["aud"] = "ANY"
self.assertTrue(enf.test(self._token2, "read", "/foo/bar"),
msg=enf.last_failure)
# Arbitrary claims should fail in 1.0
self._token["madeupclaim"] = "claimsdontmatter"
self._token["aud"] = "ANY"
self.assertFalse(enf.test(self._token, "read", "/foo/bar"),
msg=enf.last_failure)
