Пример #1
0
    def test_token_generation(self):
        """
        Verify token generation using known hashes and signature
        """
        test_user = self.TEST_USER
        not_user = self.NOT_USER
        known_hashhash = ('5106273f7789f1e26b4a212789992f75c15433f402f3e94a'
                          'd18e7c80aee80faf')

        with self.app.app_context():

            token = generate_token(test_user)

            # Verify hashhash against known value
            hashhash = get_hashhash(test_user)
            self.assertEqual(hashhash, known_hashhash)

            # Now that we verified our hashhash, independently verify
            # the data with a serializer from config (not trusting
            # get_signature here).
            serializer = Serializer(self.app.config['FLASK_SECRET'])
            self.assertEqual(serializer.loads(token)['hashhash'], hashhash)

            # Now go ahead and verify the reverse
            serializer = get_signature()
            data = serializer.loads(token)
            self.assertEqual(data['username'], test_user)
            self.assertEqual(data['hashhash'], hashhash)

            # Verify no user handling (don't really care what
            # exception gets raised).
            with self.assertRaises(Exception):
                token = generate_token(not_user)
Пример #2
0
    def test_token_auth(self, log):
        """
        Validate authentication by token works properly
        """
        with self.app.app_context():
            # Test bad token
            valid, username = check_token_auth('asdfasdf.asdfasdf')
            self.assertEqual(False, valid)
            self.assertEqual(None, username)
            log.warn.assert_called_with('Received bad token signature')

            # Test bad username, but valid signature for users that have
            # been deleted
            sig = get_signature()
            token = sig.dumps({
                'username': self.NOT_USER,
            })
            valid, username = check_token_auth(token)
            self.assertEqual(False, valid)
            self.assertEqual(None, username)
            log.warn.assert_called_with(
                'Token auth signed message, but invalid user %s',
                self.NOT_USER
            )

            # Test that a different password invalidates token
            token = sig.dumps({
                'username': self.TEST_USER,
                'hashhash': get_hashhash('norm')
            })
            valid, username = check_token_auth(token)
            self.assertEqual(False, valid)
            self.assertEqual(None, username)
            log.warn.assert_called_with(
                'Token and password do not match, '
                '%s needs to regenerate token',
                self.TEST_USER
            )

            # Test valid case
            token = generate_token(self.TEST_USER)
            valid, username = check_token_auth(token)
            self.assertEqual(True, valid)
            self.assertEqual(self.TEST_USER, username)