def test_request_subject_and_issue_not_matching(self):
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem,
subject='different'
)
self.assertEqual(self.send_request(token).status_code, 401)
def test_request_with_string_headers_is_allowed(self):
token = create_token(issuer='client-app',
audience='server-app',
key_id='client-app/key01',
private_key=self._private_key_pem)
str_auth = 'Bearer ' + token.decode(encoding='iso-8859-1')
self.check_response('needed', 'one', 200, authorization=str_auth)
def _assert_request_with_duplicate_jti_is_accepted(self):
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem
)
self.assertEqual(self.send_request(token).status_code, 200)
self.assertEqual(self.send_request(token).status_code, 200)
def test_decorated_request_with_invalid_issuer_is_rejected(self):
# Try with a different audience with a valid signature
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem
)
url = '/restricted-to-another-client/'
self.assertEqual(self.send_request(token, url=url).status_code, 403)
def test_request_with_duplicate_jti_is_rejected_as_per_setting(self):
self.app.config['ASAP_CHECK_JTI_UNIQUENESS'] = True
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem
)
self.assertEqual(self.send_request(token).status_code, 200)
self.assertEqual(self.send_request(token).status_code, 401)
def test_request_with_valid_token_is_allowed(self):
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem
)
body, resp_info, environ = self.send_request(token=token)
self.assertEqual(resp_info['status'], '200 OK')
self.assertIn('ATL_ASAP_CLAIMS', environ)
def test_request_subject_does_not_need_to_match_issuer_from_settings(self):
self.app.config['ASAP_SUBJECT_SHOULD_MATCH_ISSUER'] = False
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem,
subject='different'
)
self.assertEqual(self.send_request(token).status_code, 200)
def test_request_with_invalid_audience_is_rejected(self):
token = create_token(
'client-app', 'invalid-audience',
'client-app/key01', self._private_key_pem
)
body, resp_info, environ = self.send_request(token=token)
self.assertEqual(resp_info['status'], '401 Unauthorized')
self.assertNotIn('ATL_ASAP_CLAIMS', environ)
def test_request_subject_and_issue_not_matching(self):
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem,
subject='different'
)
body, resp_info, environ = self.send_request(token=token)
self.assertEqual(resp_info['status'], '401 Unauthorized')
self.assertNotIn('ATL_ASAP_CLAIMS', environ)
def test_request_with_valid_token_is_allowed(self):
token = create_token(issuer='client-app',
audience='server-app',
key_id='client-app/key01',
private_key=self._private_key_pem)
with override_settings(**self.test_settings):
response = self.client.get(reverse('expected'),
HTTP_AUTHORIZATION=b'Bearer ' + token)
self.assertContains(response, 'Greatest Success!', status_code=200)
def test_request_subject_does_not_need_to_match_issuer_from_settings(self):
self.config['ASAP_SUBJECT_SHOULD_MATCH_ISSUER'] = False
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem,
subject='different'
)
body, resp_info, environ = self.send_request(token=token)
self.assertEqual(resp_info['status'], '200 OK')
self.assertIn('ATL_ASAP_CLAIMS', environ)
def test_request_using_settings_only_is_allowed(self):
token = create_token(issuer='client-app',
audience='server-app',
key_id='client-app/key01',
private_key=self._private_key_pem)
with override_settings(**self.test_settings):
response = self.client.get(reverse('settings'),
HTTP_AUTHORIZATION=b'Bearer ' + token)
self.assertContains(response, 'Any settings issuer is allowed.')
def test_request_decorated_issuer_is_allowed(self):
retriever = get_static_retriever_class(
{'whitelist/key01': self._public_key_pem})
token = create_token(issuer='whitelist',
audience='server-app',
key_id='whitelist/key01',
private_key=self._private_key_pem)
with override_settings(ASAP_KEY_RETRIEVER_CLASS=retriever):
response = self.client.get(reverse('decorated'),
HTTP_AUTHORIZATION=b'Bearer ' + token)
self.assertContains(response, 'Only the right issuer is allowed.')
def test_request_with_invalid_audience_is_rejected(self):
token = create_token(issuer='client-app',
audience='something-invalid',
key_id='client-app/key01',
private_key=self._private_key_pem)
with override_settings(**self.test_settings):
response = self.client.get(reverse('expected'),
HTTP_AUTHORIZATION=b'Bearer ' + token)
self.assertContains(response,
'Unauthorized: Invalid token',
status_code=401)
def test_request_with_string_headers_is_allowed(self):
token = create_token(issuer='client-app',
audience='server-app',
key_id='client-app/key01',
private_key=self._private_key_pem)
str_token = token.decode(encoding='iso-8859-1')
with override_settings(**self.test_settings):
response = self.client.get(reverse('expected'),
HTTP_AUTHORIZATION='Bearer ' +
str_token)
self.assertContains(response, 'Greatest Success!', status_code=200)
def test_request_non_decorated_issuer_is_rejected(self):
token = create_token(issuer='client-app',
audience='server-app',
key_id='client-app/key01',
private_key=self._private_key_pem)
with override_settings(**self.test_settings):
response = self.client.get(reverse('decorated'),
HTTP_AUTHORIZATION=b'Bearer ' + token)
self.assertContains(response,
'Forbidden: Invalid token issuer',
status_code=403)
def test_request_with_invalid_issuer_is_rejected(self):
# Try with a different audience with a valid signature
self.app.config['ASAP_KEY_RETRIEVER_CLASS'] = (
get_static_retriever_class({
'another-client/key01': self._public_key_pem
})
)
token = create_token(
'another-client', 'server-app',
'another-client/key01', self._private_key_pem
)
self.assertEqual(self.send_request(token).status_code, 403)
def test_request_with_duplicate_jti_is_rejected_as_per_setting(self):
self.test_settings['ASAP_CHECK_JTI_UNIQUENESS'] = True
token = create_token(issuer='client-app',
audience='server-app',
key_id='client-app/key01',
private_key=self._private_key_pem)
str_auth = 'Bearer ' + token.decode(encoding='iso-8859-1')
self.check_response('needed', 'one', 200, authorization=str_auth)
self.check_response('needed',
'duplicate jti',
401,
authorization=str_auth)
def _assert_request_with_duplicate_jti_is_accepted(self):
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem
)
application = self.get_app_with_middleware(self.config)
body, resp_info, environ = self.send_request(
token=token, application=application)
self.assertEqual(resp_info['status'], '200 OK')
body, resp_info, environ = self.send_request(
token=token, application=application)
self.assertEqual(resp_info['status'], '200 OK')
def test_request_with_duplicate_jti_is_rejected_as_per_setting(self):
self.config['ASAP_CHECK_JTI_UNIQUENESS'] = True
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem
)
application = self.get_app_with_middleware(self.config)
body, resp_info, environ = self.send_request(
token=token, application=application)
self.assertEqual(resp_info['status'], '200 OK')
body, resp_info, environ = self.send_request(
token=token, application=application)
self.assertEqual(resp_info['status'], '401 Unauthorized')
def test_request_with_invalid_issuer_is_rejected(self):
retriever = get_static_retriever_class(
{'something-invalid/key01': self._public_key_pem})
token = create_token(issuer='something-invalid',
audience='server-app',
key_id='something-invalid/key01',
private_key=self._private_key_pem)
with override_settings(ASAP_KEY_RETRIEVER_CLASS=retriever):
response = self.client.get(reverse('expected'),
HTTP_AUTHORIZATION=b'Bearer ' + token)
self.assertContains(response,
'Forbidden: Invalid token issuer',
status_code=403)
def test_request_subject_does_not_need_to_match_issuer(self):
token = create_token(
issuer='client-app',
audience='server-app',
key_id='client-app/key01',
private_key=self._private_key_pem,
subject='not-client-app',
)
with override_settings(**self.test_settings):
response = self.client.get(
reverse('subject_does_not_need_to_match_issuer'),
HTTP_AUTHORIZATION=b'Bearer ' + token)
self.assertContains(response, 'Subject does not need to match issuer.')
def test_request_subject_does_need_to_match_issuer_override_settings(self):
""" tests that the with_asap decorator can override the
ASAP_SUBJECT_SHOULD_MATCH_ISSUER setting.
"""
token = create_token(
issuer='client-app',
audience='server-app',
key_id='client-app/key01',
private_key=self._private_key_pem,
subject='not-client-app',
)
with override_settings(**dict(self.test_settings,
ASAP_SUBJECT_SHOULD_MATCH_ISSUER=False)):
response = self.client.get(
reverse('subject_does_need_to_match_issuer'),
HTTP_AUTHORIZATION=b'Bearer ' + token)
self.assertContains(
response,
'Unauthorized: Subject and Issuer do not match',
status_code=401)
def check_response(self,
view_name,
response_content='',
status_code=200,
issuer='client-app',
audience='server-app',
key_id='client-app/key01',
subject=None,
private_key=None,
token=None,
authorization=None,
retriever_key=None):
if authorization is None:
if token is None:
if private_key is None:
private_key = self._private_key_pem
token = create_token(issuer=issuer,
audience=audience,
key_id=key_id,
private_key=private_key,
subject=subject)
authorization = b'Bearer ' + token
test_settings = self.test_settings.copy()
if retriever_key is not None:
retriever = get_static_retriever_class(
{retriever_key: self._public_key_pem})
test_settings['ASAP_KEY_RETRIEVER_CLASS'] = retriever
with override_settings(**test_settings):
response = self.client.get(reverse(view_name),
HTTP_AUTHORIZATION=authorization)
self.assertContains(response,
response_content,
status_code=status_code)
def test_request_with_valid_token_is_allowed(self):
token = create_token(
'client-app', 'server-app',
'client-app/key01', self._private_key_pem
)
self.assertEqual(self.send_request(token).status_code, 200)
def test_request_with_invalid_audience_is_rejected(self):
token = create_token(
'client-app', 'invalid-audience',
'client-app/key01', self._private_key_pem
)
self.assertEqual(self.send_request(token).status_code, 401)
