Пример #1
 def test_does_authorize_valid_requests(
         self, demo_app_auth, lambda_context_args, create_event):
     """A request whose authorization header is 'allow' is authorized.

     The event returned by authorize() must carry the authorizer result
     under requestContext, with principalId equal to 'user'.
     """
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/index'
     request = create_event(route, 'GET', {})
     headers = request['headers']
     headers['authorization'] = 'allow'
     lambda_ctx = LambdaContext(*lambda_context_args)
     authorized_event, _ = gateway.authorize(route, request, lambda_ctx)
     # The identity the route handler would see comes from the authorizer
     # context attached to the event, not from the raw header.
     authorizer_ctx = authorized_event['requestContext']['authorizer']
     assert authorizer_ctx['principalId'] == 'user'
Пример #2
 def test_does_raise_not_authorized_error(
         self, demo_app_auth, lambda_context_args, create_event):
     """A request with no authorization header set is rejected.

     The test never adds an authorization header to the event, and
     authorize() must answer with NotAuthorizedError instead of
     returning an event.
     """
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/index'
     request = create_event(route, 'GET', {})
     lambda_ctx = LambdaContext(*lambda_context_args)
     # Deny by default: absence of credentials must never fall through
     # to the view.
     with pytest.raises(NotAuthorizedError):
         gateway.authorize(route, request, lambda_ctx)
Пример #3
 def test_does_authorize_valid_requests(
         self, demo_app_auth, lambda_context_args, create_event):
     """A request whose authorization header is 'allow' is authorized.

     The event returned by authorize() must carry the authorizer result
     under requestContext, with principalId equal to 'user'.
     """
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/index'
     request = create_event(route, 'GET', {})
     headers = request['headers']
     headers['authorization'] = 'allow'
     lambda_ctx = LambdaContext(*lambda_context_args)
     authorized_event, _ = gateway.authorize(route, request, lambda_ctx)
     # The identity the route handler would see comes from the authorizer
     # context attached to the event, not from the raw header.
     authorizer_ctx = authorized_event['requestContext']['authorizer']
     assert authorizer_ctx['principalId'] == 'user'
Пример #4
 def test_does_raise_not_authorized_error(
         self, demo_app_auth, lambda_context_args, create_event):
     """A request with no authorization header set is rejected.

     The test never adds an authorization header to the event, and
     authorize() must answer with NotAuthorizedError instead of
     returning an event.
     """
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/index'
     request = create_event(route, 'GET', {})
     lambda_ctx = LambdaContext(*lambda_context_args)
     # Deny by default: absence of credentials must never fall through
     # to the view.
     with pytest.raises(NotAuthorizedError):
         gateway.authorize(route, request, lambda_ctx)
Пример #5
 def test_can_understand_explicit_auth_policy(
         self, demo_app_auth, lambda_context_args, create_event):
     """The '/explicit' route authorizes a request carrying 'allow'.

     Judging by the test name, the authorizer behind this route hands
     back an explicit policy rather than an auto-generated one; the
     observable result must still be principalId 'user'.
     """
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/explicit'
     request = create_event(route, 'GET', {})
     headers = request['headers']
     headers['authorization'] = 'allow'
     lambda_ctx = LambdaContext(*lambda_context_args)
     authorized_event, _ = gateway.authorize(route, request, lambda_ctx)
     authorizer_ctx = authorized_event['requestContext']['authorizer']
     assert authorizer_ctx['principalId'] == 'user'
Пример #6
 def test_cannot_access_view_without_permission(
         self, demo_app_auth, lambda_context_args, create_event):
     """A request carrying 'allow' is still refused on '/secret'.

     authorize() must raise ForbiddenError here: presenting a token is
     not sufficient when the resulting policy grants no access to the
     requested route.
     """
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/secret'
     request = create_event(route, 'GET', {})
     headers = request['headers']
     headers['authorization'] = 'allow'
     lambda_ctx = LambdaContext(*lambda_context_args)
     # Authentication succeeded, authorization did not: the error type
     # is ForbiddenError, not NotAuthorizedError.
     with pytest.raises(ForbiddenError):
         gateway.authorize(route, request, lambda_ctx)
Пример #7
 def test_cannot_access_view_without_permission(
         self, demo_app_auth, lambda_context_args, create_event):
     """A request carrying 'allow' is still refused on '/secret'.

     authorize() must raise ForbiddenError here: presenting a token is
     not sufficient when the resulting policy grants no access to the
     requested route.
     """
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/secret'
     request = create_event(route, 'GET', {})
     headers = request['headers']
     headers['authorization'] = 'allow'
     lambda_ctx = LambdaContext(*lambda_context_args)
     # Authentication succeeded, authorization did not: the error type
     # is ForbiddenError, not NotAuthorizedError.
     with pytest.raises(ForbiddenError):
         gateway.authorize(route, request, lambda_ctx)
Пример #8
 def test_can_understand_explicit_auth_policy(
         self, demo_app_auth, lambda_context_args, create_event):
     """The '/explicit' route authorizes a request carrying 'allow'.

     Judging by the test name, the authorizer behind this route hands
     back an explicit policy rather than an auto-generated one; the
     observable result must still be principalId 'user'.
     """
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/explicit'
     request = create_event(route, 'GET', {})
     headers = request['headers']
     headers['authorization'] = 'allow'
     lambda_ctx = LambdaContext(*lambda_context_args)
     authorized_event, _ = gateway.authorize(route, request, lambda_ctx)
     authorizer_ctx = authorized_event['requestContext']['authorizer']
     assert authorizer_ctx['principalId'] == 'user'
Пример #9
 def test_can_authorize_empty_path(
         self, lambda_context_args, demo_app_auth, create_event):
     """The root route '/' authorizes a request carrying 'allow'."""
     # '/' is a special case: API Gateway ARN generation appends an extra
     # '/' to the end of the ARN, so the policy check has to cope with
     # that form. A mismatch here would show up as a wrong allow/deny
     # decision for the root route only.
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/'
     request = create_event(route, 'GET', {})
     headers = request['headers']
     headers['authorization'] = 'allow'
     lambda_ctx = LambdaContext(*lambda_context_args)
     authorized_event, _ = gateway.authorize(route, request, lambda_ctx)
     authorizer_ctx = authorized_event['requestContext']['authorizer']
     assert authorizer_ctx['principalId'] == 'user'
Пример #10
 def test_can_authorize_empty_path(
         self, lambda_context_args, demo_app_auth, create_event):
     """The root route '/' authorizes a request carrying 'allow'."""
     # '/' is a special case: API Gateway ARN generation appends an extra
     # '/' to the end of the ARN, so the policy check has to cope with
     # that form. A mismatch here would show up as a wrong allow/deny
     # decision for the root route only.
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/'
     request = create_event(route, 'GET', {})
     headers = request['headers']
     headers['authorization'] = 'allow'
     lambda_ctx = LambdaContext(*lambda_context_args)
     authorized_event, _ = gateway.authorize(route, request, lambda_ctx)
     authorizer_ctx = authorized_event['requestContext']['authorizer']
     assert authorizer_ctx['principalId'] == 'user'
Пример #11
 def test_can_understand_cognito_token(
         self, lambda_context_args, demo_app_auth, create_event):
     """The principal for '/cognito' is taken from the token's claims.

     The authorization header is a static sample JWT (header alg HS256)
     whose payload contains "cognito:username": "janedoe"; the test
     expects that value back as principalId.
     """
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/cognito'
     request = create_event(route, 'GET', {})
     # NOTE(review): no key is supplied anywhere in this test and the
     # token's exp claim is a fixed timestamp (1584723616), so the local
     # authorizer presumably reads the claims without verifying the
     # signature or expiry -- confirm. If so, the principalId asserted
     # below is caller-controlled in local mode.
     sample_jwt = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYWFhYWFhYS1iYmJiLWNjY2MtZGRkZC1lZWVlZWVlZWVlZWUiLCJhdWQiOiJ4eHh4eHh4eHh4eHhleGFtcGxlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNTAwMDA5NDAwLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3VzLWVhc3QtMV9leGFtcGxlIiwiY29nbml0bzp1c2VybmFtZSI6ImphbmVkb2UiLCJleHAiOjE1ODQ3MjM2MTYsImdpdmVuX25hbWUiOiJKYW5lIiwiaWF0IjoxNTAwMDA5NDAwLCJlbWFpbCI6ImphbmVkb2VAZXhhbXBsZS5jb20iLCJqdGkiOiJkN2UxMTMzYS0xZTNhLTQyMzEtYWU3Yi0yOGQ4NWVlMGIxNGQifQ.p35Yj9KJD5RbfPWGL08IJHgson8BhdGLPQqUOiF0-KM"  # noqa
     request['headers']['authorization'] = sample_jwt
     lambda_ctx = LambdaContext(*lambda_context_args)
     authorized_event, _ = gateway.authorize(route, request, lambda_ctx)
     authorizer_ctx = authorized_event['requestContext']['authorizer']
     assert authorizer_ctx['principalId'] == 'janedoe'
Пример #12
 def test_can_understand_explicit_deny_policy(
         self, demo_app_auth, lambda_context_args, create_event):
     """An explicit Deny policy is treated like a missing Allow."""
     # Policies auto-generated from an AuthResponse object never contain
     # Deny clauses, but an authorizer may also return a dictionary that
     # is translated into a policy, and that dictionary can hold an
     # explicit Deny. The outcome must be exactly the same as when no
     # Allow permission was added.
     # NOTE(review): no authorization header is set on the event, so
     # confirm the request actually reaches the explicit Deny branch
     # rather than being rejected earlier for lacking a token.
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/explicit'
     request = create_event(route, 'GET', {})
     lambda_ctx = LambdaContext(*lambda_context_args)
     with pytest.raises(NotAuthorizedError):
         gateway.authorize(route, request, lambda_ctx)
Пример #13
 def test_can_understand_explicit_deny_policy(
         self, demo_app_auth, lambda_context_args, create_event):
     """An explicit Deny policy is treated like a missing Allow."""
     # Policies auto-generated from an AuthResponse object never contain
     # Deny clauses, but an authorizer may also return a dictionary that
     # is translated into a policy, and that dictionary can hold an
     # explicit Deny. The outcome must be exactly the same as when no
     # Allow permission was added.
     # NOTE(review): no authorization header is set on the event, so
     # confirm the request actually reaches the explicit Deny branch
     # rather than being rejected earlier for lacking a token.
     gateway = LocalGatewayAuthorizer(demo_app_auth)
     route = '/explicit'
     request = create_event(route, 'GET', {})
     lambda_ctx = LambdaContext(*lambda_context_args)
     with pytest.raises(NotAuthorizedError):
         gateway.authorize(route, request, lambda_ctx)
Пример #14
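 def test_does_authorize_unsupported_authorizer(self, demo_app_auth,
                                                lambda_context_args,
                                                create_event):
     """An IAM-protected route passes through in local mode with a warning.

     The request on '/iam' carries no credentials, yet authorize() must
     return the event and context unchanged. The only signal of the
     bypass is a single UserWarning, so the test pins both the count and
     the message text.
     """
     authorizer = LocalGatewayAuthorizer(demo_app_auth)
     path = '/iam'
     event = create_event(path, 'GET', {})
     context = LambdaContext(*lambda_context_args)
     # pytest.warns(None) was deprecated in pytest 7 and is no longer
     # accepted by pytest 8. Naming the category keeps the recorder and
     # also fails the test if no UserWarning is emitted at all.
     with pytest.warns(UserWarning) as recorded_warnings:
         new_event, new_context = authorizer.authorize(path, event, context)
     # Fail-open for local testing: nothing is added to or removed from
     # the request.
     assert event == new_event
     assert context == new_context
     # Exactly one warning, so the bypass is neither silent nor noisy.
     assert len(recorded_warnings) == 1
     warning = recorded_warnings[0]
     assert issubclass(warning.category, UserWarning)
     assert ('IAMAuthorizer is not a supported in local '
             'mode. All requests made against a route will be authorized'
             ' to allow local testing.') in str(warning.message)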
Пример #15
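 def test_does_authorize_unsupported_authorizer(self, demo_app_auth,
                                                lambda_context_args,
                                                create_event):
     """An IAM-protected route passes through in local mode with a warning.

     The request on '/iam' carries no credentials, yet authorize() must
     return the event and context unchanged. The only signal of the
     bypass is a single UserWarning, so the test pins both the count and
     the message text.
     """
     authorizer = LocalGatewayAuthorizer(demo_app_auth)
     path = '/iam'
     event = create_event(path, 'GET', {})
     context = LambdaContext(*lambda_context_args)
     # pytest.warns(None) was deprecated in pytest 7 and is no longer
     # accepted by pytest 8. Naming the category keeps the recorder and
     # also fails the test if no UserWarning is emitted at all.
     with pytest.warns(UserWarning) as recorded_warnings:
         new_event, new_context = authorizer.authorize(path, event, context)
     # Fail-open for local testing: nothing is added to or removed from
     # the request.
     assert event == new_event
     assert context == new_context
     # Exactly one warning, so the bypass is neither silent nor noisy.
     assert len(recorded_warnings) == 1
     warning = recorded_warnings[0]
     assert issubclass(warning.category, UserWarning)
     assert ('IAMAuthorizer is not a supported in local '
             'mode. All requests made against a route will be authorized'
             ' to allow local testing.') in str(warning.message)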
Пример #16
    def test_can_call_method_without_auth(
            self, lambda_context_args, create_event):
        """authorize() is a no-op for a route that declares no authorizer."""
        chalice_app = app.Chalice('app-name')

        @chalice_app.route('/index')
        def index_view():
            return {}

        route = '/index'
        gateway = LocalGatewayAuthorizer(chalice_app)
        event_in = create_event(route, 'GET', {})
        context_in = LambdaContext(*lambda_context_args)
        event_out, context_out = gateway.authorize(
            route, event_in, context_in)
        # With no authorizer attached to the route, authorize() has to hand
        # back the event and context it was given.
        # NOTE(review): if authorize() mutated the event in place and
        # returned the same object, these equalities would still hold;
        # comparing against a copy taken before the call would pin
        # "unchanged" more strictly.
        assert event_in == event_out
        assert context_in == context_out
Пример #17
    def test_can_call_method_without_auth(
            self, lambda_context_args, create_event):
        """authorize() is a no-op for a route that declares no authorizer."""
        chalice_app = app.Chalice('app-name')

        @chalice_app.route('/index')
        def index_view():
            return {}

        route = '/index'
        gateway = LocalGatewayAuthorizer(chalice_app)
        event_in = create_event(route, 'GET', {})
        context_in = LambdaContext(*lambda_context_args)
        event_out, context_out = gateway.authorize(
            route, event_in, context_in)
        # With no authorizer attached to the route, authorize() has to hand
        # back the event and context it was given.
        # NOTE(review): if authorize() mutated the event in place and
        # returned the same object, these equalities would still hold;
        # comparing against a copy taken before the call would pin
        # "unchanged" more strictly.
        assert event_in == event_out
        assert context_in == context_out
Пример #18
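 def test_does_authorize_unsupported_cognito_token(self,
                                                   lambda_context_args,
                                                   demo_app_auth,
                                                   create_event):
     """A Cognito token without a username claim passes through with a warning.

     The sample JWT below has no "cognito:username" claim in its payload.
     authorize() must return the event and context unchanged and emit
     exactly one UserWarning saying that machine-to-machine Cognito
     authorization is not supported in local mode.
     """
     authorizer = LocalGatewayAuthorizer(demo_app_auth)
     path = '/cognito'
     event = create_event(path, 'GET', {})
     event["headers"]["authorization"] = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYWFhYWFhYS1iYmJiLWNjY2MtZGRkZC1lZWVlZWVlZWVlZWUiLCJhdWQiOiJ4eHh4eHh4eHh4eHhleGFtcGxlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNTAwMDA5NDAwLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3VzLWVhc3QtMV9leGFtcGxlIiwiZXhwIjoxNTg0NzIzNjE2LCJnaXZlbl9uYW1lIjoiSmFuZSIsImlhdCI6MTUwMDAwOTQwMCwiZW1haWwiOiJqYW5lZG9lQGV4YW1wbGUuY29tIiwianRpIjoiZDdlMTEzM2EtMWUzYS00MjMxLWFlN2ItMjhkODVlZTBiMTRkIn0.SN5n-A3kxboNYg0sGIOipVUksCdn6xRJmAK9kSZof10"  # noqa
     context = LambdaContext(*lambda_context_args)
     # pytest.warns(None) was deprecated in pytest 7 and is no longer
     # accepted by pytest 8. Naming the category keeps the recorder and
     # also fails the test if no UserWarning is emitted at all.
     with pytest.warns(UserWarning) as recorded_warnings:
         new_event, new_context = authorizer.authorize(path, event, context)
     # Fail-open for local testing: the request is not rejected and no
     # authorizer context is attached to it.
     assert event == new_event
     assert context == new_context
     # Exactly one warning, so the bypass is neither silent nor noisy.
     assert len(recorded_warnings) == 1
     warning = recorded_warnings[0]
     assert issubclass(warning.category, UserWarning)
     # The literal (including its spelling) must match the emitted
     # message, so it is reproduced as-is.
     assert ('CognitoUserPoolAuthorizer for machine-to-machine '
             'communicaiton is not supported in local mode. All requests '
             'made against a route will be authorized to allow local '
             'testing.') in str(warning.message)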