def test_request_subject_and_issue_not_matching(self): token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem, subject='different' ) self.assertEqual(self.send_request(token).status_code, 401)
def test_request_with_string_headers_is_allowed(self): token = create_token(issuer='client-app', audience='server-app', key_id='client-app/key01', private_key=self._private_key_pem) str_auth = 'Bearer ' + token.decode(encoding='iso-8859-1') self.check_response('needed', 'one', 200, authorization=str_auth)
def _assert_request_with_duplicate_jti_is_accepted(self): token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem ) self.assertEqual(self.send_request(token).status_code, 200) self.assertEqual(self.send_request(token).status_code, 200)
def test_decorated_request_with_invalid_issuer_is_rejected(self): # Try with a different audience with a valid signature token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem ) url = '/restricted-to-another-client/' self.assertEqual(self.send_request(token, url=url).status_code, 403)
def test_request_with_duplicate_jti_is_rejected_as_per_setting(self): self.app.config['ASAP_CHECK_JTI_UNIQUENESS'] = True token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem ) self.assertEqual(self.send_request(token).status_code, 200) self.assertEqual(self.send_request(token).status_code, 401)
def test_request_with_valid_token_is_allowed(self): token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem ) body, resp_info, environ = self.send_request(token=token) self.assertEqual(resp_info['status'], '200 OK') self.assertIn('ATL_ASAP_CLAIMS', environ)
def test_request_subject_does_not_need_to_match_issuer_from_settings(self): self.app.config['ASAP_SUBJECT_SHOULD_MATCH_ISSUER'] = False token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem, subject='different' ) self.assertEqual(self.send_request(token).status_code, 200)
def test_request_with_invalid_audience_is_rejected(self): token = create_token( 'client-app', 'invalid-audience', 'client-app/key01', self._private_key_pem ) body, resp_info, environ = self.send_request(token=token) self.assertEqual(resp_info['status'], '401 Unauthorized') self.assertNotIn('ATL_ASAP_CLAIMS', environ)
def test_request_subject_and_issue_not_matching(self): token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem, subject='different' ) body, resp_info, environ = self.send_request(token=token) self.assertEqual(resp_info['status'], '401 Unauthorized') self.assertNotIn('ATL_ASAP_CLAIMS', environ)
def test_request_with_valid_token_is_allowed(self): token = create_token(issuer='client-app', audience='server-app', key_id='client-app/key01', private_key=self._private_key_pem) with override_settings(**self.test_settings): response = self.client.get(reverse('expected'), HTTP_AUTHORIZATION=b'Bearer ' + token) self.assertContains(response, 'Greatest Success!', status_code=200)
def test_request_subject_does_not_need_to_match_issuer_from_settings(self): self.config['ASAP_SUBJECT_SHOULD_MATCH_ISSUER'] = False token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem, subject='different' ) body, resp_info, environ = self.send_request(token=token) self.assertEqual(resp_info['status'], '200 OK') self.assertIn('ATL_ASAP_CLAIMS', environ)
def test_request_using_settings_only_is_allowed(self): token = create_token(issuer='client-app', audience='server-app', key_id='client-app/key01', private_key=self._private_key_pem) with override_settings(**self.test_settings): response = self.client.get(reverse('settings'), HTTP_AUTHORIZATION=b'Bearer ' + token) self.assertContains(response, 'Any settings issuer is allowed.')
def test_request_decorated_issuer_is_allowed(self): retriever = get_static_retriever_class( {'whitelist/key01': self._public_key_pem}) token = create_token(issuer='whitelist', audience='server-app', key_id='whitelist/key01', private_key=self._private_key_pem) with override_settings(ASAP_KEY_RETRIEVER_CLASS=retriever): response = self.client.get(reverse('decorated'), HTTP_AUTHORIZATION=b'Bearer ' + token) self.assertContains(response, 'Only the right issuer is allowed.')
def test_request_with_invalid_audience_is_rejected(self): token = create_token(issuer='client-app', audience='something-invalid', key_id='client-app/key01', private_key=self._private_key_pem) with override_settings(**self.test_settings): response = self.client.get(reverse('expected'), HTTP_AUTHORIZATION=b'Bearer ' + token) self.assertContains(response, 'Unauthorized: Invalid token', status_code=401)
def test_request_with_string_headers_is_allowed(self): token = create_token(issuer='client-app', audience='server-app', key_id='client-app/key01', private_key=self._private_key_pem) str_token = token.decode(encoding='iso-8859-1') with override_settings(**self.test_settings): response = self.client.get(reverse('expected'), HTTP_AUTHORIZATION='Bearer ' + str_token) self.assertContains(response, 'Greatest Success!', status_code=200)
def test_request_non_decorated_issuer_is_rejected(self): token = create_token(issuer='client-app', audience='server-app', key_id='client-app/key01', private_key=self._private_key_pem) with override_settings(**self.test_settings): response = self.client.get(reverse('decorated'), HTTP_AUTHORIZATION=b'Bearer ' + token) self.assertContains(response, 'Forbidden: Invalid token issuer', status_code=403)
def test_request_with_invalid_issuer_is_rejected(self): # Try with a different audience with a valid signature self.app.config['ASAP_KEY_RETRIEVER_CLASS'] = ( get_static_retriever_class({ 'another-client/key01': self._public_key_pem }) ) token = create_token( 'another-client', 'server-app', 'another-client/key01', self._private_key_pem ) self.assertEqual(self.send_request(token).status_code, 403)
def test_request_with_duplicate_jti_is_rejected_as_per_setting(self): self.test_settings['ASAP_CHECK_JTI_UNIQUENESS'] = True token = create_token(issuer='client-app', audience='server-app', key_id='client-app/key01', private_key=self._private_key_pem) str_auth = 'Bearer ' + token.decode(encoding='iso-8859-1') self.check_response('needed', 'one', 200, authorization=str_auth) self.check_response('needed', 'duplicate jti', 401, authorization=str_auth)
def _assert_request_with_duplicate_jti_is_accepted(self): token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem ) application = self.get_app_with_middleware(self.config) body, resp_info, environ = self.send_request( token=token, application=application) self.assertEqual(resp_info['status'], '200 OK') body, resp_info, environ = self.send_request( token=token, application=application) self.assertEqual(resp_info['status'], '200 OK')
def test_request_with_duplicate_jti_is_rejected_as_per_setting(self): self.config['ASAP_CHECK_JTI_UNIQUENESS'] = True token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem ) application = self.get_app_with_middleware(self.config) body, resp_info, environ = self.send_request( token=token, application=application) self.assertEqual(resp_info['status'], '200 OK') body, resp_info, environ = self.send_request( token=token, application=application) self.assertEqual(resp_info['status'], '401 Unauthorized')
def test_request_with_invalid_issuer_is_rejected(self): retriever = get_static_retriever_class( {'something-invalid/key01': self._public_key_pem}) token = create_token(issuer='something-invalid', audience='server-app', key_id='something-invalid/key01', private_key=self._private_key_pem) with override_settings(ASAP_KEY_RETRIEVER_CLASS=retriever): response = self.client.get(reverse('expected'), HTTP_AUTHORIZATION=b'Bearer ' + token) self.assertContains(response, 'Forbidden: Invalid token issuer', status_code=403)
def test_request_subject_does_not_need_to_match_issuer(self): token = create_token( issuer='client-app', audience='server-app', key_id='client-app/key01', private_key=self._private_key_pem, subject='not-client-app', ) with override_settings(**self.test_settings): response = self.client.get( reverse('subject_does_not_need_to_match_issuer'), HTTP_AUTHORIZATION=b'Bearer ' + token) self.assertContains(response, 'Subject does not need to match issuer.')
def test_request_subject_does_need_to_match_issuer_override_settings(self): """ tests that the with_asap decorator can override the ASAP_SUBJECT_SHOULD_MATCH_ISSUER setting. """ token = create_token( issuer='client-app', audience='server-app', key_id='client-app/key01', private_key=self._private_key_pem, subject='not-client-app', ) with override_settings(**dict(self.test_settings, ASAP_SUBJECT_SHOULD_MATCH_ISSUER=False)): response = self.client.get( reverse('subject_does_need_to_match_issuer'), HTTP_AUTHORIZATION=b'Bearer ' + token) self.assertContains( response, 'Unauthorized: Subject and Issuer do not match', status_code=401)
def check_response(self, view_name, response_content='', status_code=200, issuer='client-app', audience='server-app', key_id='client-app/key01', subject=None, private_key=None, token=None, authorization=None, retriever_key=None): if authorization is None: if token is None: if private_key is None: private_key = self._private_key_pem token = create_token(issuer=issuer, audience=audience, key_id=key_id, private_key=private_key, subject=subject) authorization = b'Bearer ' + token test_settings = self.test_settings.copy() if retriever_key is not None: retriever = get_static_retriever_class( {retriever_key: self._public_key_pem}) test_settings['ASAP_KEY_RETRIEVER_CLASS'] = retriever with override_settings(**test_settings): response = self.client.get(reverse(view_name), HTTP_AUTHORIZATION=authorization) self.assertContains(response, response_content, status_code=status_code)
def test_request_with_valid_token_is_allowed(self): token = create_token( 'client-app', 'server-app', 'client-app/key01', self._private_key_pem ) self.assertEqual(self.send_request(token).status_code, 200)
def test_request_with_invalid_audience_is_rejected(self): token = create_token( 'client-app', 'invalid-audience', 'client-app/key01', self._private_key_pem ) self.assertEqual(self.send_request(token).status_code, 401)