def test_auth_req_fake_tenantadm_tenant_suspended(self, management_api,
device_api,
tenant_foobar,
clean_migrated_db):
d = Device()
da = DevAuthorizer(tenant_token=tenant_foobar)
url = device_api.auth_requests_url
handlers = [
('POST', '/api/internal/v1/tenantadm/tenants/verify', lambda _:
(401, {}, {
'request_id': 'test',
'error': 'account suspended'
})),
]
with mockserver.run_fake(get_fake_tenantadm_addr(),
handlers=handlers) as fake:
rsp = device_auth_req(url, da, d)
assert rsp.status_code == 401
assert rsp.json()['error'] == 'account suspended'
# request failed, so device should not even be listed as known for the
# default tenant
TestEnterprise.verify_tenant_dev_present(management_api,
d.identity,
'',
present=False)
def test_auth_req_fake_tenantadm_valid_tenant_token(
self, management_api, device_api, tenant_foobar):
d = Device()
da = DevAuthorizer(tenant_token=tenant_foobar)
url = device_api.auth_requests_url
handlers = [
('POST', '/api/internal/v1/tenantadm/tenants/verify', lambda _:
(200, {}, {
'id': '507f191e810c19729de860ea',
'name': 'Acme',
})),
]
try:
with orchestrator.run_fake_for_device_id(1) as server:
with mockserver.run_fake(get_fake_tenantadm_addr(),
handlers=handlers) as fake:
rsp = device_auth_req(url, da, d)
assert rsp.status_code == 401
except bravado.exception.HTTPError as e:
assert e.response.status_code == 204
# device should be appear in devices listing
TestEnterprise.verify_tenant_dev_present(management_api,
d.identity,
tenant_foobar,
present=True)
def tenantadm_fake_tenant_verify():
handlers = [
('POST', '/api/internal/v1/tenantadm/tenants/verify', lambda _:
(200, {}, '')),
]
with mockserver.run_fake(get_fake_tenantadm_addr(),
handlers=handlers) as fake:
yield fake
def init_service_mocks(
self,
wflows_rsp_q: asyncio.Queue = None,
tadm_rsp_q: asyncio.Queue = None,
) -> mockserver.MockServer:
# Very simple tornado request handler for tenantadm and workflows that
# generates responses from items pushed onto an asyncio.Queue object,
# the object can either be a callable or a 3-tuple with (code, header,
# body). Callables are passed 'self' (RequestHandler) as argument.
class RequestHandler(tornado.web.RequestHandler):
def initialize(self, rsp_q):
self.rsp_q = rsp_q
def prepare(self):
rsp = self.rsp_q.get_nowait()
if callable(rsp):
rsp(self)
else:
(status, hdr, body) = rsp
self.set_status(status)
for key, val in hdr.items():
self.add_header(key, val)
if body:
self.write(body)
self.finish()
with mockserver.run_fake(get_fake_tenantadm_addr()) as tadm:
tadm.app.add_handlers(
r".*",
[(
r".*",
RequestHandler,
{
"rsp_q": tadm_rsp_q
},
)],
)
with mockserver.run_fake(get_fake_workflows_addr()) as wflows:
wflows.app.add_handlers(
r".*",
[(
r".*",
RequestHandler,
{
"rsp_q": wflows_rsp_q
},
)],
)
yield tadm, wflows
def request_token(device, dev_auth, url):
handlers = [
('POST', '/api/internal/v1/tenantadm/tenants/verify', lambda _:
(200, {}, {
'id': '507f191e810c19729de860ea',
'name': 'Acme',
})),
]
with mockserver.run_fake(get_fake_tenantadm_addr(),
handlers=handlers) as fake:
rsp = device_auth_req(url, dev_auth, device)
assert rsp.status_code == 200
dev_auth.parse_rsp_payload(device, rsp.text)
return device.token
def mock_tenantadm_auth(tenant_addons):
def tenantadm_handler(req):
auth = req.headers["Authorization"]
# jwt = <header (base64)>.<claims (base64)>.<signature (base64)>
jwt_b64 = auth.split(".")
if len(jwt_b64) > 1:
print(jwt_b64)
# Convert base64 from url- to std-encoding and append padding
claims_b64 = jwt_b64[1].replace("+", "-").replace("?", "_")
# Add padding
claims_b64 += "=" * (-len(claims_b64) % 4)
# Decode claims
claims = base64.b64decode(claims_b64)
d = json.loads(claims)
tenant_id = d["mender.tenant"]
return (
200,
{},
{
"id":
tenant_id,
"name":
"Acme",
"addons": [{
"name": addon,
"enabled": True
} for addon in tenant_addons],
},
)
else:
return (500, {}, {})
with mockserver.run_fake(
get_fake_tenantadm_addr(),
handlers=[("POST", "/api/internal/v1/tenantadm/tenants/verify",
tenantadm_handler)],
) as srv:
yield srv
def test_auth_req_fake_tenantadm_valid_tenant_token(
self, management_api, device_api, tenant_foobar):
d = Device()
da = DevAuthorizer(tenant_token=tenant_foobar)
url = device_api.auth_requests_url
handlers = [
('POST', '/api/internal/v1/tenantadm/tenants/verify', lambda _:
(200, {}, {
'id': '507f191e810c19729de860ea',
'name': 'Acme',
})),
]
with mockserver.run_fake(get_fake_tenantadm_addr(),
handlers=handlers) as fake:
rsp = device_auth_req(url, da, d)
assert rsp.status_code == 401
# device should be appear in devices listing
TestMultiTenant.verify_tenant_dev_present(management_api,
d.identity,
tenant_foobar,
present=True)
def test_auth_req_fake_tenantadm_invalid_tenant_token(
self, management_api, device_api, clean_migrated_db):
d = Device()
da = DevAuthorizer(tenant_token="bad-token")
url = device_api.auth_requests_url
handlers = [
('POST', '/api/internal/v1/tenantadm/tenants/verify', lambda _:
(401, {}, {
'request_id': 'test',
'error': 'ignoreme'
})),
]
with mockserver.run_fake(get_fake_tenantadm_addr(),
handlers=handlers) as fake:
rsp = device_auth_req(url, da, d)
assert rsp.status_code == 401
# request failed, so device should not even be listed as known for the
# default tenant
TestMultiTenant.verify_tenant_dev_present(management_api,
d.identity,
'',
present=False)
def accepted_tenants_devices(device_api, management_api, clean_migrated_db,
cli, request):
"""Fixture that sets up an accepted devices for tenants. The fixture can
be parametrized with a tenants, number of devices and number of authentication sets.
Yields a dict:
[tenant ID: [device object, ...], ]"""
requested = request.param
tenants_devices = dict()
url = device_api.auth_requests_url
for (tenant, dev_count, auth_count) in requested:
tenant_devices = []
cli.migrate(tenant=tenant)
tenant_token = make_fake_tenant_token(tenant)
for _ in range(int(dev_count)):
d = Device()
for i in range(int(auth_count)):
d.rotate_key()
da = DevAuthorizer(tenant_token=tenant_token)
# poke devauth so that device appears
handlers = [
(
"POST",
"/api/internal/v1/tenantadm/tenants/verify",
lambda _: (
200,
{},
{
"id": "507f191e810c19729de860ea",
"name": "Acme",
},
),
),
]
try:
with orchestrator.run_fake_for_device_id(1) as server:
with mockserver.run_fake(get_fake_tenantadm_addr(),
handlers=handlers) as fake:
rsp = device_auth_req(url, da, d)
assert rsp.status_code == 401
except bravado.exception.HTTPError as e:
assert e.response.status_code == 204
# try to find our devices in all devices listing
dev = management_api.find_device_by_identity(
d.identity, Authorization="Bearer " + tenant_token)
devid = dev.id
for a in dev.auth_sets:
if compare_keys(a.pubkey, d.public_key):
aid = a.id
break
try:
with orchestrator.run_fake_for_device_id(devid) as server:
management_api.accept_device(devid,
aid,
Authorization="Bearer " +
tenant_token)
token = request_token(d, da,
device_api.auth_requests_url)
assert len(token) > 0
except bravado.exception.HTTPError as e:
assert e.response.status_code == 204
assert dev
tenant_devices.append(d)
tenants_devices[tenant] = tenant_devices
yield tenants_devices
