def test_init_raises_for_invalid_signature(self, claims):
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, "wrong-secret", "test-audience")
assert exc.value.description == "Invalid grant token signature."
def test_init_raises_for_none_key(self, claims):
jwttok = jwt_token(claims)
with pytest.raises(InvalidClientError) as exc:
VerifiedJWTGrantToken(jwttok, None, "test-audience")
assert exc.value.description == "Client is invalid."
def test_init_raises_for_invalid_signature_algorithm(self, claims):
jwttok = jwt_token(claims, alg="HS512")
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
assert exc.value.description == "Invalid grant token signature algorithm."
def test_subject_returns_sub_claim(self, claims):
jwttok = jwt_token(claims)
grant_token = VerifiedJWTGrantToken(jwttok, "top-secret",
"test-audience")
assert grant_token.subject == "test-subject"
def test_init_raises_for_too_long_token_lifetime(self, claims):
claims["exp"] = epoch(delta=timedelta(minutes=15))
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
assert exc.value.description == "Grant token lifetime is too long."
def test_init_raises_for_nbf_claim_in_future(self, claims):
claims["nbf"] = epoch(delta=timedelta(minutes=2))
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
assert exc.value.description == "Grant token is not yet valid."
def test_init_raises_when_expired_with_leeway(self, claims):
claims["exp"] = epoch(delta=timedelta(minutes=-2))
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
assert exc.value.description == "Grant token is expired."
def test_init_raises_for_invalid_aud(self, claims):
claims["aud"] = "different-audience"
jwttok = jwt_token(claims)
with pytest.raises(InvalidJWTGrantTokenClaimError) as exc:
VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
assert exc.value.description == "Invalid claim 'aud' (audience) in grant token."
def test_init_raises_for_missing_claims(self, claims, claim, description):
del claims[claim]
jwttok = jwt_token(claims)
with pytest.raises(InvalidGrantError) as exc:
VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
assert (exc.value.description ==
f"Missing claim '{claim}' ({description}) from grant token.")
def test_init_raises_for_invalid_timestamp_types(self, claims, claim,
description):
claims[claim] = "wut"
jwttok = jwt_token(claims)
with pytest.raises(InvalidJWTGrantTokenClaimError) as exc:
VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
assert (exc.value.description ==
f"Invalid claim '{claim}' ({description}) in grant token.")
def test_subject_raises_for_empty_sub_claim(self, claims):
claims["sub"] = ""
jwttok = jwt_token(claims)
grant_token = VerifiedJWTGrantToken(jwttok, "top-secret",
"test-audience")
with pytest.raises(InvalidGrantError) as exc:
_ = grant_token.subject
assert (exc.value.description ==
"Missing claim 'sub' (subject) from grant token.")
def test_not_before_returns_nbf_claim(self, claims):
now = datetime.utcnow().replace(microsecond=0)
delta = timedelta(minutes=-2)
claims["nbf"] = epoch(timestamp=now, delta=delta)
jwttok = jwt_token(claims)
grant_token = VerifiedJWTGrantToken(jwttok, "top-secret",
"test-audience")
assert grant_token.not_before == (now + delta)
def test_init_returns_token_when_valid(self, claims):
jwttok = jwt_token(claims)
actual = VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")
assert isinstance(actual, VerifiedJWTGrantToken)
def test_init_returns_token_when_expired_but_in_leeway(self, claims):
claims["exp"] = epoch(delta=timedelta(seconds=-8))
jwttok = jwt_token(claims)
VerifiedJWTGrantToken(jwttok, "top-secret", "test-audience")