def test_security():
"""
GIVEN sub
WHEN credentials are created, the secret key hash is calculated, the secret key is
retrieved and the secret key hash is compared with itself
THEN the secret key hash of the credentials is returned, the secret key of the
credentials is returned and True is returned.
"""
sub = "sub 1"
credentials = package_security.create(sub=sub)
assert credentials.public_key is not None
assert credentials.secret_key is not None
assert credentials.secret_key_hash is not None
assert credentials.salt is not None
returned_secret_key_hash = package_security.calculate_secret_key_hash(
secret_key=credentials.secret_key, salt=credentials.salt)
assert returned_secret_key_hash == credentials.secret_key_hash
returned_secret_key = package_security.retrieve_secret_key(
sub=sub, salt=credentials.salt)
assert returned_secret_key == credentials.secret_key
assert (package_security.compare_secret_key_hashes(
left=credentials.secret_key_hash, right=credentials.secret_key_hash) is
True)
def test_main_install(_clean_credentials_table):
"""
GIVEN install event
WHEN main is called with the event
THEN a install response is returned.
"""
secret_key = "secret key 1"
salt = b"salt 1"
secret_key_hash = package_security.calculate_secret_key_hash(
secret_key=secret_key, salt=salt)
credentials = factory.CredentialsFactory(secret_key_hash=secret_key_hash,
salt=salt)
credentials.save()
token = base64.b64encode(
f"{credentials.public_key}:{secret_key}".encode()).decode()
authorization_value = f"Basic {token}"
spec_id = "spec 1"
version = "version 1"
uri = f"/{spec_id}/{spec_id}-{version}.tar.gz"
request = {
"headers": {
"authorization": [{
"key": "Authorization",
"value": authorization_value
}]
},
"uri": uri,
}
event = {"Records": [{"cf": {"request": copy.deepcopy(request)}}]}
returned_response = app.main(event, None)
assert returned_response == {**request, "uri": f"/{credentials.sub}{uri}"}
def test_calculate_secret_key_hash():
"""
GIVEN credentials
WHEN calculate_secret_key_hash is called with the sub and salt from the credentials
THEN the returned secret is equal to the secret of the credentials.
"""
sub = "sub 1"
credentials = package_security.create(sub=sub)
returned_secret_key_hash = package_security.calculate_secret_key_hash(
secret_key=credentials.secret_key, salt=credentials.salt
)
assert returned_secret_key_hash == credentials.secret_key_hash
def test_main_list(_clean_credentials_table, _clean_specs_table):
"""
GIVEN list event and database with the spec
WHEN main is called with the event
THEN a list response is returned.
"""
secret_key = "secret key 1"
salt = b"salt 1"
secret_key_hash = package_security.calculate_secret_key_hash(
secret_key=secret_key, salt=salt)
credentials = factory.CredentialsFactory(secret_key_hash=secret_key_hash,
salt=salt)
credentials.save()
token = base64.b64encode(
f"{credentials.public_key}:{secret_key}".encode()).decode()
authorization_value = f"Basic {token}"
spec_id = "spec 1"
version = "version 1"
uri = f"/{spec_id}/"
package_database.get().create_update_spec(sub=credentials.sub,
name=spec_id,
version=version,
model_count=1)
request = {
"headers": {
"authorization": [{
"key": "Authorization",
"value": authorization_value
}]
},
"uri": uri,
}
event = {"Records": [{"cf": {"request": copy.deepcopy(request)}}]}
returned_response = app.main(event, None)
assert returned_response["status"] == "200"
assert returned_response["statusDescription"] == "OK"
assert returned_response["headers"]["cache-control"][0][
"value"] == "max-age=0"
assert returned_response["headers"]["content-type"][0][
"value"] == "text/html"
assert spec_id in returned_response["body"]
assert version in returned_response["body"]
assert credentials.public_key in returned_response["body"]
assert secret_key in returned_response["body"]
def test_authorize_user():
"""
GIVEN valid authorization
WHEN authorize_user is called
THEN UnauthorizedError is not raised.
"""
secret_key = "secret key 1"
salt = b"salt 1"
secret_key_hash = package_security.calculate_secret_key_hash(
secret_key=secret_key, salt=salt
)
authorization = types.TAuthorization(
public_key="public key 1", secret_key=secret_key
)
auth_info = types.CredentialsAuthInfo(
sub="sub 1", secret_key_hash=secret_key_hash, salt=salt
)
library.authorize_user(authorization=authorization, auth_info=auth_info)
def test_process(_clean_credentials_table):
"""
GIVEN valid authorization value
WHEN process is called
THEN UnauthorizedError is not raised.
"""
secret_key = "secret key 1"
salt = b"salt 1"
secret_key_hash = package_security.calculate_secret_key_hash(
secret_key=secret_key, salt=salt
)
spec_id = "spec 1"
version = "version 1"
uri = f"/{spec_id}/{spec_id}-{version}.tar.gz"
credentials = factory.CredentialsFactory(secret_key_hash=secret_key_hash, salt=salt)
credentials.save()
token = base64.b64encode(f"{credentials.public_key}:{secret_key}".encode()).decode()
authorization_value = f"Basic {token}"
library.process(uri=uri, authorization_value=authorization_value)
def test_main_list_not_found(_clean_credentials_table, _clean_specs_table):
"""
GIVEN list event and empty database
WHEN main is called with the event
THEN 404 is returned.
"""
secret_key = "secret key 1"
salt = b"salt 1"
secret_key_hash = package_security.calculate_secret_key_hash(
secret_key=secret_key, salt=salt)
credentials = factory.CredentialsFactory(secret_key_hash=secret_key_hash,
salt=salt)
credentials.save()
token = base64.b64encode(
f"{credentials.public_key}:{secret_key}".encode()).decode()
authorization_value = f"Basic {token}"
spec_id = "spec 1"
uri = f"/{spec_id}/"
request = {
"headers": {
"authorization": [{
"key": "Authorization",
"value": authorization_value
}]
},
"uri": uri,
}
event = {"Records": [{"cf": {"request": copy.deepcopy(request)}}]}
returned_response = app.main(event, None)
assert returned_response["status"] == "404"
assert returned_response["statusDescription"] == "NOT FOUND"
assert returned_response["headers"]["cache-control"][0][
"value"] == "max-age=0"
assert returned_response["headers"]["content-type"][0][
"value"] == "text/plain"
assert spec_id in returned_response["body"]
def authorize_user(
*,
authorization: types.TAuthorization,
auth_info: types.CredentialsAuthInfo,
) -> None:
"""
Check that the secret key that was submitted matches the stored secret key.
Raises UnauthorizedError is the secret key is not valid.
Args:
authorization: The authorization for the request.
auth_info: Authorization information about the user.
"""
secret_key_hash = package_security.calculate_secret_key_hash(
secret_key=authorization.secret_key, salt=auth_info.salt
)
if not package_security.compare_secret_key_hashes(
left=secret_key_hash, right=auth_info.secret_key_hash
):
raise exceptions.UnauthorizedError(
"the hash of the secret key from the request does not match the stored hash"
)