def test_credentials_which_cannot_be_encoded_in_unicode_work(self):
badCredentials = {
'accessToken': u"\U0001F4A9",
'clientId': u"\U0001F4A9",
}
with self.assertRaises(exc.TaskclusterAuthFailure):
subject.Auth({'credentials': badCredentials})
def test_invalid_unicode_permacred_simple(self):
"""Unicode strings that do not encode to ASCII in credentials cause issues"""
with self.assertRaises(exc.TaskclusterAuthFailure):
subject.Auth({
'credentials': {
'clientId': u"\U0001F4A9",
'accessToken': u"\U0001F4A9",
}
})
def test_credentials_which_cannot_be_encoded_in_unicode_work():
badCredentials = {
'accessToken': u"\U0001F4A9",
'clientId': u"\U0001F4A9",
}
with pytest.raises(exc.TaskclusterAuthFailure):
subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': badCredentials,
})
def test_invalid_unicode_permacred_simple():
"""Unicode strings that do not encode to ASCII in credentials cause issues"""
with pytest.raises(exc.TaskclusterAuthFailure):
subject.Auth({
'rootUrl': base.TEST_ROOT_URL,
'credentials': {
'clientId': u"\U0001F4A9",
'accessToken': u"\U0001F4A9",
}
})
def test_signed_url_bad_credentials(self):
client = subject.Auth({
'credentials': {
'clientId': 'tester',
'accessToken': 'wrong-secret',
}
})
signedUrl = client.buildSignedUrl('testAuthenticateGet')
response = requests.get(signedUrl)
with self.assertRaises(requests.exceptions.RequestException):
response.raise_for_status()
self.assertEqual(401, response.status_code)
def test_unicode_permacred_simple(self):
"""Unicode strings that encode to ASCII in credentials do not cause issues"""
client = subject.Auth({
'credentials': {
'clientId': u'tester',
'accessToken': u'no-secret',
}
})
result = client.testAuthenticate({
'clientScopes': ['test:a'],
'requiredScopes': ['test:a'],
})
self.assertEqual(result, {'scopes': ['test:a'], 'clientId': 'tester'})
def test_signed_url_bad_credentials():
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': {
'clientId': 'tester',
'accessToken': 'wrong-secret',
}
})
signedUrl = client.buildSignedUrl('testAuthenticateGet')
response = requests.get(signedUrl)
with pytest.raises(requests.exceptions.RequestException):
response.raise_for_status()
assert 401 == response.status_code
def test_permacred_insufficient_scopes():
"""A call with insufficient scopes results in an error"""
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': {
'clientId': 'tester',
'accessToken': 'no-secret',
}
})
with pytest.raises(exc.TaskclusterRestFailure):
client.testAuthenticate({
'clientScopes': ['test:*'],
'requiredScopes': ['something-more'],
})
def test_unicode_permacred_simple():
"""Unicode strings that encode to ASCII in credentials do not cause issues"""
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': {
'clientId': u'tester',
'accessToken': u'no-secret',
}
})
result = client.testAuthenticate({
'clientScopes': ['test:a'],
'requiredScopes': ['test:a'],
})
assert result == {'scopes': ['test:a'], 'clientId': 'tester'}
def test_permacred_simple_authorizedScopes():
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': {
'clientId': 'tester',
'accessToken': 'no-secret',
},
'authorizedScopes': ['test:a', 'test:b'],
})
result = client.testAuthenticate({
'clientScopes': ['test:*'],
'requiredScopes': ['test:a'],
})
assert result == {'scopes': ['test:a', 'test:b'], 'clientId': 'tester'}
def test_permacred_simple(self):
"""we can call methods which require authentication with valid
permacreds"""
client = subject.Auth({
'credentials': {
'clientId': 'tester',
'accessToken': 'no-secret',
}
})
result = client.testAuthenticate({
'clientScopes': ['test:a'],
'requiredScopes': ['test:a'],
})
self.assertEqual(result, {'scopes': ['test:a'], 'clientId': 'tester'})
def test_permacred_simple():
"""we can call methods which require authentication with valid
permacreds"""
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': {
'clientId': 'tester',
'accessToken': 'no-secret',
}
})
result = client.testAuthenticate({
'clientScopes': ['test:a'],
'requiredScopes': ['test:a'],
})
assert result == {'scopes': ['test:a'], 'clientId': 'tester'}
def test_permacred_insufficient_scopes(self):
"""A call with insufficient scopes results in an error"""
client = subject.Auth({
'credentials': {
'clientId': 'tester',
'accessToken': 'no-secret',
}
})
# TODO: this should be TaskclsuterAuthFailure; most likely the client
# is expecting AuthorizationFailure instead of AuthenticationFailure
with self.assertRaises(exc.TaskclusterRestFailure):
client.testAuthenticate({
'clientScopes': ['test:*'],
'requiredScopes': ['something-more'],
})
def test_signed_url_authorizedScopes(self):
client = subject.Auth({
'credentials': {
'clientId': 'tester',
'accessToken': 'no-secret',
},
'authorizedScopes': ['test:authenticate-get'],
})
signedUrl = client.buildSignedUrl('testAuthenticateGet')
response = requests.get(signedUrl)
response.raise_for_status()
response = response.json()
self.assertEqual(response, {
'scopes': ['test:authenticate-get'],
'clientId': 'tester',
})
def test_no_creds_needed():
"""we can call methods which require no scopes with an unauthenticated
client"""
# mock this request so we don't depend on the existence of a client
@httmock.all_requests
def auth_response(url, request):
assert urllib.parse.urlunsplit(url) == 'https://tc-tests.example.com/api/auth/v1/clients/abc'
assert not ('Authorization' in request.headers)
headers = {'content-type': 'application/json'}
content = {"clientId": "abc"}
return httmock.response(200, content, headers, None, 5, request)
with httmock.HTTMock(auth_response):
client = subject.Auth({"rootUrl": "https://tc-tests.example.com", "credentials": {}})
result = client.client('abc')
assert result == {"clientId": "abc"}
def test_permacred_simple_authorizedScopes(self):
client = subject.Auth({
'credentials': {
'clientId': 'tester',
'accessToken': 'no-secret',
},
'authorizedScopes': ['test:a', 'test:b'],
})
result = client.testAuthenticate({
'clientScopes': ['test:*'],
'requiredScopes': ['test:a'],
})
self.assertEqual(result, {
'scopes': ['test:a', 'test:b'],
'clientId': 'tester'
})
def test_no_creds_needed(self):
"""we can call methods which require no scopes with an unauthenticated
client"""
# mock this request so we don't depend on the existence of a client
@httmock.all_requests
def auth_response(url, request):
self.assertEqual(urllib.parse.urlunsplit(url),
'https://auth.taskcluster.net/v1/clients/abc')
self.failIf('Authorization' in request.headers)
headers = {'content-type': 'application/json'}
content = {"clientId": "abc"}
return httmock.response(200, content, headers, None, 5, request)
with httmock.HTTMock(auth_response):
client = subject.Auth({"credentials": {}})
result = client.client('abc')
self.assertEqual(result, {"clientId": "abc"})
def test_named_temporary_credentials():
tempCred = subject.createTemporaryCredentials(
'tester',
'no-secret',
datetime.datetime.utcnow(),
datetime.datetime.utcnow() + datetime.timedelta(hours=1), ['test:xyz'],
name='credName')
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': tempCred,
})
result = client.testAuthenticate({
'clientScopes': ['test:*', 'auth:create-client:credName'],
'requiredScopes': ['test:xyz'],
})
assert result == {'scopes': ['test:xyz'], 'clientId': 'credName'}
def test_signed_url_authorizedScopes():
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': {
'clientId': 'tester',
'accessToken': 'no-secret',
},
'authorizedScopes': ['test:authenticate-get'],
})
signedUrl = client.buildSignedUrl('testAuthenticateGet')
response = requests.get(signedUrl)
response.raise_for_status()
response = response.json()
assert response == {
'scopes': ['test:authenticate-get'],
'clientId': 'tester',
}
def test_signed_url():
"""we can use a signed url built with the python client"""
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': {
'clientId': 'tester',
'accessToken': 'no-secret',
}
})
signedUrl = client.buildSignedUrl('testAuthenticateGet')
response = requests.get(signedUrl)
response.raise_for_status()
response = response.json()
response['scopes'].sort()
assert response == {
'scopes': sorted(['test:*', u'auth:create-client:test:*']),
'clientId': 'tester',
}
def test_temporary_credentials_authorizedScopes():
tempCred = subject.createTemporaryCredentials(
'tester',
'no-secret',
datetime.datetime.utcnow(),
datetime.datetime.utcnow() + datetime.timedelta(hours=1),
['test:xyz:*'],
)
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': tempCred,
'authorizedScopes': ['test:xyz:abc'],
})
result = client.testAuthenticate({
'clientScopes': ['test:*'],
'requiredScopes': ['test:xyz:abc'],
})
assert result == {'scopes': ['assume:anonymous', 'test:xyz:abc'], 'clientId': 'tester'}
def test_temp_credentials_signed_url(self):
tempCred = subject.createTemporaryCredentials(
'tester',
'no-secret',
datetime.datetime.utcnow(),
datetime.datetime.utcnow() + datetime.timedelta(hours=1),
['test:*'],
)
client = subject.Auth({
'credentials': tempCred,
})
signedUrl = client.buildSignedUrl('testAuthenticateGet')
response = requests.get(signedUrl)
response.raise_for_status()
response = response.json()
self.assertEqual(response, {
'scopes': ['test:*'],
'clientId': 'tester',
})
def test_temporary_credentials():
"""we can call methods which require authentication with temporary
credentials generated by python client"""
tempCred = subject.createTemporaryCredentials(
'tester',
'no-secret',
datetime.datetime.utcnow(),
datetime.datetime.utcnow() + datetime.timedelta(hours=1),
['test:xyz'],
)
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': tempCred,
})
result = client.testAuthenticate({
'clientScopes': ['test:*'],
'requiredScopes': ['test:xyz'],
})
assert result == {'scopes': ['test:xyz'], 'clientId': 'tester'}
def test_temp_credentials_signed_url():
tempCred = subject.createTemporaryCredentials(
'tester',
'no-secret',
datetime.datetime.utcnow(),
datetime.datetime.utcnow() + datetime.timedelta(hours=1),
['test:*'],
)
client = subject.Auth({
'rootUrl': base.REAL_ROOT_URL,
'credentials': tempCred,
})
signedUrl = client.buildSignedUrl('testAuthenticateGet')
response = requests.get(signedUrl)
response.raise_for_status()
response = response.json()
assert response == {
'scopes': ['assume:anonymous', 'test:*'],
'clientId': 'tester',
}
def test_named_temporary_credentials(self):
tempCred = subject.createTemporaryCredentials(
'tester',
'no-secret',
datetime.datetime.utcnow(),
datetime.datetime.utcnow() + datetime.timedelta(hours=1),
['test:xyz'],
name='credName')
client = subject.Auth({
'credentials': tempCred,
})
result = client.testAuthenticate({
'clientScopes': ['test:*', 'auth:create-client:credName'],
'requiredScopes': ['test:xyz'],
})
self.assertEqual(result, {
'scopes': ['test:xyz'],
'clientId': 'credName'
})
def test_temporary_credentials_authorizedScopes(self):
tempCred = subject.createTemporaryCredentials(
'tester',
'no-secret',
datetime.datetime.utcnow(),
datetime.datetime.utcnow() + datetime.timedelta(hours=1),
['test:xyz:*'],
)
client = subject.Auth({
'credentials': tempCred,
'authorizedScopes': ['test:xyz:abc'],
})
result = client.testAuthenticate({
'clientScopes': ['test:*'],
'requiredScopes': ['test:xyz:abc'],
})
self.assertEqual(result, {
'scopes': ['test:xyz:abc'],
'clientId': 'tester'
})
def test_temporary_credentials(self):
"""we can call methods which require authentication with temporary
credentials generated by python client"""
tempCred = subject.createTemporaryCredentials(
'tester',
'no-secret',
datetime.datetime.utcnow() - datetime.timedelta(hours=10),
datetime.datetime.utcnow() + datetime.timedelta(hours=10),
['test:xyz'],
)
client = subject.Auth({
'credentials': tempCred,
})
result = client.testAuthenticate({
'clientScopes': ['test:*'],
'requiredScopes': ['test:xyz'],
})
self.assertEqual(result, {
'scopes': ['test:xyz'],
'clientId': 'tester'
})
