2016-09-29 00:17:14 +00:00
|
|
|
import base64
|
2015-06-02 22:19:22 +00:00
|
|
|
import unittest
|
2016-09-29 00:17:14 +00:00
|
|
|
|
|
|
|
|
from datetime import datetime, timedelta
|
|
|
|
|
from tempfile import NamedTemporaryFile
|
|
|
|
|
|
2015-06-02 22:19:22 +00:00
|
|
|
import jwt
|
2016-09-29 00:17:14 +00:00
|
|
|
import requests
|
2015-06-02 22:19:22 +00:00
|
|
|
|
2016-09-29 00:17:14 +00:00
|
|
|
from Crypto.PublicKey import RSA
|
2015-07-16 19:49:06 +00:00
|
|
|
from flask import Flask, jsonify, request, make_response
|
2016-09-29 00:17:14 +00:00
|
|
|
from flask_testing import LiveServerTestCase
|
|
|
|
|
|
|
|
|
|
from app import app
|
2015-07-16 19:49:06 +00:00
|
|
|
from data.users import ExternalJWTAuthN
|
2016-09-29 00:17:14 +00:00
|
|
|
from initdb import setup_database_for_testing, finished_database_for_testing
|
|
|
|
|
|
2015-06-02 22:19:22 +00:00
|
|
|
|
2015-10-27 21:32:46 +00:00
|
|
|
_PORT_NUMBER = 5001
|
|
|
|
|
|
2016-09-29 00:17:14 +00:00
|
|
|
|
2015-06-02 22:19:22 +00:00
|
|
|
class JWTAuthTestCase(LiveServerTestCase):
|
|
|
|
|
maxDiff = None
|
|
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
|
def setUpClass(cls):
|
|
|
|
|
public_key = NamedTemporaryFile(delete=True)
|
|
|
|
|
|
|
|
|
|
key = RSA.generate(1024)
|
|
|
|
|
private_key_data = key.exportKey('PEM')
|
|
|
|
|
|
|
|
|
|
pubkey = key.publickey()
|
|
|
|
|
public_key.write(pubkey.exportKey('OpenSSH'))
|
|
|
|
|
public_key.seek(0)
|
|
|
|
|
|
|
|
|
|
JWTAuthTestCase.public_key = public_key
|
|
|
|
|
JWTAuthTestCase.private_key_data = private_key_data
|
|
|
|
|
|
|
|
|
|
def create_app(self):
|
2015-10-27 21:32:46 +00:00
|
|
|
global _PORT_NUMBER
|
|
|
|
|
_PORT_NUMBER = _PORT_NUMBER + 1
|
|
|
|
|
|
2015-06-02 22:19:22 +00:00
|
|
|
users = [
|
2015-07-16 19:49:06 +00:00
|
|
|
{'name': 'cooluser', 'email': 'user@domain.com', 'password': 'password'},
|
|
|
|
|
{'name': 'some.neat.user', 'email': 'neat@domain.com', 'password': 'foobar'}
|
2015-06-02 22:19:22 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
|
|
jwt_app = Flask('testjwt')
|
|
|
|
|
private_key = JWTAuthTestCase.private_key_data
|
2015-10-27 21:32:46 +00:00
|
|
|
jwt_app.config['LIVESERVER_PORT'] = _PORT_NUMBER
|
2015-06-02 22:19:22 +00:00
|
|
|
|
|
|
|
|
def _get_basic_auth():
|
|
|
|
|
data = base64.b64decode(request.headers['Authorization'][len('Basic '):])
|
|
|
|
|
return data.split(':', 1)
|
|
|
|
|
|
|
|
|
|
@jwt_app.route('/user/verify', methods=['GET'])
|
|
|
|
|
def verify_user():
|
|
|
|
|
username, password = _get_basic_auth()
|
|
|
|
|
|
|
|
|
|
if username == 'disabled':
|
|
|
|
|
return make_response('User is currently disabled', 401)
|
|
|
|
|
|
|
|
|
|
for user in users:
|
|
|
|
|
if user['name'] == username or user['email'] == username:
|
|
|
|
|
if password != user['password']:
|
|
|
|
|
return make_response('', 404)
|
|
|
|
|
|
|
|
|
|
token_data = {
|
|
|
|
|
'iss': 'authy',
|
|
|
|
|
'aud': 'quay.io/jwtauthn',
|
|
|
|
|
'nbf': datetime.utcnow(),
|
2015-09-04 20:31:37 +00:00
|
|
|
'iat': datetime.utcnow(),
|
2015-06-02 22:19:22 +00:00
|
|
|
'exp': datetime.utcnow() + timedelta(seconds=60),
|
|
|
|
|
'sub': user['name'],
|
|
|
|
|
'email': user['email']
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
encoded = jwt.encode(token_data, private_key, 'RS256')
|
|
|
|
|
return jsonify({
|
|
|
|
|
'token': encoded
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
return make_response('', 404)
|
|
|
|
|
|
|
|
|
|
jwt_app.config['TESTING'] = True
|
|
|
|
|
return jwt_app
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def setUp(self):
|
|
|
|
|
setup_database_for_testing(self)
|
|
|
|
|
self.app = app.test_client()
|
|
|
|
|
self.ctx = app.test_request_context()
|
|
|
|
|
self.ctx.__enter__()
|
|
|
|
|
|
|
|
|
|
self.session = requests.Session()
|
|
|
|
|
|
2015-07-16 19:49:06 +00:00
|
|
|
self.jwt_auth = ExternalJWTAuthN(self.get_server_url() + '/user/verify', 'authy', '',
|
|
|
|
|
app.config['HTTPCLIENT'], 300, JWTAuthTestCase.public_key.name)
|
2015-06-02 22:19:22 +00:00
|
|
|
|
|
|
|
|
def tearDown(self):
|
|
|
|
|
finished_database_for_testing(self)
|
|
|
|
|
self.ctx.__exit__(True, None, None)
|
|
|
|
|
|
2015-07-20 15:39:59 +00:00
|
|
|
def test_verify_and_link_user(self):
|
|
|
|
|
result, error_message = self.jwt_auth.verify_and_link_user('invaliduser', 'foobar')
|
2015-06-02 22:19:22 +00:00
|
|
|
self.assertEquals('Invalid username or password', error_message)
|
|
|
|
|
self.assertIsNone(result)
|
|
|
|
|
|
2015-07-20 15:39:59 +00:00
|
|
|
result, _ = self.jwt_auth.verify_and_link_user('cooluser', 'invalidpassword')
|
2015-06-02 22:19:22 +00:00
|
|
|
self.assertIsNone(result)
|
|
|
|
|
|
2015-07-20 15:39:59 +00:00
|
|
|
result, _ = self.jwt_auth.verify_and_link_user('cooluser', 'password')
|
2015-06-02 22:19:22 +00:00
|
|
|
self.assertIsNotNone(result)
|
|
|
|
|
self.assertEquals('cooluser', result.username)
|
|
|
|
|
|
2015-07-20 15:39:59 +00:00
|
|
|
result, _ = self.jwt_auth.verify_and_link_user('some.neat.user', 'foobar')
|
2015-06-02 22:19:22 +00:00
|
|
|
self.assertIsNotNone(result)
|
|
|
|
|
self.assertEquals('some_neat_user', result.username)
|
|
|
|
|
|
|
|
|
|
def test_confirm_existing_user(self):
|
|
|
|
|
# Create the users in the DB.
|
2015-07-20 15:39:59 +00:00
|
|
|
result, _ = self.jwt_auth.verify_and_link_user('cooluser', 'password')
|
2015-06-02 22:19:22 +00:00
|
|
|
self.assertIsNotNone(result)
|
|
|
|
|
|
2015-07-20 15:39:59 +00:00
|
|
|
result, _ = self.jwt_auth.verify_and_link_user('some.neat.user', 'foobar')
|
2015-06-02 22:19:22 +00:00
|
|
|
self.assertIsNotNone(result)
|
|
|
|
|
|
|
|
|
|
# Confirm a user with the same internal and external username.
|
2015-08-18 16:15:40 +00:00
|
|
|
result, _ = self.jwt_auth.confirm_existing_user('cooluser', 'invalidpassword')
|
|
|
|
|
self.assertIsNone(result)
|
|
|
|
|
|
2015-06-02 22:19:22 +00:00
|
|
|
result, _ = self.jwt_auth.confirm_existing_user('cooluser', 'password')
|
|
|
|
|
self.assertIsNotNone(result)
|
|
|
|
|
self.assertEquals('cooluser', result.username)
|
|
|
|
|
|
|
|
|
|
# Fail to confirm the *external* username, which should return nothing.
|
|
|
|
|
result, _ = self.jwt_auth.confirm_existing_user('some.neat.user', 'password')
|
|
|
|
|
self.assertIsNone(result)
|
|
|
|
|
|
|
|
|
|
# Now confirm the internal username.
|
|
|
|
|
result, _ = self.jwt_auth.confirm_existing_user('some_neat_user', 'foobar')
|
|
|
|
|
self.assertIsNotNone(result)
|
|
|
|
|
self.assertEquals('some_neat_user', result.username)
|
|
|
|
|
|
|
|
|
|
def test_disabled_user_custom_erorr(self):
|
2015-07-20 15:39:59 +00:00
|
|
|
result, error_message = self.jwt_auth.verify_and_link_user('disabled', 'password')
|
2015-06-02 22:19:22 +00:00
|
|
|
self.assertIsNone(result)
|
|
|
|
|
self.assertEquals('User is currently disabled', error_message)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
unittest.main()
|
