auth.test: merge registry jwt into one pytest file

auth/test/test_registry_jwt.py

@@ -5,6 +5,8 @@ import pytest
 
 from app import app, instance_keys
 from auth.registry_jwt_auth import identity_from_bearer_token, InvalidJWTException
+from data import model  # TODO(jzelinskie): remove this after service keys are decoupled
+from data.database import ServiceKeyApprovalType
 from initdb import setup_database_for_testing, finished_database_for_testing
 from util.morecollections import AttrDict
 from util.security.registry_jwt import ANONYMOUS_SUB, build_context_and_subject
@@ -16,13 +18,8 @@ TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
 ANONYMOUS_SUB = '(anonymous)'
 SERVICE_NAME = 'quay'
 
-
-def setup_module(m):
-  setup_database_for_testing(m)
-
-
-def teardown_module(m):
-  finished_database_for_testing(m)
+# This import has to come below any references to "app".
+from test.fixtures import *
 
 
 def _access(typ='repository', name='somens/somerepo', actions=None):
@@ -73,7 +70,7 @@ def _parse_token(token):
   return identity_from_bearer_token(token)[0]
 
 
-def test_accepted_token():
+def test_accepted_token(initialized_db):
   token = _token(_token_data())
   identity = _parse_token(token)
   assert identity.id == TEST_USER.username, 'should be %s, but was %s' % (TEST_USER.username,
@@ -93,7 +90,7 @@ def test_accepted_token():
   (_access(actions=['*', 'push'])),
   (_access(actions=['*'])),
   (_access(actions=['pull', '*', 'push'])),])
-def test_token_with_access(access):
+def test_token_with_access(access, initialized_db):
   token = _token(_token_data(access=access))
   identity = _parse_token(token)
   assert identity.id == TEST_USER.username, 'should be %s, but was %s' % (TEST_USER.username,
@@ -134,6 +131,58 @@ def test_token_with_access(access):
   ('some random token'),
   ('Bearer: sometokenhere'),
   ('\nBearer: dGVzdA'),])
-def test_invalid_jwt(token):
+def test_invalid_jwt(token, initialized_db):
   with pytest.raises(InvalidJWTException):
     _parse_token(token)
+
+
+def test_mixing_keys_e2e(initialized_db):
+  token_data = _token_data()
+
+  # Create a new key for testing.
+  p, key = model.service_keys.generate_service_key(instance_keys.service_name, None, kid='newkey',
+                                                   name='newkey', metadata={})
+  private_key = p.exportKey('PEM')
+
+  # Test first with the new valid, but unapproved key.
+  unapproved_key_token = _token(token_data, key_id='newkey', private_key=private_key)
+  with pytest.raises(InvalidJWTException):
+    _parse_token(unapproved_key_token)
+
+  # Approve the key and try again.
+  admin_user = model.user.get_user('devtable')
+  model.service_keys.approve_service_key(key.kid, admin_user, ServiceKeyApprovalType.SUPERUSER)
+
+  valid_token = _token(token_data, key_id='newkey', private_key=private_key)
+
+  identity = _parse_token(valid_token)
+  assert identity.id == TEST_USER.username
+  assert len(identity.provides) == 0
+
+  # Try using a different private key with the existing key ID.
+  bad_private_token = _token(token_data, key_id='newkey',
+                             private_key=instance_keys.local_private_key)
+  with pytest.raises(InvalidJWTException):
+    _parse_token(bad_private_token)
+
+  # Try using a different key ID with the existing private key.
+  kid_mismatch_token = _token(token_data, key_id=instance_keys.local_key_id,
+                              private_key=private_key)
+  with pytest.raises(InvalidJWTException):
+    _parse_token(kid_mismatch_token)
+
+  # Delete the new key.
+  key.delete_instance(recursive=True)
+
+  # Ensure it still works (via the cache.)
+  deleted_key_token = _token(token_data, key_id='newkey', private_key=private_key)
+  identity = _parse_token(deleted_key_token)
+  assert identity.id == TEST_USER.username
+  assert len(identity.provides) == 0
+
+  # Break the cache.
+  instance_keys.clear_cache()
+
+  # Ensure the key no longer works.
+  with pytest.raises(InvalidJWTException):
+    _parse_token(deleted_key_token)