Switch to returning an empty set when there are invalid auth scopes
This commit is contained in:
Joseph Schorr
parent
804be4d4be
commit
354f4109d0
3 changed files with 62 additions and 13 deletions
|
|
@ -9,6 +9,8 @@ from flask import g
|
|||
from flask.ext.principal import identity_loaded
|
||||
|
||||
from auth.auth import _process_basic_auth
|
||||
from auth.scopes import scopes_from_scope_string, is_subset_string, DIRECT_LOGIN, ADMIN_REPO
|
||||
from auth.permissions import QuayDeferredPermissionUser
|
||||
from endpoints.api import api_bp, api
|
||||
from endpoints.api.user import User, Signin
|
||||
|
||||
|
|
@ -124,6 +126,49 @@ class TestAuth(ApiTestCase):
|
|||
self.conduct_basic_auth(robot.username, 'someinvalidcode')
|
||||
self.verify_no_identity()
|
||||
|
||||
def test_deferred_permissions_scopes(self):
|
||||
self.assertEquals(QuayDeferredPermissionUser.for_id('123454')._scope_set, {DIRECT_LOGIN})
|
||||
self.assertEquals(QuayDeferredPermissionUser.for_id('123454', {})._scope_set, {})
|
||||
self.assertEquals(QuayDeferredPermissionUser.for_id('123454', {ADMIN_REPO})._scope_set, {ADMIN_REPO})
|
||||
|
||||
def assertParsedScopes(self, scopes_str, *args):
|
||||
expected = list(args)
|
||||
parsed = scopes_from_scope_string(scopes_str)
|
||||
self.assertEquals([p.scope for p in parsed], expected)
|
||||
|
||||
def test_scopes_parsing(self):
|
||||
# Valid single scopes.
|
||||
self.assertParsedScopes('repo:read', 'repo:read')
|
||||
self.assertParsedScopes('repo:admin', 'repo:admin')
|
||||
|
||||
# Invalid scopes.
|
||||
self.assertParsedScopes('not:valid')
|
||||
self.assertParsedScopes('repo:admins')
|
||||
|
||||
# Valid scope strings.
|
||||
self.assertParsedScopes('repo:read repo:admin', 'repo:read', 'repo:admin')
|
||||
self.assertParsedScopes('repo:read,repo:admin', 'repo:read', 'repo:admin')
|
||||
self.assertParsedScopes('repo:read,repo:admin repo:write', 'repo:read', 'repo:admin',
|
||||
'repo:write')
|
||||
|
||||
# Partially invalid scopes.
|
||||
self.assertParsedScopes('repo:read,not:valid')
|
||||
self.assertParsedScopes('repo:read repo:admins')
|
||||
|
||||
# Invalid scope strings.
|
||||
self.assertParsedScopes('repo:read|repo:admin')
|
||||
|
||||
def test_subset_string(self):
|
||||
self.assertTrue(is_subset_string('repo:read', 'repo:read'))
|
||||
self.assertTrue(is_subset_string('repo:read repo:admin', 'repo:read'))
|
||||
self.assertTrue(is_subset_string('repo:read,repo:admin', 'repo:read'))
|
||||
self.assertTrue(is_subset_string('repo:read,repo:admin', 'repo:admin'))
|
||||
self.assertTrue(is_subset_string('repo:read,repo:admin', 'repo:admin repo:read'))
|
||||
|
||||
self.assertFalse(is_subset_string('', 'repo:read'))
|
||||
self.assertFalse(is_subset_string('unknown:tag', 'repo:read'))
|
||||
self.assertFalse(is_subset_string('repo:read unknown:tag', 'repo:read'))
|
||||
self.assertFalse(is_subset_string('repo:read,unknown:tag', 'repo:read'))
|
||||
|
||||
if __name__ == '__main__':
|
||||
unittest.main()
|
||||
|
|
|
|||
Reference in a new issue