Refactor our auth handling code to be cleaner

Breaks out the validation code from the auth context modification calls, makes decorators easier to define and adds testing for each individual piece. Will be the basis of better error messaging in the following change.
2017-03-16 17:05:26 -04:00 · 2017-03-16 17:05:26 -04:00 · 651666b60b
commit 651666b60b
parent 1bd4422da9
18 changed files with 830 additions and 455 deletions
--- a/auth/test/test_oauth.py
+++ b/auth/test/test_oauth.py
@ -0,0 +1,48 @@
+import pytest
+
+from auth.oauth import validate_bearer_auth, validate_oauth_token
+from auth.validateresult import AuthKind, ValidateResult
+from data import model
+from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+
+@pytest.mark.parametrize('header, expected_result', [
+  ('', ValidateResult(AuthKind.oauth, missing=True)),
+  ('somerandomtoken', ValidateResult(AuthKind.oauth, missing=True)),
+  ('bearer some random token', ValidateResult(AuthKind.oauth, missing=True)),
+
+  ('bearer invalidtoken',
+   ValidateResult(AuthKind.oauth, error_message='OAuth access token could not be validated')),
+])
+def test_bearer(header, expected_result, app):
+  assert validate_bearer_auth(header) == expected_result
+
+def test_valid_oauth(app):
+  user = model.user.get_user('devtable')
+  token = list(model.oauth.list_access_tokens_for_user(user))[0]
+
+  result = validate_bearer_auth('bearer ' + token.access_token)
+  assert result.oauthtoken == token
+  assert result.authed_user == user
+  assert result.auth_valid
+
+def test_disabled_user_oauth(app):
+  user = model.user.get_user('disabled')
+  token = model.oauth.create_access_token_for_testing(user, 'deadbeef', 'repo:admin',
+                                                      access_token='foo')
+
+  result = validate_bearer_auth('bearer ' + token.access_token)
+  assert result.oauthtoken is None
+  assert result.authed_user is None
+  assert not result.auth_valid
+  assert result.error_message == 'Granter of the oauth access token is disabled'
+
+def test_expired_token(app):
+  user = model.user.get_user('devtable')
+  token = model.oauth.create_access_token_for_testing(user, 'deadbeef', 'repo:admin',
+                                                      access_token='bar', expires_in=-1000)
+
+  result = validate_bearer_auth('bearer ' + token.access_token)
+  assert result.oauthtoken is None
+  assert result.authed_user is None
+  assert not result.auth_valid
+  assert result.error_message == 'OAuth access token has expired'