@@ -15,13 +15,20 @@
import json
from werkzeug.exceptions import Unauthorized
import waiverdb.auth
+ import flask_oidc
|
|
+ @pytest.mark.usefixtures('enable_kerberos')
class TestKerberosAuthentication(object):
|
def test_keytab_file_is_not_set_should_raise_error(self):
with pytest.raises(Unauthorized):
request = mock.MagicMock()
+ headers = {'Authorization': "babablaba"}
+ request.headers.return_value = mock.MagicMock(spec_set=dict)
+ request.headers.__getitem__.side_effect = headers.__getitem__
+ request.headers.__setitem__.side_effect = headers.__setitem__
+ request.headers.__contains__.side_effect = headers.__contains__
waiverdb.auth.get_user(request)
|
def test_unauthorized(self, client, monkeypatch):
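Review bot: The line `request.headers.return_value = mock.MagicMock(spec_set=dict)` in test_keytab_file_is_not_set_should_raise_error configures what a call `request.headers()` would return, while the three lines after it make `request.headers` itself behave as the mapping, so the line is dead and the `spec_set` constraint it appears to impose never applies; the same four-line setup is repeated twice in the hunk at +59, so a small module-level helper would replace all three copies. With an `Authorization` header whose value is not a Negotiate token, `Unauthorized` may now be raised by a scheme check rather than by the missing keytab the test name promises (get_user is not in the hunk, so this is inferred); capturing `excinfo` and asserting on the message, as the OIDC tests do, would pin the reason. The `with pytest.raises(Unauthorized)` block also wraps the mock setup, so a mistake in that setup that raised `Unauthorized` would pass the test; only the `get_user` call belongs inside it.
```python
def _request_with_headers(headers):
    """Return a MagicMock request whose .headers behaves as the given dict."""
    request = mock.MagicMock()
    request.headers.__getitem__.side_effect = headers.__getitem__
    request.headers.__setitem__.side_effect = headers.__setitem__
    request.headers.__contains__.side_effect = headers.__contains__
    return request


@pytest.mark.usefixtures('enable_kerberos')
class TestKerberosAuthentication(object):

    def test_keytab_file_is_not_set_should_raise_error(self):
        request = _request_with_headers({'Authorization': "babablaba"})
        with pytest.raises(Unauthorized):
            waiverdb.auth.get_user(request)
    # … unchanged: test_unauthorized …
```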
@@ -52,3 +59,43 @@
assert r.headers.get('WWW-Authenticate') == 'negotiate STOKEN'
res_data = json.loads(r.data.decode('utf-8'))
assert res_data['username'] == 'foo'
+
+
+ class TestOIDCAuthentication(object):
+
+ def test_get_user_without_token(self, session):
+ with pytest.raises(Unauthorized) as excinfo:
+ request = mock.MagicMock()
+ waiverdb.auth.get_user(request)
+ assert "No 'Authorization' header found" in str(excinfo.value)
+
+ @mock.patch.object(flask_oidc.OpenIDConnect, '_get_token_info')
+ def test_get_user_with_invalid_token(self, mocked_get_token, session):
+ # http://vsbattles.wikia.com/wiki/Son_Goku
+ name = 'Son Goku'
+ mocked_get_token.return_value = {'active': False, 'username': name,
+ 'scope': 'openid waiverdb_scope'}
+ headers = {'Authorization': 'Bearer invalid'}
+ request = mock.MagicMock()
+ request.headers.return_value = mock.MagicMock(spec_set=dict)
+ request.headers.__getitem__.side_effect = headers.__getitem__
+ request.headers.__setitem__.side_effect = headers.__setitem__
+ request.headers.__contains__.side_effect = headers.__contains__
+ with pytest.raises(Unauthorized) as excinfo:
+ waiverdb.auth.get_user(request)
+ assert 'Token required but invalid' in str(excinfo.value)
+
+ @mock.patch.object(flask_oidc.OpenIDConnect, '_get_token_info')
+ def test_get_user_good(self, mocked_get_token, session):
+ # http://vsbattles.wikia.com/wiki/Son_Goku
+ name = 'Son Goku'
+ mocked_get_token.return_value = {'active': True, 'username': name,
+ 'scope': 'openid waiverdb_scope'}
+ headers = {'Authorization': 'Bearer foobar'}
+ request = mock.MagicMock()
+ request.headers.return_value = mock.MagicMock(spec_set=dict)
+ request.headers.__getitem__.side_effect = headers.__getitem__
+ request.headers.__setitem__.side_effect = headers.__setitem__
+ request.headers.__contains__.side_effect = headers.__contains__
+ user, header = waiverdb.auth.get_user(request)
+ assert user == name
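Review bot: TestOIDCAuthentication covers an inactive token and a fully valid one, but no case exercises an active token whose `scope` lacks `waiverdb_scope`, and the `'scope': 'openid waiverdb_scope'` value on both fixtures suggests that is the authorization decision get_user enforces (get_user is not in the hunk, so this is inferred); a third test with `'scope': 'openid'` asserting `Unauthorized` would pin that check so a regression that stops inspecting the scope is caught. In test_get_user_good the second value of `user, header = waiverdb.auth.get_user(request)` is never asserted; either check it or bind it as `_`. Both `@mock.patch.object(flask_oidc.OpenIDConnect, '_get_token_info')` decorators patch a private flask_oidc method, so the tests are coupled to that library's internals, and a one-line comment explaining why the public API is bypassed would help whoever next upgrades it. The `# http://vsbattles.wikia.com/wiki/Son_Goku` comments say nothing about the test and can be dropped.
```python
    @mock.patch.object(flask_oidc.OpenIDConnect, '_get_token_info')
    def test_get_user_with_token_missing_scope(self, mocked_get_token, session):
        # Active token, but without the scope waiverdb requires.
        mocked_get_token.return_value = {'active': True, 'username': 'Son Goku',
                                         'scope': 'openid'}
        headers = {'Authorization': 'Bearer foobar'}
        request = mock.MagicMock()
        request.headers.__getitem__.side_effect = headers.__getitem__
        request.headers.__setitem__.side_effect = headers.__setitem__
        request.headers.__contains__.side_effect = headers.__contains__
        with pytest.raises(Unauthorized):
            waiverdb.auth.get_user(request)
    # … unchanged: test_get_user_without_token, test_get_user_with_invalid_token, test_get_user_good …
```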
Is this file supposed to be committed? Whatever this secret is, it's not a secret anymore :-)
Is this more like an example config for development purposes? In that case, it makes sense I guess... Will it work unmodified for anyone who wants to run it? And does it matter that we have now leaked this secret here?