Python toggles.ENFORCE_JWT_SCOPES类代码示例

    def test_inactive_user(self, auth_type, scopes_enforced):
        with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
            self.student.is_active = False
            self.student.save()

            resp = self._get_response(self.student, auth_type)
            self.assertEqual(resp.status_code, status.HTTP_200_OK)

 def test_dot_create_jwt_for_token(self, scopes_enforced, client_restricted):
     with ENFORCE_JWT_SCOPES.override(scopes_enforced):
         jwt_token = self._create_jwt_for_token(
             DOTAdapter(),
             use_asymmetric_key=None,
             client_restricted=client_restricted,
         )
         self._assert_jwt_is_valid(jwt_token, should_be_asymmetric_key=scopes_enforced and client_restricted)

    def test_another_user(self, auth_type, scopes_enforced, mock_log):
        """
        Returns 200 with empty list for OAuth, Session, and JWT auth.
        Returns 200 for jwt_restricted and user:me filter unset.
        """
        with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
            resp = self.get_response(auth_type, requesting_user=self.other_student)

            self.assertEqual(resp.status_code, status.HTTP_200_OK)
            self.assertEqual(len(resp.data), 0)

    def test_jwt_no_filter(self, auth_type, scopes_enforced, mock_log):
        """ Returns 403 when scopes are enforced with JwtHasContentOrgFilterForRequestedCourse. """
        with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
            jwt_token = self._create_jwt_token(self.student, auth_type, include_org_filter=False)
            resp = self.get_response(AuthType.jwt, token=jwt_token)

            is_enforced = scopes_enforced and auth_type == AuthType.jwt_restricted
            self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN if is_enforced else status.HTTP_200_OK)

            if is_enforced:
                self._assert_in_log("JwtHasContentOrgFilterForRequestedCourse", mock_log.warning)

    def test_jwt_no_scopes(self, auth_type, scopes_enforced, mock_log):
        """ Returns 403 when scopes are enforced with JwtHasScope. """
        with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
            jwt_token = self._create_jwt_token(self.student, auth_type, scopes=[])
            resp = self._get_response(self.student, AuthType.jwt, token=jwt_token)

            is_enforced = scopes_enforced and auth_type == AuthType.jwt_restricted
            self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN if is_enforced else status.HTTP_200_OK)

            if is_enforced:
                self._assert_in_log("JwtHasScope", mock_log.warning)

    def test_jwt_on_behalf_of_other_user(self, auth_type, scopes_enforced, mock_log):
        """ Returns 403 when scopes are enforced with JwtHasUserFilterForRequestedUser. """
        with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
            jwt_token = self._create_jwt_token(self.other_student, auth_type, include_me_filter=True)
            resp = self.get_response(AuthType.jwt, token=jwt_token)

            if scopes_enforced and auth_type == AuthType.jwt_restricted:
                self.assertEqual(resp.status_code, status.HTTP_403_FORBIDDEN)
                self._assert_in_log("JwtHasUserFilterForRequestedUser", mock_log.warning)
            else:
                self.assertEqual(resp.status_code, status.HTTP_200_OK)
                self.assertEqual(len(resp.data), 0)

    def test_jwt_on_behalf_of_user(self, auth_type, scopes_enforced):
        """
        We have to override this super method due to this API
        being restricted to staff users only.
        """
        with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
            jwt_token = self._create_jwt_token(self.student, auth_type, include_me_filter=True)
            # include_me_filter=True means a JWT filter will require the username
            # of the requesting user to be in the requested URL
            url = self.get_url(self.student) + '?username={}'.format(self.student.username)

            resp = self.get_response(AuthType.jwt, token=jwt_token, url=url)
            assert status.HTTP_200_OK == resp.status_code

    def test_another_user(self, auth_type, scopes_enforced, mock_log):
        """ Returns 403 for OAuth and Session auth with IsUserInUrl. """
        with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
            resp = self._get_response(self.student_no_cert, auth_type)

            # Restricted JWT tokens without the user:me filter have access to other users
            expected_jwt_access_granted = scopes_enforced and auth_type == AuthType.jwt_restricted

            self.assertEqual(
                resp.status_code,
                status.HTTP_200_OK if expected_jwt_access_granted else status.HTTP_403_FORBIDDEN,
            )
            if not expected_jwt_access_granted:
                self._assert_in_log("IsUserInUrl", mock_log.info)

def _get_use_asymmetric_key_value(is_restricted, use_asymmetric_key):
    """
    Returns the value to use for use_asymmetric_key.
    """
    # TODO: (ARCH-162)
    # If JWT scope enforcement is enabled, we need to sign tokens
    # given to restricted applications with a key that
    # other IDAs do not have access to. This prevents restricted
    # applications from getting access to API endpoints available
    # on other IDAs which have not yet been protected with the
    # scope-related DRF permission classes. Once all endpoints have
    # been protected, we can enable all IDAs to use the same new
    # (asymmetric) key.
    if use_asymmetric_key is None:
        use_asymmetric_key = ENFORCE_JWT_SCOPES.is_enabled() and is_restricted
    return use_asymmetric_key

    def test_restricted_non_jwt_access_token_fields(self, enforce_jwt_scopes_enabled):
        with ENFORCE_JWT_SCOPES.override(enforce_jwt_scopes_enabled):
            response = self._post_request(self.user, self.restricted_dot_app)
            self.assertEqual(response.status_code, 200)
            data = json.loads(response.content)
            self.assertIn('access_token', data)
            self.assertIn('expires_in', data)
            self.assertIn('scope', data)
            self.assertIn('token_type', data)

            # Verify token expiration.
            self.assertEqual(data['expires_in'] < 0, True)
            access_token = dot_models.AccessToken.objects.get(token=data['access_token'])
            self.assertEqual(
                models.RestrictedApplication.verify_access_token_as_expired(access_token),
                True
            )

    def test_another_user_with_certs_shared_public(self, auth_type, scopes_enforced):
        """
        Returns 200 with cert list for OAuth, Session, and JWT auth.
        Returns 200 for jwt_restricted and user:me filter unset.
        """
        self.student.profile.year_of_birth = 1977
        self.student.profile.save()
        UserPreferenceFactory.build(
            user=self.student,
            key='account_privacy',
            value='all_users',
        ).save()

        with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
            resp = self.get_response(auth_type, requesting_user=self.other_student)

            self.assertEqual(resp.status_code, status.HTTP_200_OK)
            self.assertEqual(len(resp.data), 1)

    def test_restricted_jwt_access_token(self, enforce_jwt_scopes_enabled, expiration_expected):
        """
        Verify that when requesting a JWT token from a restricted Application
        within the DOT subsystem, that our claims is marked as already expired
        (i.e. expiry set to Jan 1, 1970)
        """
        with ENFORCE_JWT_SCOPES.override(enforce_jwt_scopes_enabled):
            response = self._post_request(self.user, self.restricted_dot_app, token_type='jwt')
            self.assertEqual(response.status_code, 200)
            data = json.loads(response.content)

            self.assertIn('expires_in', data)
            self.assertEqual(data['expires_in'] < 0, expiration_expected)
            self.assertEqual(data['token_type'], 'JWT')
            self.assert_valid_jwt_access_token(
                data['access_token'],
                self.user,
                data['scope'].split(' '),
                should_be_expired=expiration_expected,
                should_be_asymmetric_key=enforce_jwt_scopes_enabled,
                should_be_restricted=True,
            )

    def test_jwt_on_behalf_of_user(self, auth_type, scopes_enforced):
        with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
            jwt_token = self._create_jwt_token(self.student, auth_type, include_me_filter=True)

            resp = self.get_response(AuthType.jwt, token=jwt_token)
            self.assertEqual(resp.status_code, status.HTTP_200_OK)

 def test_staff_user(self, auth_type, scopes_enforced):
     with ENFORCE_JWT_SCOPES.override(active=scopes_enforced):
         resp = self.get_response(auth_type, requesting_user=self.global_staff)
         self.assertEqual(resp.status_code, status.HTTP_200_OK)
         self.assert_success_response_for_student(resp)

 def should_expire_access_token(cls, application):
     set_token_expired = not ENFORCE_JWT_SCOPES.is_enabled()
     jwt_not_requested = get_request_or_stub().POST.get('token_type', '').lower() != 'jwt'
     restricted_application = cls.objects.filter(application=application).exists()
     return restricted_application and (jwt_not_requested or set_token_expired)