authorLars Wirzenius <liw@liw.fi>2018-10-27 10:34:43 +0300
committerLars Wirzenius <liw@liw.fi>2018-10-27 10:34:43 +0300
commit7ed16628456d3c9946e4288bacda7a4195b61730 (patch)
treef488db33fa94112d0dc8ea469679997f123f8a06
parentb5a7ec15b05567f727309619e27709b0595d07f4 (diff)
downloadmuck-poc-7ed16628456d3c9946e4288bacda7a4195b61730.tar.gz
Change: check for required scopes
-rw-r--r--muck/authz.py23
-rw-r--r--muck/authz_tests.py27
2 files changed, 41 insertions, 9 deletions
diff --git a/muck/authz.py b/muck/authz.py
index e9336b8..c48294c 100644
--- a/muck/authz.py
+++ b/muck/authz.py
@@ -13,10 +13,27 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-# import muck
+import muck
class AuthorizationChecker:
- def request_is_allowed(self, r):
- return False and r
+ def __init__(self, signing_key_text):
+ self._tc = muck.TokenChecker(signing_key_text.strip().encode('ascii'))
+
+ def request_is_allowed(self, r, required_scopes):
+ token = self._get_token(r)
+ if token is None:
+ return False
+
+ scope = token.get('scope', '')
+ scopes = set(scope.split())
+ required_scopes = set(required_scopes)
+ return scopes.intersection(required_scopes) == required_scopes
+
+ def _get_token(self, r):
+ authz = r.get_authorization()
+ try:
+ return self._tc.parse_header(authz)
+ except muck.Error:
+ return None
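Review bot: An empty `required_scopes` makes `request_is_allowed` accept any token that parses, because the intersection of the token's scopes with an empty set equals that empty set; that may be the intended contract, but nothing in the method states it, and the only empty-scope test reaches the deny branch through a request with no token at all. I would express the check as `return required_scopes.issubset(scopes)` (same result, reads as the intent) and put a docstring on the method saying that it returns True only when the bearer token in `r` carries every scope in `required_scopes`, and that an empty `required_scopes` admits any token that passes the signature check. In `_get_token` only `muck.Error` is caught, so whatever `parse_header` raises for a request without an Authorization header (presumably `get_authorization()` returns None then) would propagate instead of denying; worth confirming against `TokenChecker`, which is not in this diff. Likewise `token.get('scope', '')` assumes the claim is a whitespace-separated string, and a non-string claim would fail on `.split()` with an AttributeError that also escapes the deny path.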
diff --git a/muck/authz_tests.py b/muck/authz_tests.py
index 7e16cbe..0128c6b 100644
--- a/muck/authz_tests.py
+++ b/muck/authz_tests.py
@@ -20,16 +20,31 @@ import muck
class AuthorizationCheckerTests(unittest.TestCase):
- def test_denies_if_token_parsing_fails(self):
+ def setUp(self):
+ self.ac = muck.AuthorizationChecker(muck.test_key_text)
+
+ def create_token(self, scopes):
claims = {
- 'foo': 'bar',
+ 'scope': ' '.join(scopes),
}
- token = muck.create_token(claims, muck.test_key_text)
+ return muck.create_token(claims, muck.test_key_text)
+ def create_request(self, scopes):
+ token = self.create_token(scopes)
r = muck.Request(method='GET')
r.add_headers({
- 'Authorization': 'Bearer {}'.format(token)
+ 'Authorization': 'Bearer {}'.format(token),
})
+ return r
+
+ def test_denies_if_token_parsing_fails(self):
+ r = muck.Request(method='GET')
+ self.assertFalse(self.ac.request_is_allowed(r, []))
+
+ def test_denies_if_token_lacks_required_scope(self):
+ r = self.create_request([])
+ self.assertFalse(self.ac.request_is_allowed(r, ['foo']))
- ac = muck.AuthorizationChecker()
- self.assertFalse(ac.request_is_allowed(r))
+ def test_allows_for_acceptable_request(self):
+ r = self.create_request(['foo'])
+ self.assertTrue(self.ac.request_is_allowed(r, ['foo']))
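Review bot: The only denial test for scopes uses a token whose scope claim is empty, so a partial match is never exercised; `test_denies_if_token_lacks_required_scope` would pass equally against an implementation that accepts any overlap rather than requiring every scope. I would add a case with `r = self.create_request(['foo'])` followed by `self.assertFalse(self.ac.request_is_allowed(r, ['foo', 'bar']))`, and one where the token holds a scope that differs from the required one, e.g. `create_request(['bar'])` checked against `['foo']`. A test that a token with extra scopes is still accepted would pin the superset behaviour as well.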