1 files changed, 21 insertions, 6 deletions

diff --git a/muck/authz_tests.py b/muck/authz_tests.py
index 7e16cbe..0128c6b 100644
--- a/muck/authz_tests.py
+++ b/muck/authz_tests.py
@@ -20,16 +20,31 @@ import muck
 
 class AuthorizationCheckerTests(unittest.TestCase):
 
-    def test_denies_if_token_parsing_fails(self):
+    def setUp(self):
+        self.ac = muck.AuthorizationChecker(muck.test_key_text)
+
+    def create_token(self, scopes):
         claims = {
-            'foo': 'bar',
+            'scope': ' '.join(scopes),
         }
-        token = muck.create_token(claims, muck.test_key_text)
+        return muck.create_token(claims, muck.test_key_text)
 
+    def create_request(self, scopes):
+        token = self.create_token(scopes)
         r = muck.Request(method='GET')
         r.add_headers({
-            'Authorization': 'Bearer {}'.format(token)
+            'Authorization': 'Bearer {}'.format(token),
         })
+        return r
+
+    def test_denies_if_token_parsing_fails(self):
+        r = muck.Request(method='GET')
+        self.assertFalse(self.ac.request_is_allowed(r, []))
+
+    def test_denies_if_token_lacks_required_scope(self):
+        r = self.create_request([])
+        self.assertFalse(self.ac.request_is_allowed(r, ['foo']))
 
-        ac = muck.AuthorizationChecker()
-        self.assertFalse(ac.request_is_allowed(r))
+    def test_allows_for_acceptable_request(self):
+        r = self.create_request(['foo'])
+        self.assertTrue(self.ac.request_is_allowed(r, ['foo']))