1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
|
# ------------------------------------
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
# ------------------------------------
"""
Tests for the HTTP challenge authentication implementation. These tests aren't parallelizable, because
the challenge cache is global to the process.
"""
import functools
import time
from uuid import uuid4
try:
from unittest.mock import Mock, patch
except ImportError: # python < 3.3
from mock import Mock, patch # type: ignore
from azure.core.credentials import AccessToken
from azure.core.exceptions import ServiceRequestError
from azure.core.pipeline import Pipeline
from azure.core.pipeline.policies import SansIOHTTPPolicy
from azure.core.pipeline.transport import HttpRequest
from azure.keyvault.keys._shared import ChallengeAuthPolicy, HttpChallenge, HttpChallengeCache
import pytest
from _shared.helpers import mock_response, Request, validating_transport
def empty_challenge_cache(fn):
@functools.wraps(fn)
def wrapper():
HttpChallengeCache.clear()
assert len(HttpChallengeCache._cache) == 0
return fn()
return wrapper
def get_random_url():
"""The challenge cache is keyed on URLs. Random URLs defend against tests interfering with each other."""
return "https://{}/{}".format(uuid4(), uuid4()).replace("-", "")
@empty_challenge_cache
def test_enforces_tls():
url = "http://not.secure"
HttpChallengeCache.set_challenge_for_url(url, HttpChallenge(url, "Bearer authorization=_, resource=_"))
credential = Mock()
pipeline = Pipeline(transport=Mock(), policies=[ChallengeAuthPolicy(credential)])
with pytest.raises(ServiceRequestError):
pipeline.run(HttpRequest("GET", url))
@empty_challenge_cache
def test_challenge_cache():
url_a = get_random_url()
challenge_a = HttpChallenge(url_a, "Bearer authorization=authority A, resource=resource A")
url_b = get_random_url()
challenge_b = HttpChallenge(url_b, "Bearer authorization=authority B, resource=resource B")
for url, challenge in zip((url_a, url_b), (challenge_a, challenge_b)):
HttpChallengeCache.set_challenge_for_url(url, challenge)
assert HttpChallengeCache.get_challenge_for_url(url) == challenge
assert HttpChallengeCache.get_challenge_for_url(url + "/some/path") == challenge
assert HttpChallengeCache.get_challenge_for_url(url + "/some/path?with-query=string") == challenge
assert HttpChallengeCache.get_challenge_for_url(url + ":443") == challenge
HttpChallengeCache.remove_challenge_for_url(url)
assert not HttpChallengeCache.get_challenge_for_url(url)
def test_challenge_parsing():
authority = "https://login.authority.net/tenant"
resource = "https://challenge.resource"
challenge = HttpChallenge(
"https://request.uri", challenge="Bearer authorization={}, resource={}".format(authority, resource)
)
assert challenge.get_authorization_server() == authority
assert challenge.get_resource() == resource
@empty_challenge_cache
def test_scope():
"""The policy's token requests should always be for an AADv2 scope"""
expected_content = b"a duck"
def test_with_challenge(challenge, expected_scope):
expected_token = "expected_token"
class Requests:
count = 0
def send(request):
Requests.count += 1
if Requests.count == 1:
# first request should be unauthorized and have no content
assert not request.body
assert request.headers["Content-Length"] == "0"
return challenge
elif Requests.count == 2:
# second request should be authorized according to challenge and have the expected content
assert request.headers["Content-Length"]
assert request.body == expected_content
assert expected_token in request.headers["Authorization"]
return Mock(status_code=200)
raise ValueError("unexpected request")
def get_token(*scopes):
assert len(scopes) == 1
assert scopes[0] == expected_scope
return AccessToken(expected_token, 0)
credential = Mock(get_token=Mock(wraps=get_token))
pipeline = Pipeline(policies=[ChallengeAuthPolicy(credential=credential)], transport=Mock(send=send))
request = HttpRequest("POST", get_random_url())
request.set_bytes_body(expected_content)
pipeline.run(request)
assert credential.get_token.call_count == 1
endpoint = "https://authority.net/tenant"
# an AADv1 resource becomes an AADv2 scope with the addition of '/.default'
resource = "https://challenge.resource"
scope = resource + "/.default"
challenge_with_resource = Mock(
status_code=401,
headers={"WWW-Authenticate": 'Bearer authorization="{}", resource={}'.format(endpoint, resource)},
)
challenge_with_scope = Mock(
status_code=401, headers={"WWW-Authenticate": 'Bearer authorization="{}", scope={}'.format(endpoint, scope)}
)
test_with_challenge(challenge_with_resource, scope)
test_with_challenge(challenge_with_scope, scope)
@empty_challenge_cache
def test_policy_updates_cache():
"""
It's possible for the challenge returned for a request to change, e.g. when a vault is moved to a new tenant.
When the policy receives a 401, it should update the cached challenge for the requested URL, if one exists.
"""
url = get_random_url()
first_scope = "https://first-scope"
first_token = "first-scope-token"
second_scope = "https://second-scope"
second_token = "second-scope-token"
challenge_fmt = 'Bearer authorization="https://login.authority.net/tenant", resource={}'
# mocking a tenant change:
# 1. first request -> respond with challenge
# 2. second request should be authorized according to the challenge
# 3. third request should match the second (using a cached access token)
# 4. fourth request should also match the second -> respond with a new challenge
# 5. fifth request should be authorized according to the new challenge
# 6. sixth request should match the fifth
transport = validating_transport(
requests=(
Request(url),
Request(url, required_headers={"Authorization": "Bearer {}".format(first_token)}),
Request(url, required_headers={"Authorization": "Bearer {}".format(first_token)}),
Request(url, required_headers={"Authorization": "Bearer {}".format(first_token)}),
Request(url, required_headers={"Authorization": "Bearer {}".format(second_token)}),
Request(url, required_headers={"Authorization": "Bearer {}".format(second_token)}),
),
responses=(
mock_response(status_code=401, headers={"WWW-Authenticate": challenge_fmt.format(first_scope)}),
mock_response(status_code=200),
mock_response(status_code=200),
mock_response(status_code=401, headers={"WWW-Authenticate": challenge_fmt.format(second_scope)}),
mock_response(status_code=200),
mock_response(status_code=200),
),
)
credential = Mock(get_token=Mock(return_value=AccessToken(first_token, time.time() + 3600)))
pipeline = Pipeline(policies=[ChallengeAuthPolicy(credential=credential)], transport=transport)
# policy should complete and cache the first challenge and access token
for _ in range(2):
pipeline.run(HttpRequest("GET", url))
assert credential.get_token.call_count == 1
# The next request will receive a new challenge. The policy should handle it and update caches.
credential.get_token.return_value = AccessToken(second_token, time.time() + 3600)
for _ in range(2):
pipeline.run(HttpRequest("GET", url))
assert credential.get_token.call_count == 2
@empty_challenge_cache
def test_token_expiration():
"""policy should not use a cached token which has expired"""
url = get_random_url()
expires_on = time.time() + 3600
first_token = "*"
second_token = "**"
token = AccessToken(first_token, expires_on)
def get_token(*_, **__):
return token
credential = Mock(get_token=Mock(wraps=get_token))
transport = validating_transport(
requests=[
Request(),
Request(required_headers={"Authorization": "Bearer " + first_token}),
Request(required_headers={"Authorization": "Bearer " + first_token}),
Request(required_headers={"Authorization": "Bearer " + second_token}),
],
responses=[
mock_response(
status_code=401, headers={"WWW-Authenticate": 'Bearer authorization="{}", resource=foo'.format(url)}
)
]
+ [mock_response()] * 3,
)
pipeline = Pipeline(policies=[ChallengeAuthPolicy(credential=credential)], transport=transport)
for _ in range(2):
pipeline.run(HttpRequest("GET", url))
assert credential.get_token.call_count == 1
token = AccessToken(second_token, time.time() + 3600)
with patch("time.time", lambda: expires_on):
pipeline.run(HttpRequest("GET", url))
assert credential.get_token.call_count == 2
@empty_challenge_cache
def test_preserves_options_and_headers():
"""After a challenge, the original request should be sent with its options and headers preserved.
If a policy mutates the options or headers of the challenge (unauthorized) request, the options of the service
request should be present when it is sent with authorization.
"""
url = get_random_url()
token = "**"
def get_token(*_, **__):
return AccessToken(token, 0)
credential = Mock(get_token=Mock(wraps=get_token))
transport = validating_transport(
requests=[Request()] * 2 + [Request(required_headers={"Authorization": "Bearer " + token})],
responses=[
mock_response(
status_code=401, headers={"WWW-Authenticate": 'Bearer authorization="{}", resource=foo'.format(url)}
)
]
+ [mock_response()] * 2,
)
challenge_policy = ChallengeAuthPolicy(credential=credential)
policies = get_policies_for_request_mutation_test(challenge_policy)
pipeline = Pipeline(policies=policies, transport=transport)
response = pipeline.run(HttpRequest("GET", url))
# ensure the mock sans I/O policies were called
for policy in policies:
if hasattr(policy, "on_request"):
assert policy.on_request.called, "mock policy wasn't invoked"
def get_policies_for_request_mutation_test(challenge_policy):
# create mock policies to add, remove, and verify an option and header
key = "foo"
value = "bar"
do_not_handle = lambda _: False
def add(request):
# add the expected option and header
request.context.options[key] = value
request.http_request.headers[key] = value
adder = Mock(spec_set=SansIOHTTPPolicy, on_request=Mock(wraps=add), on_exception=do_not_handle)
def remove(request):
# remove expected header and all options of unauthorized (challenge) requests
if not request.http_request.headers.get("Authorization"):
request.http_request.headers.pop(key, None)
request.context.options = {}
remover = Mock(spec_set=SansIOHTTPPolicy, on_request=Mock(wraps=remove), on_exception=do_not_handle)
def verify(request):
# authorized (non-challenge) requests should have the expected option and header
if request.http_request.headers.get("Authorization"):
assert request.context.options.get(key) == value, "request option not preserved across challenge"
assert request.http_request.headers.get(key) == value, "headers not preserved across challenge"
verifier = Mock(spec=SansIOHTTPPolicy, on_request=Mock(wraps=verify))
# Mutating the challenge request shouldn't affect the authorized request.
# This is the pipeline flow:
# 1. add option and header
# 2. challenge auth
# 3. remove option, header from unauthorized request
# 4. verify option, header on authorized request
return [adder, challenge_policy, remover, verifier]
|
