100% code coverage

yhttp · Jan 19, 2020 · a914ae7 · a914ae7
1 parent 1c364fa
commit a914ae7
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 2 deletions.
diff --git a/tests/test_extension.py b/tests/test_extension.py
@@ -1,6 +1,6 @@
 import pytest
 from bddrest import status, response, given
-from yhttp import text
+from yhttp import text, json
 
 from yhttp.extensions.auth import install, JWT
 
@@ -25,6 +25,12 @@ def get(req):
 
         return req.identity.name
 
+    @app.route('/admin')
+    @auth(roles='admin, god')
+    @json
+    def get(req):
+        return req.identity.roles
+
     with story(app, headers={'Authorization': token.dump(dict(name='foo'))}):
         assert status == 200
         assert response.text == 'foo'
@@ -35,6 +41,22 @@ def get(req):
         when(headers={'Authorization': 'mAlfoRMeD'})
         assert status == 401
 
+    with story(app, '/admin', headers={
+        'Authorization': token.dump(dict(name='foo', roles=['admin']))
+    }):
+        assert status == 200
+        assert response.json == ['admin']
+
+        when(headers={
+            'Authorization': token.dump(dict(name='foo', roles=['editor']))
+        })
+        assert status == 403
+
+        when(headers={
+            'Authorization': token.dump()
+        })
+        assert status == 403
+
 
 def test_exceptions(app):
     db = install(app)

diff --git a/yhttp/extensions/auth/authentication.py b/yhttp/extensions/auth/authentication.py
@@ -2,13 +2,18 @@
 
 
 def authenticate(app, roles=None):
+    if isinstance(roles, str):
+        roles = [i.strip() for i in roles.split(',')]
+
     def decorator(handler):
         @functools.wraps(handler)
         def wrapper(req, *args, **kw):
             req.identity = app.jwt.verifyrequest(req)
+            if roles is not None:
+                req.identity.authorize(roles)
 
             return handler(req, *args, **kw)
-        
+
         return wrapper
     return decorator
 

diff --git a/yhttp/extensions/auth/token.py b/yhttp/extensions/auth/token.py
@@ -14,6 +14,16 @@ def __getattr__(self, attr):
         except KeyError:
             raise AttributeError()
 
+    def authorize(self, roles):
+        if 'roles' not in self.payload:
+            raise statuses.forbidden()
+
+        for r in roles:
+            if r in self.roles:
+                return r
+
+        raise statuses.forbidden()
+
 
 class JWT:
     def __init__(self, secret, algorithm='HS256'):