test_middleware_key_auth.py
import json
from django.contrib.auth import get_user_model
from rest_framework import status
from rest_framework.test import APITestCase
from api_bouncer.models import Api, Consumer
# Resolve the active user model through Django rather than importing a
# concrete User class, so the tests follow whatever model the project configures.
User = get_user_model()
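class KeyAuthMiddlewareTests(APITestCase):
    """Check that the key-auth plugin gates requests bounced to an API.

    Every test enables key-auth on the ``httpbin`` API while logged in as the
    superuser, logs out, and then sends a request with
    ``HTTP_HOST='httpbin.org'`` so it is matched against that API's hosts.

    NOTE(review): the positive tests assert on JSON echoed back by the
    upstream (``args``, ``headers``), so they presumably need a reachable
    https://httpbin.org or a stub standing in for it -- confirm how CI
    provides that.
    """

    def setUp(self):
        """Create the admin user, the bounced API, a consumer and the URLs."""
        self.superuser = User.objects.create_superuser(
            'john',
            'john@localhost.local',
            'john123john'
        )
        self.example_api = Api.objects.create(
            name='httpbin',
            hosts=['httpbin.org'],
            upstream_url='https://httpbin.org'
        )
        # Endpoint used to attach a plugin to the API created above.
        self.key_auth_url = '/apis/{}/plugins/'.format(self.example_api.name)
        self.consumer = Consumer.objects.create(username='django')
        # Endpoint used to issue a key-auth credential for the consumer.
        self.consumer_key_url = (
            '/consumers/{}/key-auth/'.format(self.consumer.username)
        )

    def test_bounce_api_authorization_ok(self):
        """
        Ensure we can perform requests on an api using a valid key.
        """
        self.client.login(username='john', password='john123john')
        # Name the plugin explicitly, as the sibling tests do, and require the
        # call to succeed. If key-auth were never attached, the request below
        # could reach the upstream unauthenticated and this test would pass
        # without exercising the key check at all.
        plugin_response = self.client.post(
            self.key_auth_url,
            {'name': 'key-auth'}
        )
        self.assertTrue(status.is_success(plugin_response.status_code))
        key_response = self.client.post(self.consumer_key_url)
        self.client.logout()

        apikey = key_response.data['key']
        url = '/get?msg=Bounce'
        # The key travels in the ``apikey`` request header (HTTP_APIKEY).
        self.client.credentials(HTTP_HOST='httpbin.org', HTTP_APIKEY=apikey)
        response = self.client.get(url)
        echoed = json.loads(response.content.decode('utf-8'))

        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(echoed['args']['msg'], 'Bounce')

    def test_bounce_api_key_in_body(self):
        """
        Ensure we can perform requests on an api using a valid key sent on
        request body.
        """
        self.client.login(username='john', password='john123john')
        plugin_config = {
            'name': 'key-auth',
            'config': {
                'anonymous': '',
                'key_names': ['apikey'],
                'key_in_body': True,
                'hide_credentials': False,
            }
        }
        self.client.post(self.key_auth_url, plugin_config, format='json')
        key_response = self.client.post(self.consumer_key_url)
        self.client.logout()

        apikey = key_response.data['key']
        url = '/post'
        # No key header here: the credential is carried only in the JSON body.
        self.client.credentials(HTTP_HOST='httpbin.org')
        response = self.client.post(
            url,
            data={'apikey': apikey},
            format='json'
        )
        echoed = json.loads(response.content.decode('utf-8'))

        self.assertEqual(response.status_code, status.HTTP_200_OK)
        # The upstream echoing the consumer's username shows the request was
        # attributed to the consumer that owns the key.
        self.assertEqual(
            echoed['headers']['X-Consumer-Username'],
            self.consumer.username
        )

    def test_bounce_api_authorization_invalid(self):
        """
        Ensure we can't perform requests on an api without using a valid key.
        """
        self.client.login(username='john', password='john123john')
        self.client.post(self.key_auth_url, {'name': 'key-auth'})
        # Issue a key for the consumer but deliberately do not use it; the
        # request below presents a value that was never issued.
        self.client.post(self.consumer_key_url)
        self.client.logout()

        apikey = 'you_know_nothing'
        url = '/get'
        self.client.credentials(HTTP_HOST='httpbin.org', HTTP_APIKEY=apikey)
        response = self.client.get(url)

        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_bounce_api_key_without_apikey(self):
        """
        Ensure we can't perform requests on an api without sending apikey.
        """
        self.client.login(username='john', password='john123john')
        self.client.post(self.key_auth_url, {'name': 'key-auth'})
        self.client.logout()

        url = '/get'
        # Only the host is set: no key in a header or in the body.
        self.client.credentials(HTTP_HOST='httpbin.org')
        response = self.client.get(url)

        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)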