hasura/graphql-engine
1
0
Fork 0
mirror of https://github.com/hasura/graphql-engine.git synced 2025-01-05 22:34:22 +03:00
Code Issues Projects Releases Wiki Activity
3e2e1f7712
graphql-engine/server/tests-py/test_jwt.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

805 lines
28 KiB
Python
Raw Normal View History

server: accept new config `allowed_skew` in JWT config to provide leeway in JWT expiry fixes https://github.com/hasura/graphql-engine/issues/2109 This PR accepts a new config `allowed_skew` in the JWT config to provide for some leeway while comparing the JWT expiry time. GitOrigin-RevId: ef50cf77d8e2780478685096ed13794b5c4c9de4
2021-01-13 11:38:13 +03:00
from datetime import datetime, timedelta, timezone
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
import math
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
import json
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
import time
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
adds basic support for remote schemas/schema stitching (#952)
2018-11-23 16:02:46 +03:00
import pytest
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
import jwt
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
from test_subscriptions import init_ws_conn
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
bump python test suite dependencies This PR upgrades some of the pinned dependencies do not build with python 3.10 - cffi, ruamel, py. Further, it upgrades other packages where the effort is minimal. For the reviewers: Please review it commit by commit. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/3367 GitOrigin-RevId: c5401fe289d3185a79c4d382297f86fbde139825
2022-01-17 10:39:59 +03:00
from ruamel.yaml import YAML
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
from validate import check_query
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
yaml=YAML(typ='safe', pure=True)
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def format_claims(conf, claims):
match conf.get('claims_format', 'json'):
case 'stringified_json':
return json.dumps(claims)
case _:
return claims
def set_claims(claims, hasura_claims, namespace_path=None):
match namespace_path:
case None:
claims['https://hasura.io/jwt/claims'] = hasura_claims
case "$":
claims.update(hasura_claims)
case "$.hasura_claims":
claims['hasura_claims'] = hasura_claims
case "$.hasura.claims":
claims['hasura'] = {}
claims['hasura']['claims'] = hasura_claims
case "$.hasura['claims%']":
claims['hasura'] = {}
claims['hasura']['claims%'] = hasura_claims
case _:
raise Exception(
'''claims_namespace_path should not be anything
other than $.hasura_claims, $.hasura['claims%'] or $ for testing. The
value of claims_namespace_path was {}'''.format(namespace_path))
return claims
def get_header_fmt(conf):
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
try:
hdr_fmt = conf['header']['type']
if hdr_fmt == 'Authorization':
return (hdr_fmt, None)
elif hdr_fmt == 'Cookie':
return (hdr_fmt, conf['header']['name'])
server: configuration to specify which Header to pick for JWT Authentication PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9942 GitOrigin-RevId: 4f18d29f07c213a001d43b88e3ce2991230e28e6
2023-08-04 13:35:56 +03:00
elif hdr_fmt == "CustomHeader":
return (hdr_fmt, conf['header']['name'])
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
else:
raise Exception('Invalid JWT header format: %s' % conf)
except KeyError:
print('header conf not found in JWT conf, defaulting to Authorization')
hdr_fmt = ('Authorization', None)
return hdr_fmt
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
def mk_authz_header(conf, token):
(header, name) = get_header_fmt(conf)
if header == 'Authorization':
return {'Authorization': 'Bearer ' + token}
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
elif header == 'Cookie' and name:
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
return {'Cookie': name + '=' + token}
server: configuration to specify which Header to pick for JWT Authentication PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9942 GitOrigin-RevId: 4f18d29f07c213a001d43b88e3ce2991230e28e6
2023-08-04 13:35:56 +03:00
elif header == 'CustomHeader' and name:
return {name: token}
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
else:
raise Exception('Invalid JWT header format')
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
# The tests below would ideally use parameterization rather than subclassing,
# but that doesn't work because of `hge_fixture_env`, which creates a "soft"
# dependency between the environment variables and `hge_server`. Parameterizing
# the former *should* force the latter to be recreated for each new set of
# environment variables, but `hge_server` isn't actually aware there's a
# dependency. See `TestParameterizedFixtures` in test_tests.py for more
# information.
server: accept new config `allowed_skew` in JWT config to provide leeway in JWT expiry fixes https://github.com/hasura/graphql-engine/issues/2109 This PR accepts a new config `allowed_skew` in the JWT config to provide for some leeway while comparing the JWT expiry time. GitOrigin-RevId: ef50cf77d8e2780478685096ed13794b5c4c9de4
2021-01-13 11:38:13 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.admin_secret
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
@pytest.mark.parametrize('endpoint', ['/v1/graphql', '/v1alpha1/graphql'])
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
class AbstractTestJwtBasic:
def test_jwt_valid_claims_success(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
'x-hasura-user-id': '1',
'x-hasura-allowed-roles': ['user', 'editor'],
'x-hasura-default-role': 'user'
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
claims_namespace_path = jwt_configuration.server_configuration.get('claims_namespace_path')
self.claims = set_claims(self.claims, hasura_claims, claims_namespace_path)
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
self.conf['headers'].update(authz_header)
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
self.conf['status'] = 200
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_invalid_role_in_request_header(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-user-id': '1',
'x-hasura-allowed-roles': ['contractor', 'editor'],
'x-hasura-default-role': 'contractor'
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
claims_namespace_path = jwt_configuration.server_configuration.get('claims_namespace_path')
self.claims = set_claims(self.claims, hasura_claims, claims_namespace_path)
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
self.conf['headers'].update(authz_header)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.conf['response'] = {
'errors': [{
conform to graphql subscription and error spec (close #1056, close #1059) (#1126)
2018-12-04 16:37:38 +03:00
'extensions': {
'code': 'access-denied',
'path': '$'
},
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
'message': 'Your requested role is not in allowed roles'
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_no_allowed_roles_in_claim(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user'
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
claims_namespace_path = jwt_configuration.server_configuration.get('claims_namespace_path')
self.claims = set_claims(self.claims, hasura_claims, claims_namespace_path)
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
self.conf['headers'].update(authz_header)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.conf['response'] = {
'errors': [{
conform to graphql subscription and error spec (close #1056, close #1059) (#1126)
2018-12-04 16:37:38 +03:00
'extensions': {
'code': 'jwt-missing-role-claims',
'path': '$'
},
'message': 'JWT claim does not contain x-hasura-allowed-roles'
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_invalid_allowed_roles_in_claim(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-user-id': '1',
'x-hasura-allowed-roles': 'user',
'x-hasura-default-role': 'user'
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
claims_namespace_path = jwt_configuration.server_configuration.get('claims_namespace_path')
self.claims = set_claims(self.claims, hasura_claims, claims_namespace_path)
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
self.conf['headers'].update(authz_header)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.conf['response'] = {
'errors': [{
conform to graphql subscription and error spec (close #1056, close #1059) (#1126)
2018-12-04 16:37:38 +03:00
'extensions': {
'code': 'jwt-invalid-claims',
'path': '$'
},
server: accept new config `allowed_skew` in JWT config to provide leeway in JWT expiry fixes https://github.com/hasura/graphql-engine/issues/2109 This PR accepts a new config `allowed_skew` in the JWT config to provide for some leeway while comparing the JWT expiry time. GitOrigin-RevId: ef50cf77d8e2780478685096ed13794b5c4c9de4
2021-01-13 11:38:13 +03:00
'message': 'invalid x-hasura-allowed-roles; should be a list of roles: parsing [] failed, expected Array, but encountered String'
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_no_default_role(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-user-id': '1',
'x-hasura-allowed-roles': ['user'],
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
claims_namespace_path = jwt_configuration.server_configuration.get('claims_namespace_path')
self.claims = set_claims(self.claims, hasura_claims, claims_namespace_path)
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
self.conf['headers'].update(authz_header)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.conf['response'] = {
'errors': [{
conform to graphql subscription and error spec (close #1056, close #1059) (#1126)
2018-12-04 16:37:38 +03:00
'extensions': {
'code': 'jwt-missing-role-claims',
'path': '$'
},
'message': 'JWT claim does not contain x-hasura-default-role'
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_expired(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
'x-hasura-user-id': '1',
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
claims_namespace_path = jwt_configuration.server_configuration.get('claims_namespace_path')
self.claims = set_claims(self.claims, hasura_claims, claims_namespace_path)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
exp = datetime.now() - timedelta(minutes=1)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
self.claims['exp'] = round(exp.timestamp())
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
self.conf['headers'].update(authz_header)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
self.conf['response'] = {
'errors': [{
'extensions': {
'code': 'invalid-jwt',
'path': '$'
},
'message': 'Could not verify JWT: JWTExpired'
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_invalid_signature(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
'x-hasura-user-id': '1',
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
claims_namespace_path = jwt_configuration.server_configuration.get('claims_namespace_path')
self.claims = set_claims(self.claims, hasura_claims, claims_namespace_path)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
wrong_key = str(self.gen_rsa_key())
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
other_algo = 'HS256'
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
if jwt_configuration.algorithm == 'HS256':
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
other_algo = 'HS384'
token = jwt.encode(self.claims, wrong_key, algorithm=other_algo)
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
self.conf['headers'].update(authz_header)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
self.conf['response'] = {
'errors': [{
'extensions': {
'code': 'invalid-jwt',
'path': '$'
},
'message': 'Could not verify JWT: JWSError JWSInvalidSignature'
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
fix server tests (#2510)
2019-07-11 13:55:34 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_no_audience_in_conf(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
claims_namespace_path = jwt_configuration.server_configuration.get('claims_namespace_path')
self.claims = set_claims(self.claims, hasura_claims, claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['aud'] = 'hasura-test-suite'
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
self.conf['headers'].update(authz_header)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['url'] = endpoint
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
fix server tests (#2510)
2019-07-11 13:55:34 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_no_issuer_in_conf(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
claims_namespace_path = jwt_configuration.server_configuration.get('claims_namespace_path')
self.claims = set_claims(self.claims, hasura_claims, claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['iss'] = 'rubbish-issuer'
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
self.conf['headers'].update(authz_header)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['url'] = endpoint
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
@pytest.fixture(autouse=True)
run graphql tests on both http and websocket; add parallelism (close #1868) (#1921) Examples 1) ` pytest --hge-urls "http://127.0.0.1:8080" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" -vv ` 2) `pytest --hge-urls "http://127.0.0.1:8080" "http://127.0.0.1:8081" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" "postgresql://admin@127.0.0.1:5432/hge_tests2" -vv ` ### Solution and Design <!-- How is this issue solved/fixed? What is the design? --> <!-- It's better if we elaborate --> #### Reducing execution time of tests - The Schema setup and teardown, which were earlier done per test method, usually takes around 1 sec. - For mutations, the model has now been changed to only do schema setup and teardown once per test class. - A data setup and teardown will be done once per test instead (usually takes ~10ms). - For the test class to get this behaviour, one can can extend the class `DefaultTestMutations`. - The function `dir()` should be define which returns the location of the configuration folder. - Inside the configuration folder, there should be - Files `<conf_dir>/schema_setup.yaml` and `<conf_dir>/schema_teardown.yaml`, which has the metadata query executed during schema setup and teardown respectively - Files named `<conf_dir>/values_setup.yaml` and `<conf_dir>/values_teardown.yaml`. These files are executed to setup and remove data from the tables respectively. #### Running Graphql queries on both http and websockets - Each GraphQL query/mutation is run on the both HTTP and websocket protocols - Pytests test parameterisation is used to achieve this - The errors over websockets are slightly different from that on HTTP - The code takes care of converting the errors in HTTP to errors in websockets #### Parallel executation of tests. - The plugin pytest-xdist helps in running tests on parallel workers. - We are using this plugin to group tests by file and run on different workers. - Parallel test worker processes operate on separate postgres databases(and separate graphql-engines connected to these databases). Thus tests on one worker will not affect the tests on the other worker. - With two workers, this decreases execution times by half, as the tests on event triggers usually takes a long time, but does not consume much CPU.
2019-04-08 10:22:38 +03:00
def transact(self, setup):
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.dir = 'queries/graphql_query/permissions'
with open(self.dir + '/user_select_query_unpublished_articles.yaml') as c:
bump python test suite dependencies This PR upgrades some of the pinned dependencies do not build with python 3.10 - cffi, ruamel, py. Further, it upgrades other packages where the effort is minimal. For the reviewers: Please review it commit by commit. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/3367 GitOrigin-RevId: c5401fe289d3185a79c4d382297f86fbde139825
2022-01-17 10:39:59 +03:00
self.conf = yaml.load(c)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
curr_time = datetime.now()
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
exp_time = curr_time + timedelta(hours=10)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.claims = {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp()),
'exp': math.floor(exp_time.timestamp())
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}
run graphql tests on both http and websocket; add parallelism (close #1868) (#1921) Examples 1) ` pytest --hge-urls "http://127.0.0.1:8080" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" -vv ` 2) `pytest --hge-urls "http://127.0.0.1:8080" "http://127.0.0.1:8081" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" "postgresql://admin@127.0.0.1:5432/hge_tests2" -vv ` ### Solution and Design <!-- How is this issue solved/fixed? What is the design? --> <!-- It's better if we elaborate --> #### Reducing execution time of tests - The Schema setup and teardown, which were earlier done per test method, usually takes around 1 sec. - For mutations, the model has now been changed to only do schema setup and teardown once per test class. - A data setup and teardown will be done once per test instead (usually takes ~10ms). - For the test class to get this behaviour, one can can extend the class `DefaultTestMutations`. - The function `dir()` should be define which returns the location of the configuration folder. - Inside the configuration folder, there should be - Files `<conf_dir>/schema_setup.yaml` and `<conf_dir>/schema_teardown.yaml`, which has the metadata query executed during schema setup and teardown respectively - Files named `<conf_dir>/values_setup.yaml` and `<conf_dir>/values_teardown.yaml`. These files are executed to setup and remove data from the tables respectively. #### Running Graphql queries on both http and websockets - Each GraphQL query/mutation is run on the both HTTP and websocket protocols - Pytests test parameterisation is used to achieve this - The errors over websockets are slightly different from that on HTTP - The code takes care of converting the errors in HTTP to errors in websockets #### Parallel executation of tests. - The plugin pytest-xdist helps in running tests on parallel workers. - We are using this plugin to group tests by file and run on different workers. - Parallel test worker processes operate on separate postgres databases(and separate graphql-engines connected to these databases). Thus tests on one worker will not affect the tests on the other worker. - With two workers, this decreases execution times by half, as the tests on event triggers usually takes a long time, but does not consume much CPU.
2019-04-08 10:22:38 +03:00
@pytest.fixture(scope='class')
server/tests-py: Set up postgis extensions using a fixture. Let's put it in one place. This is a precursor to moving database provisioning into the Python integration tests. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/5453 GitOrigin-RevId: 5920b0b1177d94496485fcb4e178b946534ee4eb
2022-08-15 17:29:02 +03:00
def setup(self, postgis, hge_ctx):
run graphql tests on both http and websocket; add parallelism (close #1868) (#1921) Examples 1) ` pytest --hge-urls "http://127.0.0.1:8080" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" -vv ` 2) `pytest --hge-urls "http://127.0.0.1:8080" "http://127.0.0.1:8081" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" "postgresql://admin@127.0.0.1:5432/hge_tests2" -vv ` ### Solution and Design <!-- How is this issue solved/fixed? What is the design? --> <!-- It's better if we elaborate --> #### Reducing execution time of tests - The Schema setup and teardown, which were earlier done per test method, usually takes around 1 sec. - For mutations, the model has now been changed to only do schema setup and teardown once per test class. - A data setup and teardown will be done once per test instead (usually takes ~10ms). - For the test class to get this behaviour, one can can extend the class `DefaultTestMutations`. - The function `dir()` should be define which returns the location of the configuration folder. - Inside the configuration folder, there should be - Files `<conf_dir>/schema_setup.yaml` and `<conf_dir>/schema_teardown.yaml`, which has the metadata query executed during schema setup and teardown respectively - Files named `<conf_dir>/values_setup.yaml` and `<conf_dir>/values_teardown.yaml`. These files are executed to setup and remove data from the tables respectively. #### Running Graphql queries on both http and websockets - Each GraphQL query/mutation is run on the both HTTP and websocket protocols - Pytests test parameterisation is used to achieve this - The errors over websockets are slightly different from that on HTTP - The code takes care of converting the errors in HTTP to errors in websockets #### Parallel executation of tests. - The plugin pytest-xdist helps in running tests on parallel workers. - We are using this plugin to group tests by file and run on different workers. - Parallel test worker processes operate on separate postgres databases(and separate graphql-engines connected to these databases). Thus tests on one worker will not affect the tests on the other worker. - With two workers, this decreases execution times by half, as the tests on event triggers usually takes a long time, but does not consume much CPU.
2019-04-08 10:22:38 +03:00
self.dir = 'queries/graphql_query/permissions'
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
hge_ctx.v1q_f(self.dir + '/setup.yaml')
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
yield
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
hge_ctx.v1q_f(self.dir + '/teardown.yaml')
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@staticmethod
def gen_rsa_key():
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()
)
return pem
@pytest.mark.jwt('rsa')
class TestJwtBasicWithRsa(AbstractTestJwtBasic):
pass
@pytest.mark.jwt('ed25519')
class TestJwtBasicWithEd25519(AbstractTestJwtBasic):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es')
class TestJwtBasicWithEs(AbstractTestJwtBasic):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa', {
'header': {'type': 'Cookie', 'name': 'hasura_user'},
})
class TestJwtBasicWithRsaAndCookie(AbstractTestJwtBasic):
pass
@pytest.mark.jwt('ed25519', {
'header': {'type': 'Cookie', 'name': 'hasura_user'},
})
class TestJwtBasicWithEd25519AndCookie(AbstractTestJwtBasic):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'header': {'type': 'Cookie', 'name': 'hasura_user'},
})
class TestJwtBasicWithEsAndCookie(AbstractTestJwtBasic):
pass
server: configuration to specify which Header to pick for JWT Authentication PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9942 GitOrigin-RevId: 4f18d29f07c213a001d43b88e3ce2991230e28e6
2023-08-04 13:35:56 +03:00
@pytest.mark.jwt('rsa', {
'header': {'type': 'CustomHeader', 'name': 'hasura_user'},
})
class TestJwtBasicWithRsaAndCustomHeader(AbstractTestJwtBasic):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa', {
'claims_format': 'stringified_json',
})
class TestJwtBasicWithRsaAndStringifiedJsonClaims(AbstractTestJwtBasic):
pass
@pytest.mark.jwt('ed25519', {
'claims_format': 'stringified_json',
})
class TestJwtBasicWithEd25519AndStringifiedJsonClaims(AbstractTestJwtBasic):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'claims_format': 'stringified_json',
})
class TestJwtBasicWithEsAndStringifiedJsonClaims(AbstractTestJwtBasic):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa', {
'claims_namespace_path': '$',
})
class TestJwtBasicWithRsaAndClaimsNamespacePathAtRoot(AbstractTestJwtBasic):
pass
@pytest.mark.jwt('ed25519', {
'claims_namespace_path': '$',
})
class TestJwtBasicWithEd25519AndClaimsNamespacePathAtRoot(AbstractTestJwtBasic):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'claims_namespace_path': '$',
})
class TestJwtBasicWithEsAndClaimsNamespacePathAtRoot(AbstractTestJwtBasic):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa', {
'claims_namespace_path': '$.hasura_claims',
})
class TestJwtBasicWithRsaAndClaimsNamespacePathAtOneLevelOfNesting(AbstractTestJwtBasic):
pass
@pytest.mark.jwt('ed25519', {
'claims_namespace_path': '$.hasura_claims',
})
class TestJwtBasicWithEd25519AndClaimsNamespacePathAtOneLevelOfNesting(AbstractTestJwtBasic):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'claims_namespace_path': '$.hasura_claims',
})
class TestJwtBasicWithEsAndClaimsNamespacePathAtOneLevelOfNesting(AbstractTestJwtBasic):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa', {
'claims_namespace_path': '$.hasura.claims',
})
class TestJwtBasicWithRsaAndClaimsNamespacePathAtTwoLevelsOfNesting(AbstractTestJwtBasic):
pass
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('ed25519', {
'claims_namespace_path': '$.hasura.claims',
})
class TestJwtBasicWithEd25519AndClaimsNamespacePathAtTwoLevelsOfNesting(AbstractTestJwtBasic):
pass
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'claims_namespace_path': '$.hasura.claims',
})
class TestJwtBasicWithEsAndClaimsNamespacePathAtTwoLevelsOfNesting(AbstractTestJwtBasic):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa', {
'claims_namespace_path': '$.hasura[\'claims%\']',
})
class TestJwtBasicWithRsaAndClaimsNamespacePathWithSpecialCharacters(AbstractTestJwtBasic):
pass
@pytest.mark.jwt('ed25519', {
'claims_namespace_path': '$.hasura[\'claims%\']',
})
class TestJwtBasicWithEd25519AndClaimsNamespacePathWithSpecialCharacters(AbstractTestJwtBasic):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'claims_namespace_path': '$.hasura[\'claims%\']',
})
class TestJwtBasicWithEsAndClaimsNamespacePathWithSpecialCharacters(AbstractTestJwtBasic):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.admin_secret
@pytest.mark.parametrize('endpoint', ['/v1/graphql', '/v1alpha1/graphql'])
class AbstractTestJwtExpirySkew:
def test_jwt_expiry_leeway(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
self.claims = set_claims(self.claims, hasura_claims)
exp = datetime.now(timezone.utc) - timedelta(seconds = 30)
self.claims['exp'] = round(exp.timestamp())
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
self.conf['headers']['Authorization'] = 'Bearer ' + token
self.conf['response'] = {
'data': {
'article': [{
'id': 1,
'title': 'Article 1',
'content': 'Sample article content 1',
'is_published': False,
'author': {
'id': 1,
'name': 'Author 1'
}
}]
}
}
self.conf['url'] = endpoint
self.conf['status'] = 200
check_query(hge_ctx, self.conf, add_auth=False)
@pytest.fixture(autouse=True)
def transact(self, setup):
self.dir = 'queries/graphql_query/permissions'
with open(self.dir + '/user_select_query_unpublished_articles.yaml') as c:
self.conf = yaml.load(c)
curr_time = datetime.now()
exp_time = curr_time + timedelta(hours=10)
self.claims = {
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp()),
'exp': math.floor(exp_time.timestamp())
}
@pytest.fixture(scope='class')
def setup(self, postgis, hge_ctx):
self.dir = 'queries/graphql_query/permissions'
hge_ctx.v1q_f(self.dir + '/setup.yaml')
yield
hge_ctx.v1q_f(self.dir + '/teardown.yaml')
@pytest.mark.jwt('rsa', {
'allowed_skew': 60,
})
class TestJwtExpirySkewWithRsa(AbstractTestJwtExpirySkew):
pass
@pytest.mark.jwt('ed25519', {
'allowed_skew': 60,
})
class TestJwtExpirySkewWithEd25519(AbstractTestJwtExpirySkew):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'allowed_skew': 60,
})
class TestJwtExpirySkewWithEs(AbstractTestJwtExpirySkew):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.admin_secret
class AbstractTestSubscriptionJwtExpiry:
def test_jwt_expiry(self, hge_key, jwt_configuration, ws_client):
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
curr_time = datetime.now()
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
self.claims = {
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp())
}
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
hasura_claims = format_claims(jwt_configuration.server_configuration, {
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
self.claims = set_claims(self.claims, hasura_claims)
allow altering type of a column whose permissions defined only with session variables (close #2070) (#2683) * allow altering type of a column iff session vars are defined in permissions * use a sum type to define dependency reason * set jwt expiry test's expiry time to 4 seconds * derive Data instance for necessary types to simplify 'hasStaticExp'
2019-08-17 00:35:22 +03:00
exp = curr_time + timedelta(seconds=4)
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
self.claims['exp'] = round(exp.timestamp())
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
authz_header = mk_authz_header(jwt_configuration.server_configuration, token)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
payload = dict()
payload['headers'] = authz_header
server/tests-py: Provide the admin secret to the HGE server. When we run the HGE server inside the test harness, it needs to run with an admin secret for some tests to make sense. This tags each test that requires an admin secret with `pytest.mark.admin_secret`, which then generates a UUID and injects that into both the server and the test case (if required). It also simplifies the way the test harness picks up an existing admin secret, allowing it to use the environment variable instead of requiring it via a parameter. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6120 GitOrigin-RevId: 55c5b9e8c99bdad9c8304098444ddb9516749a2c
2022-09-29 20:18:49 +03:00
init_ws_conn(hge_key, ws_client, payload)
support optional parameters in database url (close #1709) (#2344)
2019-09-06 01:59:26 +03:00
time.sleep(6)
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
assert ws_client.remote_closed == True, ws_client.remote_closed
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa')
class TestSubscriptionJwtExpiryWithRsa(AbstractTestSubscriptionJwtExpiry):
pass
@pytest.mark.jwt('ed25519')
class TestSubscriptionJwtExpiryWithEd25519(AbstractTestSubscriptionJwtExpiry):
pass
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es')
class TestSubscriptionJwtExpiryWithEs(AbstractTestSubscriptionJwtExpiry):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.admin_secret
@pytest.mark.parametrize('endpoint', ['/v1/graphql', '/v1alpha1/graphql'])
class AbstractTestJwtAudienceCheck:
def test_jwt_valid_audience(self, hge_ctx, jwt_configuration, endpoint):
audience = jwt_configuration.server_configuration['audience']
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
audience = audience if isinstance(audience, str) else audience[0]
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
hasura_claims = format_claims(jwt_configuration.server_configuration, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
self.claims = set_claims(self.claims, hasura_claims)
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
self.claims['aud'] = audience
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['headers']['Authorization'] = 'Bearer ' + token
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_invalid_audience(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
self.claims = set_claims(self.claims, hasura_claims)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['aud'] = 'rubbish_audience'
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['headers']['Authorization'] = 'Bearer ' + token
self.conf['response'] = {
'errors': [{
'extensions': {
'code': 'invalid-jwt',
'path': '$'
},
'message': 'Could not verify JWT: JWTNotInAudience'
}]
}
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
@pytest.fixture(autouse=True)
def transact(self, setup):
self.dir = 'queries/graphql_query/permissions'
with open(self.dir + '/user_select_query_unpublished_articles.yaml') as c:
bump python test suite dependencies This PR upgrades some of the pinned dependencies do not build with python 3.10 - cffi, ruamel, py. Further, it upgrades other packages where the effort is minimal. For the reviewers: Please review it commit by commit. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/3367 GitOrigin-RevId: c5401fe289d3185a79c4d382297f86fbde139825
2022-01-17 10:39:59 +03:00
self.conf = yaml.load(c)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
curr_time = datetime.now()
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
exp_time = curr_time + timedelta(hours=1)
self.claims = {
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp()),
'exp': math.floor(exp_time.timestamp())
}
@pytest.fixture(scope='class')
server/tests-py: Set up postgis extensions using a fixture. Let's put it in one place. This is a precursor to moving database provisioning into the Python integration tests. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/5453 GitOrigin-RevId: 5920b0b1177d94496485fcb4e178b946534ee4eb
2022-08-15 17:29:02 +03:00
def setup(self, postgis, hge_ctx):
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.dir = 'queries/graphql_query/permissions'
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
hge_ctx.v1q_f(self.dir + '/setup.yaml')
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
yield
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
hge_ctx.v1q_f(self.dir + '/teardown.yaml')
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa', {
'audience': 'myapp-1234',
})
class TestJwtAudienceCheckWithRsaAndSingleAudience(AbstractTestJwtAudienceCheck):
pass
@pytest.mark.jwt('ed25519', {
'audience': 'myapp-1234',
})
class TestJwtAudienceCheckWithEd25519AndSingleAudience(AbstractTestJwtAudienceCheck):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'audience': 'myapp-1234',
})
class TestJwtAudienceCheckWithEsAndSingleAudience(AbstractTestJwtAudienceCheck):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa', {
'audience': ['myapp-1234', 'myapp-9876'],
})
class TestJwtAudienceCheckWithRsaAndListOfAudiences(AbstractTestJwtAudienceCheck):
pass
@pytest.mark.jwt('ed25519', {
'audience': ['myapp-1234', 'myapp-9876'],
})
class TestJwtAudienceCheckWithEd25519AndListOfAudiences(AbstractTestJwtAudienceCheck):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'audience': ['myapp-1234', 'myapp-9876'],
})
class TestJwtAudienceCheckWithEsAndListOfAudiences(AbstractTestJwtAudienceCheck):
pass
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.admin_secret
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
@pytest.mark.parametrize('endpoint', ['/v1/graphql', '/v1alpha1/graphql'])
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
class AbstractTestJwtIssuerCheck:
def test_jwt_valid_issuer(self, hge_ctx, jwt_configuration, endpoint):
issuer = jwt_configuration.server_configuration['issuer']
hasura_claims = format_claims(jwt_configuration.server_configuration, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
self.claims = set_claims(self.claims, hasura_claims)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['iss'] = issuer
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['headers']['Authorization'] = 'Bearer ' + token
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
def test_jwt_invalid_issuer(self, hge_ctx, jwt_configuration, endpoint):
hasura_claims = format_claims(jwt_configuration.server_configuration, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
self.claims = set_claims(self.claims, hasura_claims)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['iss'] = 'rubbish_issuer'
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
token = jwt.encode(self.claims, jwt_configuration.private_key, algorithm=jwt_configuration.algorithm)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['headers']['Authorization'] = 'Bearer ' + token
self.conf['response'] = {
'errors': [{
'extensions': {
'code': 'invalid-jwt',
'path': '$'
},
'message': 'Could not verify JWT: JWTNotInIssuer'
}]
}
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
check_query(hge_ctx, self.conf, add_auth=False)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
@pytest.fixture(autouse=True)
def transact(self, setup):
self.dir = 'queries/graphql_query/permissions'
with open(self.dir + '/user_select_query_unpublished_articles.yaml') as c:
bump python test suite dependencies This PR upgrades some of the pinned dependencies do not build with python 3.10 - cffi, ruamel, py. Further, it upgrades other packages where the effort is minimal. For the reviewers: Please review it commit by commit. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/3367 GitOrigin-RevId: c5401fe289d3185a79c4d382297f86fbde139825
2022-01-17 10:39:59 +03:00
self.conf = yaml.load(c)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
curr_time = datetime.now()
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
exp_time = curr_time + timedelta(hours=1)
self.claims = {
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp()),
'exp': math.floor(exp_time.timestamp())
}
@pytest.fixture(scope='class')
server/tests-py: Set up postgis extensions using a fixture. Let's put it in one place. This is a precursor to moving database provisioning into the Python integration tests. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/5453 GitOrigin-RevId: 5920b0b1177d94496485fcb4e178b946534ee4eb
2022-08-15 17:29:02 +03:00
def setup(self, postgis, hge_ctx):
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.dir = 'queries/graphql_query/permissions'
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
hge_ctx.v1q_f(self.dir + '/setup.yaml')
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
yield
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
hge_ctx.v1q_f(self.dir + '/teardown.yaml')
server/tests-py: Parallelize JWT tests. This rewrites the JWT tests to generate and specify the secrets per test class, and to provide the server configuration to the HGE fixture. It covers the tests in: - *test_jwt.py* - *test_jwt_claims_map.py* - *test_config_api.py* - *test_graphql_queries.py* (just a couple here) This does reduce the number of code paths exercised with JWT, as we were previously running *all* tests with JWT tokens. However, this seems excessive; we don't need to tread every code path, just enough to ensure we handle the tokens appropriately. I believe that the test coverage in *test_jwt.py* does this well enough (though I'd prefer if we moved the coverage lower down in the stack as unit tests). These tests were configured in multiple different ways by *test-server.sh*; this configuration is now moved to test subclasses within the various files. This results in a bit of duplication. Unfortunately, the tests would ideally use parameterization rather than subclassing, but that doesn't work because of `hge_fixture_env`, which creates a "soft" dependency between the environment variables and `hge_server`. Parameterizing the former *should* force the latter to be recreated for each new set of environment variables, but `hge_server` isn't actually aware there's a dependency. It currently looks like this adds lines of code; we'll more than make up for it when we delete the relevant lines from *test-server.sh*. I am not doing that here because I plan on deleting the whole file in a subsequent changeset. [NDAT-538]: https://hasurahq.atlassian.net/browse/NDAT-538?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8803 GitOrigin-RevId: f7f2caa62de0b0a45e42964b69a8ae73d1575fe8
2023-04-19 13:28:49 +03:00
@pytest.mark.jwt('rsa', {
'issuer': 'https://hasura.com',
})
class TestJwtIssuerCheckWithRsa(AbstractTestJwtIssuerCheck):
pass
@pytest.mark.jwt('ed25519', {
'issuer': 'https://hasura.com',
})
class TestJwtIssuerCheckWithEd25519(AbstractTestJwtIssuerCheck):
pass
server: add support for ES-* ( ES256, ES384 and ES512) algorithms for signing the JWT PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9273 GitOrigin-RevId: e891a14e992e4345f5470e1e99dbfc21d9105c31
2023-06-08 12:26:04 +03:00
@pytest.mark.jwt('es', {
'issuer': 'https://hasura.com',
})
class TestJwtIssuerCheckWithEs(AbstractTestJwtIssuerCheck):
pass
Reference in New Issue Copy Permalink