from unittest.mock import Mock, patch
import jwt
import pytest
from django.conf import settings
from ..authentication import Authentication
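@patch(f"{Authentication.__module__}.logger")
class TestAuthentication:
    """Tests for the ``Authentication`` callable's bearer-token handling.

    The class-level ``patch`` replaces the authentication module's ``logger``
    for every ``test*`` method, which receives it as ``mock_logger``. Key
    lookup and ``jwt.decode`` are mocked throughout, so these tests pin how
    each failure is mapped to a return value and a log message; they do not
    exercise real signature or claim validation.
    """

    # NOTE(review): no test here covers a request with a missing or malformed
    # Authorization header, and none asserts the arguments passed to
    # jwt.decode (algorithms, audience, issuer). Worth adding once the
    # expected behaviour is confirmed against the Authentication class.

    @pytest.fixture(autouse=True)
    def setup_env(self):
        """Provide the environment variables used by every test in the class."""
        with patch.dict(
            "os.environ",
            {
                "API_AUDIENCE": "test_audience",
                "TENANT_ID": "test_tenant_id",
                "BYPASS_API_TOKEN_AUTH": "false",
            },
        ):
            yield

    @pytest.fixture
    def mock_jwks_signing_key(self):
        """Make the JWKS client return a fixed signing key without network I/O."""
        with patch.object(
            jwt.PyJWKClient,
            "get_signing_key_from_jwt",
            return_value=Mock(key="test_signing_key"),
        ):
            yield

    @patch.object(
        jwt.PyJWKClient, "get_signing_key_from_jwt", side_effect=jwt.PyJWKClientError
    )
    def test_with_no_matching_signing_key(self, mock_signing_key_error, mock_logger):
        """A JWKS lookup failure yields ``None`` and a logged exception."""
        authenticator = Authentication()
        assert authenticator(Mock(headers={"Authorization": "Bearer abc123"})) is None
        mock_logger.exception.assert_called_with(
            "Error fetching JWKS keys from Azure AD."
        )

    @patch(
        f"{Authentication.__module__}.jwt.decode", side_effect=jwt.ExpiredSignatureError
    )
    def test_with_expired_signature(
        self, mock_decode, mock_logger, mock_jwks_signing_key
    ):
        """An expired token is rejected with ``None``."""
        authenticator = Authentication()
        assert authenticator(Mock(headers={"Authorization": "Bearer abc123"})) is None
        mock_logger.exception.assert_called_with("Token is expired")

    @patch(
        f"{Authentication.__module__}.jwt.decode", side_effect=jwt.InvalidAudienceError
    )
    def test_with_invalid_claims(self, _, mock_logger, mock_jwks_signing_key):
        """A token with the wrong audience is rejected with ``None``."""
        authenticator = Authentication()
        assert authenticator(Mock(headers={"Authorization": "Bearer abc123"})) is None
        mock_logger.exception.assert_called_with(
            "Invalid claims. Please check the audience and issuer."
        )

    @patch(
        f"{Authentication.__module__}.jwt.decode", side_effect=jwt.InvalidIssuerError
    )
    def test_with_invalid_issuer(self, _, mock_logger, mock_jwks_signing_key):
        """A token with the wrong issuer is rejected with ``None``."""
        authenticator = Authentication()
        assert authenticator(Mock(headers={"Authorization": "Bearer abc123"})) is None
        mock_logger.exception.assert_called_with(
            "Invalid claims. Please check the audience and issuer."
        )

    @patch(f"{Authentication.__module__}.jwt.decode", side_effect=jwt.InvalidTokenError)
    def test_with_invalid_token(self, _, mock_logger, mock_jwks_signing_key):
        """A generic ``InvalidTokenError`` is rejected with ``None``."""
        authenticator = Authentication()
        assert authenticator(Mock(headers={"Authorization": "Bearer abc123"})) is None
        mock_logger.exception.assert_called_with("Token is invalid")

    @patch(f"{Authentication.__module__}.jwt.decode", side_effect=Exception)
    def test_with_unexpected_exception(self, _, mock_logger, mock_jwks_signing_key):
        """Any other exception from decoding fails closed with ``None``."""
        authenticator = Authentication()
        assert authenticator(Mock(headers={"Authorization": "Bearer abc123"})) is None
        mock_logger.exception.assert_called_with(
            "Unable to parse authentication token."
        )

    @patch(
        f"{Authentication.__module__}.jwt.decode", return_value={"sub": "1234567890"}
    )
    def test_with_valid_token(self, _, mock_logger, mock_jwks_signing_key):
        """A successfully decoded token returns its claims and logs no exception."""
        authenticator = Authentication()
        assert authenticator(Mock(headers={"Authorization": "Bearer abc123"})) == {
            "sub": "1234567890"
        }
        mock_logger.exception.assert_not_called()

    def test_request_auth_object_is_set(self, mock_logger, mock_jwks_signing_key):
        """The decoded claims are both returned and stored on ``request.auth``."""
        with patch(
            f"{Authentication.__module__}.jwt.decode",
            return_value={"oid": "test_oid", "sub": "test_user"},
        ):
            authenticator = Authentication()
            request = Mock(headers={"Authorization": "Bearer abc123"})
            assert authenticator(request) == {"oid": "test_oid", "sub": "test_user"}
            assert request.auth == {"oid": "test_oid", "sub": "test_user"}

    def test_authentication_bypass_enabled(self, mock_logger, mock_jwks_signing_key):
        """With the bypass setting on, any bearer token yields the bypass identity."""
        # Patch the setting to the real boolean. Passing ``return_value=True``
        # would instead install a MagicMock, which only enables the bypass
        # because a mock is truthy, so the test would never exercise ``True``.
        # NOTE(review): the env fixture sets BYPASS_API_TOKEN_AUTH while this
        # patches settings.BYPASS_API_AUTHENTICATION; how the two relate is not
        # visible from this file. Confirm against the settings module.
        with patch.object(settings, "BYPASS_API_AUTHENTICATION", True):
            authenticator = Authentication()
            assert authenticator(
                Mock(headers={"Authorization": "Bearer anytoken"})
            ) == {"oid": "bypass_object_id", "sub": "bypass_user"}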