Add malformed authorization unit test (#2442)

npalaska · web-flow · commit 7552b8575be6 · 2021-09-04T14:42:40.000-04:00
Add malformed authorization header unit tests
diff --git a/lib/pbench/test/unit/server/conftest.py b/lib/pbench/test/unit/server/conftest.py
@@ -11,6 +11,7 @@
 from pbench.server.api import create_app, get_server_config
 from pbench.server.api.auth import Auth
 from pbench.server.database.database import Database
+from pbench.server.database.models.datasets import Dataset
 from pbench.server.database.models.template import Template
 from pbench.server.database.models.users import User
 from pbench.test.unit.server.headertypes import HeaderTypes
@@ -491,6 +492,25 @@ def pbench_token(client, server_config):
     return data["auth_token"]
 
 
+@pytest.fixture()
+def attach_dataset(pbench_token, create_user):
+    """
+    Mock a Dataset attach call to return an object. We mock the Dataset.attach
+    method to avoid DB access here, however the user authentication mechanism
+    is not yet mocked so we have to look up User data.
+
+    Args:
+        pbench_token: create a "drb" user for testing
+        create_user: create a "test" user
+    """
+    Dataset(
+        owner="drb", controller="node", name="drb", access="private"
+    ).add()  # Created by pbench_token fixture
+    Dataset(
+        owner="test", controller="node", name="test", access="private"
+    ).add()  # Created by create_user fixture
+
+
 @pytest.fixture(params=[header for header in HeaderTypes])
 def build_auth_header(request, server_config, pbench_token, pbench_admin_token, client):
     if request.param == HeaderTypes.VALID_ADMIN:
diff --git a/lib/pbench/test/unit/server/query_apis/commons.py b/lib/pbench/test/unit/server/query_apis/commons.py
@@ -79,6 +79,19 @@ def date_range(self, start: AnyStr, end: AnyStr) -> list:
             date_range.append(f"{m.year:04}-{m.month:02}")
         return date_range
 
+    @pytest.mark.parametrize(
+        "malformed_token", ("malformed", "bear token" "Bearer malformed"),
+    )
+    def test_malformed_authorization_header(
+        self, client, server_config, malformed_token, attach_dataset
+    ):
+        response = client.post(
+            server_config.rest_uri + self.pbench_endpoint,
+            headers={"Authorization": malformed_token},
+            json=self.payload,
+        )
+        assert response.status_code == HTTPStatus.FORBIDDEN
+
     def test_non_accessible_user_data(self, client, server_config, pbench_token):
         """
         Test behavior when Authorization header does not have access to other user's data
diff --git a/lib/pbench/test/unit/server/query_apis/test_datasets_publish.py b/lib/pbench/test/unit/server/query_apis/test_datasets_publish.py
@@ -8,35 +8,6 @@
 from pbench.test.unit.server.query_apis.commons import Commons
 
 
-@pytest.fixture()
-def attach_dataset(pbench_token, create_user):
-    """
-    Mock a Dataset attach call to return an object. We mock the Dataset.attach
-    method to avoid DB access here, however the user authentication mechanism
-    is not yet mocked so we have to look up User data.
-
-    Args:
-        monkeypatch: patching fixture
-        pbench_token: create a "drb" user for testing
-        create_user: create a "test" user
-    """
-    datasets = {}
-    datasets["drb"] = Dataset(
-        owner="drb",  # Created by pbench_token fixture
-        controller="node",
-        name="drb",
-        access="private",
-    )
-    datasets["drb"].add()
-    datasets["test"] = Dataset(
-        owner="test",  # Created by create_user fixture
-        controller="node",
-        name="test",
-        access="private",
-    )
-    datasets["test"].add()
-
-
 @pytest.fixture()
 def get_document_map(monkeypatch, attach_dataset):
     """
diff --git a/lib/pbench/test/unit/server/test_requests.py b/lib/pbench/test/unit/server/test_requests.py
@@ -125,10 +125,14 @@ def test_missing_authorization_header(self, client, caplog, server_config):
         assert response.status_code == HTTPStatus.UNAUTHORIZED
         self.verify_logs(caplog)
 
-    def test_malformed_authorization_header(self, client, caplog, server_config):
+    @pytest.mark.parametrize(
+        "malformed_token", ("malformed", "bear token" "Bearer malformed"),
+    )
+    def test_malformed_authorization_header(
+        self, client, caplog, server_config, malformed_token
+    ):
         response = client.put(
-            self.gen_uri(server_config),
-            headers={"Authorization": "Bearer " + "malformed"},
+            self.gen_uri(server_config), headers={"Authorization": malformed_token},
         )
         assert response.status_code == HTTPStatus.UNAUTHORIZED
         self.verify_logs(caplog)
