Python-based regression test setup for auth_broker. This uses an HTTP mock for cplane as well as for the JWKS URL. Complications: 1. We cannot just use the local_proxy binary, as that requires the pg_session_jwt extension, which we don't have available in the current test suite. 2. We cannot use just any old HTTP mock for local_proxy, as auth_broker requires HTTP/2 to local_proxy. As such, I used the h2 library to implement an echo server, copied from the examples in the h2 docs.
import json
import pytest
from fixtures.neon_fixtures import NeonAuthBroker
from jwcrypto import jwk, jwt
@pytest.mark.asyncio
async def test_auth_broker_happy(
    static_auth_broker: NeonAuthBroker,
    neon_authorize_jwk: jwk.JWK,
):
    """
    Happy path: a JWT signed with the test JWK authorizes a query sent via auth_broker.

    The local proxy behind the broker is a mock that echoes the request back, so the
    assertions below inspect what was forwarded: the bearer token, the connection
    string header and the query body.

    NOTE(review): only an accepted token is exercised here. The claims carry just
    ``sub`` (no ``exp``/``aud``/``iss``), and rejection cases (bad signature, unknown
    ``kid``, expired token) are not covered by this test.
    """
    # RS256 header referencing the fixture key by its key id.
    jwt_header = {"kid": neon_authorize_jwk.key_id, "alg": "RS256"}
    signed = jwt.JWT(header=jwt_header, claims={"sub": "user1"})
    signed.make_signed_token(neon_authorize_jwk)
    compact_token = signed.serialize()

    echoed = await static_auth_broker.query(
        "foo", ["arg1"], user="anonymous", token=compact_token
    )

    # The mock echoes the request, so these are the headers and body it received.
    forwarded_headers = echoed["headers"]
    expected_body = {"query": "foo", "params": ["arg1"]}

    # The token must arrive unchanged in the Authorization header.
    assert (
        forwarded_headers["authorization"] == f"Bearer {compact_token}"
    ), "JWT should be forwarded"

    # Substring check only: it shows the user name is present, not the full
    # shape of the connection string.
    assert (
        "anonymous" in forwarded_headers["neon-connection-string"]
    ), "conn string should be forwarded"

    assert json.loads(echoed["body"]) == expected_body, "Query body should be forwarded"