import unittest

from mohawk import Receiver, Sender
from mohawk.exc import MacMismatch
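class TestBewit(unittest.TestCase):
    """Exercise bewit (URL-embedded signature) issuing and verification.

    The sender signs a URL with ``Sender.bewit_url`` and the receiver
    verifies it by passing the signed URL to ``Receiver`` with
    ``accept_get_requests=True``. The cases covered are the happy path, a
    signature produced with the wrong key, and an expired bewit. Reuse of
    a still-valid bewit is not covered here.
    """

    def setUp(self) -> None:
        # One credential set shared by the sender and the receiver lookup.
        self.credentials = {
            'id': 'some-sender',
            'key': 'some complicated SEKRET',
            'algorithm': 'sha256',
        }

    def lookup_credentials(self, *args):
        """Credential lookup handed to ``Receiver``.

        Ignores its arguments and always returns the test credential set.
        A production lookup would select by the sender id it receives and
        fail for an unknown id; this stub cannot detect a mismatched id.
        """
        return self.credentials

    def _signed_url(self, credentials, **bewit_kwargs):
        """Sign the test asset URL for a GET with *credentials*.

        Keyword arguments are forwarded to ``Sender.bewit_url``.
        """
        sender = Sender(credentials,
                        'https://some-service.net/asset',
                        'GET')
        return sender.bewit_url(**bewit_kwargs)

    def test_successful_bewit(self) -> None:
        """A bewit signed with the receiver's credentials is accepted."""
        signed_url = self._signed_url(self.credentials)
        # No exception means the request is valid.
        Receiver(self.lookup_credentials,
                 url=signed_url,
                 method='GET',
                 accept_get_requests=True,  # turn on bewit, off by default
                 )

    def test_wrong_signature(self) -> None:
        """A bewit signed with a different key is rejected."""
        # Copy so the shared credentials used by the lookup stay intact.
        wrong_credentials = dict(self.credentials, key='WRONG KEY')
        signed_url = self._signed_url(wrong_credentials)
        with self.assertRaises(MacMismatch):
            Receiver(self.lookup_credentials,
                     url=signed_url, method='GET',
                     accept_get_requests=True)

    def test_expired_bewit(self) -> None:
        """A bewit whose expiry has passed is rejected."""
        # TODO: ``...`` is a placeholder; pass a real expiry value here.
        signed_url = self._signed_url(self.credentials, expires_in=...)
        # TODO: patch time or inject something into the receiver to force
        # expiry before this assertion can pass.
        # NOTE(review): BewitExpired is not imported in this file; confirm
        # the exception type the receiver raises for an expired bewit.
        with self.assertRaises(BewitExpired):
            Receiver(self.lookup_credentials,
                     url=signed_url, method='GET', accept_get_requests=True)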
It seems odd to explicitly accept `method='GET'` and also need `accept_get_requests=True`. This may be because it is a test and not in a web view, where you'd use `method=request.method`, but it seemed odd. You also mentioned that bewit URLs aren't as secure. Perhaps that should be noted in the name of the argument, since `accept_get_requests=True` doesn't seem to imply any reduction in security or introduce some unfamiliar term (like "bewit") that would prompt further investigation. As someone who knows nothing of Hawk it seems safe, but you mentioned it was replayable, so I thought I'd comment.