3 files changed, 78 insertions, 7 deletions

diff --git a/macaroonbakery/tests/common.py b/macaroonbakery/tests/common.py
index 972b3ad..aacdaf3 100644
--- a/macaroonbakery/tests/common.py
+++ b/macaroonbakery/tests/common.py
@@ -80,7 +80,7 @@ class ThirdPartyStrcmpChecker(bakery.ThirdPartyCaveatChecker):
             condition = cav_info.condition.decode('utf-8')
         if condition != self.str:
             raise bakery.ThirdPartyCaveatCheckFailed(
-                '{} doesn\'t match {}'.format(condition, self.str))
+                '{} doesn\'t match {}'.format(repr(condition), repr(self.str)))
         return []
 
 
diff --git a/macaroonbakery/tests/test_discharge.py b/macaroonbakery/tests/test_discharge.py
index 0802070..5360317 100644
--- a/macaroonbakery/tests/test_discharge.py
+++ b/macaroonbakery/tests/test_discharge.py
@@ -1,5 +1,6 @@
 # Copyright 2017 Canonical Ltd.
 # Licensed under the LGPLv3, see LICENCE file for details.
+import os
 import unittest
 
 import macaroonbakery.bakery as bakery
@@ -351,14 +352,14 @@ class TestDischarge(unittest.TestCase):
         # Since no declarations are added by the discharger,
         class ThirdPartyCaveatCheckerF(bakery.ThirdPartyCaveatChecker):
             def check_third_party_caveat(self, ctx, cav_info):
-                if cav_info.condition == b'x':
+                if cav_info.condition == 'x':
                     return [checkers.declared_caveat('foo', 'fooval1')]
-                if cav_info.condition == b'y':
+                if cav_info.condition == 'y':
                     return [
                         checkers.declared_caveat('foo', 'fooval2'),
                         checkers.declared_caveat('baz', 'bazval')
                     ]
-                raise common.ThirdPartyCaveatCheckFailed('not matched')
+                raise bakery.ThirdPartyCaveatCheckFailed('not matched')
 
         def get_discharge(cav, payload):
             return bakery.discharge(
@@ -448,7 +449,7 @@ class TestDischarge(unittest.TestCase):
                                             location='as2-loc')]
                 if self._loc == 'as2-loc':
                     return []
-                raise common.ThirdPartyCaveatCheckFailed(
+                raise bakery.ThirdPartyCaveatCheckFailed(
                     'unknown location {}'.format(self._loc))
 
         def get_discharge(cav, payload):
@@ -472,3 +473,45 @@ class TestDischarge(unittest.TestCase):
                         len(cav.caveat_id) > 3):
                     self.fail('caveat id on caveat {} of macaroon {} '
                               'is too big ({})'.format(j, i, cav.id))
+
+    def test_third_party_discharge_macaroon_wrong_root_key_and_third_party_caveat(self):
+
+        root_keys = bakery.MemoryKeyStore()
+        ts = bakery.Bakery(
+            key=bakery.generate_key(),
+            checker=common.test_checker(),
+            root_key_store=root_keys,
+            identity_client=common.OneIdentity(),
+        )
+        locator = bakery.ThirdPartyStore()
+        bs = common.new_bakery('bs-loc', locator)
+
+        # ts creates a macaroon with a third party caveat addressed to bs.
+        ts_macaroon = ts.oven.macaroon(bakery.LATEST_VERSION,
+                                       common.ages,
+                                       None, [bakery.LOGIN_OP])
+        ts_macaroon.add_caveat(
+            checkers.Caveat(location='bs-loc', condition='true'),
+            ts.oven.key, locator,
+        )
+
+        def get_discharge(cav, payload):
+            return bakery.discharge(
+                common.test_context,
+                cav.caveat_id_bytes,
+                payload,
+                bs.oven.key,
+                common.ThirdPartyStrcmpChecker('true'),
+                bs.oven.locator,
+            )
+
+        d = bakery.discharge_all(ts_macaroon, get_discharge)
+
+        # The authorization should succeed at first.
+        ts.checker.auth([d]).allow(common.test_context, [bakery.LOGIN_OP])
+        # Corrupt the root key and try again.
+        # We should get a DischargeRequiredError because the verification has failed.
+        root_keys._key = os.urandom(24)
+        with self.assertRaises(bakery.PermissionDenied) as err:
+            ts.checker.auth([d]).allow(common.test_context, [bakery.LOGIN_OP])
+        self.assertEqual(str(err.exception), 'verification failed: Decryption failed. Ciphertext failed verification')
diff --git a/macaroonbakery/tests/test_httpbakery.py b/macaroonbakery/tests/test_httpbakery.py
index 4aac850..c372f13 100644
--- a/macaroonbakery/tests/test_httpbakery.py
+++ b/macaroonbakery/tests/test_httpbakery.py
@@ -1,6 +1,7 @@
 from unittest import TestCase
 
-from macaroonbakery.httpbakery import WebBrowserInteractionInfo
+import macaroonbakery.httpbakery as httpbakery
+import macaroonbakery.bakery as bakery
 
 
 class TestWebBrowserInteractionInfo(TestCase):
@@ -9,8 +10,35 @@ class TestWebBrowserInteractionInfo(TestCase):
         info_dict = {
             'VisitURL': 'https://example.com/visit',
             'WaitTokenURL': 'https://example.com/wait'}
-        interaction_info = WebBrowserInteractionInfo.from_dict(info_dict)
+        interaction_info = httpbakery.WebBrowserInteractionInfo.from_dict(info_dict)
         self.assertEqual(
             interaction_info.visit_url, 'https://example.com/visit')
         self.assertEqual(
             interaction_info.wait_token_url, 'https://example.com/wait')
+
+
+class TestError(TestCase):
+
+    def test_from_dict_upper_case_fields(self):
+        err = httpbakery.Error.from_dict({
+            'Message': 'm',
+            'Code': 'c',
+        })
+        self.assertEqual(err, httpbakery.Error(
+            code='c',
+            message='m',
+            info=None,
+            version=bakery.LATEST_VERSION,
+        ))
+
+    def test_from_dict_lower_case_fields(self):
+        err = httpbakery.Error.from_dict({
+            'message': 'm',
+            'code': 'c',
+        })
+        self.assertEqual(err, httpbakery.Error(
+            code='c',
+            message='m',
+            info=None,
+            version=bakery.LATEST_VERSION,
+        ))