def testGetAuthorizedScopesDifferentScope(self):
        """Expect only the requested scopes the stubbed token actually holds.

        Each case sets the scopes on the stub OAuth user, asks
        oauth.get_authorized_scopes() about a partly overlapping set, and
        expects exactly the overlap back. A requested scope that was never
        granted must not be reported as authorized. The request is passed
        once as a tuple and once as a list.
        """
        # (scopes granted to the stub user, scopes requested, expected overlap)
        cases = (
            (['scope1', 'scope2'], ('scope1', 'scope3'), ['scope1']),
            (['scope1', 'scope3'], ['scope2', 'scope3'], ['scope3']),
        )
        for granted, requested, expected in cases:
            self.users_stub.SetOAuthUser(scopes=granted)
            reported = oauth.get_authorized_scopes(requested)
            self.assertCountEqual(expected, reported)
def _set_bearer_user_vars(allowed_client_ids, scopes):
  """Validate the oauth bearer token and set endpoints auth user variables.

  On success the authorized scopes are written, space-joined, to
  os.environ[_ENV_USE_OAUTH_SCOPE] so that endpoints.get_current_user() can
  resolve the user.  Every rejection path returns None without writing that
  variable, so a rejected token leaves no authorization state set here.

  NOTE(review): this function never clears the variable; presumably the
  caller resets it per request -- confirm, otherwise a value from an earlier
  call would survive a later rejection.

  Args:
    allowed_client_ids: List of client IDs that are acceptable.  An empty
      list rejects every client; a value equal to SKIP_CLIENT_ID_CHECK
      disables the client ID check entirely.
    scopes: List of acceptable scopes.
  """
  requested_scopes, required_scopes = _process_scopes(scopes)

  # Failure to resolve the token's scopes is treated as "not authenticated".
  try:
    granted_scopes = oauth.get_authorized_scopes(sorted(requested_scopes))
  except oauth.Error:
    _logger.debug('Unable to get authorized scopes.', exc_info=True)
    return

  scopes_ok = _are_scopes_sufficient(granted_scopes, required_scopes)
  if not scopes_ok:
    _logger.debug('Authorized scopes did not satisfy scope requirements.')
    return

  # This lookup is outside the try block above: any exception it raises
  # propagates to the caller instead of being logged and swallowed.
  token_client_id = oauth.get_client_id(granted_scopes)

  # Client ID allow-list.  The token's client ID has to appear in
  # allowed_client_ids; an empty allow-list therefore rejects everyone.
  # Only a value equal to SKIP_CLIENT_ID_CHECK switches the check off, and
  # then any client ID is accepted.
  must_check_client = list(allowed_client_ids) != SKIP_CLIENT_ID_CHECK
  if must_check_client and token_client_id not in allowed_client_ids:
    _logger.warning('Client ID is not allowed: %s', token_client_id)
    return

  # Scope and client ID checks both passed: publish the scopes.
  os.environ[_ENV_USE_OAUTH_SCOPE] = ' '.join(granted_scopes)
  _logger.debug('get_current_user() will return user from matched oauth_user.')
    def testMultipleScopesSuccess(self):
        """Expect consistent identity data when several scopes are requested.

        The stub user holds scope1, scope2 and scope3. Each round queries
        the scopes, the client ID and the user with sets that include a
        scope the user does not hold (scope4 or scope5). It expects that
        only scope1 and scope2 are reported as authorized, that the client
        ID and user fields are the stub's values, and that the user is not
        an admin. The first round passes tuples to the scope and client ID
        lookups; the second passes lists.
        """
        self.users_stub.SetOAuthUser(scopes=['scope1', 'scope2', 'scope3'])

        def check_round(scopes_query, client_query, user_query):
            # All three lookups run before any assertion is made.
            granted = oauth.get_authorized_scopes(scopes_query)
            caller_client_id = oauth.get_client_id(client_query)
            oauth_user = oauth.get_current_user(user_query)

            # scope4 was requested but never granted, so it must be absent.
            self.assertCountEqual(['scope1', 'scope2'], granted)
            self.assertEqual(
                '123456789.apps.googleusercontent.com', caller_client_id)
            self.assertEqual('*****@*****.**', oauth_user.email())
            self.assertEqual('0', oauth_user.user_id())
            self.assertEqual('gmail.com', oauth_user.auth_domain())
            self.assertFalse(
                oauth.is_current_user_admin(('scope1', 'scope2')))

        check_round(
            ('scope1', 'scope2', 'scope4'),
            ('scope1', 'scope2', 'scope4'),
            ['scope1', 'scope2', 'scope5'])
        check_round(
            ['scope1', 'scope2', 'scope4'],
            ['scope1', 'scope2', 'scope4'],
            ['scope1', 'scope2', 'scope4'])
 def testGetAuthorizedScopesCacheSharedWithGetCurrentUser(self):
     """Expect get_authorized_scopes() to reuse get_current_user()'s result.

     The stub's scopes are changed between the two calls, yet the second
     call is expected to answer from the first stub state (scope1, not
     scope3). That only holds if the result of the earlier
     get_current_user() call for the same scope set was cached.

     NOTE(review): presumably this cache is scoped to a single request --
     confirm it is reset between requests so one token's authorized scopes
     are never served for another.
     """
     queried_scopes = ['scope1', 'scope3']

     # First lookup happens while the stub user holds scope1 and scope2.
     self.users_stub.SetOAuthUser(scopes=['scope1', 'scope2'])
     oauth.get_current_user(list(queried_scopes))

     # Change what the stub would grant; a fresh lookup would yield scope3.
     self.users_stub.SetOAuthUser(scopes=['scope2', 'scope3'])
     cached_scopes = oauth.get_authorized_scopes(list(queried_scopes))
     self.assertCountEqual(['scope1'], cached_scopes)