def test_verify_signed_user_url_wrong_userid(dummy_user, create_user):
    """A signed URL whose ``user_token`` id prefix is swapped to another user is rejected.

    This scenario is deliberately contrived: the check can only be reached if two
    users share the same ``signing_secret`` *and* the id at the start of the token
    is replaced.  The test sets up exactly that and expects verification to still
    refuse the tampered link.
    """
    other_user = create_user(123)
    other_user.signing_secret = dummy_user.signing_secret
    original_url = signed_url_for_user(dummy_user, 'core.contact')
    tampered_url = original_url.replace(f'user_token={dummy_user.id}', f'user_token={other_user.id}')
    with pytest.raises(BadRequest) as exc_info:
        verify_signed_user_url(tampered_url, 'GET')
    assert 'The persistent link you used is invalid' in str(exc_info.value)
def _process(self, endpoint, params):
    """Return a JSON response ``{"url": ...}`` for *endpoint* built with *params*.

    When ``session.user`` is set, the URL is signed for that user and the signing
    request is logged; otherwise a plain external URL is built.  A ``BuildError``
    is turned into a 422 response carrying the builder's message.
    """
    try:
        current_user = session.user
        if not current_user:
            url = url_for(endpoint, _external=True, **params)
        else:
            url = signed_url_for_user(current_user, endpoint, _external=True, **params)
            # keep an audit trail of who requested a signed link for what
            Logger.get('url_signing').info("%s signed URL for endpoint '%s' with params %r",
                                           current_user, endpoint, params)
    except BuildError as exc:
        # a BuildError for a valid endpoint almost certainly means required
        # params are missing, so report it as a client-side validation error
        abort(422, messages={'params': [str(exc)]})
    return jsonify(url=url)
def test_signed_url_for_user_sorted(dummy_user):
    """Keyword-argument order must not change the resulting signed URL."""
    dummy_user.signing_secret = 'fourtytwo'
    first = signed_url_for_user(dummy_user, 'core.contact', a=1, b=2)
    second = signed_url_for_user(dummy_user, 'core.contact', b=2, a=1)
    assert first == second
def test_signed_url_for_user(dummy_user, endpoint, kwargs, expected):
    """With a fixed secret, the signed URL matches the expected value.

    ``endpoint``, ``kwargs`` and ``expected`` are presumably supplied by a
    parametrize decorator outside this view.
    """
    dummy_user.signing_secret = 'sixtynine'
    generated = signed_url_for_user(dummy_user, endpoint, **kwargs)
    assert generated == expected
def test_get_request_user_complete(dummy_user, app, test_client, dummy_token, create_user):
    """Exercise get_request_user() across every auth source the test app accepts.

    Three request handlers are registered: a default one, one that allows signed
    URLs and one requiring the ``read:user`` OAuth scope.  The sections below send
    requests with no auth, a signed URL, a bearer token with progressively wider
    scopes, a session cookie, and mixes of those.  The handler echoes
    ``<user id>|<auth source>`` so both the identity and the source it was taken
    from can be asserted.  The sections are order-dependent: the token's scopes
    are appended cumulatively and the session user is set midway through.
    """
    class RHTest(RH):
        def _process(self):
            user, source = get_request_user()
            # the resolved user must agree with what the session exposes
            assert session.user == user
            if not user:
                return 'none'
            return f'{user.id}|{source}'

    @allow_signed_url
    class RHTestSigned(RHTest):
        pass

    @oauth_scope('read:user')
    class RHTestScope(RHTest):
        pass

    app.add_url_rule('/test/default', 'test_default', make_view_func(RHTest), methods=('GET', 'POST'))
    app.add_url_rule('/test/signed', 'test_signed', make_view_func(RHTestSigned))
    app.add_url_rule('/test/scope', 'test_scope', make_view_func(RHTestScope), methods=('GET', 'POST'))

    # no auth: every endpoint resolves to no user
    assert test_client.get('/test/default').data == b'none'
    assert test_client.get('/test/signed').data == b'none'
    assert test_client.get('/test/scope').data == b'none'

    # signature auth: only endpoints opted in via @allow_signed_url accept it
    resp = test_client.get(signed_url_for_user(dummy_user, 'test_default'))
    assert resp.status_code == 400
    assert b'Signature auth is not allowed for this URL' in resp.data
    resp = test_client.get(signed_url_for_user(dummy_user, 'test_signed'))
    assert resp.status_code == 200
    assert resp.data == b'1337|signed_url'
    resp = test_client.get(signed_url_for_user(dummy_user, 'test_scope'))
    assert resp.status_code == 400
    assert b'Signature auth is not allowed for this URL' in resp.data

    # oauth - token with read:user scope (only the custom-scope endpoint accepts it)
    oauth_headers = {'Authorization': f'Bearer {dummy_token._plaintext_token}'}
    resp = test_client.get('/test/default', headers=oauth_headers)
    assert resp.status_code == 403
    assert b'insufficient_scope' in resp.data
    resp = test_client.post('/test/default', headers=oauth_headers)
    assert resp.status_code == 403
    assert b'insufficient_scope' in resp.data
    resp = test_client.get('/test/signed', headers=oauth_headers)
    assert resp.status_code == 403
    assert b'insufficient_scope' in resp.data
    resp = test_client.get('/test/scope', headers=oauth_headers)
    assert resp.status_code == 200
    assert resp.data == b'1337|oauth'
    resp = test_client.post('/test/scope', headers=oauth_headers)
    assert resp.status_code == 200
    assert resp.data == b'1337|oauth'

    # oauth - token with read:everything scope (scopes are appended, not replaced)
    dummy_token._scopes.append('read:everything')
    dummy_token.app_user_link.scopes.append('read:everything')
    dummy_token.app_user_link.application.allowed_scopes.append('read:everything')
    resp = test_client.get('/test/default', headers=oauth_headers)
    assert resp.status_code == 200
    assert resp.data == b'1337|oauth'
    # default post requires full:everything
    resp = test_client.post('/test/default', headers=oauth_headers)
    assert resp.status_code == 403
    assert b'insufficient_scope' in resp.data
    resp = test_client.get('/test/signed', headers=oauth_headers)
    assert resp.status_code == 200
    assert resp.data == b'1337|oauth'
    resp = test_client.get('/test/scope', headers=oauth_headers)
    assert resp.status_code == 200
    assert resp.data == b'1337|oauth'
    # custom scopes are not method-specific
    resp = test_client.post('/test/scope', headers=oauth_headers)
    assert resp.status_code == 200
    assert resp.data == b'1337|oauth'

    # full:everything should allow posting to any endpoint
    dummy_token._scopes.append('full:everything')
    dummy_token.app_user_link.scopes.append('full:everything')
    dummy_token.app_user_link.application.allowed_scopes.append('full:everything')
    resp = test_client.post('/test/default', headers=oauth_headers)
    assert resp.status_code == 200
    assert resp.data == b'1337|oauth'

    # oauth + signature is not allowed: two credentials on one request is rejected outright
    resp = test_client.get(signed_url_for_user(dummy_user, 'test_signed'), headers=oauth_headers)
    assert resp.status_code == 400
    assert b'OAuth tokens and signed URLs cannot be mixed' in resp.data

    # request with a user being set in the actual session (session cookies in the browser)
    with test_client.session_transaction() as sess:
        sess.set_session_user(create_user(123))
    assert test_client.get('/test/default').data == b'123|session'
    assert test_client.get('/test/signed').data == b'123|session'
    assert test_client.get('/test/scope').data == b'123|session'

    # oauth + session is not allowed: a bearer token alongside a session cookie is rejected
    resp = test_client.get('/test/default', headers=oauth_headers)
    assert resp.status_code == 400
    assert b'OAuth tokens and session cookies cannot be mixed' in resp.data

    # regular requests still need a CSRF token
    resp = test_client.post('/test/default')
    assert resp.status_code == 400
    assert b'problem with your current session' in resp.data

    # signed links override the session user (the session cookie for user 123 is still present)
    resp = test_client.get(signed_url_for_user(dummy_user, 'test_signed'))
    assert resp.status_code == 200
    assert resp.data == b'1337|signed_url'
def test_verify_signed_user_url_invalid_user(dummy_user):
    """Altering the user id inside ``user_token`` invalidates the signed URL.

    The id is changed by prepending ``111`` to it, so the token no longer
    matches the user it was signed for and verification must fail.
    """
    good_url = signed_url_for_user(dummy_user, 'core.contact')
    bad_url = good_url.replace('user_token=', 'user_token=111')
    with pytest.raises(BadRequest) as exc_info:
        verify_signed_user_url(bad_url, 'GET')
    assert 'The persistent link you used is invalid' in str(exc_info.value)
def test_verify_signed_user_url_lists(dummy_user, args):
    """Multi-valued query params survive the sign/verify round trip.

    ``args`` is presumably parametrized outside this view (list values, going by
    the test name); verification must resolve the URL back to the signing user.
    """
    dummy_user.signing_secret = 'sixtynine'
    signed = signed_url_for_user(dummy_user, 'core.contact', foo=args)
    assert verify_signed_user_url(signed, 'GET') == dummy_user