Ejemplos de parse_redirect en Python

Ejemplo n.º 1

def test_auth_flow_denied(provider_fixture):
    app = provider_fixture
    with app.test_request_context():
        redirect_uri = url_for('oauth2test.authorized', _external=True)
        with app.test_client() as client:
            # First login on provider site
            login(client)

            r = client.get(url_for('oauth2test.login'))
            assert r.status_code == 302
            next_url, data = parse_redirect(r.location)

            # Authorize page
            r = client.get(next_url, query_string=data)
            assert r.status_code == 200

            # User rejects request
            data['confirm'] = 'no'
            data['scope'] = 'test:scope'
            data['state'] = ''

            r = client.post(next_url, data=data)
            assert r.status_code == 302
            next_url, data = parse_redirect(r.location)
            assert next_url == redirect_uri
            assert data.get('error') == 'access_denied'

        # Returned
        r = client.get(next_url, query_string=data)
        assert r.status_code == 200
        assert r.data == b'Access denied: error=access_denied'

Ejemplo n.º 2

Archivo: test_provider.py Proyecto: bruno314/invenio-oauth2server

def test_auth_flow_denied(provider_fixture):
    app = provider_fixture
    with app.test_request_context():
        redirect_uri = url_for('oauth2test.authorized', _external=True)
        with app.test_client() as client:
            # First login on provider site
            login(client)

            r = client.get(url_for('oauth2test.login'))
            assert r.status_code == 302
            next_url, data = parse_redirect(r.location)

            # Authorize page
            r = client.get(next_url, query_string=data)
            assert r.status_code == 200

            # User rejects request
            data['confirm'] = 'no'
            data['scope'] = 'test:scope'
            data['state'] = ''

            r = client.post(next_url, data=data)
            assert r.status_code == 302
            next_url, data = parse_redirect(r.location)
            assert next_url == redirect_uri
            assert data.get('error') == 'access_denied'

        # Returned
        r = client.get(next_url, query_string=data)
        assert r.status_code == 200
        assert r.data == b'Access denied: error=access_denied'

Ejemplo n.º 3

Archivo: test_provider.py Proyecto: tiborsimko/invenio-oauth2server

def test_auth_flow_denied(provider_fixture):
    app = provider_fixture
    with app.test_request_context():
        redirect_uri = url_for("oauth2test.authorized", _external=True)
        with app.test_client() as client:
            # First login on provider site
            login(client)

            r = client.get(url_for("oauth2test.login"))
            assert r.status_code == 302
            next_url, data = parse_redirect(r.location)

            # Authorize page
            r = client.get(next_url, query_string=data)
            assert r.status_code == 200

            # User rejects request
            data["confirm"] = "no"
            data["scope"] = "test:scope"
            data["state"] = ""

            r = client.post(next_url, data=data)
            assert r.status_code == 302
            next_url, data = parse_redirect(r.location)
            assert next_url == redirect_uri
            assert data.get("error") == "access_denied"

        # Returned
        r = client.get(next_url, query_string=data)
        assert r.status_code == 200
        assert r.data == b"Access denied: error=access_denied"

Ejemplo n.º 4

def test_implicit_flow(provider_fixture):
    app = provider_fixture
    with app.test_request_context():
        redirect_uri = url_for('oauth2test.authorized', _external=True)

        with app.test_client() as client:
            # First login on provider site
            login(client)

            for client_id in ['dev', 'confidential']:
                data = dict(
                    redirect_uri=redirect_uri,
                    response_type='token',  # For implicit grant type
                    client_id=client_id,
                    scope='test:scope',
                    state='teststate'
                )

                # Authorize page
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    **data
                ), follow_redirects=True)
                assert r.status_code == 200

                # User confirms request
                data['confirm'] = 'yes'
                data['scope'] = 'test:scope'
                data['state'] = 'teststate'

                r = client.post(url_for('invenio_oauth2server.authorize'),
                                data=data)
                assert r.status_code == 302
                # Important - access token exists in URI fragment and must not
                # be sent to the client.
                next_url, data = parse_redirect(r.location,
                                                parse_fragment=True)

                assert data['access_token']
                assert data['token_type'] == 'Bearer'
                assert data['state'] == 'teststate'
                assert data['scope'] == 'test:scope'
                assert data.get('refresh_token') is None
                assert next_url == redirect_uri

                # Authentication flow has now been completed, and the client
                # can use the access token to make request to the provider.
                r = client.get(url_for('invenio_oauth2server.info',
                                       access_token=data['access_token']))
                assert r.status_code == 200
                assert json.loads(r.get_data()).get('client') == client_id
                assert json.loads(r.get_data()).get('user') == app.user1_id
                assert json.loads(r.get_data()).get('scopes') \
                    == [u'test:scope']

Ejemplo n.º 5

Archivo: test_provider.py Proyecto: bruno314/invenio-oauth2server

def test_implicit_flow(provider_fixture):
    app = provider_fixture
    with app.test_request_context():
        redirect_uri = url_for('oauth2test.authorized', _external=True)

        with app.test_client() as client:
            # First login on provider site
            login(client)

            for client_id in ['dev', 'confidential']:
                data = dict(
                    redirect_uri=redirect_uri,
                    response_type='token',  # For implicit grant type
                    client_id=client_id,
                    scope='test:scope',
                    state='teststate'
                )

                # Authorize page
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    **data
                ), follow_redirects=True)
                assert r.status_code == 200

                # User confirms request
                data['confirm'] = 'yes'
                data['scope'] = 'test:scope'
                data['state'] = 'teststate'

                r = client.post(url_for('invenio_oauth2server.authorize'),
                                data=data)
                assert r.status_code == 302
                # Important - access token exists in URI fragment and must not
                # be sent to the client.
                next_url, data = parse_redirect(r.location,
                                                parse_fragment=True)

                assert data['access_token']
                assert data['token_type'] == 'Bearer'
                assert data['state'] == 'teststate'
                assert data['scope'] == 'test:scope'
                assert data.get('refresh_token') is None
                assert next_url == redirect_uri

                # Authentication flow has now been completed, and the client
                # can use the access token to make request to the provider.
                r = client.get(url_for('invenio_oauth2server.info',
                                       access_token=data['access_token']))
                assert r.status_code == 200
                assert json.loads(r.get_data()).get('client') == client_id
                assert json.loads(r.get_data()).get('user') == app.user1.id
                assert json.loads(r.get_data()).get('scopes') \
                    == [u'test:scope']

Ejemplo n.º 6

Archivo: test_provider.py Proyecto: tiborsimko/invenio-oauth2server

def test_implicit_flow(provider_fixture):
    app = provider_fixture
    with app.test_request_context():
        redirect_uri = url_for("oauth2test.authorized", _external=True)

        with app.test_client() as client:
            # First login on provider site
            login(client)

            for client_id in ["dev", "confidential"]:
                data = dict(
                    redirect_uri=redirect_uri,
                    response_type="token",  # For implicit grant type
                    client_id=client_id,
                    scope="test:scope",
                    state="teststate",
                )

                # Authorize page
                r = client.get(url_for("invenio_oauth2server.authorize", **data), follow_redirects=True)
                assert r.status_code == 200

                # User confirms request
                data["confirm"] = "yes"
                data["scope"] = "test:scope"
                data["state"] = "teststate"

                r = client.post(url_for("invenio_oauth2server.authorize"), data=data)
                assert r.status_code == 302
                # Important - access token exists in URI fragment and must not
                # be sent to the client.
                next_url, data = parse_redirect(r.location, parse_fragment=True)

                assert data["access_token"]
                assert data["token_type"] == "Bearer"
                assert data["state"] == "teststate"
                assert data["scope"] == "test:scope"
                assert data.get("refresh_token") is None
                assert next_url == redirect_uri

                # Authentication flow has now been completed, and the client
                # can use the access token to make request to the provider.
                r = client.get(url_for("invenio_oauth2server.info", access_token=data["access_token"]))
                assert r.status_code == 200
                assert json.loads(r.get_data()).get("client") == client_id
                assert json.loads(r.get_data()).get("user") == app.user1_id
                assert json.loads(r.get_data()).get("scopes") == [u"test:scope"]

Ejemplo n.º 7

def web_auth_flow(provider_fixture):
        app = provider_fixture
        # Go to login - should redirect to oauth2 server for login an
        # authorization
        with app.app_context():
            with app.test_client() as client:
                r = client.get('/oauth2test/test-ping')

                # First login on provider site
                login(client)

                r = client.get('/oauth2test/login')
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)

                # Authorize page
                r = client.get(next_url, query_string=data)
                assert r.status_code == 200

                # User confirms request
                data['confirm'] = 'yes'
                data['scope'] = 'test:scope'
                data['state'] = ''

                r = client.post(next_url, data=data)
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert next_url == 'http://{0}/oauth2test/authorized'.format(
                    app.config['SERVER_NAME'])
                assert 'code' in data

                # User is redirected back to client site.
                # - The client view /oauth2test/authorized will in the
                #   background fetch the access token.
                r = client.get(next_url, query_string=data)
                assert r.status_code == 200

                # Authentication flow has now been completed, and the access
                # token can be used to access protected resources.
                r = client.get('/oauth2test/test-ping')
                assert r.status_code == 200
                assert json.loads(r.get_data()) == dict(ping='pong')

                # Authentication flow has now been completed, and the access
                # token can be used to access protected resources.
                r = client.get('/oauth2test/test-ping')
                assert r.status_code == 200
                assert json.loads(r.get_data()) == dict(ping='pong')

                r = client.get('/oauth2test/test-info')
                assert r.status_code == 200
                json_resp = json.loads(r.get_data())
                assert json_resp['client'] == 'confidential'
                assert json_resp['user'] == app.user1_id
                assert json_resp['scopes'] == [u'test:scope']

                # Access token doesn't provide access to this URL.
                r = client.get(
                    '/oauth2test/test-invalid',
                    base_url='http://{0}'.format(app.config['SERVER_NAME'])
                )
                assert r.status_code == 401

                # # Now logout
                r = client.get('/oauth2test/logout')
                assert r.status_code == 200
                assert r.data == "logout"

                # And try to access the information again
                r = client.get('/oauth2test/test-ping')
                assert r.status_code == 403

Ejemplo n.º 8

def test_refresh_flow(provider_fixture):
    app = provider_fixture
    with app.test_request_context():
        base_url = 'https://{0}'.format(app.config['SERVER_NAME'])
        redirect_uri = url_for('oauth2test.authorized', _external=True)

        with app.test_client() as client:
            # First login on provider site
            login(client)

            data = dict(
                redirect_uri=redirect_uri,
                scope='test:scope',
                response_type='code',
                client_id='confidential',
                state='mystate'
            )

            r = client.get(url_for('invenio_oauth2server.authorize', **data))
            assert r.status_code == 200

            data['confirm'] = 'yes'
            data['scope'] = 'test:scope'
            data['state'] = 'mystate'

            # Obtain one time code
            r = client.post(
                url_for('invenio_oauth2server.authorize'), data=data
            )
            r.status_code == 302
            next_url, res_data = parse_redirect(r.location)
            assert res_data['code']
            assert res_data['state'] == 'mystate'

            # Exchange one time code for access token
            r = client.post(
                url_for('invenio_oauth2server.access_token'), data=dict(
                    client_id='confidential',
                    client_secret='confidential',
                    grant_type='authorization_code',
                    code=res_data['code'],
                )
            )
            assert r.status_code == 200
            json_resp = json.loads(r.get_data())
            assert json_resp['access_token']
            assert json_resp['refresh_token']
            assert json_resp['scope'] == 'test:scope'
            assert json_resp['token_type'] == 'Bearer'
            refresh_token = json_resp['refresh_token']
            old_access_token = json_resp['access_token']

            # Access token valid
            r = client.get(url_for('invenio_oauth2server.info',
                           access_token=old_access_token))
            assert r.status_code == 200

            # Obtain new access token with refresh token
            r = client.post(
                url_for('invenio_oauth2server.access_token'), data=dict(
                    client_id='confidential',
                    client_secret='confidential',
                    grant_type='refresh_token',
                    refresh_token=refresh_token,
                )
            )
            r.status_code == 200
            json_resp = json.loads(r.get_data())
            assert json_resp['access_token']
            assert json_resp['refresh_token']
            assert json_resp['access_token'] != old_access_token
            assert json_resp['refresh_token'] != refresh_token
            assert json_resp['scope'] == 'test:scope'
            assert json_resp['token_type'] == 'Bearer'

            # New access token valid
            r = client.get(url_for('invenio_oauth2server.info',
                                   access_token=json_resp['access_token']))
            assert r.status_code == 200

            # Old access token no longer valid
            r = client.get(url_for('invenio_oauth2server.info',
                                   access_token=old_access_token,),
                           base_url=base_url)
            assert r.status_code == 401

Ejemplo n.º 9

def test_expired_refresh_flow(provider_fixture):
    """Test refresh flow with an expired token."""
    app = provider_fixture
    # First login on provider site
    with app.test_request_context():
        with app.test_client() as client:
            login(client)

            data = dict(
                redirect_uri=url_for('oauth2test.authorized', _external=True),
                scope='test:scope',
                response_type='code',
                client_id='confidential',
                state='mystate'
            )

            r = client.get(url_for('invenio_oauth2server.authorize', **data))
            assert r.status_code == 200

            data['confirm'] = 'yes'
            data['scope'] = 'test:scope'
            data['state'] = 'mystate'

            # Obtain one time code
            r = client.post(
                url_for('invenio_oauth2server.authorize'), data=data
            )
            assert r.status_code == 302
            next_url, res_data = parse_redirect(r.location)
            assert res_data['code']
            assert res_data['state'] == 'mystate'

            # Exchange one time code for access token
            r = client.post(
                url_for('invenio_oauth2server.access_token'), data=dict(
                    client_id='confidential',
                    client_secret='confidential',
                    grant_type='authorization_code',
                    code=res_data['code'],
                )
            )
            assert r.status_code == 200
            assert json.loads(r.get_data())['access_token']
            assert json.loads(r.get_data())['refresh_token']
            assert json.loads(r.get_data())['expires_in'] > 0
            assert json.loads(r.get_data())['scope'] == 'test:scope'
            assert json.loads(r.get_data())['token_type'] == 'Bearer'
            assert json.loads(r.get_data())['user']['id']
            refresh_token = json.loads(r.get_data())['refresh_token']
            old_access_token = json.loads(r.get_data())['access_token']

            # Access token valid
            r = client.get(url_for('invenio_oauth2server.info',
                                   access_token=old_access_token))
            assert r.status_code == 200

            Token.query.filter_by(access_token=old_access_token).update(
                dict(expires=datetime.utcnow() - timedelta(seconds=1))
            )
            db.session.commit()

            # Access token is expired
            r = client.get(url_for('invenio_oauth2server.info',
                                   access_token=old_access_token))
            assert r.status_code == 401

            # Obtain new access token with refresh token
            r = client.post(
                url_for('invenio_oauth2server.access_token'), data=dict(
                    client_id='confidential',
                    client_secret='confidential',
                    grant_type='refresh_token',
                    refresh_token=refresh_token,
                )
            )
            assert r.status_code == 200
            resp_json = json.loads(r.get_data())
            assert resp_json['access_token']
            assert resp_json['refresh_token']
            assert resp_json['expires_in'] > 0
            assert resp_json['access_token'] != old_access_token
            assert resp_json['refresh_token'] != refresh_token
            assert resp_json['scope'] == 'test:scope'
            assert resp_json['token_type'] == 'Bearer'
            assert resp_json['user']['id']

            # New access token valid
            r = client.get(url_for('invenio_oauth2server.info',
                                   access_token=resp_json['access_token']))
            assert r.status_code == 200

            # Old access token no longer valid
            r = client.get(url_for('invenio_oauth2server.info',
                                   access_token=old_access_token))
            assert r.status_code == 401

Ejemplo n.º 10

Archivo: test_provider.py Proyecto: tiborsimko/invenio-oauth2server

def test_not_allowed_public_refresh_flow(expiration_fixture):
    """Public token should not allow refreshing."""
    app = expiration_fixture
    # First login on provider site
    with app.test_request_context():
        with app.test_client() as client:
            login(client)

            data = dict(
                redirect_uri=url_for("oauth2test.authorized", _external=True),
                scope="test:scope",
                response_type="code",
                client_id="dev",
                state="mystate",
            )

            r = client.get(url_for("invenio_oauth2server.authorize", **data))
            assert r.status_code == 200

            data["confirm"] = "yes"
            data["scope"] = "test:scope"
            data["state"] = "mystate"

            # Obtain one time code
            r = client.post(url_for("invenio_oauth2server.authorize"), data=data)
            assert r.status_code == 302
            next_url, res_data = parse_redirect(r.location)
            assert res_data["code"]
            assert res_data["state"] == "mystate"

            # Exchange one time code for access token
            r = client.post(
                url_for("invenio_oauth2server.access_token"),
                data=dict(client_id="dev", client_secret="dev", grant_type="authorization_code", code=res_data["code"]),
            )
            assert r.status_code == 200
            json_resp = json.loads(r.get_data())
            assert json_resp["access_token"]
            assert json_resp["refresh_token"]
            assert json_resp["expires_in"] > 0
            assert json_resp["scope"] == "test:scope"
            assert json_resp["token_type"] == "Bearer"
            refresh_token = json_resp["refresh_token"]
            old_access_token = json_resp["access_token"]

            # Access token valid
            r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token))
            assert r.status_code == 200

            Token.query.filter_by(access_token=old_access_token).update(
                dict(expires=datetime.utcnow() - timedelta(seconds=1))
            )
            db.session.commit()

            # Access token is expired
            r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token), follow_redirects=True)
            assert r.status_code == 401

            # Obtain new access token with refresh token
            r = client.post(
                url_for("invenio_oauth2server.access_token"),
                data=dict(
                    client_id="dev", client_secret="dev", grant_type="refresh_token", refresh_token=refresh_token
                ),
                follow_redirects=True,
            )

            # Only confidential clients can refresh expired token.
            assert r.status_code == 401

Ejemplo n.º 11

Archivo: test_provider.py Proyecto: bruno314/invenio-oauth2server

def web_auth_flow(provider_fixture):
        app = provider_fixture
        # Go to login - should redirect to oauth2 server for login an
        # authorization
        with app.app_context():
            with app.test_client() as client:
                r = client.get('/oauth2test/test-ping')

                # First login on provider site
                login(client)

                r = client.get('/oauth2test/login')
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)

                # Authorize page
                r = client.get(next_url, query_string=data)
                assert r.status_code == 200

                # User confirms request
                data['confirm'] = 'yes'
                data['scope'] = 'test:scope'
                data['state'] = ''

                r = client.post(next_url, data=data)
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert next_url == 'http://{0}/oauth2test/authorized'.format(
                    app.config['SERVER_NAME'])
                assert 'code' in data

                # User is redirected back to client site.
                # - The client view /oauth2test/authorized will in the
                #   background fetch the access token.
                r = client.get(next_url, query_string=data)
                assert r.status_code == 200

                # Authentication flow has now been completed, and the access
                # token can be used to access protected resources.
                r = client.get('/oauth2test/test-ping')
                assert r.status_code == 200
                assert json.loads(r.get_data()) == dict(ping='pong')

                # Authentication flow has now been completed, and the access
                # token can be used to access protected resources.
                r = client.get('/oauth2test/test-ping')
                assert r.status_code == 200
                assert json.loads(r.get_data()) == dict(ping='pong')

                r = client.get('/oauth2test/test-info')
                assert r.status_code == 200
                json_resp = json.loads(r.get_data())
                assert json_resp['client'] == 'confidential'
                assert json_resp['user'] == app.user1.id
                assert json_resp['scopes'] == [u'test:scope']

                # Access token doesn't provide access to this URL.
                r = client.get(
                    '/oauth2test/test-invalid',
                    base_url='http://{0}'.format(app.config['SERVER_NAME'])
                )
                assert r.status_code == 401

                # # Now logout
                r = client.get('/oauth2test/logout')
                assert r.status_code == 200
                assert r.data == "logout"

                # And try to access the information again
                r = client.get('/oauth2test/test-ping')
                assert r.status_code == 403

Ejemplo n.º 12

Archivo: test_provider.py Proyecto: tiborsimko/invenio-oauth2server

def web_auth_flow(provider_fixture):
    app = provider_fixture
    # Go to login - should redirect to oauth2 server for login an
    # authorization
    with app.app_context():
        with app.test_client() as client:
            r = client.get("/oauth2test/test-ping")

            # First login on provider site
            login(client)

            r = client.get("/oauth2test/login")
            assert r.status_code == 302
            next_url, data = parse_redirect(r.location)

            # Authorize page
            r = client.get(next_url, query_string=data)
            assert r.status_code == 200

            # User confirms request
            data["confirm"] = "yes"
            data["scope"] = "test:scope"
            data["state"] = ""

            r = client.post(next_url, data=data)
            assert r.status_code == 302
            next_url, data = parse_redirect(r.location)
            assert next_url == "http://{0}/oauth2test/authorized".format(app.config["SERVER_NAME"])
            assert "code" in data

            # User is redirected back to client site.
            # - The client view /oauth2test/authorized will in the
            #   background fetch the access token.
            r = client.get(next_url, query_string=data)
            assert r.status_code == 200

            # Authentication flow has now been completed, and the access
            # token can be used to access protected resources.
            r = client.get("/oauth2test/test-ping")
            assert r.status_code == 200
            assert json.loads(r.get_data()) == dict(ping="pong")

            # Authentication flow has now been completed, and the access
            # token can be used to access protected resources.
            r = client.get("/oauth2test/test-ping")
            assert r.status_code == 200
            assert json.loads(r.get_data()) == dict(ping="pong")

            r = client.get("/oauth2test/test-info")
            assert r.status_code == 200
            json_resp = json.loads(r.get_data())
            assert json_resp["client"] == "confidential"
            assert json_resp["user"] == app.user1_id
            assert json_resp["scopes"] == [u"test:scope"]

            # Access token doesn't provide access to this URL.
            r = client.get("/oauth2test/test-invalid", base_url="http://{0}".format(app.config["SERVER_NAME"]))
            assert r.status_code == 401

            # # Now logout
            r = client.get("/oauth2test/logout")
            assert r.status_code == 200
            assert r.data == "logout"

            # And try to access the information again
            r = client.get("/oauth2test/test-ping")
            assert r.status_code == 403

Ejemplo n.º 13

Archivo: test_provider.py Proyecto: tiborsimko/invenio-oauth2server

def test_refresh_flow(provider_fixture):
    app = provider_fixture
    with app.test_request_context():
        base_url = "https://{0}".format(app.config["SERVER_NAME"])
        redirect_uri = url_for("oauth2test.authorized", _external=True)

        with app.test_client() as client:
            # First login on provider site
            login(client)

            data = dict(
                redirect_uri=redirect_uri,
                scope="test:scope",
                response_type="code",
                client_id="confidential",
                state="mystate",
            )

            r = client.get(url_for("invenio_oauth2server.authorize", **data))
            assert r.status_code == 200

            data["confirm"] = "yes"
            data["scope"] = "test:scope"
            data["state"] = "mystate"

            # Obtain one time code
            r = client.post(url_for("invenio_oauth2server.authorize"), data=data)
            r.status_code == 302
            next_url, res_data = parse_redirect(r.location)
            assert res_data["code"]
            assert res_data["state"] == "mystate"

            # Exchange one time code for access token
            r = client.post(
                url_for("invenio_oauth2server.access_token"),
                data=dict(
                    client_id="confidential",
                    client_secret="confidential",
                    grant_type="authorization_code",
                    code=res_data["code"],
                ),
            )
            assert r.status_code == 200
            json_resp = json.loads(r.get_data())
            assert json_resp["access_token"]
            assert json_resp["refresh_token"]
            assert json_resp["scope"] == "test:scope"
            assert json_resp["token_type"] == "Bearer"
            refresh_token = json_resp["refresh_token"]
            old_access_token = json_resp["access_token"]

            # Access token valid
            r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token))
            assert r.status_code == 200

            # Obtain new access token with refresh token
            r = client.post(
                url_for("invenio_oauth2server.access_token"),
                data=dict(
                    client_id="confidential",
                    client_secret="confidential",
                    grant_type="refresh_token",
                    refresh_token=refresh_token,
                ),
            )
            r.status_code == 200
            json_resp = json.loads(r.get_data())
            assert json_resp["access_token"]
            assert json_resp["refresh_token"]
            assert json_resp["access_token"] != old_access_token
            assert json_resp["refresh_token"] != refresh_token
            assert json_resp["scope"] == "test:scope"
            assert json_resp["token_type"] == "Bearer"

            # New access token valid
            r = client.get(url_for("invenio_oauth2server.info", access_token=json_resp["access_token"]))
            assert r.status_code == 200

            # Old access token no longer valid
            r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token), base_url=base_url)
            assert r.status_code == 401

Ejemplo n.º 14

Archivo: test_provider.py Proyecto: bruno314/invenio-oauth2server

def test_invalid_authorize_requests(provider_fixture):
    app = provider_fixture
    # First login on provider site
    with app.test_request_context():
        redirect_uri = url_for('oauth2test.authorized', _external=True)

        with app.test_client() as client:
            login(client)

            for client_id in ['dev', 'confidential']:
                scope = 'test:scope'
                response_type = 'code'

                error_url = url_for('invenio_oauth2server.errors')

                # Valid request authorize request
                r = client.get(
                    url_for('invenio_oauth2server.authorize'),
                    data={
                        'redirect_uri': redirect_uri,
                        'scope': scope,
                        'response_type': response_type,
                        'client_id': client_id,
                    })
                assert r.status_code == 200

                # Invalid scope
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope='INVALID',
                    response_type=response_type,
                    client_id=client_id,
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'invalid_scope'
                assert next_url == redirect_uri

                # Invalid response type
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope=scope,
                    response_type='invalid',
                    client_id=client_id,
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'unauthorized_client'
                assert next_url == redirect_uri

                # Missing response_type
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope=scope,
                    client_id=client_id,
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'invalid_request'
                assert next_url == redirect_uri

                # Duplicate parameter
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope=scope,
                    response_type='invalid',
                    client_id=client_id,
                ) + "&client_id={0}".format(client_id))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'invalid_request'
                assert next_url == redirect_uri

                # Invalid client_id
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope=scope,
                    response_type=response_type,
                    client_id='invalid',
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'invalid_client_id'
                assert error_url in next_url

                r = client.get(next_url, query_string=data)
                assert 'invalid_client_id' in str(r.data)

                # Invalid redirect uri
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri='http://localhost/',
                    scope=scope,
                    response_type=response_type,
                    client_id=client_id,
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'mismatching_redirect_uri'
                assert error_url in next_url

Ejemplo n.º 15

def test_invalid_authorize_requests(provider_fixture):
    app = provider_fixture
    # First login on provider site
    with app.test_request_context():
        redirect_uri = url_for('oauth2test.authorized', _external=True)

        with app.test_client() as client:
            login(client)

            for client_id in ['dev', 'confidential']:
                scope = 'test:scope'
                response_type = 'code'

                error_url = url_for('invenio_oauth2server.errors',
                                    _external=True)

                # Valid request authorize request
                r = client.get(
                    url_for('invenio_oauth2server.authorize'),
                    data={
                        'redirect_uri': redirect_uri,
                        'scope': scope,
                        'response_type': response_type,
                        'client_id': client_id,
                    })
                assert r.status_code == 200

                # Invalid scope
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope='INVALID',
                    response_type=response_type,
                    client_id=client_id,
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'invalid_scope'
                assert next_url == redirect_uri

                # Invalid response type
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope=scope,
                    response_type='invalid',
                    client_id=client_id,
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'unsupported_response_type'
                assert next_url == redirect_uri

                # Missing response_type
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope=scope,
                    client_id=client_id,
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'invalid_request'
                assert next_url == redirect_uri

                # Duplicate parameter
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope=scope,
                    response_type='invalid',
                    client_id=client_id,
                ) + "&client_id={0}".format(client_id))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'invalid_request'
                assert next_url == error_url

                # Invalid client_id
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri=redirect_uri,
                    scope=scope,
                    response_type=response_type,
                    client_id='invalid',
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'invalid_request'
                assert error_url in next_url

                r = client.get(next_url, query_string=data)
                assert 'invalid_request' in str(r.data)

                # Invalid redirect uri
                r = client.get(url_for(
                    'invenio_oauth2server.authorize',
                    redirect_uri='http://localhost/',
                    scope=scope,
                    response_type=response_type,
                    client_id=client_id,
                ))
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data['error'] == 'invalid_request'
                assert error_url in next_url

Ejemplo n.º 16

Archivo: test_provider.py Proyecto: tiborsimko/invenio-oauth2server

def test_invalid_authorize_requests(provider_fixture):
    app = provider_fixture
    # First login on provider site
    with app.test_request_context():
        redirect_uri = url_for("oauth2test.authorized", _external=True)

        with app.test_client() as client:
            login(client)

            for client_id in ["dev", "confidential"]:
                scope = "test:scope"
                response_type = "code"

                error_url = url_for("invenio_oauth2server.errors", _external=True)

                # Valid request authorize request
                r = client.get(
                    url_for("invenio_oauth2server.authorize"),
                    data={
                        "redirect_uri": redirect_uri,
                        "scope": scope,
                        "response_type": response_type,
                        "client_id": client_id,
                    },
                )
                assert r.status_code == 200

                # Invalid scope
                r = client.get(
                    url_for(
                        "invenio_oauth2server.authorize",
                        redirect_uri=redirect_uri,
                        scope="INVALID",
                        response_type=response_type,
                        client_id=client_id,
                    )
                )
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data["error"] == "invalid_scope"
                assert next_url == redirect_uri

                # Invalid response type
                r = client.get(
                    url_for(
                        "invenio_oauth2server.authorize",
                        redirect_uri=redirect_uri,
                        scope=scope,
                        response_type="invalid",
                        client_id=client_id,
                    )
                )
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data["error"] == "unsupported_response_type"
                assert next_url == redirect_uri

                # Missing response_type
                r = client.get(
                    url_for(
                        "invenio_oauth2server.authorize", redirect_uri=redirect_uri, scope=scope, client_id=client_id
                    )
                )
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data["error"] == "invalid_request"
                assert next_url == redirect_uri

                # Duplicate parameter
                r = client.get(
                    url_for(
                        "invenio_oauth2server.authorize",
                        redirect_uri=redirect_uri,
                        scope=scope,
                        response_type="invalid",
                        client_id=client_id,
                    )
                    + "&client_id={0}".format(client_id)
                )
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data["error"] == "invalid_request"
                assert next_url == error_url

                # Invalid client_id
                r = client.get(
                    url_for(
                        "invenio_oauth2server.authorize",
                        redirect_uri=redirect_uri,
                        scope=scope,
                        response_type=response_type,
                        client_id="invalid",
                    )
                )
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data["error"] == "invalid_request"
                assert error_url in next_url

                r = client.get(next_url, query_string=data)
                assert "invalid_request" in str(r.data)

                # Invalid redirect uri
                r = client.get(
                    url_for(
                        "invenio_oauth2server.authorize",
                        redirect_uri="http://localhost/",
                        scope=scope,
                        response_type=response_type,
                        client_id=client_id,
                    )
                )
                assert r.status_code == 302
                next_url, data = parse_redirect(r.location)
                assert data["error"] == "invalid_request"
                assert error_url in next_url

Ejemplo n.º 17

def test_not_allowed_public_refresh_flow(expiration_fixture):
    """Public token should not allow refreshing."""
    app = expiration_fixture
    # First login on provider site
    with app.test_request_context():
        with app.test_client() as client:
            login(client)

            data = dict(
                redirect_uri=url_for('oauth2test.authorized', _external=True),
                scope='test:scope',
                response_type='code',
                client_id='dev',
                state='mystate'
            )

            r = client.get(url_for('invenio_oauth2server.authorize', **data))
            assert r.status_code == 200

            data['confirm'] = 'yes'
            data['scope'] = 'test:scope'
            data['state'] = 'mystate'

            # Obtain one time code
            r = client.post(
                url_for('invenio_oauth2server.authorize'), data=data
            )
            assert r.status_code == 302
            next_url, res_data = parse_redirect(r.location)
            assert res_data['code']
            assert res_data['state'] == 'mystate'

            # Exchange one time code for access token
            r = client.post(
                url_for('invenio_oauth2server.access_token'), data=dict(
                    client_id='dev',
                    client_secret='dev',
                    grant_type='authorization_code',
                    code=res_data['code'],
                )
            )
            assert r.status_code == 200
            json_resp = json.loads(r.get_data())
            assert json_resp['access_token']
            assert json_resp['refresh_token']
            assert json_resp['expires_in'] > 0
            assert json_resp['scope'] == 'test:scope'
            assert json_resp['token_type'] == 'Bearer'
            refresh_token = json_resp['refresh_token']
            old_access_token = json_resp['access_token']

            # Access token valid
            r = client.get(url_for('invenio_oauth2server.info',
                                   access_token=old_access_token))
            assert r.status_code == 200

            Token.query.filter_by(access_token=old_access_token).update(
                dict(expires=datetime.utcnow() - timedelta(seconds=1))
            )
            db.session.commit()

            # Access token is expired
            r = client.get(url_for('invenio_oauth2server.info',
                           access_token=old_access_token),
                           follow_redirects=True)
            assert r.status_code == 401

            # Obtain new access token with refresh token
            r = client.post(
                url_for('invenio_oauth2server.access_token'), data=dict(
                    client_id='dev',
                    client_secret='dev',
                    grant_type='refresh_token',
                    refresh_token=refresh_token,
                ),
                follow_redirects=True
            )

            # Only confidential clients can refresh expired token.
            assert r.status_code == 401

Ejemplo n.º 18

Archivo: test_provider.py Proyecto: bruno314/invenio-oauth2server

def test_refresh_flow(provider_fixture):
    app = provider_fixture
    with app.test_request_context():
        base_url = 'https://{0}'.format(app.config['SERVER_NAME'])
        redirect_uri = url_for('oauth2test.authorized', _external=True)

        with app.test_client() as client:
            # First login on provider site
            login(client)

            data = dict(
                redirect_uri=redirect_uri,
                scope='test:scope',
                response_type='code',
                client_id='confidential',
                state='mystate'
            )

            r = client.get(url_for('invenio_oauth2server.authorize', **data))
            assert r.status_code == 200

            data['confirm'] = 'yes'
            data['scope'] = 'test:scope'
            data['state'] = 'mystate'

            # Obtain one time code
            r = client.post(
                url_for('invenio_oauth2server.authorize'), data=data
            )
            r.status_code == 302
            next_url, res_data = parse_redirect(r.location)
            assert res_data['code']
            assert res_data['state'] == 'mystate'

            # Exchange one time code for access token
            r = client.post(
                url_for('invenio_oauth2server.access_token'), data=dict(
                    client_id='confidential',
                    client_secret='confidential',
                    grant_type='authorization_code',
                    code=res_data['code'],
                )
            )
            assert r.status_code == 200
            json_resp = json.loads(r.get_data())
            assert json_resp['access_token']
            assert json_resp['refresh_token']
            assert json_resp['scope'] == 'test:scope'
            assert json_resp['token_type'] == 'Bearer'
            refresh_token = json_resp['refresh_token']
            old_access_token = json_resp['access_token']

            # Access token valid
            r = client.get(url_for('invenio_oauth2server.info',
                           access_token=old_access_token))
            assert r.status_code == 200

            # Obtain new access token with refresh token
            r = client.post(
                url_for('invenio_oauth2server.access_token'), data=dict(
                    client_id='confidential',
                    client_secret='confidential',
                    grant_type='refresh_token',
                    refresh_token=refresh_token,
                )
            )
            r.status_code == 200
            json_resp = json.loads(r.get_data())
            assert json_resp['access_token']
            assert json_resp['refresh_token']
            assert json_resp['access_token'] != old_access_token
            assert json_resp['refresh_token'] != refresh_token
            assert json_resp['scope'] == 'test:scope'
            assert json_resp['token_type'] == 'Bearer'

            # New access token valid
            r = client.get(url_for('invenio_oauth2server.info',
                                   access_token=json_resp['access_token']))
            assert r.status_code == 200

            # Old access token no longer valid
            r = client.get(url_for('invenio_oauth2server.info',
                                   access_token=old_access_token,),
                           base_url=base_url)
            assert r.status_code == 401