def get_token_scopes(access_token):
"""
The referenced function accepts a token string as argument and
should return a dict containing a scope field that is either a space-separated list of scopes
belonging to the supplied token.
:param access_token:
:return: a dict containing a scope field that is either a space-separated list of scopes
belonging to the supplied token.
"""
token = Token.find(access_token)
if not token:
logger.debug("Access token %r not found", access_token)
raise auth_services.NotAuthorizedException(detail="Invalid token")
logger.debug("Found a token: %r", token)
# only if the token has been issued to a user
# the user has to be automatically logged in
logger.debug("The token user: %r", token.user)
if token.user:
auth_services.login_user(token.user)
# store the current client
g.oauth2client = token.client
# if the client is a Registry, store it on the current session
from lifemonitor.api.models import WorkflowRegistry
registry = WorkflowRegistry.find_by_client_id(token.client.client_id)
logger.debug("Token issued to a WorkflowRegistry: %r", registry
is not None)
if registry:
auth_services.login_registry(registry)
return {"scope": token.scope}
def test_unauthorized_user_with_expired_registry_token(
app_client, user1, authorized_func, client_credentials_registry):
helpers.enable_auto_login(user1['user'])
user = user1['user']
logger.debug(f"The user: {user}")
services.login_user(user)
registry = client_credentials_registry
services.login_registry(registry)
assert registry.name in user.oauth_identity, "Missing user identity"
identity = user.oauth_identity[registry.name]
# extract the identity token
token = identity.token
# ensure the token doesn't have a refresh token
token.pop('refresh_token', False)
# make the token expired
token['expires_at'] = token['created_at']
user_info = identity.user_info
logger.debug(user_info)
# calling the decorator with such a token
# will result in a redirection
response = authorized_func()
logger.debug(response)
assert isinstance(response, Response)
assert response.status_code == 307, "Unexpected status code"
# the redirection to the original endpoint is marked with param 'redirection'
# and if the token is still expired an error will be reported
with app_client.application.test_request_context('/?redirection=true'):
services.login_user(user)
services.login_registry(registry)
with pytest.raises(services.NotAuthorizedException) as e:
authorized_func()
utils.assert_error_message(
messages.unauthorized_user_with_expired_registry_token.format(
registry.name, registry.name), e)
def test_unauthorized_user_without_identity(app_client,
client_credentials_registry,
authorized_func):
user = models.User()
services.login_user(user)
registry = client_credentials_registry
services.login_registry(registry)
with pytest.raises(services.NotAuthorizedException) as e:
authorized_func()
utils.assert_error_message(
messages.unauthorized_user_without_registry_identity.format(
registry.name), e)
def test_identity(app_client, user1, client_credentials_registry):
login_registry(client_credentials_registry)
user = user1['user']
logger.debug(user)
logger.debug(user.oauth_identity)
assert user.current_identity is not None, "Current identity should not be empty"
identity = user.current_identity[client_credentials_registry.name]
assert identity,\
f"Current identity should contain an identity issued by the provider {client_credentials_registry.name}"
assert user.current_identity[client_credentials_registry.name].provider == client_credentials_registry.server_credentials, \
"Unexpected identity provider"
serialization = serializers.UserSchema().dump(user)
logger.debug(serialization)
assert "identities" in serialization, \
"Unable to find the property 'identity' on the serialized user"
assert serialization['identities'][client_credentials_registry.name]['provider']['name'] == client_credentials_registry.name,\
"Invalid provider"