def setUp(self):
super(IntegrationTestLTI, self).setUp() # lint-amnesty, pylint: disable=super-with-arguments
self.hostname = 'testserver'
self.client.defaults['SERVER_NAME'] = self.hostname
self.url_prefix = 'http://{}'.format(self.hostname)
self.configure_lti_provider(
name='Other Tool Consumer 1',
enabled=True,
lti_consumer_key='other1',
lti_consumer_secret='secret1',
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='LTI Test Tool Consumer',
enabled=True,
lti_consumer_key=LTI_CONSUMER_KEY,
lti_consumer_secret=LTI_CONSUMER_SECRET,
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='Tool Consumer with Secret in Settings',
enabled=True,
lti_consumer_key=OTHER_LTI_CONSUMER_KEY,
lti_consumer_secret='',
lti_max_timestamp_age=10,
)
self.lti = Client(
client_key=LTI_CONSUMER_KEY,
client_secret=LTI_CONSUMER_SECRET,
signature_type=SIGNATURE_TYPE_BODY,
)
def test_client_realm_sign_with_additional_realm(self):
client = Client("client-key", realm="moo-realm")
uri, header, body = client.sign("http://example-uri", realm="baa-realm")
self.assertTrue(
header["Authorization"].startswith('OAuth realm="baa-realm",'))
# make sure sign() does not override the default realm
self.assertEqual(client.realm, "moo-realm")
def test_can_load_consumer_secret_from_settings(self):
lti = Client(
client_key=OTHER_LTI_CONSUMER_KEY,
client_secret=OTHER_LTI_CONSUMER_SECRET,
signature_type=SIGNATURE_TYPE_BODY,
)
(uri, _headers, body) = lti.sign(
uri=self.url_prefix + LTI_TPA_LOGIN_URL,
http_method='POST',
headers={'Content-Type': FORM_ENCODED},
body={
'user_id':
LTI_USER_ID,
'custom_tpa_next':
'/account/finish_auth/?course_id=my_course_id&enrollment_action=enroll',
})
with self.settings(SOCIAL_AUTH_LTI_CONSUMER_SECRETS={
OTHER_LTI_CONSUMER_KEY: OTHER_LTI_CONSUMER_SECRET
}):
login_response = self.client.post(path=uri,
content_type=FORM_ENCODED,
data=body)
# The user should be redirected to the registration form
self.assertEqual(login_response.status_code, 302)
self.assertTrue(login_response['Location'].endswith(
reverse('signin_user')))
register_response = self.client.get(login_response['Location'])
self.assertContains(
register_response,
'"currentProvider": "Tool Consumer with Secret in Settings"',
)
self.assertContains(register_response, '"errorMessage": null')
def test_rsa_method(self):
private_key = ("-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDk1/bxy"
"S8Q8jiheHeYYp/4rEKJopeQRRKKpZI4s5i+UPwVpupG\nAlwXWfzXw"
"SMaKPAoKJNdu7tqKRniqst5uoHXw98gj0x7zamu0Ck1LtQ4c7pFMVa"
"h\n5IYGhBi2E9ycNS329W27nJPWNCbESTu7snVlG8V8mfvGGg3xNjT"
"MO7IdrwIDAQAB\nAoGBAOQ2KuH8S5+OrsL4K+wfjoCi6MfxCUyqVU9"
"GxocdM1m30WyWRFMEz2nKJ8fR\np3vTD4w8yplTOhcoXdQZl0kRoaD"
"zrcYkm2VvJtQRrX7dKFT8dR8D/Tr7dNQLOXfC\nDY6xveQczE7qt7V"
"k7lp4FqmxBsaaEuokt78pOOjywZoInjZhAkEA9wz3zoZNT0/i\nrf6"
"qv2qTIeieUB035N3dyw6f1BGSWYaXSuerDCD/J1qZbAPKKhyHZbVaw"
"Ft3UMhe\n542UftBaxQJBAO0iJy1I8GQjGnS7B3yvyH3CcLYGy296+"
"XO/2xKp/d/ty1OIeovx\nC60pLNwuFNF3z9d2GVQAdoQ89hUkOtjZL"
"eMCQQD0JO6oPHUeUjYT+T7ImAv7UKVT\nSuy30sKjLzqoGw1kR+wv7"
"C5PeDRvscs4wa4CW9s6mjSrMDkDrmCLuJDtmf55AkEA\nkmaMg2PNr"
"jUR51F0zOEFycaaqXbGcFwe1/xx9zLmHzMDXd4bsnwt9kk+fe0hQzV"
"S\nJzatanQit3+feev1PN3QewJAWv4RZeavEUhKv+kLe95Yd0su7lT"
"LVduVgh4v5yLT\nGa6FHdjGPcfajt+nrpB1n8UQBEH9ZxniokR/IPv"
"dMlxqXA==\n-----END RSA PRIVATE KEY-----")
client = Client('client_key',
signature_method=SIGNATURE_RSA,
rsa_key=private_key,
timestamp='1234567890',
nonce='abc')
u, h, b = client.sign('http://example.com')
correct = ('OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="RSA-SHA1", '
'oauth_consumer_key="client_key", '
'oauth_signature="ktvzkUhtrIawBcq21DRJrAyysTc3E1Zq5GdGu8EzH'
'OtbeaCmOBDLGHAcqlm92mj7xp5E1Z6i2vbExPimYAJL7FzkLnkRE5YEJR4'
'rNtIgAf1OZbYsIUmmBO%2BCLuStuu5Lg3tAluwC7XkkgoXCBaRKT1mUXzP'
'HJILzZ8iFOvS6w5E%3D"')
self.assertEqual(h['Authorization'], correct)
def get_request_token(public_key, secret_key, url, method=u'POST'):
'''
:param public_key:
:param secret_key:
:param url:
:param method:
'''
c = Client(
unicode(public_key),
unicode(secret_key),
signature_type=SIGNATURE_TYPE_QUERY
)
uri, headers, body = c.sign(
uri=url,
http_method=method)
http = httplib2.Http()
response, content = httplib2.Http.request(http, uri,
method=method,
body=body,
headers=headers
)
if response.get('status') != '200':
raise Exception("Invalid request token response: %s." % content)
tokens = dict(urlparse.parse_qsl(content))
token = tokens.get('oauth_token')
token_secret = tokens.get('oauth_token_secret')
return unicode(token), unicode(token_secret)
def test_uri_provided_realm(self):
client = Client("foo", callback_uri="https://c.b/cb", client_secret="bar")
uri = self.uri + "?realm=foo"
_, headers, _ = client.sign(uri)
u, h, b, s = self.endpoint.create_request_token_response(uri, headers=headers)
self.assertEqual(s, 200)
self.assertIn("oauth_token", b)
def test_check_redirect_uri(self):
client = Client('foo')
uri, headers, _ = client.sign(self.uri)
h, b, s = self.endpoint.create_request_token_response(
uri, headers=headers)
self.assertEqual(s, 400)
self.assertIn('invalid_request', b)
def get_access_token(request_token, request_token_secret,
access_token_url, access_token_method,
public_key, secret_key,
verifier):
"""
Returns access token and access token secret
"""
c = Client(public_key,
secret_key,
resource_owner_key=request_token,
resource_owner_secret=request_token_secret,
signature_type=SIGNATURE_TYPE_QUERY,
verifier=verifier
)
uri, headers, body = c.sign(uri=access_token_url, http_method=access_token_method)
http = httplib2.Http()
response, content = httplib2.Http.request(http, uri, method=access_token_method, body=body,
headers=headers)
if response.get('status') != '200':
raise Exception("Invalid access token response: %s." % content)
tokens = dict(urlparse.parse_qsl(content))
access_token = tokens.get('oauth_token')
access_token_secret = tokens.get('oauth_token_secret')
return access_token, access_token_secret
def setUp(self):
super().setUp()
self.hostname = 'testserver'
self.client.defaults['SERVER_NAME'] = self.hostname
self.url_prefix = f'http://{self.hostname}'
self.configure_lti_provider(
name='Other Tool Consumer 1',
enabled=True,
lti_consumer_key='other1',
lti_consumer_secret='secret1',
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='LTI Test Tool Consumer',
enabled=True,
lti_consumer_key=LTI_CONSUMER_KEY,
lti_consumer_secret=LTI_CONSUMER_SECRET,
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='Tool Consumer with Secret in Settings',
enabled=True,
lti_consumer_key=OTHER_LTI_CONSUMER_KEY,
lti_consumer_secret='',
lti_max_timestamp_age=10,
)
self.lti = Client(
client_key=LTI_CONSUMER_KEY,
client_secret=LTI_CONSUMER_SECRET,
signature_type=SIGNATURE_TYPE_BODY,
)
def test_client_realm_sign_with_additional_realm(self):
client = Client("client-key", realm="moo-realm")
uri, header, body = client.sign("example-uri", realm="baa-realm")
self.assertTrue(
header["Authorization"].startswith('OAuth realm="baa-realm",'))
# make sure sign() does not override the default realm
self.assertEqual(client.realm, "moo-realm")
def setUp(self):
super(IntegrationTestLTI, self).setUp()
self.configure_lti_provider(
name='Other Tool Consumer 1',
enabled=True,
lti_consumer_key='other1',
lti_consumer_secret='secret1',
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='LTI Test Tool Consumer',
enabled=True,
lti_consumer_key=LTI_CONSUMER_KEY,
lti_consumer_secret=LTI_CONSUMER_SECRET,
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='Tool Consumer with Secret in Settings',
enabled=True,
lti_consumer_key=OTHER_LTI_CONSUMER_KEY,
lti_consumer_secret='',
lti_max_timestamp_age=10,
)
self.lti = Client(
client_key=LTI_CONSUMER_KEY,
client_secret=LTI_CONSUMER_SECRET,
signature_type=SIGNATURE_TYPE_BODY,
)
def setUp(self):
self.validator = MagicMock(wraps=RequestValidator())
self.validator.check_client_key.return_value = True
self.validator.check_request_token.return_value = True
self.validator.check_verifier.return_value = True
self.validator.allowed_signature_methods = ['HMAC-SHA1']
self.validator.get_client_secret.return_value = 'bar'
self.validator.get_request_token_secret.return_value = 'secret'
self.validator.get_realms.return_value = ['foo']
self.validator.timestamp_lifetime = 600
self.validator.validate_client_key.return_value = True
self.validator.validate_request_token.return_value = True
self.validator.validate_verifier.return_value = True
self.validator.validate_timestamp_and_nonce.return_value = True
self.validator.invalidate_request_token.return_value = True
self.validator.dummy_client = 'dummy'
self.validator.dummy_secret = 'dummy'
self.validator.dummy_request_token = 'dummy'
self.validator.save_access_token = MagicMock()
self.endpoint = AccessTokenEndpoint(self.validator)
self.client = Client('foo',
client_secret='bar',
resource_owner_key='token',
resource_owner_secret='secret',
verifier='verfier')
self.uri, self.headers, self.body = self.client.sign(
'https://i.b/access_token')
def test_can_load_consumer_secret_from_settings(self):
lti = Client(
client_key=OTHER_LTI_CONSUMER_KEY,
client_secret=OTHER_LTI_CONSUMER_SECRET,
signature_type=SIGNATURE_TYPE_BODY,
)
(uri, _headers, body) = lti.sign(
uri=self.url_prefix + LTI_TPA_LOGIN_URL, http_method='POST',
headers={'Content-Type': FORM_ENCODED},
body={
'user_id': LTI_USER_ID,
'custom_tpa_next': '/account/finish_auth/?course_id=my_course_id&enrollment_action=enroll',
}
)
with self.settings(SOCIAL_AUTH_LTI_CONSUMER_SECRETS={OTHER_LTI_CONSUMER_KEY: OTHER_LTI_CONSUMER_SECRET}):
login_response = self.client.post(path=uri, content_type=FORM_ENCODED, data=body)
# The user should be redirected to the registration form
self.assertEqual(login_response.status_code, 302)
self.assertTrue(login_response['Location'].endswith(reverse('signin_user')))
register_response = self.client.get(login_response['Location'])
self.assertEqual(register_response.status_code, 200)
self.assertIn(
'"currentProvider": "Tool Consumer with Secret in Settings"',
register_response.content
)
self.assertIn('"errorMessage": null', register_response.content)
def test_rsa_method(self):
private_key = (
"-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDk1/bxy"
"S8Q8jiheHeYYp/4rEKJopeQRRKKpZI4s5i+UPwVpupG\nAlwXWfzXw"
"SMaKPAoKJNdu7tqKRniqst5uoHXw98gj0x7zamu0Ck1LtQ4c7pFMVa"
"h\n5IYGhBi2E9ycNS329W27nJPWNCbESTu7snVlG8V8mfvGGg3xNjT"
"MO7IdrwIDAQAB\nAoGBAOQ2KuH8S5+OrsL4K+wfjoCi6MfxCUyqVU9"
"GxocdM1m30WyWRFMEz2nKJ8fR\np3vTD4w8yplTOhcoXdQZl0kRoaD"
"zrcYkm2VvJtQRrX7dKFT8dR8D/Tr7dNQLOXfC\nDY6xveQczE7qt7V"
"k7lp4FqmxBsaaEuokt78pOOjywZoInjZhAkEA9wz3zoZNT0/i\nrf6"
"qv2qTIeieUB035N3dyw6f1BGSWYaXSuerDCD/J1qZbAPKKhyHZbVaw"
"Ft3UMhe\n542UftBaxQJBAO0iJy1I8GQjGnS7B3yvyH3CcLYGy296+"
"XO/2xKp/d/ty1OIeovx\nC60pLNwuFNF3z9d2GVQAdoQ89hUkOtjZL"
"eMCQQD0JO6oPHUeUjYT+T7ImAv7UKVT\nSuy30sKjLzqoGw1kR+wv7"
"C5PeDRvscs4wa4CW9s6mjSrMDkDrmCLuJDtmf55AkEA\nkmaMg2PNr"
"jUR51F0zOEFycaaqXbGcFwe1/xx9zLmHzMDXd4bsnwt9kk+fe0hQzV"
"S\nJzatanQit3+feev1PN3QewJAWv4RZeavEUhKv+kLe95Yd0su7lT"
"LVduVgh4v5yLT\nGa6FHdjGPcfajt+nrpB1n8UQBEH9ZxniokR/IPv"
"dMlxqXA==\n-----END RSA PRIVATE KEY-----"
)
client = Client('client_key', signature_method=SIGNATURE_RSA,
rsa_key=private_key, timestamp='1234567890', nonce='abc')
u, h, b = client.sign('http://example.com')
correct = ('OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="RSA-SHA1", '
'oauth_consumer_key="client_key", '
'oauth_signature="ktvzkUhtrIawBcq21DRJrAyysTc3E1Zq5GdGu8EzH'
'OtbeaCmOBDLGHAcqlm92mj7xp5E1Z6i2vbExPimYAJL7FzkLnkRE5YEJR4'
'rNtIgAf1OZbYsIUmmBO%2BCLuStuu5Lg3tAluwC7XkkgoXCBaRKT1mUXzP'
'HJILzZ8iFOvS6w5E%3D"')
self.assertEqual(h['Authorization'], correct)
def test_validate_signature(self):
client = Client('foo',
resource_owner_key='token',
resource_owner_secret='secret')
_, headers, _ = client.sign(self.uri + '/extra')
v, r = self.endpoint.validate_protected_resource_request(
self.uri, headers=headers)
self.assertFalse(v)
def test_hmac_sha1_method(self):
client = Client('client_key', timestamp='1234567890', nonce='abc')
u, h, b = client.sign('http://example.com')
correct = ('OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="HMAC-SHA1", '
'oauth_consumer_key="client_key", '
'oauth_signature="hH5BWYVqo7QI4EmPBUUe9owRUUQ%3D"')
self.assertEqual(h['Authorization'], correct)
def test_validate_signature(self):
client = Client('foo',
resource_owner_key='token',
resource_owner_secret='secret')
_, headers, _ = client.sign(self.uri + '/extra')
v, r = self.endpoint.validate_protected_resource_request(
self.uri, headers=headers)
self.assertFalse(v)
def test_hmac_sha1_method(self):
client = Client('client_key', timestamp='1234567890', nonce='abc')
u, h, b = client.sign('http://example.com')
correct = ('OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="HMAC-SHA1", '
'oauth_consumer_key="client_key", '
'oauth_signature="hH5BWYVqo7QI4EmPBUUe9owRUUQ%3D"')
self.assertEqual(h['Authorization'], correct)
def test_uri_provided_realm(self):
client = Client('foo', callback_uri='https://c.b/cb',
client_secret='bar')
uri = self.uri + '?realm=foo'
_, headers, _ = client.sign(uri)
h, b, s = self.endpoint.create_request_token_response(
uri, headers=headers)
self.assertEqual(s, 200)
self.assertIn('oauth_token', b)
def test_validate_signature(self):
client = Client('foo',
resource_owner_key='token',
resource_owner_secret='secret',
verifier='verfier')
_, headers, _ = client.sign(self.uri + '/extra')
h, b, s = self.endpoint.create_access_token_response(self.uri,
headers=headers)
self.assertEqual(s, 401)
def test_sign_empty_body(self):
client = Client('client_key')
_, h, b = client.sign(
'http://i.b/path',
http_method='POST',
body='',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertEqual(h['Content-Type'],
'application/x-www-form-urlencoded')
def test_sign_body(self):
client = Client("client_key")
_, h, b = client.sign(
"http://i.b/path",
http_method="POST",
body="",
headers={"Content-Type": "application/x-www-form-urlencoded"},
)
self.assertEqual(h["Content-Type"], "application/x-www-form-urlencoded")
def test_validate_signature(self):
client = Client('foo',
resource_owner_key='token',
resource_owner_secret='secret',
verifier='verfier')
_, headers, _ = client.sign(self.uri + '/extra')
h, b, s = self.endpoint.create_access_token_response(
self.uri, headers=headers)
self.assertEqual(s, 401)
def test_hmac_sha256_method(self):
client = Client('client_key', signature_method=SIGNATURE_HMAC_SHA256,
timestamp='1234567890', nonce='abc')
u, h, b = client.sign('http://example.com')
correct = ('OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="HMAC-SHA256", '
'oauth_consumer_key="client_key", '
'oauth_signature="JzgJWBxX664OiMW3WE4MEjtYwOjI%2FpaUWHqtdHe68Es%3D"')
self.assertEqual(h['Authorization'], correct)
def test_decoding(self):
client = Client('client_key', decoding='utf-8')
uri, headers, body = client.sign('http://a.b/path?query', body='a=b',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertIsInstance(uri, bytes_type)
self.assertIsInstance(body, bytes_type)
for k, v in headers.items():
self.assertIsInstance(k, bytes_type)
self.assertIsInstance(v, bytes_type)
def test_decoding(self):
client = Client('client_key', decoding='utf-8')
uri, headers, body = client.sign('http://a.b/path?query',
http_method='POST', body='a=b',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertIsInstance(uri, bytes_type)
self.assertIsInstance(body, bytes_type)
for k, v in headers.items():
self.assertIsInstance(k, bytes_type)
self.assertIsInstance(v, bytes_type)
def test_params_in_query(self):
client = Client('client_key', signature_type=SIGNATURE_TYPE_QUERY,
timestamp='1378988215', nonce='14205877133089081931378988215')
u, _, _ = client.sign('http://i.b/path', http_method='POST')
correct = ('http://i.b/path?oauth_nonce=14205877133089081931378988215&'
'oauth_timestamp=1378988215&'
'oauth_version=1.0&'
'oauth_signature_method=HMAC-SHA1&'
'oauth_consumer_key=client_key&'
'oauth_signature=08G5Snvw%2BgDAzBF%2BCmT5KqlrPKo%3D')
self.assertEqual(u, correct)
def test_params_in_query(self):
client = Client('client_key', signature_type=SIGNATURE_TYPE_QUERY,
timestamp='1378988215', nonce='14205877133089081931378988215')
u, _, _ = client.sign('http://i.b/path', http_method='POST')
correct = ('http://i.b/path?oauth_nonce=14205877133089081931378988215&'
'oauth_timestamp=1378988215&'
'oauth_version=1.0&'
'oauth_signature_method=HMAC-SHA1&'
'oauth_consumer_key=client_key&'
'oauth_signature=08G5Snvw%2BgDAzBF%2BCmT5KqlrPKo%3D')
self.assertEqual(u, correct)
def test_sign_unicode(self):
client = Client('client_key', nonce='abc', timestamp='abc')
_, h, b = client.sign('http://i.b/path', http_method='POST',
body='status=%E5%95%A6%E5%95%A6',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertEqual(b, 'status=%E5%95%A6%E5%95%A6')
self.assertIn('oauth_signature="yrtSqp88m%2Fc5UDaucI8BXK4oEtk%3D"', h['Authorization'])
_, h, b = client.sign('http://i.b/path', http_method='POST',
body='status=%C3%A6%C3%A5%C3%B8',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertEqual(b, 'status=%C3%A6%C3%A5%C3%B8')
self.assertIn('oauth_signature="oG5t3Eg%2FXO5FfQgUUlTtUeeZzvk%3D"', h['Authorization'])
def test_sign_unicode(self):
client = Client('client_key', nonce='abc', timestamp='abc')
_, h, b = client.sign('http://i.b/path', http_method='POST',
body='status=%E5%95%A6%E5%95%A6',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertEqual(b, 'status=%E5%95%A6%E5%95%A6')
self.assertIn('oauth_signature="yrtSqp88m%2Fc5UDaucI8BXK4oEtk%3D"', h['Authorization'])
_, h, b = client.sign('http://i.b/path', http_method='POST',
body='status=%C3%A6%C3%A5%C3%B8',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertEqual(b, 'status=%C3%A6%C3%A5%C3%B8')
self.assertIn('oauth_signature="oG5t3Eg%2FXO5FfQgUUlTtUeeZzvk%3D"', h['Authorization'])
def test_decoding(self):
client = Client("client_key", decoding="utf-8")
uri, headers, body = client.sign(
"http://a.b/path?query",
http_method="POST",
body="a=b",
headers={"Content-Type": "application/x-www-form-urlencoded"},
)
self.assertIsInstance(uri, bytes_type)
self.assertIsInstance(body, bytes_type)
for k, v in headers.items():
self.assertIsInstance(k, bytes_type)
self.assertIsInstance(v, bytes_type)
def test_hmac_sha256_method(self):
client = Client('client_key',
signature_method=SIGNATURE_HMAC_SHA256,
timestamp='1234567890',
nonce='abc')
u, h, b = client.sign('http://example.com')
correct = (
'OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="HMAC-SHA256", '
'oauth_consumer_key="client_key", '
'oauth_signature="JzgJWBxX664OiMW3WE4MEjtYwOjI%2FpaUWHqtdHe68Es%3D"'
)
self.assertEqual(h['Authorization'], correct)
def test_plaintext_method(self):
client = Client('client_key',
signature_method=SIGNATURE_PLAINTEXT,
timestamp='1234567890',
nonce='abc',
client_secret='foo',
resource_owner_secret='bar')
u, h, b = client.sign('http://example.com')
correct = ('OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="PLAINTEXT", '
'oauth_consumer_key="client_key", '
'oauth_signature="foo%26bar"')
self.assertEqual(h['Authorization'], correct)
def test_params_in_body(self):
client = Client('client_key', signature_type=SIGNATURE_TYPE_BODY,
timestamp='1378988215', nonce='14205877133089081931378988215')
_, h, b = client.sign('http://i.b/path', http_method='POST', body='a=b',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertEqual(h['Content-Type'], 'application/x-www-form-urlencoded')
correct = ('a=b&oauth_nonce=14205877133089081931378988215&'
'oauth_timestamp=1378988215&'
'oauth_version=1.0&'
'oauth_signature_method=HMAC-SHA1&'
'oauth_consumer_key=client_key&'
'oauth_signature=2JAQomgbShqoscqKWBiYQZwWq94%3D')
self.assertEqual(b, correct)
def test_validate_signature(self):
client = Client('foo',
resource_owner_key='token',
resource_owner_secret='secret')
_, headers, _ = client.sign(self.uri + '/extra')
v, r = self.endpoint.validate_protected_resource_request(
self.uri, headers=headers)
self.assertFalse(v)
# the validator log should have `False` values
self.assertTrue(r.validator_log['client'])
self.assertTrue(r.validator_log['realm'])
self.assertTrue(r.validator_log['resource_owner'])
self.assertFalse(r.validator_log['signature'])
def test_plaintext_method(self):
client = Client('client_key',
signature_method=SIGNATURE_PLAINTEXT,
timestamp='1234567890',
nonce='abc',
client_secret='foo',
resource_owner_secret='bar')
u, h, b = client.sign('http://example.com')
correct = ('OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="PLAINTEXT", '
'oauth_consumer_key="client_key", '
'oauth_signature="foo%26bar"')
self.assertEqual(h['Authorization'], correct)
def test_params_in_body(self):
client = Client('client_key', signature_type=SIGNATURE_TYPE_BODY,
timestamp='1378988215', nonce='14205877133089081931378988215')
_, h, b = client.sign('http://i.b/path', http_method='POST', body='a=b',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertEqual(h['Content-Type'], 'application/x-www-form-urlencoded')
correct = ('a=b&oauth_nonce=14205877133089081931378988215&'
'oauth_timestamp=1378988215&'
'oauth_version=1.0&'
'oauth_signature_method=HMAC-SHA1&'
'oauth_consumer_key=client_key&'
'oauth_signature=2JAQomgbShqoscqKWBiYQZwWq94%3D')
self.assertEqual(b, correct)
def test_validate_signature(self):
client = Client('foo',
resource_owner_key='token',
resource_owner_secret='secret')
_, headers, _ = client.sign(self.uri + '/extra')
v, r = self.endpoint.validate_protected_resource_request(
self.uri, headers=headers)
self.assertFalse(v)
# the validator log should have `False` values
self.assertTrue(r.validator_log['client'])
self.assertTrue(r.validator_log['realm'])
self.assertTrue(r.validator_log['resource_owner'])
self.assertFalse(r.validator_log['signature'])
def setUp(self):
self.validator = MagicMock(wraps=RequestValidator())
self.validator.check_client_key.return_value = True
self.validator.allowed_signature_methods = ['HMAC-SHA1']
self.validator.get_client_secret.return_value = 'bar'
self.validator.timestamp_lifetime = 600
self.validator.validate_client_key.return_value = True
self.validator.validate_timestamp_and_nonce.return_value = True
self.validator.dummy_client = 'dummy'
self.validator.dummy_secret = 'dummy'
self.endpoint = SignatureOnlyEndpoint(self.validator)
self.client = Client('foo', client_secret='bar')
self.uri, self.headers, self.body = self.client.sign(
'https://i.b/protected_resource')
def send_back(self, grade: float) -> bool:
"""Send the given grade back to the lms."""
content = settings.XML_REPLACE % (random.randint(
1, 99999999), self.sourcedid, str(grade))
content = content.encode()
headers = {
"Content-Type": "application/xml",
"Content-Length": str(len(content)),
}
c = Client(client_key=self.lms.key, client_secret=self.lms.secret)
try:
uri, headers, body = c.sign(self.url,
"POST",
body=content,
headers=headers)
response = requests.post(uri, data=body, headers=headers)
except (requests.RequestException, ValueError):
logger.warning(
"Could not join the LMS to send the grade back at url %s" %
self.url)
return False
try:
if not 200 <= response.status_code < 300:
logger.warning((
"Consumer sent an error response after sending grade for user '%s' and "
"sheet '%s' in class '%s' (Status: %d): %s") %
(self.user.quser, self.ident,
self.activity.wclass.qclass,
response.status_code, response.text))
return False
root = ElementTree.fromstring(response.text)
if not root[0][0][2][0].text == "success":
logger.warning((
"Consumer sent an error response after sending grade for user '%s' and "
"sheet '%s' in class '%s': %s") %
(self.user.quser, self.ident,
self.activity.wclass.qclass,
root[0][0][2][2].text))
return False
except (DefusedXmlException, IndexError, ParseError):
logger.exception((
"Consumer sent a badly formatted response after sending grade for user '%s' and "
"sheet '%s' in class '%s': ") % (self.user.quser, self.ident,
self.activity.wclass.qclass))
return False
return True
def setUp(self):
self.validator = MagicMock(wraps=RequestValidator())
self.validator.check_client_key.return_value = True
self.validator.check_request_token.return_value = True
self.validator.check_verifier.return_value = True
self.validator.allowed_signature_methods = ['HMAC-SHA1']
self.validator.get_client_secret.return_value = 'bar'
self.validator.get_request_token_secret.return_value = 'secret'
self.validator.get_realms.return_value = ['foo']
self.validator.timestamp_lifetime = 600
self.validator.validate_client_key.return_value = True
self.validator.validate_request_token.return_value = True
self.validator.validate_verifier.return_value = True
self.validator.validate_timestamp_and_nonce.return_value = True
self.validator.dummy_client = 'dummy'
self.validator.dummy_secret = 'dummy'
self.validator.dummy_request_token = 'dummy'
self.validator.save_access_token = MagicMock()
self.endpoint = AccessTokenEndpoint(self.validator)
self.client = Client('foo',
client_secret='bar',
resource_owner_key='token',
resource_owner_secret='secret',
verifier='verfier')
self.uri, self.headers, self.body = self.client.sign(
'https://i.b/access_token')
def test_rsa(self):
client = Client('client_key', signature_method=SIGNATURE_RSA)
# instance is using the correct signer method
self.assertEqual(Client.SIGNATURE_METHODS[SIGNATURE_RSA],
client.SIGNATURE_METHODS[client.signature_method])
# don't need an RSA key to instantiate
self.assertIsNone(client.rsa_key)
def setUp(self):
super(IntegrationTestLTI, self).setUp()
self.configure_lti_provider(
name='Other Tool Consumer 1', enabled=True,
lti_consumer_key='other1',
lti_consumer_secret='secret1',
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='LTI Test Tool Consumer', enabled=True,
lti_consumer_key=LTI_CONSUMER_KEY,
lti_consumer_secret=LTI_CONSUMER_SECRET,
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='Tool Consumer with Secret in Settings', enabled=True,
lti_consumer_key=OTHER_LTI_CONSUMER_KEY,
lti_consumer_secret='',
lti_max_timestamp_age=10,
)
self.lti = Client(
client_key=LTI_CONSUMER_KEY,
client_secret=LTI_CONSUMER_SECRET,
signature_type=SIGNATURE_TYPE_BODY,
)
class OAuth1(AuthBase):
"""Signs the request using OAuth 1 (RFC5849)"""
def __init__(self,
client_key,
client_secret=None,
resource_owner_key=None,
resource_owner_secret=None,
callback_uri=None,
signature_method=SIGNATURE_HMAC,
signature_type=SIGNATURE_TYPE_AUTH_HEADER,
rsa_key=None,
verifier=None):
try:
signature_type = signature_type.upper()
except AttributeError:
pass
self.client = Client(client_key, client_secret, resource_owner_key,
resource_owner_secret, callback_uri,
signature_method, signature_type, rsa_key,
verifier)
def __call__(self, r):
contenttype = r.headers.get('Content-Type', None)
decoded_body = extract_params(r.data)
if contenttype == None and decoded_body != None:
r.headers['Content-Type'] = 'application/x-www-form-urlencoded'
r.url, r.headers, r.data = self.client.sign(unicode(r.url),
unicode(r.method), r.data,
r.headers)
return r
class OAuth1(AuthBase):
"""Signs the request using OAuth 1 (RFC5849)"""
def __init__(self, client_key,
client_secret=None,
resource_owner_key=None,
resource_owner_secret=None,
callback_uri=None,
signature_method=SIGNATURE_HMAC,
signature_type=SIGNATURE_TYPE_AUTH_HEADER,
rsa_key=None, verifier=None):
try:
signature_type = signature_type.upper()
except AttributeError:
pass
self.client = Client(client_key, client_secret, resource_owner_key,
resource_owner_secret, callback_uri, signature_method,
signature_type, rsa_key, verifier)
def __call__(self, r):
contenttype = r.headers.get('Content-Type', None)
decoded_body = extract_params(r.data)
if contenttype == None and decoded_body != None:
r.headers['Content-Type'] = 'application/x-www-form-urlencoded'
r.url, r.headers, r.data = self.client.sign(
unicode(r.url), unicode(r.method), r.data, r.headers)
return r
def setUp(self):
super(IntegrationTestLTI, self).setUp()
self.hostname = 'testserver'
self.client.defaults['SERVER_NAME'] = self.hostname
self.url_prefix = 'http://{}'.format(self.hostname)
self.configure_lti_provider(
name='Other Tool Consumer 1', enabled=True,
lti_consumer_key='other1',
lti_consumer_secret='secret1',
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='LTI Test Tool Consumer', enabled=True,
lti_consumer_key=LTI_CONSUMER_KEY,
lti_consumer_secret=LTI_CONSUMER_SECRET,
lti_max_timestamp_age=10,
)
self.configure_lti_provider(
name='Tool Consumer with Secret in Settings', enabled=True,
lti_consumer_key=OTHER_LTI_CONSUMER_KEY,
lti_consumer_secret='',
lti_max_timestamp_age=10,
)
self.lti = Client(
client_key=LTI_CONSUMER_KEY,
client_secret=LTI_CONSUMER_SECRET,
signature_type=SIGNATURE_TYPE_BODY,
)
def get_context_data(self, **kwargs):
role = self.request.GET.get('role', '')
campus = self.request.GET.get('campus', '')
lti_parameters = [
("roles", self._lti_role[role]),
("ext_roles", self._lti_ext_role[role]),
("custom_canvas_account_sis_id",
'uwcourse:{}:arts-&-sciences:psych:psych'.format(campus)),
("oauth_timestamp", generate_timestamp()),
("oauth_nonce", generate_nonce()),
("resource_link_title",
"UW LTI Development ({})".format(self.lti_app())),
]
lti_parameters += self._static_lti_parameters
# sign payload
lti_app_uri = self.lti_app_uri()
sbs = signature_base_string('POST', base_string_uri(lti_app_uri + '/'),
normalize_parameters(lti_parameters))
client_key = self._client_key
client = Client(client_key,
client_secret=self._client_secrets[client_key])
signature = sign_hmac_sha1_with_client(sbs, client)
lti_parameters.append(("oauth_signature", signature))
context = super().get_context_data(**kwargs)
context['uri'] = lti_app_uri
context['campus'] = campus
context['role_name'] = role
context['lti_parameters'] = lti_parameters
return context
def test_sign_get_with_body(self):
client = Client('client_key')
for method in ('GET', 'HEAD'):
self.assertRaises(ValueError, client.sign, 'http://a.b/path?query',
http_method=method, body='a=b',
headers={
'Content-Type': 'application/x-www-form-urlencoded'
})
def test_params_in_query(self):
client = Client(
"client_key",
signature_type=SIGNATURE_TYPE_QUERY,
timestamp="1378988215",
nonce="14205877133089081931378988215",
)
u, _, _ = client.sign("http://i.b/path", http_method="POST")
correct = (
"http://i.b/path?oauth_nonce=14205877133089081931378988215&"
"oauth_timestamp=1378988215&"
"oauth_version=1.0&"
"oauth_signature_method=HMAC-SHA1&"
"oauth_consumer_key=client_key&"
"oauth_signature=08G5Snvw%2BgDAzBF%2BCmT5KqlrPKo%3D"
)
self.assertEqual(u, correct)
def test_plaintext_method(self):
client = Client(
"client_key",
signature_method=SIGNATURE_PLAINTEXT,
timestamp="1234567890",
nonce="abc",
client_secret="foo",
resource_owner_secret="bar",
)
u, h, b = client.sign("http://example.com")
correct = (
'OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="PLAINTEXT", '
'oauth_consumer_key="client_key", '
'oauth_signature="foo%26bar"'
)
self.assertEqual(h["Authorization"], correct)
def __init__(self, client_key,
client_secret=None,
resource_owner_key=None,
resource_owner_secret=None,
callback_uri=None,
signature_method=SIGNATURE_HMAC,
signature_type=SIGNATURE_TYPE_AUTH_HEADER,
rsa_key=None, verifier=None):
try:
signature_type = signature_type.upper()
except AttributeError:
pass
self.client = Client(client_key, client_secret, resource_owner_key,
resource_owner_secret, callback_uri, signature_method,
signature_type, rsa_key, verifier)
def test_register_method(self):
Client.register_signature_method('PIZZA',
lambda base_string, client: 'PIZZA')
self.assertTrue('PIZZA' in Client.SIGNATURE_METHODS)
client = Client('client_key', signature_method='PIZZA',
timestamp='1234567890', nonce='abc')
u, h, b = client.sign('http://example.com')
self.assertEquals(h['Authorization'], (
'OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="PIZZA", '
'oauth_consumer_key="client_key", '
'oauth_signature="PIZZA"'
))
def test_register_method(self):
Client.register_signature_method('PIZZA',
lambda base_string, client: 'PIZZA')
self.assertTrue('PIZZA' in Client.SIGNATURE_METHODS)
client = Client('client_key', signature_method='PIZZA',
timestamp='1234567890', nonce='abc')
u, h, b = client.sign('http://example.com')
self.assertEqual(h['Authorization'], (
'OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="PIZZA", '
'oauth_consumer_key="client_key", '
'oauth_signature="PIZZA"'
))
def test_sign_unicode(self):
client = Client("client_key", nonce="abc", timestamp="abc")
_, h, b = client.sign(
"http://i.b/path",
http_method="POST",
body="status=%E5%95%A6%E5%95%A6",
headers={"Content-Type": "application/x-www-form-urlencoded"},
)
self.assertEqual(b, "status=%E5%95%A6%E5%95%A6")
self.assertIn('oauth_signature="yrtSqp88m%2Fc5UDaucI8BXK4oEtk%3D"', h["Authorization"])
_, h, b = client.sign(
"http://i.b/path",
http_method="POST",
body="status=%C3%A6%C3%A5%C3%B8",
headers={"Content-Type": "application/x-www-form-urlencoded"},
)
self.assertEqual(b, "status=%C3%A6%C3%A5%C3%B8")
self.assertIn('oauth_signature="oG5t3Eg%2FXO5FfQgUUlTtUeeZzvk%3D"', h["Authorization"])
def test_sign_no_body(self):
client = Client('client_key', decoding='utf-8')
self.assertRaises(
ValueError,
client.sign,
'http://i.b/path',
http_method='POST',
body=None,
headers={'Content-Type': 'application/x-www-form-urlencoded'})
def test_register_method(self):
Client.register_signature_method("PIZZA", lambda base_string, client: "PIZZA")
self.assertTrue("PIZZA" in Client.SIGNATURE_METHODS)
client = Client("client_key", signature_method="PIZZA", timestamp="1234567890", nonce="abc")
u, h, b = client.sign("http://example.com")
self.assertEquals(
h["Authorization"],
(
'OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
'oauth_version="1.0", oauth_signature_method="PIZZA", '
'oauth_consumer_key="client_key", '
'oauth_signature="PIZZA"'
),
)
def setUp(self):
self.validator = MagicMock(wraps=RequestValidator())
self.validator.check_client_key.return_value = True
self.validator.allowed_signature_methods = ['HMAC-SHA1']
self.validator.get_client_secret.return_value = 'bar'
self.validator.get_default_realms.return_value = ['foo']
self.validator.timestamp_lifetime = 600
self.validator.check_realms.return_value = True
self.validator.validate_client_key.return_value = True
self.validator.validate_requested_realms.return_value = True
self.validator.validate_redirect_uri.return_value = True
self.validator.validate_timestamp_and_nonce.return_value = True
self.validator.dummy_client = 'dummy'
self.validator.dummy_secret = 'dummy'
self.validator.save_request_token = MagicMock()
self.endpoint = RequestTokenEndpoint(self.validator)
self.client = Client('foo', client_secret='bar', realm='foo',
callback_uri='https://c.b/cb')
self.uri, self.headers, self.body = self.client.sign(
'https://i.b/request_token')
def test_case_insensitive_headers(self):
client = Client('client_key')
# Uppercase
_, h, _ = client.sign('http://i.b/path', http_method='POST', body='',
headers={'Content-Type': 'application/x-www-form-urlencoded'})
self.assertEqual(h['Content-Type'], 'application/x-www-form-urlencoded')
# Lowercase
_, h, _ = client.sign('http://i.b/path', http_method='POST', body='',
headers={'content-type': 'application/x-www-form-urlencoded'})
self.assertEqual(h['content-type'], 'application/x-www-form-urlencoded')
# Capitalized
_, h, _ = client.sign('http://i.b/path', http_method='POST', body='',
headers={'Content-type': 'application/x-www-form-urlencoded'})
self.assertEqual(h['Content-type'], 'application/x-www-form-urlencoded')
# Random
_, h, _ = client.sign('http://i.b/path', http_method='POST', body='',
headers={'conTent-tYpe': 'application/x-www-form-urlencoded'})
self.assertEqual(h['conTent-tYpe'], 'application/x-www-form-urlencoded')