Ejemplo n.º 1
0
    def test_token_by_client_credentials(self, settings, client, user):

        settings.DEBUG = True

        client_1 = Client(user=user, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        Scope(identifier='scope1').save()

        # Valid token by client credentials request.
        resp = client.post(
            URL_TOKEN, {'grant_type': 'client_credentials', 'scope': 'scope1'},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 200
        assert 'access_token' in resp.content_json
        assert 'refresh_token' not in resp.content_json
        assert 'token_type' in resp.content_json

        access_token = resp.content_json['access_token']
        token = Token.objects.get(access_token=access_token)
        assert user == token.user
Ejemplo n.º 2
0
    def test_token_by_user_credentials(self):

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # Missing params.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'password'}, Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_request')

        # Invalid params.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'password', 'username': '******', 'password': '******'},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')

        # Valid token by password request.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'password', 'username': '******',
                                             'password': '******'},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)
        self.assertTrue('expires_in' in resp.content_json)
Ejemplo n.º 3
0
    def test_token_by_client_credentials(self):

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        Scope(identifier='scope1').save()

        # Valid token by client credentials request.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'client_credentials', 'scope': 'scope1'},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' not in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)

        access_token = resp.content_json['access_token']
        token = Token.objects.get(access_token=access_token)
        self.assertEqual(user_1, token.user)
Ejemplo n.º 4
0
    def test_refresh_token_http_basic(self):

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient', identifier='OClient', password='******')
        client_1.save()

        client_2 = Client(user=user_1, title='OGOClient', identifier='OGOClient', password='******')
        client_2.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        token_1 = Token(client=client_1, user=user_1)
        token_1.save()

        token_2 = Token(client=client_2, user=user_1)
        token_2.save()

        date_issued = token_1.date_issued
        access_token = token_1.access_token
        refresh_token = token_1.refresh_token

        refresh_token_wrong_client = token_2.refresh_token

        # Missing required params.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'refresh_token'},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_request')

        # Invalid refresh token supplied.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'refresh_token', 'refresh_token': 'invalid'},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')

        # Refresh token from another client is supplied.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'refresh_token', 'refresh_token': refresh_token_wrong_client},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')

        # Valid request.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'refresh_token', 'refresh_token': refresh_token},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)
        self.assertTrue('expires_in' not in resp.content_json)

        self.assertNotEqual(access_token, resp.content_json['access_token'])
        self.assertNotEqual(refresh_token, resp.content_json['refresh_token'])

        token_updated = Token.objects.get(access_token=resp.content_json['access_token'])
        self.assertNotEqual(date_issued, token_updated.date_issued)
Ejemplo n.º 5
0
    def test_authorization_code_http_basic(self, settings, client, user):

        def login():
            return client.login(username=user.username, password='******')

        settings.DEBUG = True  # Bypass https requirement

        client_1 = Client(user=user, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # Logging the user in.
        login()

        Scope(identifier='scope1').save()

        # Valid code request.
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1', 'client_id': client_1.identifier})

        assert resp.status_code == 200

        # User confirms auth.
        resp = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        assert resp.status_code == 302
        params = parse_location_header(resp)
        assert 'code' in params

        # Auth code given.
        code = params['code']

        # Invalid token by code request.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'code': code, 'redirect_uri': redirect_1.uri},
            Authorization='Basic Tqrqwer==')

        assert resp.status_code == 401
        assert 'www-authenticate' in resp._headers
        assert resp._headers['www-authenticate'][1] == 'Basic'

        # Valid token by code request.
        # HTTP Basic data - OClient:cl012345 --> T0NsaWVudDpjbDAxMjM0NQ==
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code, 'redirect_uri': redirect_1.uri},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 200
        assert 'access_token' in resp.content_json
        assert 'refresh_token' in resp.content_json
        assert 'token_type' in resp.content_json
Ejemplo n.º 6
0
    def test_authorization_code_http_basic(self):

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        settings.DEBUG = True

        # Logging the user in.
        self.client.login(username='******', password='******')

        Scope(identifier='scope1').save()

        # Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'scope': 'scope1',
                                               'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms auth.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        params = parse_location_header(resp)
        self.assertIn('code', params)

        # Auth code given.
        code = params['code']

        # Invalid token by code request.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code,
                                            'redirect_uri': redirect_1.uri},
                                Authorization='Basic Tqrqwer==')
        self.assertEqual(resp.status_code, 401)
        self.assertIn('www-authenticate', resp._headers)
        self.assertEqual(resp._headers['www-authenticate'][1], 'Basic')

        # Valid token by code request.
        # HTTP Basic data - OClient:cl012345 --> T0NsaWVudDpjbDAxMjM0NQ==
        resp = self.client.post(
            URL_TOKEN, {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code,
                        'redirect_uri': redirect_1.uri},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)
Ejemplo n.º 7
0
    def test_authorization_code_unsafe(self, settings, client, user):

        def login():
            return client.login(username=user.username, password='******')

        settings.DEBUG = True  # Bypass https requirement

        client_1 = Client(user=user, title='OClient')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        Scope(identifier='scope1').save()

        # Logging the user in.
        assert login()

        # Valid code request.
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1', 'client_id': client_1.identifier})

        assert resp.status_code == 200

        # User confirms auth.
        resp = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        assert resp.status_code == 302

        params = parse_location_header(resp)
        assert 'code' in params

        # Auth code given.
        code = params['code']

        # Valid token by code request.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code,
             'redirect_uri': redirect_1.uri, 'client_id': client_1.identifier, 'client_secret': client_1.password})

        assert resp.status_code == 200
        assert 'access_token' in resp.content_json
        assert 'refresh_token' in resp.content_json
        assert 'token_type' in resp.content_json
Ejemplo n.º 8
0
    def test_authorization_code_http_basic(self):

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # Logging the user in.
        self.client.login(username='******', password='******')

        # Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms auth.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        params = parse_location_header(resp)
        self.assertIn('code', params)

        # Auth code given.
        code = params['code']

        # Invalid token by code request.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code,
                                             'redirect_uri': redirect_1.uri},
                                Authorization='Basic Tqrqwer==')
        self.assertEqual(resp.status_code, 401)
        self.assertIn('www-authenticate', resp._headers)
        self.assertEqual(resp._headers['www-authenticate'][1], 'Basic')

        # Valid token by code request.
        # HTTP Basic data - OClient:cl012345 --> T0NsaWVudDpjbDAxMjM0NQ==
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code,
                                             'redirect_uri': redirect_1.uri},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)
Ejemplo n.º 9
0
    def test_authorization_code_unsafe(self):

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        Scope(identifier='scope1').save()

        # Logging the user in.
        self.client.login(username='******', password='******')

        # Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'scope': 'scope1',
                                               'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms auth.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        params = parse_location_header(resp)
        self.assertIn('code', params)

        # Auth code given.
        code = params['code']

        # Valid token by code request.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code,
                                            'redirect_uri': redirect_1.uri,
                                            'client_id': client_1.identifier,
                                            'client_secret': client_1.password})

        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)
Ejemplo n.º 10
0
    def test_token_by_user_credentials(self, settings, client, user):

        settings.DEBUG = True

        client_1 = Client(user=user, title='OClient', identifier='OClient', password='******', token_lifetime=15)
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        Scope(identifier='scope1').save()

        # Missing params.
        resp = client.post(
            URL_TOKEN, {'grant_type': 'password', 'scope': 'scope1'},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_request'

        # Invalid params.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'password', 'scope': 'scope1', 'username': '******', 'password': '******'},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_grant'

        # Valid token by password request.
        resp = client.post(
            URL_TOKEN, {'grant_type': 'password', 'scope': 'scope1', 'username': user.username, 'password': '******'},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 200
        assert 'access_token' in resp.content_json
        assert 'refresh_token' in resp.content_json
        assert 'token_type' in resp.content_json
        assert 'expires_in' in resp.content_json
Ejemplo n.º 11
0
    def test_authorization_code_unsafe(self):

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # Logging the user in.
        self.client.login(username='******', password='******')

        # Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms auth.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        params = parse_location_header(resp)
        self.assertIn('code', params)

        # Auth code given.
        code = params['code']

        # Valid token by code request.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code,
                                             'redirect_uri': redirect_1.uri,
                                             'client_id': client_1.identifier,
                                             'client_secret': client_1.password})

        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)
Ejemplo n.º 12
0
    def test_token_by_client_credentials(self):

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # Valid token by client credentials request.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'client_credentials'},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' not in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)

        access_token = resp.content_json['access_token']
        token = Token.objects.get(access_token=access_token)
        self.assertEqual(user_1, token.user)
Ejemplo n.º 13
0
    def test_grant_authorization_code(self, settings, client, user):

        # Secure connection check
        with settings(DEBUG=False):
            resp = client.get(URL_TOKEN, {})
            assert resp.status_code == 403

        settings.DEBUG = True

        resp = client.post(URL_TOKEN, {'grant_type': 'a'})
        assert resp.status_code == 400
        assert resp.content_json['error'] == 'unsupported_grant_type'

        client_1 = Client(user=user, title='OClient')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        code_1 = AuthorizationCode(user=user, client=client_1, uri=redirect_1.uri)
        code_1.save()

        Scope(identifier='scope1').save()

        # Missing client authentication data.
        resp = client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'scope': 'scope1'})
        assert resp.status_code == 401
        assert resp.content_json['error'] == 'invalid_client'

        # Missing all required params.
        resp = client.post(
            URL_TOKEN, 
            {'grant_type': 'authorization_code', 'scope': 'scope1', 
             'client_id': client_1.identifier, 'client_secret': client_1.password})
        
        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_request'

        # Missing redirect URI.
        resp = client.post(
            URL_TOKEN, 
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': 'wrong_code',
             'client_id': client_1.identifier, 'client_secret': client_1.password})
        
        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_request'

        # Missing code.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1',
             'redirect_uri': 'http://wrong-url.com', 'client_id': client_1.identifier,
             'client_secret': client_1.password})

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_request'

        # Wrong code.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': 'invalid',
             'redirect_uri': 'http://localhost:8000/abc/',
             'client_id': client_1.identifier, 'client_secret': client_1.password})

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_grant'

        # Wrong URI.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code_1.code,
             'redirect_uri': 'http://wrong-url.com/', 'client_id': client_1.identifier,
             'client_secret': client_1.password})

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_grant'

        # Valid call for a token.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code_1.code,
             'redirect_uri': redirect_1.uri, 'client_id': client_1.identifier, 'client_secret': client_1.password})

        assert resp.status_code == 200
        assert 'access_token' in resp.content_json
        assert 'refresh_token' in resp.content_json
        assert 'token_type' in resp.content_json

        # An additional call for code issues token and code invalidation.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': '1234567',
             'redirect_uri': 'http://localhost:8000/abc/',
             'client_id': client_1.identifier, 'client_secret': client_1.password})

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_grant'
Ejemplo n.º 14
0
    def test_refresh_token_http_basic(self, settings, client, user):

        settings.DEBUG = True

        client_1 = Client(user=user, title='OClient', identifier='OClient', password='******')
        client_1.save()

        client_2 = Client(user=user, title='OGOClient', identifier='OGOClient', password='******')
        client_2.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        token_1 = Token(client=client_1, user=user)
        token_1.save()

        token_2 = Token(client=client_2, user=user)
        token_2.save()

        date_issued = token_1.date_issued
        access_token = token_1.access_token
        refresh_token = token_1.refresh_token

        refresh_token_wrong_client = token_2.refresh_token

        # Missing required params.
        resp = client.post(
            URL_TOKEN, {'grant_type': 'refresh_token'},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_request'

        # Invalid refresh token supplied.
        resp = client.post(
            URL_TOKEN, {'grant_type': 'refresh_token', 'refresh_token': 'invalid'},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_grant'

        # Refresh token from another client is supplied.
        resp = client.post(
            URL_TOKEN, {'grant_type': 'refresh_token', 'refresh_token': refresh_token_wrong_client},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_grant'

        # Valid request.
        resp = client.post(
            URL_TOKEN, {'grant_type': 'refresh_token', 'refresh_token': refresh_token},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 200
        assert 'access_token' in resp.content_json
        assert 'refresh_token' in resp.content_json
        assert 'token_type' in resp.content_json
        assert 'expires_in' not in resp.content_json

        assert access_token != resp.content_json['access_token']
        assert refresh_token != resp.content_json['refresh_token']

        token_updated = Token.objects.get(access_token=resp.content_json['access_token'])
        assert date_issued != token_updated.date_issued
Ejemplo n.º 15
0
    def test_auth(self):

        # User is not logged in.
        resp = self.client.get(URL_AUTHORIZE, {'client_id': '100'})
        self.assertEqual(resp.status_code, 302)

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        # Logging the user in.
        self.client.login(username='******', password='******')

        # Secure connection check
        settings.DEBUG = False
        resp = self.client.get(URL_AUTHORIZE, {})
        self.assertEqual(resp.status_code, 403)
        settings.DEBUG = True

        # Missing client id.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code'})
        self.assertEqual(resp.status_code, 400)

        # Missing response type.
        resp = self.client.get(URL_AUTHORIZE, {'client_id': '100'})
        self.assertEqual(resp.status_code, 400)

        # Wrong response type
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'habrahabr'})
        self.assertEqual(resp.status_code, 400)

        # Invalid client id.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': 'invalid'})
        self.assertEqual(resp.status_code, 400)

        client_1 = Client(user=user_1, title='OClient', identifier='cl012345')
        client_1.save()

        client_2 = Client(user=user_1, title='OGOClient')
        client_2.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        redirect_2 = RedirectionEndpoint(client=client_2, uri='http://redirect-test1.com')
        redirect_2.save()

        redirect_3 = RedirectionEndpoint(client=client_2, uri='http://redirect-test2.com')
        redirect_3.save()

        # Client 2 - No redirect URI in request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': client_2.identifier})
        self.assertEqual(resp.status_code, 400)

        # Client 2 - Unknown URI in request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'redirect_uri': 'http://noitisnot.com', 'client_id': client_2.identifier})
        self.assertEqual(resp.status_code, 400)

        # Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User declines auth.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made'})
        self.assertEqual(resp.status_code, 302)
        self.assertEqual(parse_location_header(resp)['error'], 'access_denied')

        # Again Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms auth.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        self.assertIn('code', parse_location_header(resp))

        # ============= Implicit grant tests.

        # Valid token request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'token', 'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms token grant.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        params = parse_location_header(resp, True)
        self.assertIn('access_token', params)
        self.assertIn('token_type', params)
Ejemplo n.º 16
0
    def test_auth(self, settings, client, user):

        def login():
            return client.login(username=user.username, password='******')

        # User is not logged in, redirect to login page
        resp = client.get(URL_AUTHORIZE, {'client_id': '100'})
        assert resp.status_code == 302

        # Logging the user in.
        assert login()

        # Secure connection check
        resp = client.get(URL_AUTHORIZE, {})
        assert resp.status_code == 403

        settings.DEBUG = True

        client_1 = Client(user=user, title='OClient', identifier='cl012345')
        client_1.save()

        client_2 = Client(user=user, title='OGOClient')
        client_2.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        redirect_2 = RedirectionEndpoint(client=client_2, uri='http://redirect-test1.com')
        redirect_2.save()

        redirect_3 = RedirectionEndpoint(client=client_2, uri='http://redirect-test2.com')
        redirect_3.save()

        Scope(identifier='scope1').save()

        # Missing client id.
        login()
        resp = client.get(URL_AUTHORIZE, {'response_type': 'code', 'scope': 'scope1'})
        assert resp.status_code == 400

        # Invalid client id.
        login()
        resp = client.get(URL_AUTHORIZE, {'response_type': 'code', 'scope': 'scope1', 'client_id': 'invalid'})
        assert resp.status_code == 400

        # Client 2 - No redirect URI in request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1', 'client_id': client_2.identifier})

        assert resp.status_code == 400

        # Client 2 - Unknown URI in request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1',
             'redirect_uri': 'http://noitisnot.com', 'client_id': client_2.identifier})

        assert resp.status_code == 400

        # Missing response type.
        login()
        resp = client.get(URL_AUTHORIZE, {'client_id': client_1.identifier, 'state': 'abc', 'scope': 'scope1'})
        assert resp.status_code == 302
        assert parse_location_header(resp)['error'] == 'unsupported_response_type'
        assert parse_location_header(resp)['state'] == 'abc'

        # Wrong response type
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'client_id': client_1.identifier, 'response_type': 'habrahabr', 'state': 'abc', 'scope': 'scope1'})

        assert resp.status_code == 302
        assert parse_location_header(resp)['error'] == 'unsupported_response_type'
        assert parse_location_header(resp)['state'] == 'abc'

        # Valid code request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1', 'state': 'somestate', 'client_id': client_1.identifier})
        assert resp.status_code == 200

        # User declines auth.
        resp = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made'})
        assert resp.status_code == 302
        assert parse_location_header(resp)['error'] == 'access_denied'

        # Again Valid code request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1', 'state': 'somestatetwo', 'client_id': client_1.identifier})
        assert resp.status_code == 200

        # User confirms auth.
        resp = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        assert resp.status_code == 302
        assert 'code' in parse_location_header(resp)
        assert parse_location_header(resp)['state'] == 'somestatetwo'

        # ============= Implicit grant tests.

        # Valid token request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'token', 'scope': 'scope1',
             'state': 'some_state_three', 'client_id': client_1.identifier})

        assert resp.status_code == 200

        # User confirms token grant.
        resp = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        assert resp.status_code == 302

        params = parse_location_header(resp, True)
        assert 'access_token' in params
        assert 'token_type' in params
        assert params['state'] == 'some_state_three'
Ejemplo n.º 17
0
    def test_grant_authorization_code(self):

        # Secure connection check
        settings.DEBUG = False
        resp = self.client.get(URL_TOKEN, {})
        self.assertEqual(resp.status_code, 403)
        settings.DEBUG = True

        resp = self.client.post(URL_TOKEN, {'grant_type': 'a'})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'unsupported_grant_type')

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        code_1 = AuthorizationCode(user=user_1, client=client_1, uri=redirect_1.uri)
        code_1.save()

        # Missing client authentication data.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code'})
        self.assertEqual(resp.status_code, 401)
        self.assertEqual(resp.content_json['error'], 'invalid_client')

        # Missing all required params.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'client_id': client_1.identifier,
                                             'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_request')

        # Missing redirect URI.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': 'wrong_code',
                                             'client_id': client_1.identifier, 'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_request')

        # Missing code.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'redirect_uri': 'http://wrong-url.com',
                                             'client_id': client_1.identifier, 'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_request')

        # Wrong code.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': 'invalid',
                                             'redirect_uri': 'http://localhost:8000/abc/',
                                             'client_id': client_1.identifier, 'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')

        # Wrong URI.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code_1.code,
                                             'redirect_uri': 'http://wrong-url.com/', 'client_id': client_1.identifier,
                                             'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')

        # Valid call for a token.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code_1.code,
                                             'redirect_uri': redirect_1.uri, 'client_id': client_1.identifier,
                                             'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)

        # An additional call for code issues token and code invalidation.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': '1234567',
                                             'redirect_uri': 'http://localhost:8000/abc/',
                                             'client_id': client_1.identifier, 'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')