def test_temporary_credential_signatures_errors(self):
self.prepare_data()
url = '/oauth/initiate'
rv = self.client.post(url, data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_signature_method': 'PLAINTEXT'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_signature', data['error_description'])
rv = self.client.post(url, data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_timestamp': str(int(time.time())),
'oauth_nonce': 'a'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_signature_method', data['error_description'])
rv = self.client.post(url, data={
'oauth_consumer_key': 'client',
'oauth_signature_method': 'INVALID',
'oauth_callback': 'oob',
'oauth_timestamp': str(int(time.time())),
'oauth_nonce': 'b',
'oauth_signature': 'c'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'unsupported_signature_method')
def test_plaintext_signature(self):
self.prepare_data()
server = self.create_server()
url = '/oauth/token'
# case 1: success
self.prepare_temporary_credential(server)
auth_header = ('OAuth oauth_consumer_key="client",'
'oauth_signature_method="PLAINTEXT",'
'oauth_token="abc",'
'oauth_verifier="abc-verifier",'
'oauth_signature="secret&abc-secret"')
request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header)
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertIn('oauth_token', data)
# case 2: invalid signature
self.prepare_temporary_credential(server)
request = self.factory.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_signature_method': 'PLAINTEXT',
'oauth_token': 'abc',
'oauth_verifier': 'abc-verifier',
'oauth_signature': 'invalid-signature'
})
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertEqual(data['error'], 'invalid_signature')
def test_hmac_sha1_signature(self):
self.prepare_data()
server = self.create_server()
url = '/oauth/token'
params = [
('oauth_consumer_key', 'client'),
('oauth_token', 'abc'),
('oauth_verifier', 'abc-verifier'),
('oauth_signature_method', 'HMAC-SHA1'),
('oauth_timestamp', str(int(time.time()))),
('oauth_nonce', 'hmac-sha1-nonce'),
]
base_string = signature.construct_base_string(
'POST', 'http://testserver/oauth/token', params)
sig = signature.hmac_sha1_signature(base_string, 'secret',
'abc-secret')
params.append(('oauth_signature', sig))
auth_param = ','.join(['{}="{}"'.format(k, v) for k, v in params])
auth_header = 'OAuth ' + auth_param
# case 1: success
self.prepare_temporary_credential(server)
request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header)
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertIn('oauth_token', data)
# case 2: exists nonce
self.prepare_temporary_credential(server)
request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header)
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertEqual(data['error'], 'invalid_nonce')
def test_hmac_sha1_signature(self):
self.prepare_data()
url = '/oauth/initiate'
params = [
('oauth_consumer_key', 'client'),
('oauth_callback', 'oob'),
('oauth_signature_method', 'HMAC-SHA1'),
('oauth_timestamp', str(int(time.time()))),
('oauth_nonce', 'hmac-sha1-nonce'),
]
base_string = signature.construct_base_string(
'POST', 'http://localhost/oauth/initiate', params
)
sig = signature.hmac_sha1_signature(base_string, 'secret', None)
params.append(('oauth_signature', sig))
auth_param = ','.join(['{}="{}"'.format(k, v) for k, v in params])
auth_header = 'OAuth ' + auth_param
headers = {'Authorization': auth_header}
# case 1: success
rv = self.client.post(url, headers=headers)
data = decode_response(rv.data)
self.assertIn('oauth_token', data)
# case 2: exists nonce
rv = self.client.post(url, headers=headers)
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_nonce')
def test_invalid_signature(self):
self.app.config.update({
'OAUTH1_SUPPORTED_SIGNATURE_METHODS': ['INVALID']
})
self.prepare_data()
url = '/oauth/initiate'
rv = self.client.post(url, data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_signature_method': 'PLAINTEXT',
'oauth_signature': 'secret&'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'unsupported_signature_method')
rv = self.client.post(url, data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_signature_method': 'INVALID',
'oauth_timestamp': str(int(time.time())),
'oauth_nonce': 'invalid-nonce',
'oauth_signature': 'secret&'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'unsupported_signature_method')
def test_invalid_token_and_verifiers(self):
self.prepare_data()
url = '/oauth/token'
hook = self.server._hooks['create_temporary_credential']
# case 5
hook({
'oauth_token': 'abc',
'oauth_token_secret': 'abc-secret'
}, 'client', 'oob')
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_token': 'abc'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_verifier', data['error_description'])
# case 6
hook({
'oauth_token': 'abc',
'oauth_token_secret': 'abc-secret'
}, 'client', 'oob')
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_token': 'abc',
'oauth_verifier': 'abc'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_request')
self.assertIn('oauth_verifier', data['error_description'])
def test_rsa_sha1_signature(self):
self.prepare_data()
server = self.create_server()
url = '/oauth/token'
self.prepare_temporary_credential(server)
params = [
('oauth_consumer_key', 'client'),
('oauth_token', 'abc'),
('oauth_verifier', 'abc-verifier'),
('oauth_signature_method', 'RSA-SHA1'),
('oauth_timestamp', str(int(time.time()))),
('oauth_nonce', 'rsa-sha1-nonce'),
]
base_string = signature.construct_base_string(
'POST', 'http://testserver/oauth/token', params)
sig = signature.rsa_sha1_signature(base_string,
read_file_path('rsa_private.pem'))
params.append(('oauth_signature', sig))
auth_param = ','.join(['{}="{}"'.format(k, v) for k, v in params])
auth_header = 'OAuth ' + auth_param
request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header)
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertIn('oauth_token', data)
# case: invalid signature
self.prepare_temporary_credential(server)
auth_param = auth_param.replace('rsa-sha1-nonce', 'alt-sha1-nonce')
auth_header = 'OAuth ' + auth_param
request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header)
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertEqual(data['error'], 'invalid_signature')
def test_invalid_token_request_parameters(self):
self.prepare_data()
url = '/oauth/token'
# case 1
rv = self.client.post(url)
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_consumer_key', data['error_description'])
# case 2
rv = self.client.post(url, data={'oauth_consumer_key': 'a'})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_client')
# case 3
rv = self.client.post(url, data={'oauth_consumer_key': 'client'})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_token', data['error_description'])
# case 4
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_token': 'a'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_token')
def test_plaintext_signature(self):
self.prepare_data()
url = '/oauth/token'
# case 1: success
self.prepare_temporary_credential()
auth_header = ('OAuth oauth_consumer_key="client",'
'oauth_signature_method="PLAINTEXT",'
'oauth_token="abc",'
'oauth_verifier="abc-verifier",'
'oauth_signature="secret&abc-secret"')
headers = {'Authorization': auth_header}
rv = self.client.post(url, headers=headers)
data = decode_response(rv.data)
self.assertIn('oauth_token', data)
# case 2: invalid signature
self.prepare_temporary_credential()
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_signature_method': 'PLAINTEXT',
'oauth_token': 'abc',
'oauth_verifier': 'abc-verifier',
'oauth_signature': 'invalid-signature'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_signature')
def test_invalid_token_request_parameters(self):
self.prepare_data()
server = self.create_server()
url = '/oauth/token'
# case 1
request = self.factory.post(url)
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_consumer_key', data['error_description'])
# case 2
request = self.factory.post(url, data={'oauth_consumer_key': 'a'})
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertEqual(data['error'], 'invalid_client')
# case 3
request = self.factory.post(url, data={'oauth_consumer_key': 'client'})
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_token', data['error_description'])
# case 4
request = self.factory.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_token': 'a'
})
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertEqual(data['error'], 'invalid_token')
def test_rsa_sha1_signature(self):
self.prepare_data()
url = '/oauth/initiate'
params = [
('oauth_consumer_key', 'client'),
('oauth_callback', 'oob'),
('oauth_signature_method', 'RSA-SHA1'),
('oauth_timestamp', str(int(time.time()))),
('oauth_nonce', 'rsa-sha1-nonce'),
]
base_string = signature.construct_base_string(
'POST', 'http://localhost/oauth/initiate', params
)
sig = signature.rsa_sha1_signature(
base_string, read_file_path('rsa_private.pem'))
params.append(('oauth_signature', sig))
auth_param = ','.join(['{}="{}"'.format(k, v) for k, v in params])
auth_header = 'OAuth ' + auth_param
headers = {'Authorization': auth_header}
rv = self.client.post(url, headers=headers)
data = decode_response(rv.data)
self.assertIn('oauth_token', data)
# case: invalid signature
auth_param = auth_param.replace('rsa-sha1-nonce', 'alt-sha1-nonce')
auth_header = 'OAuth ' + auth_param
headers = {'Authorization': auth_header}
rv = self.client.post(url, headers=headers)
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_signature')
def test_plaintext_signature(self):
self.prepare_data()
url = '/oauth/initiate'
# case 1: use payload
rv = self.client.post(url, data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_signature_method': 'PLAINTEXT',
'oauth_signature': 'secret&'
})
data = decode_response(rv.data)
self.assertIn('oauth_token', data)
# case 2: use header
auth_header = (
'OAuth oauth_consumer_key="client",'
'oauth_signature_method="PLAINTEXT",'
'oauth_callback="oob",'
'oauth_signature="secret&"'
)
headers = {'Authorization': auth_header}
rv = self.client.post(url, headers=headers)
data = decode_response(rv.data)
self.assertIn('oauth_token', data)
# case 3: invalid signature
rv = self.client.post(url, data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_signature_method': 'PLAINTEXT',
'oauth_signature': 'invalid-signature'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_signature')
def test_validate_timestamp_and_nonce(self):
self.prepare_data()
url = '/oauth/initiate'
# case 5
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_timestamp', data['error_description'])
# case 6
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_timestamp': str(int(time.time()))
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_nonce', data['error_description'])
# case 7
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_timestamp': '123'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_request')
self.assertIn('oauth_timestamp', data['error_description'])
# case 8
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_timestamp': 'sss'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_request')
self.assertIn('oauth_timestamp', data['error_description'])
# case 9
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_timestamp': '-1',
'oauth_signature_method': 'PLAINTEXT'
})
self.assertEqual(data['error'], 'invalid_request')
self.assertIn('oauth_timestamp', data['error_description'])
def test_invalid_authorization(self):
self.prepare_data()
url = '/oauth/authorize'
# case 1
rv = self.client.post(url, data={'user_id': '1'})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_token', data['error_description'])
# case 2
rv = self.client.post(url, data={'user_id': '1', 'oauth_token': 'a'})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_token')
def test_authorize_granted(self):
self.prepare_data()
server = self.create_server()
user = User.objects.get(username='******')
initiate_url = '/oauth/initiate'
authorize_url = '/oauth/authorize'
# case 1
request = self.factory.post(initiate_url, data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_signature_method': 'PLAINTEXT',
'oauth_signature': 'secret&'
})
resp = server.create_temporary_credentials_response(request)
data = decode_response(resp.content)
self.assertIn('oauth_token', data)
request = self.factory.post(authorize_url, data={
'oauth_token': data['oauth_token']
})
resp = server.create_authorization_response(request, user)
self.assertEqual(resp.status_code, 302)
self.assertIn('oauth_verifier', resp['Location'])
self.assertIn('https://a.b', resp['Location'])
# case 2
request = self.factory.post(initiate_url, data={
'oauth_consumer_key': 'client',
'oauth_callback': 'https://i.test',
'oauth_signature_method': 'PLAINTEXT',
'oauth_signature': 'secret&'
})
resp = server.create_temporary_credentials_response(request)
data = decode_response(resp.content)
self.assertIn('oauth_token', data)
request = self.factory.post(authorize_url, data={
'oauth_token': data['oauth_token']
})
resp = server.create_authorization_response(request, user)
self.assertEqual(resp.status_code, 302)
self.assertIn('oauth_verifier', resp['Location'])
self.assertIn('https://i.test', resp['Location'])
def test_authorize_granted(self):
self.prepare_data()
initiate_url = '/oauth/initiate'
authorize_url = '/oauth/authorize'
rv = self.client.post(initiate_url,
data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_signature_method': 'PLAINTEXT',
'oauth_signature': 'secret&'
})
data = decode_response(rv.data)
self.assertIn('oauth_token', data)
rv = self.client.post(authorize_url,
data={
'user_id': '1',
'oauth_token': data['oauth_token']
})
self.assertEqual(rv.status_code, 302)
self.assertIn('oauth_verifier', rv.headers['Location'])
self.assertIn('https://a.b', rv.headers['Location'])
rv = self.client.post(initiate_url,
data={
'oauth_consumer_key': 'client',
'oauth_callback': 'https://i.test',
'oauth_signature_method': 'PLAINTEXT',
'oauth_signature': 'secret&'
})
data = decode_response(rv.data)
self.assertIn('oauth_token', data)
rv = self.client.post(authorize_url,
data={
'user_id': '1',
'oauth_token': data['oauth_token']
})
self.assertEqual(rv.status_code, 302)
self.assertIn('oauth_verifier', rv.headers['Location'])
self.assertIn('https://i.test', rv.headers['Location'])
def test_duplicated_oauth_parameters(self):
self.prepare_data()
url = '/oauth/token?oauth_consumer_key=client'
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_token': 'abc',
'oauth_verifier': 'abc'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'duplicated_oauth_protocol_parameter')
def test_invalid_initiate(self):
server = self.create_server()
url = '/oauth/initiate'
request = self.factory.post(url, data={
'oauth_consumer_key': 'client',
'oauth_callback': 'oob',
'oauth_signature_method': 'PLAINTEXT',
'oauth_signature': 'secret&'
})
resp = server.create_temporary_credentials_response(request)
data = decode_response(resp.content)
self.assertEqual(data['error'], 'invalid_client')
def test_duplicated_oauth_parameters(self):
self.prepare_data()
server = self.create_server()
url = '/oauth/token?oauth_consumer_key=client'
request = self.factory.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_token': 'abc',
'oauth_verifier': 'abc'
})
resp = server.create_token_response(request)
data = decode_response(resp.content)
self.assertEqual(data['error'], 'duplicated_oauth_protocol_parameter')
def test_temporary_credential_parameters_errors(self):
self.prepare_data()
url = '/oauth/initiate'
rv = self.client.get(url)
data = decode_response(rv.data)
self.assertEqual(data['error'], 'method_not_allowed')
# case 1
rv = self.client.post(url)
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_consumer_key', data['error_description'])
# case 2
rv = self.client.post(url, data={'oauth_consumer_key': 'client'})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'missing_required_parameter')
self.assertIn('oauth_callback', data['error_description'])
# case 3
rv = self.client.post(url,
data={
'oauth_consumer_key': 'client',
'oauth_callback': 'invalid_url'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_request')
self.assertIn('oauth_callback', data['error_description'])
# case 4
rv = self.client.post(url,
data={
'oauth_consumer_key': 'invalid-client',
'oauth_callback': 'oob'
})
data = decode_response(rv.data)
self.assertEqual(data['error'], 'invalid_client')
