def test_valid_access_token_and_id_token_creates_user(
self, mock_verify_token):
auth = CognitoAuthentication()
request = mock.MagicMock()
request.session = {
'access_token': 'test_access_token',
'refresh_token': 'test_refresh_token',
'id_token': 'test_id_token',
}
mock_verify_token.side_effect = ['some_token', TEST_COGNITO_RESPONSE]
self.assertEqual(Group.objects.count(), 0)
set_user, auth = auth.authenticate(request)
mock_verify_token.assert_has_calls(
[mock.call('test_access_token'),
mock.call('test_id_token')])
user = User.objects.get(email='*****@*****.**')
group = Group.objects.get(name='test_group')
self.assertEqual(user.email, '*****@*****.**')
self.assertEqual(user.username, '*****@*****.**')
self.assertEqual(user.username, set_user.username)
self.assertEqual(Group.objects.count(), 1)
self.assertEqual(user.groups.count(), 1)
self.assertEqual(group.id, user.groups.all()[0].id)
def login(request):
state: str = request.query_params.get('state')
app_redirect_url: str = request.query_params.get(
'redirect_uri') or settings.AUTH_COGNITO_REDIRECT_URL
error_message = request.query_params.get("error_description")
code: str = request.query_params.get('code', '')
if error_message:
json_error_message = base64.b64decode(error_message.split(
"@", 1)[1]).decode("utf-8")
if isinstance(json.loads(json_error_message), dict):
error_message = json.loads(json_error_message)[
request.LANGUAGE_CODE]
else:
error_message = json.loads(json_error_message)
messages.error(request, error_message)
return HttpResponseRedirect(settings.LOGIN_FORM_VIEW_URL)
if code:
tokens: dict = get_tokens_by_code(code)
else:
id_token: str = request.query_params.get('id_token', '')
access_token: str = request.query_params.get('access_token', '')
refresh_token: str = request.query_params.get('refresh_token', '')
tokens: dict = {
'id_token': id_token,
'refresh_token': refresh_token,
'access_token': access_token,
}
response = HttpResponseRedirect(state or app_redirect_url)
for token_type in TOKEN_TYPES:
request.session[token_type] = tokens[token_type]
auth = CognitoAuthentication()
user = auth.authenticate(request)
django_login(request, user[0])
return response
def test_fetches_new_tokens_if_expired(self, mock_refresh_token,
mock_verify_token):
auth = CognitoAuthentication()
request = mock.MagicMock()
request.session = {
'access_token': 'test_access_token',
'refresh_token': 'test_refresh_token',
'id_token': 'test_id_token',
}
mock_verify_token.side_effect = [
ExpiredSignatureError, TEST_COGNITO_RESPONSE
]
mock_refresh_token.return_value = {
'id_token': 'new_id_token',
'access_token': 'new_access_token',
}
set_user, auth = auth.authenticate(request)
self.assertEqual(set_user.email, '*****@*****.**')
self.assertEqual(request.session['access_token'], 'new_access_token')
self.assertEqual(request.session['refresh_token'],
'test_refresh_token')
self.assertEqual(request.session['id_token'], 'new_id_token')
def test_no_shared_tokens(self):
auth = CognitoAuthentication()
request = mock.MagicMock()
request.session = {
'access_token': 'test_access_token',
'refresh_token': 'test_refresh_token',
'id_token': 'test_id_token',
}
token = auth.get_token(request, 'access_token')
self.assertEqual(token, 'test_access_token')
def test_invalid_access_token_401(self, mock_verify_token,
mock_refresh_token):
auth = CognitoAuthentication()
request = mock.MagicMock()
request.session = {
'access_token': 'test_access_token',
'refresh_token': 'test_refresh_token',
'id_token': 'test_id_token',
}
mock_verify_token.side_effect = [JWTError]
mock_refresh_token.return_value = {'reason': 'bad refresh token'}
with self.assertRaises(exceptions.AuthenticationFailed):
set_user, auth = auth.authenticate(request)
def test_shared_tokens_no_session_token_present(self):
auth = CognitoAuthentication()
request = mock.MagicMock()
request.session = {}
request.COOKIES = {
'access_token': 'test_access_token_shared',
'refresh_token': 'test_refresh_token_shared',
'id_token': 'test_id_token_shared',
}
settings.SHARED_TOKENS = True
settings.SHARED_TOKENS_DOMAIN = '.test.com'
token = auth.get_token(request, 'access_token')
self.assertEqual(token, 'test_access_token_shared')
def test_401_if_bad_refresh_token(self, mock_refresh_token,
mock_verify_token):
auth = CognitoAuthentication()
request = mock.MagicMock()
request.session = {
'access_token': 'test_access_token',
'refresh_token': 'test_refresh_token',
'id_token': 'test_id_token',
}
mock_verify_token.side_effect = [
ExpiredSignatureError, {
'email': '*****@*****.**'
}
]
mock_refresh_token.return_value = {}
with self.assertRaises(exceptions.AuthenticationFailed):
set_user, auth = auth.authenticate(request)
def test_valid_access_token_and_id_token_sets_existing_user(
self, mock_verify_token):
auth = CognitoAuthentication()
request = mock.MagicMock()
request.session = {
'access_token': 'test_access_token',
'refresh_token': 'test_refresh_token',
'id_token': 'test_id_token',
}
mock_verify_token.side_effect = ['some_token', TEST_COGNITO_RESPONSE]
existing_user = User.objects.create(username='******',
email='*****@*****.**')
set_user, auth = auth.authenticate(request)
mock_verify_token.assert_has_calls(
[mock.call('test_access_token'),
mock.call('test_id_token')])
self.assertEqual(set_user.username, existing_user.username)
def test_valid_access_token_and_id_token_dont_update_existing_groups(
self, mock_verify_token):
auth = CognitoAuthentication()
request = mock.MagicMock()
request.session = {
'access_token': 'test_access_token',
'refresh_token': 'test_refresh_token',
'id_token': 'test_id_token',
}
mod_test_cognito_response = copy.deepcopy(TEST_COGNITO_RESPONSE)
mod_test_cognito_response['cognito:groups'] = TEST_GROUPS
mock_verify_token.side_effect = [
'some_token', mod_test_cognito_response
]
existing_user = User.objects.create(username='******',
email='*****@*****.**')
for test_group in TEST_GROUPS:
existing_group = Group.objects.create(name=test_group)
#existing_group.user_set.add(existing_user)
existing_user.groups.add(existing_group)
self.assertEqual(Group.objects.count(), len(TEST_GROUPS))
self.assertEqual(
set(existing_user.groups.values_list('name', flat=True)) -
set(TEST_GROUPS), set())
set_user, auth_ret = auth.authenticate(request)
self.assertEqual(Group.objects.count(), len(TEST_GROUPS))
self.assertEqual(
set(existing_user.groups.values_list('name', flat=True)) -
set(TEST_GROUPS), set())
mock_verify_token.assert_has_calls(
[mock.call('test_access_token'),
mock.call('test_id_token')])
self.assertEqual(set_user.username, existing_user.username)