def create_keypair(user, current_session, encryption_key, expire=86400):
existing_keypairs = 0
for keypair in user.hmac_keypairs:
if not keypair.check_and_archive(current_session):
existing_keypairs += 1
if existing_keypairs >= 2:
raise UserError("You can only have at most 2 keypairs")
key = Fernet(encryption_key)
# default to 1 day, max to 30 days
try:
expire = int(expire)
except ValueError:
raise UserError("Expiration has to be an integer representing"
" expiration time in seconds")
if expire > 2592000:
raise UserError("Max expiration time is 30 days(2592000 seconds)")
expire = min(expire, 2592000)
result = dict(access_key=random_str(20), secret_key=random_str(40))
keypair = HMACKeyPair(access_key=result['access_key'],
secret_key=key.encrypt(result['secret_key']),
expire=expire,
user_id=user.id)
current_session.add(keypair)
current_session.commit()
return result
def test_id_token_has_nonce(oauth_test_client):
nonce = random_str(10)
data = {"confirm": "yes", "nonce": nonce}
oauth_test_client.authorize(data=data)
response_json = oauth_test_client.token(data=data).response.json
id_token = validate_jwt(response_json["id_token"])
assert "nonce" in id_token
assert nonce == id_token["nonce"]
def set_csrf(response):
"""
Create a cookie for CSRF protection if one does not yet exist.
"""
if not flask.request.cookies.get('csrftoken'):
secure = app.config.get('SESSION_COOKIE_SECURE', True)
response.set_cookie('csrftoken', random_str(40), secure=secure)
return response
def test_id_token_has_nonce(client, oauth_client):
nonce = random_str(10)
data = {
'client_id': oauth_client.client_id,
'redirect_uri': oauth_client.url,
'response_type': 'code',
'scope': 'openid user',
'state': random_str(10),
'confirm': 'yes',
'nonce': nonce,
}
response_json = (
oauth2.get_token_response(client, oauth_client, code_request_data=data)
.json
)
id_token = validate_jwt(response_json['id_token'], {'openid'})
assert 'nonce' in id_token
assert nonce == id_token['nonce']
def test_user_delete_cascade(db_session):
"""
test deleting a user will cascade to its children
"""
user = User(username="******")
client = Client(
name="test_client",
user=user,
client_id=random_str(40),
client_secret=random_str(60),
)
db_session.add(user)
db_session.add(client)
db_session.flush()
assert len(user.clients) == 1
db_session.delete(user)
assert db_session.query(Client).filter_by(
client_id=client.client_id).count() == 0
def generate_csrf_token():
"""
Generate a token used for CSRF protection.
If the session does not currently have such a CSRF token, assign it one
from a random string. Then return the session's CSRF token.
"""
if '_csrf_token' not in flask.session:
flask.session['_csrf_token'] = random_str(20)
return flask.session['_csrf_token']
def set_csrf(response):
"""
Create a cookie for CSRF protection if one does not yet exist
"""
if not flask.request.cookies.get("csrftoken"):
secure = config.get("SESSION_COOKIE_SECURE", True)
response.set_cookie("csrftoken", random_str(40), secure=secure)
if flask.request.method in ["POST", "PUT", "DELETE"]:
current_session.commit()
return response
