def test_unauthorized_signup(remote, models_fixture):
    """Check that an unconfirmed account is not signed in by the callback.

    The remote "info" handler is mocked to report the e-mail address of an
    existing local user.  With confirmation required and that user's
    ``confirmed_at`` cleared, the signup callback is expected to redirect to
    a location starting with ``/login/``.
    """
    app = models_fixture
    existing_email = '*****@*****.**'
    accounts = app.extensions['invenio-accounts']
    user = accounts.datastore.find_user(email=existing_email)

    example_response = {'access_token': 'test_access_token'}
    remote_user = {
        'email': existing_email,
        'external_id': '1234',
        'external_method': 'test_method'
    }
    example_account_info = {'user': remote_user}

    def fake_info(resp):
        """Stand in for the remote app's account-info handler."""
        return example_account_info

    # Mock remote app's handler
    current_oauthclient.signup_handlers[remote.name] = {'info': fake_info}

    # Require e-mail confirmation and mark the matching user as unconfirmed.
    # NOTE(review): these values are set on shared objects and not restored
    # in this test; presumably the fixtures reset them - confirm.
    _security.confirmable = True
    _security.login_without_confirmation = False
    user.confirmed_at = None
    app.config['OAUTHCLIENT_REMOTE_APPS'][remote.name] = {}

    def goes_to_login(x):
        """Return True when the redirect target is under ``/login/``."""
        return x.startswith('/login/')

    resp = authorized_signup_handler(example_response, remote)
    check_redirect_location(resp, goes_to_login)
def test_unauthorized_signup(remote, models_fixture):
    """Verify the signup callback redirects an unconfirmed user to login.

    The account info returned by the mocked remote handler carries the
    e-mail of an existing user whose ``confirmed_at`` is set to ``None``
    while confirmation is mandatory; the response must redirect to a
    location that starts with ``/login/``.
    """
    app = models_fixture
    store = app.extensions['invenio-accounts'].datastore
    existing_email = '*****@*****.**'
    user = store.find_user(email=existing_email)

    example_response = {'access_token': 'test_access_token'}
    example_account_info = {
        'user': {
            'email': existing_email,
            'external_id': '1234',
            'external_method': 'test_method'
        }
    }

    # Mock remote app's handler
    handlers = {'info': lambda resp: example_account_info}
    current_oauthclient.signup_handlers[remote.name] = handlers

    # Confirmation is required and the user has not confirmed yet.
    # NOTE(review): shared state is modified here without cleanup in this
    # test; presumably handled by the fixtures - confirm.
    _security.confirmable = True
    _security.login_without_confirmation = False
    user.confirmed_at = None
    app.config['OAUTHCLIENT_REMOTE_APPS'][remote.name] = {}

    response = authorized_signup_handler(example_response, remote)
    check_redirect_location(response, lambda x: x.startswith('/login/'))
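def test_authorized_rest_handler(app_rest):
    """Test how the REST authorized callback handles provider errors.

    Covers four error values in the provider response: a generic error
    (redirect carrying a 400 message), ``bad_verification_code`` (redirect
    back to the GitHub login endpoint), and ``incorrect_client_credentials``
    and ``redirect_uri_mismatch`` (both expected to raise
    ``OAuthResponseError``).
    """
    oauth = current_oauthclient.oauth
    remote = oauth.remote_apps['github']

    # General error
    example_response = {'error': 'error'}
    resp = authorized_rest(example_response, remote)
    expected_url_args = {
        "message": "Authorization with remote service failed.",
        "code": 400,
    }
    check_response_redirect_url_args(resp, expected_url_args)

    # Bad verification error
    example_response = {'error': 'bad_verification_code'}
    resp = authorized_rest(example_response, remote)
    check_redirect_location(resp, '/oauth/login/github/')

    # Incorrect client credentials
    example_response = {'error': 'incorrect_client_credentials'}
    with pytest.raises(OAuthResponseError):
        authorized_rest(example_response, remote)

    # Redirect uri mismatch
    # Kept as its own top-level block: statements placed after the raising
    # call inside a ``pytest.raises`` body never run, so nesting this case
    # there would leave it unchecked.
    example_response = {'error': 'redirect_uri_mismatch'}
    with pytest.raises(OAuthResponseError):
        authorized_rest(example_response, remote)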
def test_valid_authorized_userprofiles(userprofiles_fixture):
    """Exercise the SAML ``authorized`` view with userprofiles enabled.

    Posts stored SAML responses to the ``idp`` remote app and checks:

    * a valid response yields a 302 and an authenticated user;
    * an expired response yields a 403 and no authenticated user;
    * a valid response with a serialized state redirects to its ``next``;
    * a state with an invalid ``sid`` and an empty ``RelayState`` both
      yield a 400.
    """
    app = userprofiles_fixture
    with app.test_client() as client:
        # Valid assertion: user is logged in and redirected.
        _authorized_valid_config(app)
        endpoint = url_for(
            'shibboleth_authenticator.authorized', remote_app='idp')
        form = {'SAMLResponse': _load_file('valid.xml.base64')}
        resp = client.post(endpoint, data=form)
        assert resp.status_code == 302
        assert current_user.email == '*****@*****.**'
        assert current_user.is_authenticated

        # Expired assertion: must be refused and leave nobody logged in.
        _authorized_valid_config(app)
        endpoint = url_for(
            'shibboleth_authenticator.authorized', remote_app='idp')
        form = {'SAMLResponse': _load_file('expired.xml.base64')}
        resp = client.post(endpoint, data=form)
        assert resp.status_code == 403
        assert not current_user.is_authenticated

        from shibboleth_authenticator.views import serializer

        # test valid request with next parameter
        # NOTE(review): only a relative path is used as ``next`` here; how
        # the view treats absolute or external targets is not covered by
        # this test - confirm elsewhere.
        next_url = '/test/redirect'
        good_state = {
            'app': 'idp',
            'sid': _create_identifier(),
            'next': next_url,
        }
        state = serializer.dumps(good_state)
        endpoint = url_for(
            'shibboleth_authenticator.authorized', remote_app='idp')
        form = {
            'SAMLResponse': _load_file('valid.xml.base64'),
            'RelayState': state,
        }
        resp = client.post(endpoint, data=form)
        check_redirect_location(resp, lambda x: x.endswith(next_url))
        assert current_user.email == '*****@*****.**'
        assert current_user.is_authenticated

        # test invalid state token
        bad_state = {
            'app': 'idp',
            'sid': 'invalid',
            'next': next_url,
        }
        state = serializer.dumps(bad_state)
        endpoint = url_for(
            'shibboleth_authenticator.authorized', remote_app='idp')
        form = {
            'SAMLResponse': _load_file('valid.xml.base64'),
            'RelayState': state,
        }
        resp = client.post(endpoint, data=form)
        assert resp.status_code == 400

        # An empty RelayState is rejected as well.
        endpoint = url_for(
            'shibboleth_authenticator.authorized', remote_app='idp')
        form = {
            'SAMLResponse': _load_file('valid.xml.base64'),
            'RelayState': '',
        }
        resp = client.post(endpoint, data=form)
        assert resp.status_code == 400
def test_already_linked_exception(app):
    """Check the redirect produced when a service is already linked.

    A handler that raises ``AlreadyLinkedError`` is wrapped with
    ``oauth_error_handler``; calling it must yield a redirect to the
    linked-accounts settings page.
    """
    def raise_already_linked():
        raise AlreadyLinkedError(None, None)

    # Apply the error handler explicitly instead of with decorator syntax.
    guarded = oauth_error_handler(raise_already_linked)

    response = guarded()
    check_redirect_location(response, '/account/settings/linkedaccounts/')
def test_already_linked_exception(app):
    """Verify ``AlreadyLinkedError`` is turned into a settings redirect.

    The error is raised from a handler decorated with
    ``oauth_error_handler``; the resulting response must point at
    ``/account/settings/linkedaccounts/``.
    """
    linked_accounts_url = '/account/settings/linkedaccounts/'

    @oauth_error_handler
    def failing_handler():
        raise AlreadyLinkedError(None, None)

    outcome = failing_handler()
    check_redirect_location(outcome, linked_accounts_url)
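def test_authorized_handler(app, remote):
    """Test how the authorized callback handles provider errors.

    Covers four error values in the provider response: a generic error
    (redirect to ``/``), ``bad_verification_code`` (redirect back to the
    GitHub login endpoint), and ``incorrect_client_credentials`` and
    ``redirect_uri_mismatch`` (both expected to raise
    ``OAuthResponseError``).
    """
    # General error
    example_response = {'error': 'error'}
    resp = authorized(example_response, remote)
    check_redirect_location(resp, '/')

    # Bad verification error
    example_response = {'error': 'bad_verification_code'}
    resp = authorized(example_response, remote)
    check_redirect_location(resp, '/oauth/login/github/')

    # Incorrect client credentials
    example_response = {'error': 'incorrect_client_credentials'}
    with pytest.raises(OAuthResponseError):
        authorized(example_response, remote)

    # Redirect uri mismatch
    # Kept as its own top-level block: statements placed after the raising
    # call inside a ``pytest.raises`` body never run, so nesting this case
    # there would leave it unchecked.
    example_response = {'error': 'redirect_uri_mismatch'}
    with pytest.raises(OAuthResponseError):
        authorized(example_response, remote)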
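def test_authorized_handler(app, remote):
    """Test the authorized callback against error responses.

    A generic error must redirect to ``/``, ``bad_verification_code`` must
    redirect to the GitHub login endpoint, and both
    ``incorrect_client_credentials`` and ``redirect_uri_mismatch`` must
    raise ``OAuthResponseError``.
    """
    # General error
    example_response = {'error': 'error'}
    resp = authorized(example_response, remote)
    check_redirect_location(resp, '/')

    # Bad verification error
    example_response = {'error': 'bad_verification_code'}
    resp = authorized(example_response, remote)
    check_redirect_location(resp, '/oauth/login/github/')

    # Errors that must surface as exceptions.  Each gets its own
    # ``pytest.raises`` block, because anything written after the raising
    # call inside such a block is never executed.
    for error in ('incorrect_client_credentials', 'redirect_uri_mismatch'):
        example_response = {'error': error}
        with pytest.raises(OAuthResponseError):
            authorized(example_response, remote)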
def test_authorized_signup_handler(remote, models_fixture):
    """Check the signup callback redirects to the stored next URL.

    With the remote "setup" handler mocked and a user authenticated, a
    next URL saved in the session under the remote's token key must be
    the redirect target of the callback response.
    """
    accounts = models_fixture.extensions['invenio-accounts']
    user = accounts.datastore.find_user(email='*****@*****.**')

    example_response = {'access_token': 'test_access_token'}

    def noop_setup(token, resp):
        """Stand in for the remote app's setup handler; does nothing."""
        return None

    # Mock remote app's handler
    current_oauthclient.signup_handlers[remote.name] = {'setup': noop_setup}

    # Authenticate user
    oauth_authenticate('dev', user)

    # Mock next url
    next_url = '/test/redirect'
    next_url_key = token_session_key(remote.name) + '_next_url'
    session[next_url_key] = next_url

    # Check user is redirected to next_url
    response = authorized_signup_handler(example_response, remote)
    check_redirect_location(response, next_url)
def test_authorized_signup_handler(remote, models_fixture):
    """Verify an authenticated signup callback honours the session next URL.

    The remote "setup" handler is replaced by a no-op, the user is
    authenticated, and a next URL is placed in the session; the callback
    response must redirect there.
    """
    app = models_fixture
    datastore = app.extensions['invenio-accounts'].datastore
    user = datastore.find_user(email='*****@*****.**')

    example_response = {'access_token': 'test_access_token'}

    # Mock remote app's handler
    mocked_handlers = {
        'setup': lambda token, resp: None
    }
    current_oauthclient.signup_handlers[remote.name] = mocked_handlers

    # Authenticate user
    oauth_authenticate('dev', user)

    # Mock next url
    next_url = '/test/redirect'
    session_key = token_session_key(remote.name) + '_next_url'
    session[session_key] = next_url

    # Check user is redirected to next_url
    result = authorized_signup_handler(example_response, remote)
    check_redirect_location(result, next_url)
def test_signup_handler(remote, app, models_fixture):
    """Check the signup handler in three situations.

    * An already authenticated user is redirected to ``/``.
    * A request without an OAuth token is redirected to ``/``.
    * With a token set but no preceding authorized request, the handler
      raises ``BuildError``.
    """
    accounts = app.extensions['invenio-accounts']
    existing_email = '*****@*****.**'
    user = accounts.datastore.find_user(email=existing_email)

    # Already authenticated
    login_user(user)
    assert current_user.is_authenticated
    authenticated_resp = signup_handler(remote)
    check_redirect_location(authenticated_resp, '/')
    logout_user()
    assert not current_user.is_authenticated

    # No OAuth token
    tokenless_resp = signup_handler(remote)
    check_redirect_location(tokenless_resp, '/')

    # Not coming from authorized request
    remote_token = RemoteToken.create(
        user.id, 'testkey', 'mytoken', 'mysecret')
    token_setter(remote, remote_token, 'mysecret')
    with pytest.raises(BuildError):
        signup_handler(remote)
def test_signup_handler(remote, models_fixture):
    """Verify signup handler behaviour for three request states.

    A logged-in user and a request without an OAuth token are both
    redirected to ``/``; a request that has a token but does not follow an
    authorized callback raises ``BuildError``.
    """
    app = models_fixture
    existing_email = '*****@*****.**'
    datastore = app.extensions['invenio-accounts'].datastore
    user = datastore.find_user(email=existing_email)
    home = '/'

    # Already authenticated
    login_user(user)
    assert current_user.is_authenticated
    check_redirect_location(signup_handler(remote), home)
    logout_user()
    assert not current_user.is_authenticated

    # No OAuth token
    check_redirect_location(signup_handler(remote), home)

    # Not coming from authorized request
    stored = RemoteToken.create(user.id, 'testkey', 'mytoken', 'mysecret')
    token_setter(remote, stored, 'mysecret')
    with pytest.raises(BuildError):
        signup_handler(remote)
def test_unauthorized_disconnect(app, remote):
    """Check that disconnecting without a logged-in user redirects to login.

    No user is authenticated before the call, and the response location
    must start with ``/login/``.
    """
    def goes_to_login(x):
        """Return True when the redirect target is under ``/login/``."""
        return x.startswith('/login/')

    response = disconnect_handler(remote)
    check_redirect_location(response, goes_to_login)
def test_unauthorized_disconnect(app, remote):
    """Verify the disconnect handler sends anonymous requests to login.

    The handler is invoked with no authenticated user; the redirect
    location is required to begin with ``/login/``.
    """
    login_prefix = '/login/'
    outcome = disconnect_handler(remote)
    check_redirect_location(outcome, lambda x: x.startswith(login_prefix))