def test_ui_oauth2_refresh_token(self):
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.idm_client.create_actor_identity(actor_identity_obj)
actor_name = "jdoe"
actor_password = "******"
self.idm_client.set_actor_credentials(actor_id, actor_name,
actor_password)
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.idm_client.define_identity_details(actor_id, actor_details)
client_obj = ActorIdentity(
name="UI Client",
details=OAuthClientIdentityDetails(default_scopes="scioncc"))
client_actor_id = self.idm_client.create_actor_identity(client_obj)
client_id = "ui"
self.idm_client.set_actor_credentials(client_actor_id,
"client:" + client_id,
"client_secret")
session = requests.session()
log.info("------------ Get token")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": actor_name,
"password": actor_password
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
log.info("------------ Refresh token")
auth_params = {
"client_id": client_id,
"grant_type": "refresh_token",
"refresh_token": access_token["refresh_token"]
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
updated_token = resp.json()
self.assertIsNotNone(updated_token)
self.assertNotIn("error", updated_token)
for item in [
"access_token", "token_type", "expires_in", "refresh_token",
"scope"
]:
self.assertIn(item, updated_token)
def _do_test_profile(self, actor_id):
actor_details1 = self.identity_management_service.read_identity_details(
actor_id)
self.assertEquals(actor_details1, None)
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.identity_management_service.define_identity_details(
actor_id, actor_details)
actor_details1 = self.identity_management_service.read_identity_details(
actor_id)
self.assertEquals(actor_details1.contact.individual_names_given,
actor_details.contact.individual_names_given)
def test_ui_server(self):
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.idm_client.create_actor_identity(actor_identity_obj)
self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd")
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.idm_client.define_identity_details(actor_id, actor_details)
# TEST: Authentication
self._do_test_authentication()
# TEST: Service gateway
self._do_test_service_gateway(actor_id)
self.idm_client.delete_actor_identity(actor_id)
def test_ui_oauth2(self):
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.idm_client.create_actor_identity(actor_identity_obj)
self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd")
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.idm_client.define_identity_details(actor_id, actor_details)
client_obj = ActorIdentity(
name="UI Client",
details=OAuthClientIdentityDetails(default_scopes="scioncc"))
client_actor_id = self.idm_client.create_actor_identity(client_obj)
client_id = "ui"
self.idm_client.set_actor_credentials(client_actor_id,
"client:" + client_id,
"client_secret")
session = requests.session()
# TEST: OAuth2 authorize
log.info("------------ Get token #1")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
# TEST: Service access
log.info("------------ Access with token")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
#self.assertIn(actor_id, resp_json["result"][0])
log.info("------------ Access with bad token")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer FOOBAR"})
resp_json = self._assert_json_response(resp, None, status=401)
# TEST: Get session using token
log.info("------------ Get session using token")
resp = session.get(self.ui_base_url + "/auth/session",
headers={
"Authorization":
"Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
self.assertEqual(actor_id, resp_json["result"]["actor_id"])
# TEST: Get new access token
log.info("------------ Refresh token")
auth_params = {
"client_id": client_id,
"grant_type": "refresh_token",
"refresh_token": access_token["refresh_token"]
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token1 = resp.json()
with patch('ion.process.ui.server.ui_instance.session_timeout', 2):
log.info("Patched server.session_timeout to %s",
self.ui_server_proc.session_timeout)
session = requests.session()
log.info("------------ Get token #2 (with short expiration)")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
# TEST: Service access
log.info("------------ Access before expired")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
gevent.sleep(2)
# TEST: Service access fails after expiration
log.info("------------ Access after token expiration")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None, status=401)
with patch('ion.process.ui.server.ui_instance.session_timeout', 2), \
patch('ion.process.ui.server.ui_instance.extend_session_timeout', True), \
patch('ion.process.ui.server.ui_instance.max_session_validity', 3):
session = requests.session()
log.info("------------ Get token #3 (with short expiration)")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
gevent.sleep(1)
# TEST: Service access extends expiration
log.info(
"------------ Access before expired should extend expiration")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
gevent.sleep(1.1)
# TEST: Service access will fail unless was extended
log.info("------------ Access before expired after extension")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
gevent.sleep(1.5)
# TEST: Service access fails after max validity
log.info("------------ Access after token expiration")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None, status=401)
# TEST: Remember user from within session
session = requests.session()
log.info("------------ Get token #4")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
# TEST: Get session without token tests remember user
log.info("------------ Get session without token")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEqual(actor_id, resp_json["result"]["actor_id"])
# TEST: Logout
log.info("------------ Logout")
resp = session.get(self.ui_base_url + "/auth/logout",
headers={
"Authorization":
"Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
self.assertEqual(resp_json["result"], "OK")
# TEST: Get session without token after logout
log.info("------------ Get session without token")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEqual(resp_json["result"]["actor_id"], "")
# TEST: Service access after logout
log.info("------------ Access with token after logout")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None, 401)
with patch('ion.process.ui.server.ui_instance.remember_user', False):
session = requests.session()
log.info("------------ Get token #5")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
# TEST: Get session without token fails if remember user is False
log.info("------------ Get session without token")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEqual(resp_json["result"]["actor_id"], "")
def define_user(self,
user_id='',
first_name='',
last_name='',
username='',
password='',
email='',
attributes=None):
if user_id:
raise NotImplementedError("Update not supported: user_id=%s" %
user_id)
if not email:
raise BadRequest('Email is required')
username = username or email
user = self._get_user_by_email(email)
if user:
raise BadRequest("Email already taken")
if not username or not is_valid_identifier(username,
valid_chars=EMAIL_VALID):
raise BadRequest("Argument username invalid: %s" % username)
if attributes and type(attributes) is not dict:
raise BadRequest("Argument attributes invalid type")
if not first_name:
first_name = username
attributes = attributes or {}
full_name = ("%s %s" %
(first_name, last_name)) if last_name else first_name
IdentityUtils.check_password_policy(password)
contact = ContactInformation(individual_names_given=first_name,
individual_name_family=last_name,
email=email)
user_profile = UserIdentityDetails(contact=contact, profile=attributes)
actor_obj = ActorIdentity(name=full_name, details=user_profile)
# Support fast setting of credentials without expensive compute of bcrypt hash, for quick preload
pwd_salt, pwd_hash = None, None
if attributes and "scion_init_pwdsalt" in attributes and "scion_init_pwdhash" in attributes:
pwd_salt, pwd_hash = attributes.pop(
"scion_init_pwdsalt"), attributes.pop("scion_init_pwdhash")
user_exists = self.idm_client.is_user_existing(username)
if user_exists:
raise BadRequest("Username already taken")
actor_id = self.idm_client.create_actor_identity(actor_obj)
if pwd_salt and pwd_hash:
# Add to credentials
actor_obj1 = self.rr.read(actor_id)
cred_obj = None
for cred in actor_obj1.credentials:
if cred.username == username:
cred_obj = cred
break
if not cred_obj:
cred_obj = Credentials()
cred_obj.username = username
actor_obj1.credentials.append(cred_obj)
actor_obj1.alt_ids.append("UNAME:" + username)
cred_obj.identity_provider = "SciON"
cred_obj.authentication_service = "SciON IdM"
cred_obj.password_salt = pwd_salt
cred_obj.password_hash = pwd_hash
self.rr.update(actor_obj1)
else:
self.idm_client.set_actor_credentials(actor_id, username, password)
return actor_id