def get_token_scopes(access_token): """ The referenced function accepts a token string as argument and should return a dict containing a scope field that is either a space-separated list of scopes belonging to the supplied token. :param access_token: :return: a dict containing a scope field that is either a space-separated list of scopes belonging to the supplied token. """ token = Token.find(access_token) if not token: logger.debug("Access token %r not found", access_token) raise auth_services.NotAuthorizedException(detail="Invalid token") logger.debug("Found a token: %r", token) # only if the token has been issued to a user # the user has to be automatically logged in logger.debug("The token user: %r", token.user) if token.user: auth_services.login_user(token.user) # store the current client g.oauth2client = token.client # if the client is a Registry, store it on the current session from lifemonitor.api.models import WorkflowRegistry registry = WorkflowRegistry.find_by_client_id(token.client.client_id) logger.debug("Token issued to a WorkflowRegistry: %r", registry is not None) if registry: auth_services.login_registry(registry) return {"scope": token.scope}
def test_unauthorized_user_with_expired_registry_token( app_client, user1, authorized_func, client_credentials_registry): helpers.enable_auto_login(user1['user']) user = user1['user'] logger.debug(f"The user: {user}") services.login_user(user) registry = client_credentials_registry services.login_registry(registry) assert registry.name in user.oauth_identity, "Missing user identity" identity = user.oauth_identity[registry.name] # extract the identity token token = identity.token # ensure the token doesn't have a refresh token token.pop('refresh_token', False) # make the token expired token['expires_at'] = token['created_at'] user_info = identity.user_info logger.debug(user_info) # calling the decorator with such a token # will result in a redirection response = authorized_func() logger.debug(response) assert isinstance(response, Response) assert response.status_code == 307, "Unexpected status code" # the redirection to the original endpoint is marked with param 'redirection' # and if the token is still expired an error will be reported with app_client.application.test_request_context('/?redirection=true'): services.login_user(user) services.login_registry(registry) with pytest.raises(services.NotAuthorizedException) as e: authorized_func() utils.assert_error_message( messages.unauthorized_user_with_expired_registry_token.format( registry.name, registry.name), e)
def test_unauthorized_user_without_identity(app_client, client_credentials_registry, authorized_func): user = models.User() services.login_user(user) registry = client_credentials_registry services.login_registry(registry) with pytest.raises(services.NotAuthorizedException) as e: authorized_func() utils.assert_error_message( messages.unauthorized_user_without_registry_identity.format( registry.name), e)
def test_identity(app_client, user1, client_credentials_registry): login_registry(client_credentials_registry) user = user1['user'] logger.debug(user) logger.debug(user.oauth_identity) assert user.current_identity is not None, "Current identity should not be empty" identity = user.current_identity[client_credentials_registry.name] assert identity,\ f"Current identity should contain an identity issued by the provider {client_credentials_registry.name}" assert user.current_identity[client_credentials_registry.name].provider == client_credentials_registry.server_credentials, \ "Unexpected identity provider" serialization = serializers.UserSchema().dump(user) logger.debug(serialization) assert "identities" in serialization, \ "Unable to find the property 'identity' on the serialized user" assert serialization['identities'][client_credentials_registry.name]['provider']['name'] == client_credentials_registry.name,\ "Invalid provider"