class UserInfoTestCase(BaseTestCase):
    """Base case for tests of the OAuth2 ``user_info`` endpoint.

    Each test starts with a freshly issued access token for ``self.user``,
    bound to ``self.auth_client``. Requests are authenticated solely through
    the ``Authorization: Bearer`` header built by ``get_with_authorization``;
    omitting the token sends no header at all, which the negative tests use.
    """

    def setUp(self):
        super(UserInfoTestCase, self).setUp()
        self.path = reverse('oauth2:user_info')
        self.set_user(self.user)

    def set_user(self, user):
        """Switch the active user and mint a new token for ``self.user``."""
        super(UserInfoTestCase, self).set_user(user)
        # The token is issued for self.user as set by the parent, not for
        # the raw ``user`` argument.
        self.access_token = AccessTokenFactory(
            user=self.user,
            client=self.auth_client,
        )

    def set_access_token_scope(self, scope):
        """Persist the space-separated scope names in ``scope`` on the token."""
        scope_names = scope.split()
        self.access_token.scope = provider.scope.to_int(*scope_names)
        self.access_token.save()  # pylint: disable=no-member

    def get_with_authorization(self, path, access_token=None, payload=None):
        """GET ``path``; when ``access_token`` is truthy, send it as a bearer token.

        A falsy token means the request goes out unauthenticated -- no
        Authorization header is added at all.
        """
        headers = {}
        if access_token:
            headers['HTTP_AUTHORIZATION'] = 'Bearer %s' % access_token
        return self.client.get(path, payload, **headers)

    def get_userinfo(self, token=None, scope=None, claims=None):
        """Call the userinfo endpoint; return ``(response, decoded JSON body)``."""
        query = _add_values({}, 'userinfo', scope, claims)
        response = self.get_with_authorization(self.path, token, query)
        decoded = json.loads(response.content)
        return response, decoded
class UserInfoTestCase(BaseTestCase):
    """Shared fixture for ``oauth2:user_info`` tests.

    Provides a per-test access token for ``self.user`` and helpers that
    authenticate only via the bearer header (never the session).
    """

    def setUp(self):
        super(UserInfoTestCase, self).setUp()
        self.path = reverse('oauth2:user_info')
        self.set_user(self.user)

    def set_user(self, user):
        """Delegate to the parent, then issue a token for the resulting ``self.user``."""
        super(UserInfoTestCase, self).set_user(user)
        self.access_token = AccessTokenFactory(user=self.user, client=self.auth_client)

    def set_access_token_scope(self, scope):
        """Overwrite the token's scope with the names in ``scope`` (space separated)."""
        as_int = provider.scope.to_int(*scope.split())
        self.access_token.scope = as_int
        self.access_token.save()  # pylint: disable=no-member

    def get_with_authorization(self, path, access_token=None, payload=None):
        """GET ``path`` with an optional ``Authorization: Bearer`` header.

        No header is sent for a falsy ``access_token``; that is the
        unauthenticated case the negative tests exercise.
        """
        extra = {'HTTP_AUTHORIZATION': 'Bearer %s' % access_token} if access_token else {}
        return self.client.get(path, payload, **extra)

    def get_userinfo(self, token=None, scope=None, claims=None):
        """Request userinfo with the given token/scope/claims; return ``(response, json)``."""
        params = _add_values({}, 'userinfo', scope, claims)
        response = self.get_with_authorization(self.path, token, params)
        return response, json.loads(response.content)
    def test_not_authorized(self):
        """
        Unauthorized users should get an empty list, not an error.

        The token belongs to a staff member of ``self.course`` only. The
        listing must contain that course and be empty for ``self.empty_course``.

        NOTE(review): the first request runs under ``DEBUG=True`` and expects
        200 unconditionally -- this pins an authorization bypass in debug mode,
        so ``DEBUG`` must never be enabled in production.
        """
        staff_user = StaffFactory(course_key=self.course.id)
        token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
        auth_header = 'Bearer ' + token

        def fetch(course_id=None):
            # GET the listing, optionally filtered by course_id, with the bearer token.
            url = reverse(self.view)
            if course_id is not None:
                url = "{}?course_id={}".format(url, course_id)
            return self.http_get(url, HTTP_AUTHORIZATION=auth_header)

        # Debug mode: the view is expected to answer 200 regardless of access.
        with override_settings(DEBUG=True):
            self.assertEqual(fetch().status_code, 200)

        # Normal mode: an authorized user can reach the listing.
        self.assertEqual(fetch().status_code, 200)

        # Filtering by the course the user is staff for yields exactly that course.
        response = fetch(self.course_id)
        self.assertEqual(response.status_code, 200)
        results = response.data['results']
        self.assertEqual(len(results), 1)
        self.assertEqual(results[0]['name'], self.course.display_name)

        # A course the user cannot access is not an error: 200 with an empty page.
        response = fetch(unicode(self.empty_course.id))
        self.assertEqual(response.status_code, 200)
        self.assertDictContainsSubset({'count': 0, u'results': []}, response.data)
    def test_not_authorized(self):
        """
        Unauthorized users should get an empty list.

        The bearer token is for a staff member of ``self.course`` only, so the
        endpoint lists that course and returns nothing for ``self.empty_course``
        (with a 200, not a 403/404).
        """
        staff_user = StaffFactory(course_key=self.course.id)
        token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
        auth = {'HTTP_AUTHORIZATION': 'Bearer ' + token}
        base_url = reverse(self.view)

        # Authorized: the unfiltered listing is reachable.
        self.assertEqual(self.http_get(base_url, **auth).status_code, 200)

        # Filter by the course the user is staff for: exactly one result.
        own_course_url = "{}?course_id={}".format(base_url, self.course_id)
        response = self.http_get(own_course_url, **auth)
        self.assertEqual(response.status_code, 200)
        results = response.data['results']
        self.assertEqual(len(results), 1)
        self.assertEqual(results[0]['name'], self.course.display_name)

        # Filter by a course the user cannot access: still 200, but empty.
        other_course_url = "{}?course_id={}".format(base_url, unicode(self.empty_course.id))
        response = self.http_get(other_course_url, **auth)
        self.assertEqual(response.status_code, 200)
        self.assertDictContainsSubset({'count': 0, u'results': []}, response.data)
 def test_oauth(self):
     """ Verify the endpoint supports authentication via OAuth 2.0. """
     token = AccessTokenFactory(user=self.user, client=ClientFactory()).token
     bearer = {'HTTP_AUTHORIZATION': 'Bearer ' + token}

     # Drop the session login first, so a 200 below can only come from the
     # bearer token and not from a lingering session cookie.
     self.client.logout()
     self.assertEqual(self.client.get(self.path, **bearer).status_code, 200)
    def test_oauth(self):
        """Verify that the endpoint supports OAuth 2.0."""
        token = AccessTokenFactory(user=self.user, client=ClientFactory()).token  # pylint: disable=no-member

        # Put the bearer token on the shared request headers ...
        self.headers['HTTP_AUTHORIZATION'] = 'Bearer ' + token
        # ... and end the session login, so the expected 200 is attributable
        # to the token alone.
        self.client.logout()

        self._verify_response(200)
    def test_not_authorized(self):
        """
        A course-staff bearer token is accepted for its own course and
        rejected for a course in which the user holds no staff role.
        """
        staff_user = StaffFactory(course_key=self.course.id)
        token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
        auth_header = 'Bearer ' + token

        # Staff of self.course: the request is allowed.
        allowed = self.http_get_for_course(HTTP_AUTHORIZATION=auth_header)
        self.assertEqual(allowed.status_code, 200)

        # Same token, different course with no staff role: denied.
        # NOTE(review): the expected status is 404 rather than 403, which
        # presumably avoids confirming the course exists -- verify that is intended.
        other_course_id = unicode(self.empty_course.id)
        denied = self.http_get_for_course(course_id=other_course_id, HTTP_AUTHORIZATION=auth_header)
        self.assertEqual(denied.status_code, 404)
    def test_not_authorized(self):
        """
        Course staff may read their own course; for another course the same
        token gets a 404.
        """
        staff_user = StaffFactory(course_key=self.course.id)
        bearer = 'Bearer ' + AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token

        def status_for(**kwargs):
            # Issue the course request with the bearer header plus any extra kwargs.
            kwargs['HTTP_AUTHORIZATION'] = bearer
            return self.http_get_for_course(**kwargs).status_code

        # The token's user is staff for self.course, so access is granted.
        self.assertEqual(status_for(), 200)

        # Not course staff for empty_course: denied. A 404 (not 403) is expected,
        # presumably so the response does not reveal whether the course exists.
        self.assertEqual(status_for(course_id=unicode(self.empty_course.id)), 404)
class UserInfoTestCase(BaseTestCase):
    """Fixture for ``oauth2:user_info`` tests.

    Issues a token for ``self.user`` per test and offers helpers that
    authenticate exclusively through the ``Authorization: Bearer`` header.
    """

    def setUp(self):
        super(UserInfoTestCase, self).setUp()
        self.path = reverse('oauth2:user_info')
        self.set_user(self.user)

    def set_user(self, user):
        """Switch users via the parent, then mint a token for ``self.user``."""
        super(UserInfoTestCase, self).set_user(user)
        self.access_token = AccessTokenFactory(
            user=self.user,
            client=self.auth_client,
        )

    def set_access_token_scope(self, scope):
        """Set the token's scope from space-separated scope names and save it."""
        names = scope.split()
        self.access_token.scope = provider.scope.to_int(*names)
        self.access_token.save()

    def get_with_authorization(self, path, access_token=None, data=None):
        """GET ``path`` with query ``data``; add a bearer header when a token is given.

        A falsy ``access_token`` sends no Authorization header, i.e. the
        request is unauthenticated.
        """
        query = data or {}
        headers = {}
        if access_token:
            headers['HTTP_AUTHORIZATION'] = 'Bearer %s' % access_token
        return self.client.get(path, query, **headers)

    def get_userinfo(self, token=None, scope=None, claims=None):
        """Call userinfo with optional ``scope`` / ``claims``; return ``(response, json)``.

        ``claims`` is wrapped as ``{"userinfo": claims}`` and JSON-encoded
        into the ``claims`` query parameter.
        """
        query = {}
        if scope:
            query['scope'] = scope
        if claims:
            query['claims'] = json.dumps({'userinfo': claims})

        response = self.get_with_authorization(self.path, token, query)
        body = json.loads(response.content)
        return response, body
class UserInfoTestCase(BaseTestCase):
    """Base test case for the OAuth2 ``user_info`` view.

    A fresh access token for ``self.user`` is created in ``setUp``; the
    request helpers authenticate only with that bearer token, never a session.
    """

    def setUp(self):
        super(UserInfoTestCase, self).setUp()
        self.path = reverse('oauth2:user_info')
        self.set_user(self.user)

    def set_user(self, user):
        """Activate ``user`` through the parent and issue a token for ``self.user``."""
        super(UserInfoTestCase, self).set_user(user)
        self.access_token = AccessTokenFactory(user=self.user, client=self.auth_client)

    def set_access_token_scope(self, scope):
        """Replace the token's scope bits with those named in ``scope`` and save."""
        self.access_token.scope = provider.scope.to_int(*scope.split())
        self.access_token.save()

    def get_with_authorization(self, path, access_token=None, data=None):
        """GET ``path`` with ``data`` as the query; bearer header only if a token is given."""
        extra = {}
        if access_token:
            extra['HTTP_AUTHORIZATION'] = 'Bearer %s' % access_token
        return self.client.get(path, data if data else {}, **extra)

    def get_userinfo(self, token=None, scope=None, claims=None):
        """Fetch userinfo and return ``(response, parsed JSON body)``.

        ``scope`` is passed through as-is; ``claims`` is JSON-encoded under a
        top-level ``userinfo`` key, matching the request format the view parses.
        """
        params = {}
        if scope:
            params['scope'] = scope
        if claims:
            params['claims'] = json.dumps({'userinfo': claims})

        response = self.get_with_authorization(self.path, token, params)
        return response, json.loads(response.content)
    def test_oauth(self):
        """ Verify the endpoint supports OAuth, and only allows authorization for staff users. """
        account = UserFactory(is_staff=False)
        token = AccessTokenFactory.create(user=account, client=ClientFactory.create()).token
        bearer = {"HTTP_AUTHORIZATION": "Bearer " + token}

        # A valid token alone is not sufficient: a non-staff user is refused.
        self.assertEqual(self.client.get(self.path, **bearer).status_code, 403)

        # Promote the same user and reuse the unchanged token: now allowed. The
        # staff check is therefore evaluated per request from the user record,
        # not from anything baked into the token.
        account.is_staff = True
        account.save()  # pylint: disable=no-member
        self.assertEqual(self.client.get(self.path, **bearer).status_code, 200)
    def test_oauth(self):
        """ Verify the endpoint supports OAuth, and only allows authorization for staff users. """
        non_staff = UserFactory(is_staff=False)
        oauth_client = ClientFactory.create()
        token = AccessTokenFactory.create(user=non_staff, client=oauth_client).token

        def get_status():
            # Request the endpoint with the bearer token and return the status code.
            return self.client.get(self.path, HTTP_AUTHORIZATION='Bearer ' + token).status_code

        # Authenticated but not staff: forbidden.
        self.assertEqual(get_status(), 403)

        # Flip is_staff on the same user; the same token now passes, showing the
        # staff check is re-read from the user on each request.
        non_staff.is_staff = True
        non_staff.save()  # pylint: disable=no-member
        self.assertEqual(get_status(), 200)
    def test_not_authorized(self):
        """
        A course-staff token is accepted for its own course and gets 403 for
        a course in which the user has no staff role.

        NOTE(review): the ``DEBUG=True`` request expects 200 with no
        authorization check at all; that bypass must never reach production.
        """
        staff_user = StaffFactory(course_key=self.course.id)
        token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
        auth_header = 'Bearer ' + token

        def fetch(course_id):
            # GET the course-scoped view for course_id with the bearer header.
            url = reverse(self.view, kwargs={'course_id': course_id})
            return self.http_get(url, HTTP_AUTHORIZATION=auth_header)

        # Debug mode: the view is expected to return data unconditionally.
        with override_settings(DEBUG=True):
            self.assertEqual(fetch(self.course_id).status_code, 200)

        # Normal mode, own course: allowed.
        self.assertEqual(fetch(self.course_id).status_code, 200)

        # Normal mode, a course where the user is not staff: forbidden.
        self.assertEqual(fetch(unicode(self.empty_course.id)).status_code, 403)
    def test_not_authorized(self):
        """
        Course staff can read their own course (200); the same token is
        refused (403) for a course they are not staff of.

        NOTE(review): with ``DEBUG=True`` the view is expected to answer 200
        regardless of authorization -- a debug-only bypass that must not be
        enabled in production.
        """
        staff_user = StaffFactory(course_key=self.course.id)
        bearer = 'Bearer ' + AccessTokenFactory.create(
            user=staff_user, client=self.oauth_client).token

        own_course_url = reverse(self.view, kwargs={'course_id': self.course_id})

        # Debug mode always returns data.
        with override_settings(DEBUG=True):
            debug_response = self.http_get(own_course_url, HTTP_AUTHORIZATION=bearer)
            self.assertEqual(debug_response.status_code, 200)

        # Proper token for the user's own course.
        own_response = self.http_get(own_course_url, HTTP_AUTHORIZATION=bearer)
        self.assertEqual(own_response.status_code, 200)

        # Same token against a course with no staff role for this user.
        other_course_url = reverse(
            self.view, kwargs={'course_id': unicode(self.empty_course.id)})
        other_response = self.http_get(other_course_url, HTTP_AUTHORIZATION=bearer)
        self.assertEqual(other_response.status_code, 403)
    def test_not_authorized(self):
        """
        Unauthorized users should get an empty list.

        With a token for a staff member of ``self.course`` only, the listing
        contains that one course and is empty (still 200) for ``self.empty_course``.
        """
        staff_user = StaffFactory(course_key=self.course.id)
        token = AccessTokenFactory.create(user=staff_user, client=self.oauth_client).token
        bearer = "Bearer " + token

        def get(url):
            # GET url with the bearer token in the Authorization header.
            return self.http_get(url, HTTP_AUTHORIZATION=bearer)

        # Unfiltered listing is reachable with a valid token.
        self.assertEqual(get(reverse(self.view)).status_code, 200)

        # Filtering on the user's own course returns exactly that course.
        response = get("{}?course_id={}".format(reverse(self.view), self.course_id))
        self.assertEqual(response.status_code, 200)
        results = response.data["results"]
        self.assertEqual(len(results), 1)
        self.assertEqual(results[0]["name"], self.course.display_name)

        # Filtering on an inaccessible course: no error, just an empty page.
        response = get("{}?course_id={}".format(reverse(self.view), unicode(self.empty_course.id)))
        self.assertEqual(response.status_code, 200)
        self.assertDictContainsSubset({"count": 0, u"results": []}, response.data)
 def setUp(self):
     """Prepare a per-test nonce and an access token for ``self.user``."""
     super(BaseTestCase, self).setUp()
     # Random (uuid4) nonce, stringified; a fresh value for every test.
     self.nonce = unicode(uuid.uuid4())
     # Token issued to the test user on the test OAuth client.
     self.access_token = AccessTokenFactory(
         user=self.user,
         client=self.auth_client,
     )
 def create_user_and_access_token(self):
     """Create a global-staff user, an OAuth client, and a token bound to both.

     Only the token string (``.token``) is stored, since that is what goes
     into the Authorization header.
     """
     self.user = GlobalStaffFactory.create()
     self.oauth_client = ClientFactory.create()
     issued = AccessTokenFactory.create(user=self.user, client=self.oauth_client)
     self.access_token = issued.token
 def create_user_and_access_token(self):
     """Create the test user, an OAuth client, and an access token string for them."""
     self.create_user()
     self.oauth_client = ClientFactory.create()
     # Keep just the token string; the Authorization header carries nothing else.
     issued = AccessTokenFactory.create(
         user=self.user,
         client=self.oauth_client,
     )
     self.access_token = issued.token
 def set_user(self, user):
     """Make ``user`` the active user and issue a fresh access token for it."""
     super(UserInfoTestCase, self).set_user(user)
     # The token is minted for self.user as set by the parent, not for the
     # argument directly.
     self.access_token = AccessTokenFactory(
         user=self.user,
         client=self.auth_client,
     )
 def set_user(self, user):
     """Switch the active user via the parent, then mint a token for ``self.user``."""
     super(UserInfoTestCase, self).set_user(user)
     token_owner = self.user  # whatever the parent made current, not the raw argument
     self.access_token = AccessTokenFactory(user=token_owner, client=self.auth_client)