 def test_refresh_token_invalid_token(self):
     """
     Refreshing with a refresh token that was never issued must fail with ``invalid_grant``.

     An access token is created for ``self.client`` first; the refresh is then
     attempted with a made-up refresh-token string and the OAuth2 error is checked.
     """
     api.create_dot_access_token(HttpRequest(), self.user, self.client)
     bogus_refresh_token = 'invalid_refresh_token'
     with self.assertRaises(api.OAuth2Error) as raised:
         api.refresh_dot_access_token(HttpRequest(), self.client.client_id, bogus_refresh_token)
     # Pin the error code carried in the description, not only the exception
     # type, so a rejection for some other reason would not pass this test.
     self.assertIn('invalid_grant', raised.exception.description)
 def test_refresh_token_invalid_token(self):
     """
     A refresh attempt with an unknown refresh token is rejected as ``invalid_grant``.

     ``self.request`` is reused for both the initial token creation and the
     failing refresh call.
     """
     expected_error_code = 'invalid_grant'
     api.create_dot_access_token(self.request, self.user, self.client)
     with self.assertRaises(api.OAuth2Error) as raised:
         api.refresh_dot_access_token(self.request, self.client.client_id, 'invalid_refresh_token')
     self.assertIn(expected_error_code, raised.exception.description)
def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None, refresh_token=None):
    """
    Mint a JWT for the login OAuth client and write it into cookies on ``response``.

    Args:
        response: HttpResponse the cookies are added to.
        request: Current request, forwarded to the DOT token helpers.
        cookie_settings: Cookie attributes passed straight through to
            ``_set_jwt_cookies``. The refresh token ends up in one of these
            cookies, so HttpOnly/Secure flags matter -- they are the caller's
            responsibility; nothing is enforced here.
        user: User a fresh token is created for. Only consulted when
            ``refresh_token`` is falsy; with both absent ``None`` reaches
            ``create_dot_access_token`` unguarded.
        refresh_token: If truthy, the existing grant is refreshed instead of
            creating a new token, and ``user`` is ignored.

    Returns:
        None. Sets nothing when the ``DISABLE_SET_JWT_COOKIES_FOR_TESTS``
        feature is enabled.
    """
    # Most unit tests have no login OAuth client in the database, which makes
    # ``_get_login_oauth_client`` raise; the feature flag sidesteps that.
    # Not ideal -- https://github.com/edx/edx-platform/pull/19180#issue-226706355
    # discusses the alternatives that were tried. The flag is read from live
    # settings, so if it were ever on outside tests, JWT cookies would
    # silently stop being issued.
    if settings.FEATURES.get('DISABLE_SET_JWT_COOKIES_FOR_TESTS', False):
        return

    # The JWT embedded in the cookie is deliberately shorter-lived than the
    # cookie itself; the refresh token stored beside it is presumably what
    # renews it via the ``refresh_token`` branch below.
    jwt_lifetime = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']
    login_client = _get_login_oauth_client()

    if refresh_token:
        token = refresh_dot_access_token(
            request, login_client.client_id, refresh_token, expires_in=jwt_lifetime,
        )
    else:
        token = create_dot_access_token(
            request, user, login_client, expires_in=jwt_lifetime, scopes=['email', 'profile'],
        )

    # ``use_asymmetric_key=True``: signed with the private JWK rather than a
    # shared secret (presumably so other services verify with the public key).
    signed_jwt = create_jwt_from_token(token, DOTAdapter(), use_asymmetric_key=True)
    # header.payload and the signature are handed over separately -- presumably
    # so they can live in cookies with different flags; confirm in ``_set_jwt_cookies``.
    header_and_payload, signature = _parse_jwt(signed_jwt)
    _set_jwt_cookies(response, cookie_settings, header_and_payload, signature, token['refresh_token'])
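    def test_refresh_token_success(self):
        """
        A valid refresh token yields a new token pair and retires the old one.

        Checks, in order: the refreshed response carries the default
        ``token_type``/``expires_in``/``scope``; both the access and refresh
        token values changed; the old access token is gone from storage while
        the new one is stored for ``self.user``/``self.client``; and the old
        refresh token can no longer be replayed.
        """
        old_token = api.create_dot_access_token(HttpRequest(), self.user, self.client)
        new_token = api.refresh_dot_access_token(
            HttpRequest(), self.client.client_id, old_token['refresh_token'],
        )
        self.assertDictContainsSubset(
            {
                u'token_type': u'Bearer',
                u'expires_in': EXPECTED_DEFAULT_EXPIRES_IN,
                u'scope': u'default',
            },
            new_token,
        )

        # Rotation: neither half of the pair may be reused verbatim.
        self.assertNotEqual(old_token['access_token'], new_token['access_token'])
        self.assertNotEqual(old_token['refresh_token'], new_token['refresh_token'])

        # The old access token must be gone from storage, not merely superseded.
        with self.assertRaises(AccessToken.DoesNotExist):
            self._assert_stored_token(old_token['access_token'], self.user, self.client)
        self._assert_stored_token(new_token['access_token'], self.user, self.client)

        # Replaying the rotated-out refresh token must be refused; otherwise a
        # leaked refresh token stays usable after its holder has rotated it.
        with self.assertRaises(api.OAuth2Error) as raised:
            api.refresh_dot_access_token(HttpRequest(), self.client.client_id, old_token['refresh_token'])
        self.assertIn('invalid_grant', raised.exception.description)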
 def test_create_token_overrides(self):
     """
     ``expires_in`` and ``scopes`` overrides are reflected in the returned token dict.

     Requests a 4800-second lifetime and the ``profile`` scope only, then checks
     both values came back as ``expires_in`` and ``scope``.
     """
     custom_lifetime = 4800
     issued = api.create_dot_access_token(
         HttpRequest(), self.user, self.client, expires_in=custom_lifetime, scopes=['profile'],
     )
     expected_overrides = {u'scope': u'profile', u'expires_in': custom_lifetime}
     self.assertDictContainsSubset(expected_overrides, issued)
 def test_create_token_overrides(self):
     """
     ``scope=2`` yields the ``profile`` scope; the ``expires_in`` override is currently ignored.

     The token must come back with ``scope == 'profile'`` but with the *default*
     ``expires_in``. That the override is dropped is a known issue (ARCH-246)
     and is pinned here with ``assertRaises(AssertionError)`` so a fix shows up
     as a test change. Until it is fixed, callers asking for a shorter
     lifetime get the longer default instead.
     """
     requested_lifetime = 4800
     # ``scope=2`` is presumably a DOP-style scope bitmask; the first assertion
     # below is what ties it to 'profile' -- confirm against the scope definitions.
     issued = api.create_dot_access_token(self.request, self.user, self.client, expires_in=requested_lifetime, scope=2)
     self.assertDictContainsSubset({u'scope': u'profile'}, issued)
     # TODO (ARCH-246) expiration override does not actually work
     with self.assertRaises(AssertionError):
         self.assertDictContainsSubset({u'expires_in': requested_lifetime}, issued)
     self.assertDictContainsSubset({u'expires_in': EXPECTED_DEFAULT_EXPIRES_IN}, issued)
def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None, refresh_token=None):
    """
    Issue a JWT for the login OAuth client and store it in cookies on ``response``.

    Args:
        response: HttpResponse that receives the cookies.
        request: Current request, forwarded to the DOT token helpers.
        cookie_settings: Attributes for the cookies, passed unchanged to
            ``_set_jwt_cookies``. One of those cookies carries the refresh
            token -- a long-lived bearer credential -- so HttpOnly/Secure
            should be set by the caller; nothing here checks that.
        user: Owner of a newly created token. Used only when no
            ``refresh_token`` is given; with both absent ``None`` is passed on
            to ``create_dot_access_token`` without a guard.
        refresh_token: When truthy, refresh the existing grant instead of
            creating a new one (``user`` is then ignored).

    Returns:
        None. Does nothing at all while ``_are_jwt_cookies_disabled()`` is true.
    """
    if _are_jwt_cookies_disabled():
        return

    login_client = _get_login_oauth_client()
    # The JWT inside the cookie expires well before the cookie does; the
    # refresh token stored next to it is presumably what renews it.
    jwt_lifetime = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']

    if refresh_token:
        token = refresh_dot_access_token(
            request, login_client.client_id, refresh_token, expires_in=jwt_lifetime,
        )
    else:
        token = create_dot_access_token(
            request, user, login_client, expires_in=jwt_lifetime, scopes=['email', 'profile'],
        )

    # Asymmetric signing; the two halves are split so ``_set_jwt_cookies`` can
    # store header.payload and signature separately (presumably with different
    # cookie flags -- confirm there).
    header_and_payload, signature = _parse_jwt(
        create_jwt_from_token(token, DOTAdapter(), use_asymmetric_key=True)
    )
    _set_jwt_cookies(response, cookie_settings, header_and_payload, signature, token['refresh_token'])
 def test_create_token_overrides(self):
     """
     Both the ``expires_in`` override and a ``scope=2`` request are honoured.

     ``scope=2`` is expected to come back as the ``profile`` scope (presumably a
     DOP-style bitmask -- confirm against the scope definitions), and the
     4800-second lifetime must appear as ``expires_in``.
     """
     requested_lifetime = 4800
     issued = api.create_dot_access_token(
         HttpRequest(), self.user, self.client, expires_in=requested_lifetime, scope=2,
     )
     self.assertDictContainsSubset({u'scope': u'profile'}, issued)
     self.assertDictContainsSubset({u'expires_in': requested_lifetime}, issued)
 def test_refresh_token_invalid_client(self):
     """
     A genuine refresh token presented with an unknown ``client_id`` is rejected as ``invalid_client``.

     The refresh token was really issued to ``self.client``; only the client id
     in the refresh call is wrong. Note this covers an *unknown* client id, not
     a different but valid client trying to use another client's refresh token.
     """
     issued = api.create_dot_access_token(HttpRequest(), self.user, self.client)
     wrong_client_id = 'invalid_client_id'
     with self.assertRaises(api.OAuth2Error) as raised:
         api.refresh_dot_access_token(HttpRequest(), wrong_client_id, issued['refresh_token'])
     self.assertIn('invalid_client', raised.exception.description)
def _create_jwt(request, user, expires_in):
    """
    Build an asymmetrically signed JWT for ``user`` with the given ``expires_in``.

    A DOT access token is first created for the login OAuth client with the
    ``user_id``, ``email`` and ``profile`` scopes and then converted into a JWT.

    Args:
        request: Current request, forwarded to ``create_dot_access_token``.
        user: The user the token is issued to.
        expires_in: Lifetime handed to the DOT token. Whether the JWT's own
            expiry follows it is decided inside ``create_jwt_from_token``.

    Returns:
        The encoded JWT as returned by ``create_jwt_from_token``.
    """
    login_client = _get_login_oauth_client()
    # Per the original note: scopes used for JWT cookies do not require
    # additional permissions.
    cookie_scopes = ['user_id', 'email', 'profile']
    access_token = create_dot_access_token(
        request, user, login_client, expires_in=expires_in, scopes=cookie_scopes,
    )
    # use_asymmetric_key=True selects the private-key signer (presumably so
    # other services can verify with the public key alone).
    return create_jwt_from_token(access_token, DOTAdapter(), use_asymmetric_key=True)
def _create_jwt(request, user, expires_in):
    """
    Return a signed JWT for ``user`` backed by a freshly created DOT access token.

    Args:
        request: Current request, passed to ``create_dot_access_token``.
        user: Subject of the token.
        expires_in: Lifetime requested for the underlying DOT token.

    Returns:
        The JWT string produced by ``create_jwt_from_token`` using the
        asymmetric (private-key) signer.
    """
    # These scopes are granted for JWT cookies without any additional
    # permission check (original note).
    access_token = create_dot_access_token(
        request,
        user,
        _get_login_oauth_client(),
        expires_in=expires_in,
        scopes=['user_id', 'email', 'profile'],
    )
    signed_jwt = create_jwt_from_token(access_token, DOTAdapter(), use_asymmetric_key=True)
    return signed_jwt
def _create_and_set_jwt_cookies(response,
                                request,
                                cookie_settings,
                                user=None,
                                refresh_token=None):
    """
    Mint a JWT for the login OAuth client and set it as cookies on ``response``.

    Silently does nothing in two situations: the
    ``DISABLE_SET_JWT_COOKIES_FOR_TESTS`` feature is on, or no private signing
    JWK is configured (``JWT_AUTH['JWT_PRIVATE_SIGNING_JWK']`` is empty or the
    literal string ``"None"``).

    Args:
        response: HttpResponse the cookies are added to.
        request: Current request, forwarded to the DOT token helpers.
        cookie_settings: Cookie attributes passed through to
            ``_set_jwt_cookies``. The refresh token ends up in one of these
            cookies, so HttpOnly/Secure flags matter -- they are the caller's
            responsibility; nothing is enforced here.
        user: User a fresh token is created for. Only used when
            ``refresh_token`` is falsy; with both absent ``None`` is passed to
            ``create_dot_access_token`` unguarded.
        refresh_token: If truthy, the grant is refreshed instead of newly
            created and ``user`` is ignored.

    Returns:
        None.
    """
    # Most unit tests have no login OAuth client in the DB, so
    # ``_get_login_oauth_client`` raises; the feature flag sidesteps that.
    # Not ideal -- https://github.com/edx/edx-platform/pull/19180#issue-226706355
    # discusses the alternatives that were tried. If the flag were ever on
    # outside tests, JWT cookies would just stop being issued.
    if settings.FEATURES.get('DISABLE_SET_JWT_COOKIES_FOR_TESTS', False):
        return

    # Ironwood ships without JWK settings by default, so bail out rather than
    # fail on empty settings. Consequence: micro-frontends (none in Ironwood)
    # and OAuth scopes won't work unless the installation generates JWKs and
    # adds them. The ``"None"`` comparison catches a stringified null coming
    # from the settings files.
    signing_jwk = settings.JWT_AUTH['JWT_PRIVATE_SIGNING_JWK']
    if not signing_jwk or signing_jwk == "None":
        return

    # The JWT embedded in the cookie is deliberately shorter-lived than the
    # cookie; the refresh token stored beside it is presumably what renews it.
    jwt_lifetime = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']
    login_client = _get_login_oauth_client()

    if refresh_token:
        token = refresh_dot_access_token(
            request, login_client.client_id, refresh_token, expires_in=jwt_lifetime,
        )
    else:
        token = create_dot_access_token(
            request, user, login_client, expires_in=jwt_lifetime, scopes=['email', 'profile'],
        )

    # ``use_asymmetric_key=True``: signed with a private key (presumably the
    # JWK checked above) so holders of the public key can verify it.
    signed_jwt = create_jwt_from_token(token, DOTAdapter(), use_asymmetric_key=True)
    # header.payload and the signature are handed over separately -- presumably
    # so they can be stored in cookies with different flags; see ``_set_jwt_cookies``.
    header_and_payload, signature = _parse_jwt(signed_jwt)
    _set_jwt_cookies(response, cookie_settings, header_and_payload, signature, token['refresh_token'])
 def test_create_token_success(self):
     """
     Creating a token returns a usable Bearer pair with the default expiry and an empty scope.

     Both token strings must be non-empty, the response must carry the default
     ``token_type``/``expires_in``/``scope`` values, and the access token must
     be stored for ``self.user`` and ``self.client``.
     """
     issued = api.create_dot_access_token(HttpRequest(), self.user, self.client)
     for token_key in ('access_token', 'refresh_token'):
         self.assertTrue(issued[token_key])
     expected_defaults = {
         u'token_type': u'Bearer',
         u'expires_in': EXPECTED_DEFAULT_EXPIRES_IN,
         u'scope': u'',
     }
     self.assertDictContainsSubset(expected_defaults, issued)
     self._assert_stored_token(issued['access_token'], self.user, self.client)
 def test_create_token_success(self):
     """
     A freshly created token is a non-empty Bearer pair with the default expiry and ``default`` scope.

     The access token must also be stored against ``self.user``/``self.client``.
     """
     issued = api.create_dot_access_token(self.request, self.user, self.client)
     self.assertTrue(issued['access_token'])
     self.assertTrue(issued['refresh_token'])
     self.assertDictContainsSubset(
         {u'token_type': u'Bearer', u'expires_in': EXPECTED_DEFAULT_EXPIRES_IN, u'scope': u'default'},
         issued,
     )
     self._assert_stored_token(issued['access_token'], self.user, self.client)
 def test_create_token_success(self):
     """
     A new token is a non-empty Bearer pair with the default expiry and an empty scope.

     After the response checks, the access token must be found in storage for
     ``self.user`` and ``self.client``.
     """
     issued = api.create_dot_access_token(HttpRequest(), self.user, self.client)
     assert issued['access_token']
     assert issued['refresh_token']
     expected_defaults = {
         'token_type': 'Bearer',
         'expires_in': EXPECTED_DEFAULT_EXPIRES_IN,
         'scope': '',
     }
     self.assertDictContainsSubset(expected_defaults, issued)
     self._assert_stored_token(issued['access_token'], self.user, self.client)
def _create_and_set_jwt_cookies(response,
                                request,
                                cookie_settings,
                                user=None,
                                refresh_token=None):
    """
    Mint a JWT for the login OAuth client and write it into cookies on ``response``.

    Args:
        response: HttpResponse the cookies are set on.
        request: Current request, forwarded to the DOT token helpers.
        cookie_settings: Cookie attributes handed unchanged to
            ``_set_jwt_cookies``. One of those cookies carries the refresh
            token, a long-lived bearer credential, so HttpOnly/Secure are
            expected to be set by the caller; nothing here checks that.
        user: User a fresh token is created for. Only consulted when
            ``refresh_token`` is falsy; with both absent ``None`` reaches
            ``create_dot_access_token`` unguarded.
        refresh_token: If truthy, the existing grant is refreshed instead and
            ``user`` is ignored.

    Returns:
        None. Sets nothing when ``DISABLE_SET_JWT_COOKIES_FOR_TESTS`` is enabled.
    """
    # Most unit tests have no login OAuth client in the DB, so
    # ``_get_login_oauth_client`` raises; the feature flag sidesteps that.
    # Not ideal -- https://github.com/edx/edx-platform/pull/19180#issue-226706355
    # discusses the alternatives that were tried. If the flag were ever on
    # outside tests, JWT cookies would silently stop being issued.
    if settings.FEATURES.get('DISABLE_SET_JWT_COOKIES_FOR_TESTS', False):
        return

    login_client = _get_login_oauth_client()
    # The JWT inside the cookie is deliberately shorter-lived than the cookie;
    # the refresh token stored beside it is presumably what renews it.
    jwt_lifetime = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']

    if refresh_token:
        token = refresh_dot_access_token(
            request, login_client.client_id, refresh_token, expires_in=jwt_lifetime,
        )
    else:
        # Per the original note: scopes used for JWT cookies do not require
        # additional permissions.
        token = create_dot_access_token(
            request, user, login_client, expires_in=jwt_lifetime, scopes=['user_id', 'email', 'profile'],
        )

    # Asymmetric (private-key) signing; header.payload and signature are split
    # so ``_set_jwt_cookies`` can store them separately -- presumably with
    # different cookie flags; confirm there.
    header_and_payload, signature = _parse_jwt(
        create_jwt_from_token(token, DOTAdapter(), use_asymmetric_key=True)
    )
    _set_jwt_cookies(response, cookie_settings, header_and_payload, signature, token['refresh_token'])
def _create_and_set_jwt_cookies(response, request, user=None, refresh_token=None):
    """
    Mint a JWT for the login OAuth client and store it in cookies on ``response``.

    Gated on ``JWT_COOKIES_FLAG``; while it is off nothing is set. Cookie
    attributes come from ``standard_cookie_settings(request)`` so the JWT
    cookies expire together with the other login cookies.

    Args:
        response: HttpResponse the cookies are added to.
        request: Current request; used for the cookie settings and forwarded
            to the DOT token helpers.
        user: User a fresh token is created for. Only consulted when
            ``refresh_token`` is falsy; with both absent ``None`` reaches
            ``create_dot_access_token`` unguarded.
        refresh_token: If truthy, the existing grant is refreshed instead and
            ``user`` is ignored.

    Returns:
        None.
    """
    if not JWT_COOKIES_FLAG.is_enabled():
        return

    # Same lifetime as the other login cookies, so cookie-based "is the user
    # logged in" checks stay consistent. These settings also govern the cookie
    # that carries the refresh token -- presumably HttpOnly/Secure are set in
    # ``standard_cookie_settings``; worth confirming.
    cookie_settings = standard_cookie_settings(request)

    # The JWT inside the cookie expires much sooner than the cookie itself.
    jwt_lifetime = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']
    login_client = _get_login_oauth_client()

    if refresh_token:
        token = refresh_dot_access_token(
            request, login_client.client_id, refresh_token, expires_in=jwt_lifetime,
        )
    else:
        # No explicit scopes: whatever ``create_dot_access_token`` defaults to.
        token = create_dot_access_token(request, user, login_client, expires_in=jwt_lifetime)

    # Asymmetric signing; the JWT is split into header.payload and signature
    # for ``_set_jwt_cookies`` (presumably stored with different cookie flags).
    header_and_payload, signature = _parse_jwt(
        create_jwt_from_token(token, DOTAdapter(), use_asymmetric_key=True)
    )
    _set_jwt_cookies(response, cookie_settings, header_and_payload, signature, token['refresh_token'])
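    def test_refresh_token_success(self):
        """
        A valid refresh token yields a new token pair and retires the old one.

        Checks, in order: the refreshed response carries the default
        ``token_type``/``expires_in``/``scope``; both the access and refresh
        token values changed; the old access token is gone from storage while
        the new one is stored for ``self.user``/``self.client``; and the old
        refresh token can no longer be replayed.
        """
        old_token = api.create_dot_access_token(HttpRequest(), self.user, self.client)
        new_token = api.refresh_dot_access_token(HttpRequest(), self.client.client_id, old_token['refresh_token'])
        self.assertDictContainsSubset(
            {
                u'token_type': u'Bearer',
                u'expires_in': EXPECTED_DEFAULT_EXPIRES_IN,
                u'scope': u'',
            },
            new_token,
        )

        # Rotation: neither half of the pair may be reused verbatim.
        self.assertNotEqual(old_token['access_token'], new_token['access_token'])
        self.assertNotEqual(old_token['refresh_token'], new_token['refresh_token'])

        # The old access token must be gone from storage, not merely superseded.
        with self.assertRaises(AccessToken.DoesNotExist):
            self._assert_stored_token(old_token['access_token'], self.user, self.client)
        self._assert_stored_token(new_token['access_token'], self.user, self.client)

        # Replaying the rotated-out refresh token must be refused; otherwise a
        # leaked refresh token stays usable after its holder has rotated it.
        with self.assertRaises(api.OAuth2Error) as raised:
            api.refresh_dot_access_token(HttpRequest(), self.client.client_id, old_token['refresh_token'])
        self.assertIn('invalid_grant', raised.exception.description)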
def _create_and_set_jwt_cookies(response, request, user=None, refresh_token=None):
    """
    Mint a JWT for the login OAuth client and store it in cookies on ``response``.

    Gated on ``JWT_COOKIES_FLAG``; while it is off nothing is set. The token's
    ``expires_in`` is taken from the cookie ``max_age``, i.e. the JWT lives as
    long as the cookie that carries it.

    Args:
        response: HttpResponse the cookies are added to.
        request: Current request; used for the cookie settings and forwarded
            to the DOT token helpers.
        user: User a fresh token is created for. Only consulted when
            ``refresh_token`` is falsy; with both absent ``None`` reaches
            ``create_dot_access_token`` unguarded.
        refresh_token: If truthy, the existing grant is refreshed instead and
            ``user`` is ignored.

    Returns:
        None.
    """
    if not JWT_COOKIES_FLAG.is_enabled():
        return

    # TODO (ARCH-246) Need to fix configuration of token expiration settings.
    # NOTE(review): tying the JWT lifetime to the cookie max_age means a
    # leaked cookie value stays valid for the whole cookie lifetime; a JWT
    # that expires sooner than its cookie would narrow that window.
    cookie_settings = standard_cookie_settings(request)
    # Presumably adjusts 'max_age' in place -- the return value is not used
    # and the key is read straight after.
    _set_jwt_expiration(cookie_settings)
    jwt_lifetime = cookie_settings['max_age']

    login_client = _get_login_oauth_client()
    if refresh_token:
        token = refresh_dot_access_token(
            request, login_client.client_id, refresh_token, expires_in=jwt_lifetime,
        )
    else:
        # No explicit scopes: whatever ``create_dot_access_token`` defaults to.
        token = create_dot_access_token(request, user, login_client, expires_in=jwt_lifetime)

    # Asymmetric signing; header.payload and signature are stored separately
    # by ``_set_jwt_cookies`` (presumably with different cookie flags).
    header_and_payload, signature = _parse_jwt(
        create_jwt_from_token(token, DOTAdapter(), use_asymmetric_key=True)
    )
    _set_jwt_cookies(response, cookie_settings, header_and_payload, signature, token['refresh_token'])
 def create_access_token(self, request, user, scope, client):
     """
     Create a DOT access token for ``user`` on ``client`` from a DOP-style ``scope``.

     ``scope`` is translated with ``dop_scope.to_names`` (presumably a DOP
     scope bitmask -> list of scope names) before being handed to
     ``create_dot_access_token``; that helper's token dict is returned as-is.
     """
     scope_names = dop_scope.to_names(scope)
     return create_dot_access_token(request, user, client, scopes=scope_names)
 def test_create_token_another_user(self):
     """
     A token created for a different user is stored against that user.

     ``_assert_stored_token`` is checked with the other user, not ``self.user``,
     so the token/user binding is what this test pins.
     """
     other_user = UserFactory()
     issued = api.create_dot_access_token(HttpRequest(), other_user, self.client)
     self._assert_stored_token(issued['access_token'], other_user, self.client)
 def create_access_token(self, request, user, scope, client):
     """
     Return a new DOT access token for ``user`` on ``client``.

     The DOP-style ``scope`` value is converted to scope names via
     ``dop_scope.to_names`` (presumably a bitmask; confirm in ``dop_scope``)
     and passed as ``scopes`` to ``create_dot_access_token``.
     """
     return create_dot_access_token(
         request, user, client, scopes=dop_scope.to_names(scope),
     )
 def create_access_token(self, request, user, scopes, client):
     """
     Return a new DOT access token for ``user`` on ``client`` with the given ``scopes``.

     Thin pass-through to ``create_dot_access_token``; ``scopes`` is forwarded
     unchanged (no translation or validation happens here).
     """
     token = create_dot_access_token(request, user, client, scopes=scopes)
     return token
 def test_create_token_another_user(self):
     """
     A token issued to a different user is stored for that user (checked via ``_assert_stored_token``).
     """
     other_user = UserFactory()
     issued = api.create_dot_access_token(HttpRequest(), other_user, self.client)
     self._assert_stored_token(issued['access_token'], other_user, self.client)