def test_improperly_scoped_token_can_not_create_or_email( self, mock_auth, mock_mail, app, user, email_unconfirmed, data, url_base): token = ApiOAuth2PersonalToken( owner=user, name='Unauthorized Token', ) token.save() scope = ApiOAuth2ScopeFactory() scope.name = 'unauthorized scope' scope.save() token.scopes.add(scope) mock_cas_resp = CasResponse(authenticated=True, user=user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s.name for s in token.scopes.all()] }) mock_auth.return_value = user, mock_cas_resp assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0 res = app.post_json_api( '{}?send_email=true'.format(url_base), data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}, expect_errors=True) assert res.status_code == 403 assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0 assert mock_mail.call_count == 0
def test_admin_scoped_token_can_create_and_send_email( self, mock_auth, mock_mail, app, user, email_unconfirmed, data, url_base): token = ApiOAuth2PersonalToken( owner=user, name='Admin Token', ) scope = ApiOAuth2ScopeFactory() scope.name = 'osf.admin' scope.save() token.scopes.add(scope) mock_cas_resp = CasResponse(authenticated=True, user=user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s.name for s in token.scopes.all()] }) mock_auth.return_value = user, mock_cas_resp assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0 res = app.post_json_api( '{}?send_email=true'.format(url_base), data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert res.status_code == 201 assert res.json['data']['attributes']['username'] == email_unconfirmed assert OSFUser.objects.filter(username=email_unconfirmed).count() == 1 assert mock_mail.call_count == 1
def test_properly_scoped_token_can_create_without_username_but_not_send_email( self, mock_auth, mock_mail, app, user, data, url_base): token = ApiOAuth2PersonalToken(owner=user, name='Authorized Token', scopes='osf.users.create') mock_cas_resp = CasResponse(authenticated=True, user=user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s for s in token.scopes.split(' ')] }) mock_auth.return_value = user, mock_cas_resp data['data']['attributes'] = {'full_name': 'No Email'} assert OSFUser.objects.filter(fullname='No Email').count() == 0 res = app.post_json_api( '{}?send_email=true'.format(url_base), data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert res.status_code == 201 username = res.json['data']['attributes']['username'] try: UUID(username) except ValueError: raise AssertionError('Username is not a valid UUID') assert OSFUser.objects.filter(fullname='No Email').count() == 1 assert mock_mail.call_count == 0
def test_non_admin_scoped_token_does_not_have_admin(self, mock_auth): token = ApiOAuth2PersonalToken( owner=self.user, name='Admin Token', scopes=' '.join([key for key in public_scopes if key != 'osf.admin']) ) mock_cas_resp = CasResponse( authenticated=True, user=self.user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s for s in token.scopes.split(' ')] } ) mock_auth.return_value = self.user, mock_cas_resp res = self.app.get( self.url, headers={ 'Authorization': 'Bearer {}'.format(token.token_id) } ) assert_equal(res.status_code, 200) assert_not_in('admin', res.json['meta'].keys())
def test_admin_scoped_token_has_admin(self, mock_auth): token = ApiOAuth2PersonalToken( owner=self.user, name='Admin Token', ) token.save() scope = ApiOAuth2ScopeFactory() scope.name = 'osf.admin' scope.save() token.scopes.add(scope) mock_cas_resp = CasResponse(authenticated=True, user=self.user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s.name for s in token.scopes.all()] }) mock_auth.return_value = self.user, mock_cas_resp res = self.app.get( self.url, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert_equal(res.status_code, 200) assert_equal(res.json['meta'][ADMIN], True)
def test_properly_scoped_token_does_not_send_email_without_kwarg( self, mock_auth, mock_mail, app, user, email_unconfirmed, data, url_base): token = ApiOAuth2PersonalToken(owner=user, name='Authorized Token', scopes='osf.users.create') mock_cas_resp = CasResponse(authenticated=True, user=user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s for s in token.scopes.split(' ')] }) mock_auth.return_value = user, mock_cas_resp assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0 res = app.post_json_api( url_base, data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert res.status_code == 201 assert res.json['data']['attributes']['username'] == email_unconfirmed assert OSFUser.objects.filter(username=email_unconfirmed).count() == 1 assert mock_mail.call_count == 0
def create(self, validated_data): validate_requested_scopes(validated_data) instance = ApiOAuth2PersonalToken(**validated_data) try: instance.save() except ValidationError as e: detail = format_validation_error(e) raise exceptions.ValidationError(detail=detail) return instance
def create(self, validated_data): scopes = validate_requested_scopes(validated_data.pop('scopes', None)) if not scopes: raise exceptions.ValidationError( 'Cannot create a token without scopes.') instance = ApiOAuth2PersonalToken(**validated_data) try: instance.save() except ValidationError as e: detail = format_validation_error(e) raise exceptions.ValidationError(detail=detail) for scope in scopes: instance.scopes.add(scope) return instance
def personal_access_token_detail(auth, **kwargs): """Show detail for a single personal access token""" _id = kwargs.get('_id') # The ID must be an active and existing record, and the logged-in user must have permission to view it. try: record = ApiOAuth2PersonalToken.find_one(Q('_id', 'eq', _id)) except NoResultsFound: raise HTTPError(http.NOT_FOUND) if record.owner != auth.user: raise HTTPError(http.FORBIDDEN) if record.is_active is False: raise HTTPError(http.GONE) token_detail_url = api_v2_url('tokens/{}/'.format(_id)) # Send request to this URL return {'token_list_url': '', 'token_detail_url': token_detail_url, 'scope_options': get_available_scopes()}
def personal_access_token_detail(auth, **kwargs): """Show detail for a single personal access token""" _id = kwargs.get('_id') # The ID must be an active and existing record, and the logged-in user must have permission to view it. try: record = ApiOAuth2PersonalToken.find_one(Q('_id', 'eq', _id)) except NoResultsFound: raise HTTPError(http.NOT_FOUND) if record.owner != auth.user: raise HTTPError(http.FORBIDDEN) if record.is_active is False: raise HTTPError(http.GONE) token_detail_url = api_v2_url( 'tokens/{}/'.format(_id)) # Send request to this URL return { 'token_list_url': '', 'token_detail_url': token_detail_url, 'scope_options': get_available_scopes() }
def get_queryset(self): query = self.get_query_from_request() return ApiOAuth2PersonalToken.find(query)
def create(self, validated_data): validate_requested_scopes(validated_data) instance = ApiOAuth2PersonalToken(**validated_data) instance.save() return instance