def test_get_scopes(self):
token = ApiToken(scopes=1)
assert token.get_scopes() == ['project:read']
token = ApiToken(scopes=4, scope_list=['project:read'])
assert token.get_scopes() == ['project:read']
token = ApiToken(scope_list=['project:read'])
assert token.get_scopes() == ['project:read']
def test_is_expired(self):
token = ApiToken(expires_at=None)
assert not token.is_expired()
token = ApiToken(expires_at=timezone.now() + timedelta(days=1))
assert not token.is_expired()
token = ApiToken(expires_at=timezone.now() - timedelta(days=1))
assert token.is_expired()
def test_by_api_token(self):
token = ApiToken()
for n in range(100):
assert not ratelimits.for_organization_member_invite(
Organization(id=randint(0, 100000)),
"{}@example.com".format(randint(0, 1000000)),
auth=token,
)
assert ratelimits.for_organization_member_invite(
Organization(id=1), "*****@*****.**")
def test_by_api_token(self):
token = ApiToken(id=1)
for n in range(5):
assert not ratelimits.for_organization_member_invite(
Organization(id=randint(0, 100000)),
f"{randint(0, 1000000)}@example.com",
auth=token,
config=RELAXED_CONFIG,
)
assert ratelimits.for_organization_member_invite(
Organization(id=1),
"*****@*****.**",
auth=token,
config=RELAXED_CONFIG)
def approve(self, request, application, **params):
try:
with transaction.atomic():
ApiAuthorization.objects.create(
application=application,
user=request.user,
scopes=(
reduce(or_, (
getattr(ApiAuthorization.scopes, k)
for k in params['scopes']
))
if params['scopes']
else 0
),
)
except IntegrityError:
if params['scopes']:
auth_scopes = F('scopes')
for s in params['scopes']:
auth_scopes = auth_scopes.bitor(
getattr(ApiAuthorization.scopes, s)
)
ApiAuthorization.objects.filter(
application=application,
user=request.user,
).update(
scopes=auth_scopes,
)
if params['response_type'] == 'code':
grant = ApiGrant(
user=request.user,
application=application,
redirect_uri=params['redirect_uri'],
)
if params['scopes']:
for s in params['scopes']:
setattr(grant.scopes, s, True)
grant.save()
return self.redirect_response(
params['response_type'],
params['redirect_uri'],
{
'code': grant.code,
'state': params['state'],
},
)
elif params['response_type'] == 'token':
token = ApiToken(
application=application,
user=request.user,
refresh_token=None,
)
for s in params['scopes']:
setattr(token.scopes, s, True)
token.save()
return self.redirect_response(
params['response_type'],
params['redirect_uri'],
{
'access_token': token.token,
'expires_in': (timezone.now() - token.expires_at).total_seconds(),
'expires_at': token.expires_at.strftime('%Y-%m-%dT%H:%M:%S.%fZ'),
'token_type': 'bearer',
'scope': ' '.join(k for k, v in token.scopes.iteritems() if v), # NOQA
'state': params['state'],
},
)
def post(self, request):
grant_type = request.POST.get("grant_type")
if grant_type == "authorization_code":
client_id = request.POST.get("client_id")
redirect_uri = request.POST.get("redirect_uri")
code = request.POST.get("code")
if not client_id:
return self.error(request, "invalid_client",
"missing client_id")
try:
application = ApiApplication.objects.get(
client_id=client_id, status=ApiApplicationStatus.active)
except ApiApplication.DoesNotExist:
return self.error(request, "invalid_client",
"invalid client_id")
try:
grant = ApiGrant.objects.get(application=application,
code=code)
except ApiGrant.DoesNotExist:
return self.error(request, "invalid_grant", "invalid grant")
if grant.is_expired():
return self.error(request, "invalid_grant", "grant expired")
if not redirect_uri:
redirect_uri = application.get_default_redirect_uri()
elif grant.redirect_uri != redirect_uri:
return self.error(request, "invalid_grant",
"invalid redirect_uri")
token = ApiToken.from_grant(grant)
elif grant_type == "refresh_token":
refresh_token = request.POST.get("refresh_token")
scope = request.POST.get("scope")
client_id = request.POST.get("client_id")
if not refresh_token:
return self.error(request, "invalid_request")
# TODO(dcramer): support scope
if scope:
return self.error(request, "invalid_request")
if not client_id:
return self.error(request, "invalid_client",
"missing client_id")
try:
application = ApiApplication.objects.get(
client_id=client_id, status=ApiApplicationStatus.active)
except ApiApplication.DoesNotExist:
return self.error(request, "invalid_client",
"invalid client_id")
try:
token = ApiToken.objects.get(application=application,
refresh_token=refresh_token)
except ApiToken.DoesNotExist:
return self.error(request, "invalid_grant", "invalid token")
token.refresh()
else:
return self.error(request, "unsupported_grant_type")
return HttpResponse(
json.dumps({
"access_token":
token.token,
"refresh_token":
token.refresh_token,
"expires_in":
int((token.expires_at - timezone.now()).total_seconds())
if token.expires_at else None,
"expires_at":
token.expires_at,
"token_type":
"bearer",
"scope":
" ".join(token.get_scopes()), # NOQA
"user": {
"id": six.text_type(token.user.id),
# we might need these to become scope based
"name": token.user.name,
"email": token.user.email,
},
}),
content_type="application/json",
)
def post(self, request):
grant_type = request.POST.get('grant_type')
if grant_type == 'authorization_code':
client_id = request.POST.get('client_id')
client_secret = request.POST.get('client_secret')
redirect_uri = request.POST.get('redirect_uri')
code = request.POST.get('code')
if not client_id:
return self.error('invalid_client')
if not client_secret:
return self.error('invalid_client')
try:
application = ApiApplication.objects.get(
client_id=client_id,
status=ApiApplicationStatus.active,
)
except ApiApplication.DoesNotExist:
return self.error('invalid_client')
if not constant_time_compare(client_secret, application.client_secret):
return self.error('invalid_client')
try:
grant = ApiGrant.objects.get(application=application, code=code)
except ApiGrant.DoesNotExist:
return self.error('invalid_grant')
if grant.is_expired():
return self.error('invalid_grant')
if not redirect_uri:
redirect_uri = application.get_default_redirect_uri()
elif grant.redirect_uri != redirect_uri:
return self.error('invalid_grant')
token = ApiToken.from_grant(grant)
elif grant_type == 'refresh_token':
refresh_token = request.POST.get('refresh_token')
scope = request.POST.get('scope')
client_id = request.POST.get('client_id')
client_secret = request.POST.get('client_secret')
if not refresh_token:
return self.error('invalid_request')
# TODO(dcramer): support scope
if scope:
return self.error('invalid_request')
if not client_id:
return self.error('invalid_client')
if not client_secret:
return self.error('invalid_client')
try:
application = ApiApplication.objects.get(
client_id=client_id,
status=ApiApplicationStatus.active,
)
except ApiApplication.DoesNotExist:
return self.error('invalid_client')
if not constant_time_compare(client_secret, application.client_secret):
return self.error('invalid_client')
try:
token = ApiToken.objects.get(
application=application,
refresh_token=refresh_token,
)
except ApiToken.DoesNotExist:
return self.error('invalid_grant')
token.refresh()
else:
return self.error('unsupported_grant_type')
return HttpResponse(
json.dumps(
{
'access_token': token.token,
'refresh_token': token.refresh_token,
'expires_in': (timezone.now() - token.expires_at).total_seconds(),
'expires_at': token.expires_at,
'token_type': 'bearer',
'scope': ' '.join(token.get_scopes()), # NOQA
'user': {
'id': six.text_type(token.user.id),
# we might need these to become scope based
'name': token.user.name,
'email': token.user.email,
},
}
),
content_type='application/json'
)
def post(self, request):
grant_type = request.POST.get('grant_type')
if grant_type == 'authorization_code':
client_id = request.POST.get('client_id')
client_secret = request.POST.get('client_secret')
redirect_uri = request.POST.get('redirect_uri')
code = request.POST.get('code')
if not client_id:
return self.error('invalid_client')
if not client_secret:
return self.error('invalid_client')
try:
application = ApiApplication.objects.get(
client_id=client_id,
status=ApiApplicationStatus.active,
)
except ApiApplication.DoesNotExist:
return self.error('invalid_client')
if not constant_time_compare(client_secret, application.client_secret):
return self.error('invalid_client')
try:
grant = ApiGrant.objects.get(application=application, code=code)
except ApiGrant.DoesNotExist:
return self.error('invalid_grant')
if grant.is_expired():
return self.error('invalid_grant')
if not redirect_uri:
redirect_uri = application.get_default_redirect_uri()
elif grant.redirect_uri != redirect_uri:
return self.error('invalid_grant')
token = ApiToken.from_grant(grant)
elif grant_type == 'refresh_token':
refresh_token = request.POST.get('refresh_token')
scope = request.POST.get('scope')
client_id = request.POST.get('client_id')
client_secret = request.POST.get('client_secret')
if not refresh_token:
return self.error('invalid_request')
# TODO(dcramer): support scope
if scope:
return self.error('invalid_request')
if not client_id:
return self.error('invalid_client')
if not client_secret:
return self.error('invalid_client')
try:
application = ApiApplication.objects.get(
client_id=client_id,
status=ApiApplicationStatus.active,
)
except ApiApplication.DoesNotExist:
return self.error('invalid_client')
if not constant_time_compare(client_secret, application.client_secret):
return self.error('invalid_client')
try:
token = ApiToken.objects.get(
application=application,
refresh_token=refresh_token,
)
except ApiToken.DoesNotExist:
return self.error('invalid_grant')
token.refresh()
else:
return self.error('unsupported_grant_type')
return HttpResponse(json.dumps({
'access_token': token.token,
'refresh_token': token.refresh_token,
'expires_in': (timezone.now() - token.expires_at).total_seconds(),
'expires_at': token.expires_at,
'token_type': 'bearer',
'scope': ' '.join(token.get_scopes()), # NOQA
'user': {
'id': six.text_type(token.user.id),
# we might need these to become scope based
'name': token.user.name,
'email': token.user.email,
},
}), content_type='application/json')