    def test_csrf_token_generation(self):
        """Two freshly generated CSRF state tokens differ and carry a recent timestamp.

        The token is url-safe base64 of ``<random part><DELIMITER><unix timestamp>``.
        The random part is only required to be longer than 10 characters so a
        future length change does not break this test.
        """
        handler = SimpleAuthHandler()
        first = handler._generate_csrf_token()
        second = handler._generate_csrf_token()
        # Each call must yield a distinct token.
        self.assertNotEqual(first, second)

        raw = base64.urlsafe_b64decode(first)
        random_part, stamp = raw.rsplit(handler.OAUTH2_CSRF_DELIMITER, 1)
        self.assertGreater(len(random_part), 10)
        # The embedded timestamp is taken at generation time, so it cannot lag
        # the current clock by more than a second in this test.
        self.assertLessEqual(long(time.time()) - long(stamp), 1)
  def test_csrf_token_generation(self):
    """Two freshly generated CSRF state tokens differ and carry a recent timestamp.

    The token is url-safe base64 of ``<random part><DELIMITER><unix timestamp>``.
    The random part is only required to be longer than 10 characters so a
    future length change does not break this test.
    """
    handler = SimpleAuthHandler()
    first = handler._generate_csrf_token()
    second = handler._generate_csrf_token()
    # Each call must yield a distinct token.
    self.assertNotEqual(first, second)

    raw = base64.urlsafe_b64decode(first)
    random_part, stamp = raw.rsplit(handler.OAUTH2_CSRF_DELIMITER, 1)
    self.assertGreater(len(random_part), 10)
    # The embedded timestamp is taken at generation time, so it cannot lag
    # the current clock by more than a second in this test.
    self.assertLessEqual(long(time.time()) - long(stamp), 1)
    def test_csrf_oauth2_tokens_dont_match(self):
        """The OAuth2 callback rejects a ``state`` that differs from the session's CSRF token.

        The session holds one freshly generated token while the callback is
        hit with another; the handler must fail the request (HTTP 500 here,
        reporting ``InvalidCSRFTokenError``) instead of completing the login.
        """
        self.expectErrors()

        session_token = SimpleAuthHandler()._generate_csrf_token()
        state_token = SimpleAuthHandler()._generate_csrf_token()

        DummyAuthHandler.OAUTH2_CSRF_STATE = True
        DummyAuthHandler.SESSION_MOCK = {
            DummyAuthHandler.OAUTH2_CSRF_SESSION_PARAM: session_token,
        }

        callback_url = ('/auth/dummy_oauth2/callback?'
                        'code=auth-code&state=%s' % state_token)
        resp = self.app.get_response(callback_url)

        self.assertEqual(resp.status_int, 500)
        self.assertRegexpMatches(resp.body, 'InvalidCSRFTokenError')
    def test_csrf_oauth2_callback_success(self):
        """A callback whose ``state`` matches the session's CSRF token completes the login.

        Checks the redirect to the post-login page and that the CSRF token is
        consumed by the authorization step: it is no longer present in the
        session afterwards.
        """
        # A freshly generated token is needed so its embedded timestamp is valid.
        csrf_token = SimpleAuthHandler()._generate_csrf_token()
        DummyAuthHandler.OAUTH2_CSRF_STATE = True
        DummyAuthHandler.SESSION_MOCK = {
            DummyAuthHandler.OAUTH2_CSRF_SESSION_PARAM: csrf_token,
        }

        # Canned provider response for the code-for-token exchange.
        token_payload = {
            "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
            "expires_in": 3600,
            "token_type": "Bearer",
        }
        self.set_urlfetch_response('https://dummy/oauth2_token',
                                   content=json.dumps(token_payload))

        callback_url = ('/auth/dummy_oauth2/callback?'
                        'code=auth-code&state=%s' % csrf_token)
        resp = self.app.get_response(callback_url)

        self.assertEqual(resp.status_int, 302)
        self.assertEqual(resp.headers['Location'],
                         'http://localhost/logged_in?provider=dummy_oauth2')

        # The token must have been removed from the session during authorization.
        session = json.loads(resp.headers['SessionMock'])
        self.assertNotIn(DummyAuthHandler.OAUTH2_CSRF_SESSION_PARAM, session)
    def test_csrf_oauth2_tokens_dont_match(self):
        """The OAuth2 callback rejects a JSON ``state`` whose CSRF token differs from the session's.

        The session holds one freshly generated token while the ``state``
        parameter carries another; the handler must fail the request (HTTP
        500 here, reporting ``InvalidCSRFTokenError``) instead of completing
        the login.
        """
        self.expectErrors()

        session_token = SimpleAuthHandler()._generate_csrf_token()
        state_token = SimpleAuthHandler()._generate_csrf_token()

        DummyAuthHandler.OAUTH2_CSRF_STATE = True
        DummyAuthHandler.SESSION_MOCK = {
            DummyAuthHandler.OAUTH2_CSRF_SESSION_PARAM: session_token,
        }

        # The state parameter is a JSON object carrying the CSRF token.
        state_json = json.dumps(
            {DummyAuthHandler.OAUTH2_CSRF_STATE_PARAM: state_token})
        callback_url = '/auth/dummy_oauth2/callback?' + urlencode(
            {'code': 'auth-code', 'state': state_json})
        resp = self.app.get_response(callback_url)

        self.assertEqual(resp.status_int, 500)
        self.assertRegexpMatches(resp.body, 'InvalidCSRFTokenError')
  def test_csrf_validation(self):
    """``_validate_csrf_token`` accepts only a fresh token that equals its counterpart.

    Everything else must be rejected: a different token, empty values,
    non-base64 input, a payload without a timestamp or without a random
    part, and a token whose timestamp is older than
    ``OAUTH2_CSRF_TOKEN_TIMEOUT``.
    """
    self.expectErrors()
    handler = SimpleAuthHandler()

    token = handler._generate_csrf_token()
    other = handler._generate_csrf_token()
    self.assertTrue(handler._validate_csrf_token(token, token))
    # Any disagreement or degenerate input fails closed.
    rejected_pairs = [
        (token, other),
        ('', token),
        (token, ''),
        ('', ''),
        ('invalid b64', 'invalid b64'),
    ]
    for left, right in rejected_pairs:
      self.assertFalse(handler._validate_csrf_token(left, right))

    # Payload without a timestamp component (no delimiter, or nothing after it).
    no_stamp = base64.urlsafe_b64encode('random')
    self.assertFalse(handler._validate_csrf_token(no_stamp, no_stamp))
    no_stamp = base64.urlsafe_b64encode('random%s' % handler.OAUTH2_CSRF_DELIMITER)
    self.assertFalse(handler._validate_csrf_token(no_stamp, no_stamp))

    # Payload with a timestamp but an empty random part.
    stamp_only = base64.urlsafe_b64encode(
        '%s%d' % (handler.OAUTH2_CSRF_DELIMITER, long(time.time())))
    self.assertFalse(handler._validate_csrf_token(stamp_only, stamp_only))

    # A token stamped OAUTH2_CSRF_TOKEN_TIMEOUT + 1 seconds ago has expired.
    stale_time = long(time.time()) - handler.OAUTH2_CSRF_TOKEN_TIMEOUT - 1
    stale = handler._generate_csrf_token(_time=stale_time)
    self.assertFalse(handler._validate_csrf_token(stale, stale))
    def test_csrf_validation(self):
        """``_validate_csrf_token`` accepts only a fresh token that equals its counterpart.

        Everything else must be rejected: a different token, empty values,
        non-base64 input, a payload without a timestamp or without a random
        part, and a token whose timestamp is older than
        ``OAUTH2_CSRF_TOKEN_TIMEOUT``.
        """
        self.expectErrors()
        handler = SimpleAuthHandler()

        token = handler._generate_csrf_token()
        other = handler._generate_csrf_token()
        self.assertTrue(handler._validate_csrf_token(token, token))
        # Any disagreement or degenerate input fails closed.
        rejected_pairs = [
            (token, other),
            ('', token),
            (token, ''),
            ('', ''),
            ('invalid b64', 'invalid b64'),
        ]
        for left, right in rejected_pairs:
            self.assertFalse(handler._validate_csrf_token(left, right))

        # Payload without a timestamp component (no delimiter, or nothing after it).
        no_stamp = base64.urlsafe_b64encode('random')
        self.assertFalse(handler._validate_csrf_token(no_stamp, no_stamp))
        no_stamp = base64.urlsafe_b64encode('random%s' % handler.OAUTH2_CSRF_DELIMITER)
        self.assertFalse(handler._validate_csrf_token(no_stamp, no_stamp))

        # Payload with a timestamp but an empty random part.
        stamp_only = base64.urlsafe_b64encode(
            '%s%d' % (handler.OAUTH2_CSRF_DELIMITER, long(time.time())))
        self.assertFalse(handler._validate_csrf_token(stamp_only, stamp_only))

        # A token stamped OAUTH2_CSRF_TOKEN_TIMEOUT + 1 seconds ago has expired.
        stale_time = long(time.time()) - handler.OAUTH2_CSRF_TOKEN_TIMEOUT - 1
        stale = handler._generate_csrf_token(_time=stale_time)
        self.assertFalse(handler._validate_csrf_token(stale, stale))
 def _simple_auth(self, *args, **kwargs):
   """Run the parent auth flow, or short-circuit it for an already logged-in user.

   When the user is not logged in, the sanitized ``return_to`` destination
   is stashed in the session for the callback and the parent handler's
   flow is delegated to. A logged-in user is instead redirected straight to
   that destination, falling back to ``DEFAULT_REDIRECT`` when none is
   available, and ``None`` is returned.
   """
   if not self.logged_in:
     self.session["return_to"] = self.safe_return_to()
     return SimpleAuthHandler._simple_auth(self, *args, **kwargs)
   # NOTE(review): safe_return_to() presumably restricts the redirect target
   # to an allowed destination (open-redirect guard) — confirm in its definition.
   self.redirect(self.safe_return_to() or DEFAULT_REDIRECT)