def assert_access_token_response(self, r, expected): self.assertEqual(r.status_code, 200) try: data = json.loads(r.content) except: self.fail("Unexpected response content") self.assertTrue('access_token' in data) access_token = data['access_token'] self.assertTrue('token_type' in data) token_type = data['token_type'] self.assertTrue('expires_in' in data) expires_in = data['expires_in'] try: token = Token.objects.get(code=access_token) self.assertEqual(token.expires_at, token.created_at + datetime.timedelta(seconds=expires_in)) self.assertEqual(token.token_type, token_type) self.assertEqual(token.grant_type, 'authorization_code') #self.assertEqual(token.user, expected.get('user')) self.assertEqual(normalize(uenc(token.redirect_uri)), normalize(uenc(expected.get('redirect_uri')))) self.assertEqual(normalize(uenc(token.scope)), normalize(uenc(expected.get('scope')))) self.assertEqual(token.state, expected.get('state')) except Token.DoesNotExist: self.fail("Invalid access_token")
def assert_access_token_response(self, r, expected): self.assertEqual(r.status_code, 200) try: data = json.loads(r.content) except: self.fail("Unexpected response content") self.assertTrue('access_token' in data) access_token = data['access_token'] self.assertTrue('token_type' in data) token_type = data['token_type'] self.assertTrue('expires_in' in data) expires_in = data['expires_in'] try: token = Token.objects.get(code=access_token) self.assertEqual( token.expires_at, token.created_at + datetime.timedelta(seconds=expires_in)) self.assertEqual(token.token_type, token_type) self.assertEqual(token.grant_type, 'authorization_code') #self.assertEqual(token.user, expected.get('user')) self.assertEqual(normalize(uenc(token.redirect_uri)), normalize(uenc(expected.get('redirect_uri')))) self.assertEqual(normalize(uenc(token.scope)), normalize(uenc(expected.get('scope')))) self.assertEqual(token.state, expected.get('state')) except Token.DoesNotExist: self.fail("Invalid access_token")
def normalize(url): return urltools.normalize(iri_to_uri(url))
def normalize(url): return urltools.normalize(uenc(url))
def test_code_authorization(self): # missing response_type r = self.client.get(self.client.get_url(self.client.auth_url)) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # invalid response_type r = self.client.get(self.client.get_url(self.client.auth_url, response_type='invalid')) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # unsupported response_type r = self.client.get(self.client.get_url(self.client.auth_url, response_type='token')) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # missing client_id r = self.client.get(self.client.get_url(self.client.auth_url, response_type='code')) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # fake client r = self.client.authorize_code('client-fake') self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # mixed up credentials/client_id's self.client.set_credentials('client1', 'secret') r = self.client.authorize_code('client3') self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # invalid credentials self.client.set_credentials('client2', '') r = self.client.authorize_code('client2') self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # invalid redirect_uri: not absolute URI self.client.set_credentials() params = {'redirect_uri': urlparse.urlparse(self.client1_redirect_uri).path} r = self.client.authorize_code('client1', urlparams=params) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # mismatching redirect uri self.client.set_credentials() params = {'redirect_uri': self.client1_redirect_uri[1:]} r = self.client.authorize_code('client1', urlparams=params) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # valid request: untrusted client params = {'redirect_uri': self.client1_redirect_uri, 'scope': self.client1_redirect_uri, 'extra_param': 'γιουνικοντ'} self.client.set_credentials('client1', 'secret') r = self.client.authorize_code('client1', urlparams=params) self.assertEqual(r.status_code, 302) self.assertTrue('Location' in r) self.assertHost(r['Location'], "testserver:80") self.assertPath(r['Location'], reverse('login')) self.client.set_credentials('client1', 'secret') self.client.login(username="******", password="******") r = self.client.authorize_code('client1', urlparams=params) self.assertEqual(r.status_code, 200) r = self.client.authorize_code('client1', urlparams=params, extraparams={'reject': 0}) self.assertCount(AuthorizationCode, 1) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server.com") self.assertPath(redirect, "/handle_code") code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) #self.assertEqual(code.state, '') self.assertEqual(code.state, None) self.assertEqual(normalize(iri_to_uri(code.redirect_uri)), normalize(iri_to_uri(self.client1_redirect_uri))) params['state'] = 'csrfstate' params['scope'] = 'resource1' r = self.client.authorize_code('client1', urlparams=params) redirect = self.get_redirect_url(r) self.assertParamEqual(redirect, "state", 'csrfstate') self.assertCount(AuthorizationCode, 2) code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, 'csrfstate') self.assertEqual(normalize(iri_to_uri(code.redirect_uri)), normalize(iri_to_uri(self.client1_redirect_uri))) # valid request: trusted client params = {'redirect_uri': self.client3_redirect_uri, 'scope': self.client3_redirect_uri, 'extra_param': 'γιουνικοντ'} self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', urlparams=params) self.assertEqual(r.status_code, 302) self.assertCount(AuthorizationCode, 3) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertNoParam(redirect, "state") self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server3.com") self.assertPath(redirect, "/handle_code") code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, None) self.assertEqual(code.redirect_uri, self.client3_redirect_uri) # valid request: trusted client params['state'] = 'csrfstate' self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', urlparams=params) self.assertEqual(r.status_code, 302) self.assertCount(AuthorizationCode, 4) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertParamEqual(redirect, "state", 'csrfstate') self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server3.com") self.assertPath(redirect, "/handle_code") code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, 'csrfstate') self.assertEqual(code.redirect_uri, self.client3_redirect_uri) # redirect uri startswith the client's registered redirect url params['redirect_uri'] = '%sφωτογραφία.JPG' % self.client3_redirect_uri self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', urlparams=params) self.assertEqual(r.status_code, 400) # redirect uri descendant redirect_uri = '%s/' % self.client3_redirect_uri rest = settings.MAXIMUM_ALLOWED_REDIRECT_URI_LENGTH - len(redirect_uri) redirect_uri = '%s%s' % (redirect_uri, 'a'*rest) params['redirect_uri'] = redirect_uri self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', urlparams=params) self.assertEqual(r.status_code, 302) self.assertCount(AuthorizationCode, 5) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertParamEqual(redirect, "state", 'csrfstate') self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server3.com") self.assertPath(redirect, urlparse.urlparse(redirect_uri).path) code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, 'csrfstate') self.assertEqual(code.redirect_uri, redirect_uri) # too long redirect uri params['redirect_uri'] = '%sa' % redirect_uri self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', urlparams=params) self.assertEqual(r.status_code, 400) # redirect uri descendant redirect_uri = '%s/φωτογραφία.JPG?α=γιουνικοντ' % \ self.client3_redirect_uri params['redirect_uri'] = redirect_uri self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', urlparams=params) self.assertEqual(r.status_code, 302) self.assertCount(AuthorizationCode, 6) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertParamEqual(redirect, "state", 'csrfstate') self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server3.com") self.assertPath(redirect, urlparse.urlparse(redirect_uri).path) code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, 'csrfstate') self.assertEqual(smart_str(code.redirect_uri), smart_str(redirect_uri))
def assertPath(self, url, path): self.assertEqual(normalize(url.path), normalize(path))
def test_code_authorization(self): # missing response_type r = self.client.get(self.client.get_url(self.client.auth_url)) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # invalid response_type r = self.client.get( self.client.get_url(self.client.auth_url, response_type='invalid')) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # unsupported response_type r = self.client.get( self.client.get_url(self.client.auth_url, response_type='token')) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # missing client_id r = self.client.get( self.client.get_url(self.client.auth_url, response_type='code')) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # fake client r = self.client.authorize_code('client-fake', secure=True) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # mixed up credentials/client_id's self.client.set_credentials('client1', 'secret') r = self.client.authorize_code('client3', secure=True) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # invalid credentials self.client.set_credentials('client2', '') r = self.client.authorize_code('client2', secure=True) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # invalid redirect_uri: not absolute URI self.client.set_credentials() params = { 'redirect_uri': urlparse.urlparse(self.client1_redirect_uri).path } r = self.client.authorize_code('client1', secure=True, urlparams=params) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # mismatching redirect uri self.client.set_credentials() params = {'redirect_uri': self.client1_redirect_uri[1:]} r = self.client.authorize_code('client1', sercure=True, urlparams=params) self.assertEqual(r.status_code, 400) self.assertCount(AuthorizationCode, 0) # valid request: untrusted client params = { 'redirect_uri': self.client1_redirect_uri, 'scope': self.client1_redirect_uri, 'extra_param': 'γιουνικοντ' } self.client.set_credentials('client1', 'secret') r = self.client.authorize_code('client1', secure=True, urlparams=params) self.assertEqual(r.status_code, 302) self.assertTrue('Location' in r) self.assertHost(r['Location'], "testserver") self.assertPath(r['Location'], reverse('login')) self.client.set_credentials('client1', 'secret') self.client.login(username="******", password="******") r = self.client.authorize_code('client1', secure=True, urlparams=params) self.assertEqual(r.status_code, 200) r = self.client.authorize_code('client1', secure=True, urlparams=params, extraparams={'reject': 0}) self.assertCount(AuthorizationCode, 1) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server.com") self.assertPath(redirect, "/handle_code") code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) #self.assertEqual(code.state, '') self.assertEqual(code.state, None) self.assertEqual(normalize(iri_to_uri(code.redirect_uri)), normalize(iri_to_uri(self.client1_redirect_uri))) params['state'] = 'csrfstate' params['scope'] = 'resource1' r = self.client.authorize_code('client1', secure=True, urlparams=params) redirect = self.get_redirect_url(r) self.assertParamEqual(redirect, "state", 'csrfstate') self.assertCount(AuthorizationCode, 2) code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, 'csrfstate') self.assertEqual(normalize(iri_to_uri(code.redirect_uri)), normalize(iri_to_uri(self.client1_redirect_uri))) # valid request: trusted client params = { 'redirect_uri': self.client3_redirect_uri, 'scope': self.client3_redirect_uri, 'extra_param': 'γιουνικοντ' } self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', secure=True, urlparams=params) self.assertEqual(r.status_code, 302) self.assertCount(AuthorizationCode, 3) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertNoParam(redirect, "state") self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server3.com") self.assertPath(redirect, "/handle_code") code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, None) self.assertEqual(code.redirect_uri, self.client3_redirect_uri) # valid request: trusted client params['state'] = 'csrfstate' self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', secure=True, urlparams=params) self.assertEqual(r.status_code, 302) self.assertCount(AuthorizationCode, 4) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertParamEqual(redirect, "state", 'csrfstate') self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server3.com") self.assertPath(redirect, "/handle_code") code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, 'csrfstate') self.assertEqual(code.redirect_uri, self.client3_redirect_uri) # redirect uri startswith the client's registered redirect url params['redirect_uri'] = '%sφωτογραφία.JPG' % self.client3_redirect_uri self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', secure=True, urlparams=params) self.assertEqual(r.status_code, 400) # redirect uri descendant redirect_uri = '%s/' % self.client3_redirect_uri rest = settings.MAXIMUM_ALLOWED_REDIRECT_URI_LENGTH - len(redirect_uri) redirect_uri = '%s%s' % (redirect_uri, 'a' * rest) params['redirect_uri'] = redirect_uri self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', secure=True, urlparams=params) self.assertEqual(r.status_code, 302) self.assertCount(AuthorizationCode, 5) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertParamEqual(redirect, "state", 'csrfstate') self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server3.com") self.assertPath(redirect, urlparse.urlparse(redirect_uri).path) code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, 'csrfstate') self.assertEqual(code.redirect_uri, redirect_uri) # too long redirect uri params['redirect_uri'] = '%sa' % redirect_uri self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', secure=True, urlparams=params) self.assertEqual(r.status_code, 400) # redirect uri descendant redirect_uri = '%s/φωτογραφία.JPG?α=γιουνικοντ' % \ self.client3_redirect_uri params['redirect_uri'] = redirect_uri self.client.set_credentials('client3', 'secret') r = self.client.authorize_code('client3', secure=True, urlparams=params) self.assertEqual(r.status_code, 302) self.assertCount(AuthorizationCode, 6) # redirect is valid redirect = self.get_redirect_url(r) self.assertParam(redirect, "code") self.assertParamEqual(redirect, "state", 'csrfstate') self.assertNoParam(redirect, "extra_param") self.assertHost(redirect, "server3.com") self.assertPath(redirect, urlparse.urlparse(redirect_uri).path) code = AuthorizationCode.objects.get(code=redirect.params['code'][0]) self.assertEqual(code.state, 'csrfstate') self.assertEqual(smart_str(code.redirect_uri), smart_str(redirect_uri))