def assert_access_token_response(self, r, expected):
self.assertEqual(r.status_code, 200)
try:
data = json.loads(r.content)
except:
self.fail("Unexpected response content")
self.assertTrue('access_token' in data)
access_token = data['access_token']
self.assertTrue('token_type' in data)
token_type = data['token_type']
self.assertTrue('expires_in' in data)
expires_in = data['expires_in']
try:
token = Token.objects.get(code=access_token)
self.assertEqual(token.expires_at,
token.created_at +
datetime.timedelta(seconds=expires_in))
self.assertEqual(token.token_type, token_type)
self.assertEqual(token.grant_type, 'authorization_code')
#self.assertEqual(token.user, expected.get('user'))
self.assertEqual(normalize(uenc(token.redirect_uri)),
normalize(uenc(expected.get('redirect_uri'))))
self.assertEqual(normalize(uenc(token.scope)),
normalize(uenc(expected.get('scope'))))
self.assertEqual(token.state, expected.get('state'))
except Token.DoesNotExist:
self.fail("Invalid access_token")
def assert_access_token_response(self, r, expected):
self.assertEqual(r.status_code, 200)
try:
data = json.loads(r.content)
except:
self.fail("Unexpected response content")
self.assertTrue('access_token' in data)
access_token = data['access_token']
self.assertTrue('token_type' in data)
token_type = data['token_type']
self.assertTrue('expires_in' in data)
expires_in = data['expires_in']
try:
token = Token.objects.get(code=access_token)
self.assertEqual(
token.expires_at,
token.created_at + datetime.timedelta(seconds=expires_in))
self.assertEqual(token.token_type, token_type)
self.assertEqual(token.grant_type, 'authorization_code')
#self.assertEqual(token.user, expected.get('user'))
self.assertEqual(normalize(uenc(token.redirect_uri)),
normalize(uenc(expected.get('redirect_uri'))))
self.assertEqual(normalize(uenc(token.scope)),
normalize(uenc(expected.get('scope'))))
self.assertEqual(token.state, expected.get('state'))
except Token.DoesNotExist:
self.fail("Invalid access_token")
def normalize(url):
return urltools.normalize(iri_to_uri(url))
def normalize(url):
return urltools.normalize(uenc(url))
def test_code_authorization(self):
# missing response_type
r = self.client.get(self.client.get_url(self.client.auth_url))
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# invalid response_type
r = self.client.get(self.client.get_url(self.client.auth_url,
response_type='invalid'))
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# unsupported response_type
r = self.client.get(self.client.get_url(self.client.auth_url,
response_type='token'))
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# missing client_id
r = self.client.get(self.client.get_url(self.client.auth_url,
response_type='code'))
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# fake client
r = self.client.authorize_code('client-fake')
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# mixed up credentials/client_id's
self.client.set_credentials('client1', 'secret')
r = self.client.authorize_code('client3')
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# invalid credentials
self.client.set_credentials('client2', '')
r = self.client.authorize_code('client2')
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# invalid redirect_uri: not absolute URI
self.client.set_credentials()
params = {'redirect_uri':
urlparse.urlparse(self.client1_redirect_uri).path}
r = self.client.authorize_code('client1', urlparams=params)
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# mismatching redirect uri
self.client.set_credentials()
params = {'redirect_uri': self.client1_redirect_uri[1:]}
r = self.client.authorize_code('client1', urlparams=params)
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# valid request: untrusted client
params = {'redirect_uri': self.client1_redirect_uri,
'scope': self.client1_redirect_uri,
'extra_param': 'γιουνικοντ'}
self.client.set_credentials('client1', 'secret')
r = self.client.authorize_code('client1', urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertTrue('Location' in r)
self.assertHost(r['Location'], "testserver:80")
self.assertPath(r['Location'], reverse('login'))
self.client.set_credentials('client1', 'secret')
self.client.login(username="******", password="******")
r = self.client.authorize_code('client1', urlparams=params)
self.assertEqual(r.status_code, 200)
r = self.client.authorize_code('client1', urlparams=params,
extraparams={'reject': 0})
self.assertCount(AuthorizationCode, 1)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server.com")
self.assertPath(redirect, "/handle_code")
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
#self.assertEqual(code.state, '')
self.assertEqual(code.state, None)
self.assertEqual(normalize(iri_to_uri(code.redirect_uri)),
normalize(iri_to_uri(self.client1_redirect_uri)))
params['state'] = 'csrfstate'
params['scope'] = 'resource1'
r = self.client.authorize_code('client1', urlparams=params)
redirect = self.get_redirect_url(r)
self.assertParamEqual(redirect, "state", 'csrfstate')
self.assertCount(AuthorizationCode, 2)
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, 'csrfstate')
self.assertEqual(normalize(iri_to_uri(code.redirect_uri)),
normalize(iri_to_uri(self.client1_redirect_uri)))
# valid request: trusted client
params = {'redirect_uri': self.client3_redirect_uri,
'scope': self.client3_redirect_uri,
'extra_param': 'γιουνικοντ'}
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3', urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertCount(AuthorizationCode, 3)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertNoParam(redirect, "state")
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server3.com")
self.assertPath(redirect, "/handle_code")
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, None)
self.assertEqual(code.redirect_uri, self.client3_redirect_uri)
# valid request: trusted client
params['state'] = 'csrfstate'
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3', urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertCount(AuthorizationCode, 4)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertParamEqual(redirect, "state", 'csrfstate')
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server3.com")
self.assertPath(redirect, "/handle_code")
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, 'csrfstate')
self.assertEqual(code.redirect_uri, self.client3_redirect_uri)
# redirect uri startswith the client's registered redirect url
params['redirect_uri'] = '%sφωτογραφία.JPG' % self.client3_redirect_uri
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3', urlparams=params)
self.assertEqual(r.status_code, 400)
# redirect uri descendant
redirect_uri = '%s/' % self.client3_redirect_uri
rest = settings.MAXIMUM_ALLOWED_REDIRECT_URI_LENGTH - len(redirect_uri)
redirect_uri = '%s%s' % (redirect_uri, 'a'*rest)
params['redirect_uri'] = redirect_uri
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3', urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertCount(AuthorizationCode, 5)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertParamEqual(redirect, "state", 'csrfstate')
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server3.com")
self.assertPath(redirect, urlparse.urlparse(redirect_uri).path)
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, 'csrfstate')
self.assertEqual(code.redirect_uri, redirect_uri)
# too long redirect uri
params['redirect_uri'] = '%sa' % redirect_uri
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3', urlparams=params)
self.assertEqual(r.status_code, 400)
# redirect uri descendant
redirect_uri = '%s/φωτογραφία.JPG?α=γιουνικοντ' % \
self.client3_redirect_uri
params['redirect_uri'] = redirect_uri
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3', urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertCount(AuthorizationCode, 6)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertParamEqual(redirect, "state", 'csrfstate')
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server3.com")
self.assertPath(redirect, urlparse.urlparse(redirect_uri).path)
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, 'csrfstate')
self.assertEqual(smart_str(code.redirect_uri),
smart_str(redirect_uri))
def normalize(url):
return urltools.normalize(iri_to_uri(url))
def normalize(url):
return urltools.normalize(uenc(url))
def assertPath(self, url, path):
self.assertEqual(normalize(url.path), normalize(path))
def test_code_authorization(self):
# missing response_type
r = self.client.get(self.client.get_url(self.client.auth_url))
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# invalid response_type
r = self.client.get(
self.client.get_url(self.client.auth_url, response_type='invalid'))
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# unsupported response_type
r = self.client.get(
self.client.get_url(self.client.auth_url, response_type='token'))
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# missing client_id
r = self.client.get(
self.client.get_url(self.client.auth_url, response_type='code'))
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# fake client
r = self.client.authorize_code('client-fake', secure=True)
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# mixed up credentials/client_id's
self.client.set_credentials('client1', 'secret')
r = self.client.authorize_code('client3', secure=True)
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# invalid credentials
self.client.set_credentials('client2', '')
r = self.client.authorize_code('client2', secure=True)
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# invalid redirect_uri: not absolute URI
self.client.set_credentials()
params = {
'redirect_uri': urlparse.urlparse(self.client1_redirect_uri).path
}
r = self.client.authorize_code('client1',
secure=True,
urlparams=params)
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# mismatching redirect uri
self.client.set_credentials()
params = {'redirect_uri': self.client1_redirect_uri[1:]}
r = self.client.authorize_code('client1',
sercure=True,
urlparams=params)
self.assertEqual(r.status_code, 400)
self.assertCount(AuthorizationCode, 0)
# valid request: untrusted client
params = {
'redirect_uri': self.client1_redirect_uri,
'scope': self.client1_redirect_uri,
'extra_param': 'γιουνικοντ'
}
self.client.set_credentials('client1', 'secret')
r = self.client.authorize_code('client1',
secure=True,
urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertTrue('Location' in r)
self.assertHost(r['Location'], "testserver")
self.assertPath(r['Location'], reverse('login'))
self.client.set_credentials('client1', 'secret')
self.client.login(username="******", password="******")
r = self.client.authorize_code('client1',
secure=True,
urlparams=params)
self.assertEqual(r.status_code, 200)
r = self.client.authorize_code('client1',
secure=True,
urlparams=params,
extraparams={'reject': 0})
self.assertCount(AuthorizationCode, 1)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server.com")
self.assertPath(redirect, "/handle_code")
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
#self.assertEqual(code.state, '')
self.assertEqual(code.state, None)
self.assertEqual(normalize(iri_to_uri(code.redirect_uri)),
normalize(iri_to_uri(self.client1_redirect_uri)))
params['state'] = 'csrfstate'
params['scope'] = 'resource1'
r = self.client.authorize_code('client1',
secure=True,
urlparams=params)
redirect = self.get_redirect_url(r)
self.assertParamEqual(redirect, "state", 'csrfstate')
self.assertCount(AuthorizationCode, 2)
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, 'csrfstate')
self.assertEqual(normalize(iri_to_uri(code.redirect_uri)),
normalize(iri_to_uri(self.client1_redirect_uri)))
# valid request: trusted client
params = {
'redirect_uri': self.client3_redirect_uri,
'scope': self.client3_redirect_uri,
'extra_param': 'γιουνικοντ'
}
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3',
secure=True,
urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertCount(AuthorizationCode, 3)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertNoParam(redirect, "state")
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server3.com")
self.assertPath(redirect, "/handle_code")
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, None)
self.assertEqual(code.redirect_uri, self.client3_redirect_uri)
# valid request: trusted client
params['state'] = 'csrfstate'
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3',
secure=True,
urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertCount(AuthorizationCode, 4)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertParamEqual(redirect, "state", 'csrfstate')
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server3.com")
self.assertPath(redirect, "/handle_code")
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, 'csrfstate')
self.assertEqual(code.redirect_uri, self.client3_redirect_uri)
# redirect uri startswith the client's registered redirect url
params['redirect_uri'] = '%sφωτογραφία.JPG' % self.client3_redirect_uri
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3',
secure=True,
urlparams=params)
self.assertEqual(r.status_code, 400)
# redirect uri descendant
redirect_uri = '%s/' % self.client3_redirect_uri
rest = settings.MAXIMUM_ALLOWED_REDIRECT_URI_LENGTH - len(redirect_uri)
redirect_uri = '%s%s' % (redirect_uri, 'a' * rest)
params['redirect_uri'] = redirect_uri
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3',
secure=True,
urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertCount(AuthorizationCode, 5)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertParamEqual(redirect, "state", 'csrfstate')
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server3.com")
self.assertPath(redirect, urlparse.urlparse(redirect_uri).path)
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, 'csrfstate')
self.assertEqual(code.redirect_uri, redirect_uri)
# too long redirect uri
params['redirect_uri'] = '%sa' % redirect_uri
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3',
secure=True,
urlparams=params)
self.assertEqual(r.status_code, 400)
# redirect uri descendant
redirect_uri = '%s/φωτογραφία.JPG?α=γιουνικοντ' % \
self.client3_redirect_uri
params['redirect_uri'] = redirect_uri
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3',
secure=True,
urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertCount(AuthorizationCode, 6)
# redirect is valid
redirect = self.get_redirect_url(r)
self.assertParam(redirect, "code")
self.assertParamEqual(redirect, "state", 'csrfstate')
self.assertNoParam(redirect, "extra_param")
self.assertHost(redirect, "server3.com")
self.assertPath(redirect, urlparse.urlparse(redirect_uri).path)
code = AuthorizationCode.objects.get(code=redirect.params['code'][0])
self.assertEqual(code.state, 'csrfstate')
self.assertEqual(smart_str(code.redirect_uri), smart_str(redirect_uri))
def assertPath(self, url, path):
self.assertEqual(normalize(url.path), normalize(path))
