def test_improperly_scoped_token_can_not_create_or_email( self, mock_auth, mock_mail, app, user, email_unconfirmed, data, url_base): token = ApiOAuth2PersonalToken( owner=user, name='Unauthorized Token', ) token.save() scope = ApiOAuth2ScopeFactory() scope.name = 'unauthorized scope' scope.save() token.scopes.add(scope) mock_cas_resp = CasResponse(authenticated=True, user=user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s.name for s in token.scopes.all()] }) mock_auth.return_value = user, mock_cas_resp assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0 res = app.post_json_api( '{}?send_email=true'.format(url_base), data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}, expect_errors=True) assert res.status_code == 403 assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0 assert mock_mail.call_count == 0
def test_admin_scoped_token_can_create_and_send_email( self, mock_auth, mock_mail, app, user, email_unconfirmed, data, url_base): token = ApiOAuth2PersonalToken( owner=user, name='Admin Token', ) scope = ApiOAuth2ScopeFactory() scope.name = 'osf.admin' scope.save() token.scopes.add(scope) mock_cas_resp = CasResponse(authenticated=True, user=user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s.name for s in token.scopes.all()] }) mock_auth.return_value = user, mock_cas_resp assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0 res = app.post_json_api( '{}?send_email=true'.format(url_base), data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert res.status_code == 201 assert res.json['data']['attributes']['username'] == email_unconfirmed assert OSFUser.objects.filter(username=email_unconfirmed).count() == 1 assert mock_mail.call_count == 1
def test_admin_scoped_token_has_admin(self, mock_auth): token = ApiOAuth2PersonalToken( owner=self.user, name='Admin Token', ) token.save() scope = ApiOAuth2ScopeFactory() scope.name = 'osf.admin' scope.save() token.scopes.add(scope) mock_cas_resp = CasResponse(authenticated=True, user=self.user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s.name for s in token.scopes.all()] }) mock_auth.return_value = self.user, mock_cas_resp res = self.app.get( self.url, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert_equal(res.status_code, 200) assert_equal(res.json['meta'][ADMIN], True)
def test_non_admin_scoped_token_does_not_have_admin(self, mock_auth): token = ApiOAuth2PersonalToken( owner=self.user, name='Admin Token', scopes=' '.join([key for key in public_scopes if key != 'osf.admin']) ) mock_cas_resp = CasResponse( authenticated=True, user=self.user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s for s in token.scopes.split(' ')] } ) mock_auth.return_value = self.user, mock_cas_resp res = self.app.get( self.url, headers={ 'Authorization': 'Bearer {}'.format(token.token_id) } ) assert_equal(res.status_code, 200) assert_not_in('admin', res.json['meta'].keys())
def test_admin_scoped_token_can_create_and_send_email( self, mock_auth, mock_mail): token = ApiOAuth2PersonalToken(owner=self.user, name='Admin Token', scopes='osf.admin') mock_cas_resp = CasResponse(authenticated=True, user=self.user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s for s in token.scopes.split(' ')] }) mock_auth.return_value = self.user, mock_cas_resp assert_equal( User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 0) res = self.app.post_json_api( '{}?send_email=true'.format(self.base_url), self.data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert_equal(res.status_code, 201) assert_equal(res.json['data']['attributes']['username'], self.unconfirmed_email) assert_equal( User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 1) assert_equal(mock_mail.call_count, 1)
def test_improperly_scoped_token_can_not_create_or_email( self, mock_auth, mock_mail): token = ApiOAuth2PersonalToken(owner=self.user, name='Unauthorized Token', scopes='osf.full_write') mock_cas_resp = CasResponse(authenticated=True, user=self.user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s for s in token.scopes.split(' ')] }) mock_auth.return_value = self.user, mock_cas_resp assert_equal( User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 0) res = self.app.post_json_api( '{}?send_email=true'.format(self.base_url), self.data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}, expect_errors=True) assert_equal(res.status_code, 403) assert_equal( User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 0) assert_equal(mock_mail.call_count, 0)
def test_properly_scoped_token_can_create_without_username_but_not_send_email( self, mock_auth, mock_mail): token = ApiOAuth2PersonalToken(owner=self.user, name='Authorized Token', scopes='osf.users.create') mock_cas_resp = CasResponse(authenticated=True, user=self.user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s for s in token.scopes.split(' ')] }) mock_auth.return_value = self.user, mock_cas_resp self.data['data']['attributes'] = {'full_name': 'No Email'} assert_equal(User.find(Q('fullname', 'eq', 'No Email')).count(), 0) res = self.app.post_json_api( '{}?send_email=true'.format(self.base_url), self.data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert_equal(res.status_code, 201) assert_equal(res.json['data']['attributes']['username'], None) assert_equal(User.find(Q('fullname', 'eq', 'No Email')).count(), 1) assert_equal(mock_mail.call_count, 0)
def test_properly_scoped_token_can_create_without_username_but_not_send_email( self, mock_auth, mock_mail, app, user, data, url_base): token = ApiOAuth2PersonalToken(owner=user, name='Authorized Token', scopes='osf.users.create') mock_cas_resp = CasResponse(authenticated=True, user=user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s for s in token.scopes.split(' ')] }) mock_auth.return_value = user, mock_cas_resp data['data']['attributes'] = {'full_name': 'No Email'} assert OSFUser.objects.filter(fullname='No Email').count() == 0 res = app.post_json_api( '{}?send_email=true'.format(url_base), data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert res.status_code == 201 username = res.json['data']['attributes']['username'] try: UUID(username) except ValueError: raise AssertionError('Username is not a valid UUID') assert OSFUser.objects.filter(fullname='No Email').count() == 1 assert mock_mail.call_count == 0
def test_properly_scoped_token_does_not_send_email_without_kwarg( self, mock_auth, mock_mail, app, user, email_unconfirmed, data, url_base): token = ApiOAuth2PersonalToken(owner=user, name='Authorized Token', scopes='osf.users.create') mock_cas_resp = CasResponse(authenticated=True, user=user._id, attributes={ 'accessToken': token.token_id, 'accessTokenScope': [s for s in token.scopes.split(' ')] }) mock_auth.return_value = user, mock_cas_resp assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0 res = app.post_json_api( url_base, data, headers={'Authorization': 'Bearer {}'.format(token.token_id)}) assert res.status_code == 201 assert res.json['data']['attributes']['username'] == email_unconfirmed assert OSFUser.objects.filter(username=email_unconfirmed).count() == 1 assert mock_mail.call_count == 0