Exemple #1
def api(request):
    """Show, rotate or delete the requesting user's single API key.

    A user who belongs to any group, or who has not accepted the developer
    agreement, only gets an error message and the rendered page. Otherwise a
    POST deletes the existing ``Access`` row (when ``delete`` is posted) or
    creates one / replaces its secret, then redirects back to this page.
    """
    try:
        access = Access.objects.get(user=request.user)
    except Access.DoesNotExist:
        access = None

    developer = request.amo_user
    roles = developer.groups.all()
    if roles:
        messages.error(request, _('Users with roles cannot use the API.'))
    elif not developer.read_dev_agreement:
        messages.error(request, _('You must accept the terms of service.'))
    elif request.method == 'POST':
        if 'delete' in request.POST:
            # Only the requester's own row (looked up above) can be removed.
            if access:
                access.delete()
                messages.success(request, _('API key deleted.'))
        else:
            if access:
                # Rotating the secret replaces the previous one.
                access.update(secret=generate())
            else:
                # NOTE(review): the consumer key embeds the account e-mail;
                # presumably the key travels in OAuth headers — confirm that
                # exposing the address there is acceptable.
                key = 'mkt:%s:%s' % (developer.pk, developer.email)
                access = Access.objects.create(
                    key=key, user=request.user, secret=generate())
            messages.success(request, _('New API key generated.'))

        return redirect(reverse('mkt.developers.apps.api'))

    # NOTE(review): ``profile`` is not bound inside this function; it has to
    # resolve at module scope or this line raises NameError — confirm.
    context = {'consumer': access, 'profile': profile, 'roles': roles}
    return jingo.render(request, 'developers/api.html', context)
Exemple #2
 def test_bad_access_token(self):
     """A request signed with unknown token credentials must not authenticate.

     An access token is issued to ``user2``, but the request is signed with
     freshly generated resource-owner key and secret instead of that token.
     """
     target = absolutify(reverse('app-list'))
     Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
     consumer = self.access
     signed_url, header = self._oauth_request_info(
         target,
         client_key=consumer.key,
         client_secret=consumer.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate())
     authenticator = authentication.RestOAuthAuthentication()
     request = RequestFactory().get(signed_url, HTTP_HOST='testserver',
                                    HTTP_AUTHORIZATION=header)
     assert not authenticator.is_authenticated(request)
Exemple #3
 def test_bad_access_token(self):
     """Unknown resource-owner credentials yield a 401 from the authenticator.

     A valid access token exists for ``user2``; the request is signed with
     freshly generated token key and secret, so it must be refused.
     """
     target = absolutify(reverse('app-list'))
     Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
     consumer = self.access
     signed_url, header = self._oauth_request_info(
         target,
         client_key=consumer.key,
         client_secret=consumer.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate())
     authenticator = authentication.OAuthAuthentication()
     request = RequestFactory().get(signed_url, HTTP_HOST='testserver',
                                    HTTP_AUTHORIZATION=header)
     outcome = authenticator.is_authenticated(request)
     eq_(outcome.status_code, 401)
Exemple #4
 def test_bad_access_token(self):
     """Unknown resource-owner credentials yield a 401 on the app list URL.

     A valid access token exists for ``user2``; the request is signed with
     freshly generated token key and secret, so it must be refused.
     """
     route = ('api_dispatch_list', {'resource_name': 'app'})
     target = get_absolute_url(route)
     Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
     consumer = self.access
     signed_url, header = self._oauth_request_info(
         target,
         client_key=consumer.key,
         client_secret=consumer.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate())
     authenticator = authentication.OAuthAuthentication()
     request = RequestFactory().get(signed_url, HTTP_HOST='testserver',
                                    HTTP_AUTHORIZATION=header)
     outcome = authenticator.is_authenticated(request)
     eq_(outcome.status_code, 401)
Exemple #5
 def test_bad_access_request(self):
     """A bogus access-token exchange returns 401 and mints no access token.

     The request carries freshly generated resource-owner credentials and
     verifier, none of which match the request token created here.
     """
     request_token = Token.generate_new(REQUEST_TOKEN, self.access)
     endpoint = urlparse.urljoin(
         settings.SITE_URL, reverse('mkt.developers.oauth_access_request'))
     # NOTE(review): the request token's key/secret are passed as the client
     # credentials here — confirm that is the intended negative case.
     signed_url, header = self._oauth_request_info(
         endpoint,
         client_key=request_token.key,
         client_secret=request_token.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate(),
         verifier=generate(),
         callback_uri=self.access.redirect_uri)
     response = self.client.get(signed_url, HTTP_HOST='testserver',
                                HTTP_AUTHORIZATION=header)
     eq_(response.status_code, 401)
     # The failed exchange must not leave an access token behind.
     minted = Token.objects.filter(token_type=ACCESS_TOKEN)
     assert not minted.exists()
Exemple #6
 def test_bad_access_token(self):
     """Unknown token credentials fail through the middleware/auth pair.

     An access token is issued to ``user2``; the request is signed with
     freshly generated resource-owner key and secret, run through
     ``RestOAuthMiddleware`` and must not authenticate.
     """
     target = absolutify(reverse('app-list'))
     Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
     consumer = self.access
     signed_url, header = self._oauth_request_info(
         target,
         client_key=consumer.key,
         client_secret=consumer.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate())
     authenticator = authentication.RestOAuthAuthentication()
     raw_request = RequestFactory().get(signed_url, HTTP_HOST='testserver',
                                        HTTP_AUTHORIZATION=header)
     raw_request.API = True
     RestOAuthMiddleware().process_request(raw_request)
     wrapped = Request(raw_request)
     assert not authenticator.authenticate(wrapped)
Exemple #7
 def test_bad_access_token(self):
     """Unknown token credentials leave the request anonymous.

     An access token is issued to ``user2``; the request is signed with
     freshly generated resource-owner key and secret. After the middleware
     runs, authentication fails and ``req.user`` is still unauthenticated.
     """
     target = absolutify(reverse('app-list'))
     Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
     consumer = self.access
     signed_url, header = self._oauth_request_info(
         target,
         client_key=consumer.key,
         client_secret=consumer.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate())
     authenticator = authentication.RestOAuthAuthentication()
     raw_request = RequestFactory().get(signed_url, HTTP_HOST='testserver',
                                        HTTP_AUTHORIZATION=header)
     raw_request.API = True
     raw_request.user = AnonymousUser()
     RestOAuthMiddleware().process_request(raw_request)
     ok_(not authenticator.authenticate(Request(raw_request)))
     # The middleware must not have swapped in a real user either.
     ok_(not raw_request.user.is_authenticated())
Exemple #8
 def login_user(self):
     """Accept the developer agreement and build the two test clients.

     ``self.client`` is built from a newly created ``Access`` consumer;
     ``self.anon`` is built with no consumer at all.
     """
     self.profile.update(read_dev_agreement=datetime.now())
     consumer = Access.objects.create(
         key='oauthClientKeyForTests', secret=generate(), user=self.user)
     self.access = consumer
     self.client = RestOAuthClient(consumer)
     self.anon = RestOAuthClient(None)
Exemple #9
 def test_owner_still_non_reviewer_access(self):
     """An app owner with a valid consumer still gets 403 from ``self.url``.

     The first author of app 337141 is given a fresh OAuth consumer;
     ``self.url`` is presumably a reviewer-only endpoint (set elsewhere).
     """
     owner = Webapp.objects.get(pk=337141).authors.all()[0]
     credentials = Access.objects.create(key='test_oauth_key_owner',
                                         secret=generate(),
                                         user=owner)
     response = RestOAuthClient(credentials).get(self.url)
     eq_(response.status_code, 403)
Exemple #10
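def api(request):
    """List, create and delete the requesting user's API consumers.

    Members of the ``Admins`` group only get an error message. For everyone
    else a POST either deletes one of the requester's ``Access`` rows (when
    ``delete`` is posted, identified by the ``consumer`` field) or creates a
    new row and validates the posted form against it. The page is rendered
    with the requester's consumers in every case.
    """
    roles = request.amo_user.groups.filter(name='Admins').exists()
    f = APIConsumerForm()
    if roles:
        messages.error(request,
                       _('Users with the admin role cannot use the API.'))

    elif request.method == 'POST':
        if 'delete' in request.POST:
            try:
                # The primary key comes straight from the POST body, so the
                # lookup is scoped to the requester; without the user filter
                # any signed-in account could delete another account's key.
                consumer = Access.objects.get(
                    pk=request.POST.get('consumer'), user=request.user)
                consumer.delete()
            except (Access.DoesNotExist, ValueError):
                # ValueError: the posted pk could not be coerced to the
                # primary-key type. Same message either way, so the response
                # does not reveal whether a foreign key id exists.
                messages.error(request, _('No such API key.'))
        else:
            # NOTE(review): the suffix is the current row count, which can
            # repeat after a deletion; confirm that ``key`` uniqueness is
            # enforced elsewhere. The key also embeds the account e-mail.
            key = 'mkt:%s:%s:%s' % (
                request.amo_user.pk, request.amo_user.email,
                Access.objects.filter(user=request.user).count())
            access = Access.objects.create(key=key,
                                           user=request.user,
                                           secret=generate())
            f = APIConsumerForm(request.POST, instance=access)
            if f.is_valid():
                f.save()
                messages.success(request, _('New API key generated.'))
            else:
                # Roll back the row created above when the form is rejected.
                access.delete()
    consumers = list(Access.objects.filter(user=request.user))
    return jingo.render(request, 'developers/api.html', {
        'consumers': consumers,
        'roles': roles,
        'form': f
    })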
Exemple #11
    def setUp(self, api_name="apps"):
        """Create an OAuth consumer for user 2519 and a client built from it.

        The user's profile is marked as having accepted the developer
        agreement before the ``Access`` row is created.
        """
        account = User.objects.get(pk=2519)
        self.user = account
        self.profile = account.get_profile()
        self.profile.update(read_dev_agreement=datetime.now())

        consumer = Access.objects.create(
            key="foo",
            secret=generate(),
            user=account,
        )
        self.access = consumer
        self.client = OAuthClient(consumer, api_name=api_name)
Exemple #12
 def test_owner_still_non_reviewer_access(self):
     """An app owner with a valid consumer still gets 403 from ``self.url``.

     The ``user`` of the first author of app 337141 is given a fresh OAuth
     consumer; ``self.url`` is presumably a reviewer-only endpoint.
     """
     first_author = Webapp.objects.get(pk=337141).authors.all()[0]
     owner = first_author.user
     credentials = Access.objects.create(key='test_oauth_key_owner',
                                         secret=generate(),
                                         user=owner)
     response = RestOAuthClient(credentials).get(self.url)
     eq_(response.status_code, 403)
Exemple #13
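def api(request):
    """List, create and delete the requesting user's API consumers.

    Members of the ``Admins`` group only get an error message. For everyone
    else a POST either deletes one of the requester's ``Access`` rows (when
    ``delete`` is posted, identified by the ``consumer`` field) or creates a
    new row and validates the posted form against it. The page is rendered
    with the requester's consumers in every case.
    """
    roles = request.amo_user.groups.filter(name='Admins').exists()
    f = APIConsumerForm()
    if roles:
        messages.error(request,
                       _('Users with the admin role cannot use the API.'))

    elif request.method == 'POST':
        if 'delete' in request.POST:
            try:
                # The primary key is attacker-controllable POST data, so the
                # lookup is restricted to rows owned by the requester.
                # Unscoped, it would let any signed-in account delete another
                # account's API key by id.
                consumer = Access.objects.get(
                    pk=request.POST.get('consumer'), user=request.user)
                consumer.delete()
            except (Access.DoesNotExist, ValueError):
                # ValueError covers a pk that cannot be coerced to the
                # primary-key type; both cases get the same generic message.
                messages.error(request, _('No such API key.'))
        else:
            # NOTE(review): the count-based suffix can repeat once a key has
            # been deleted; confirm ``key`` uniqueness is enforced elsewhere.
            # The key also embeds the account e-mail.
            key = 'mkt:%s:%s:%s' % (
                request.amo_user.pk,
                request.amo_user.email,
                Access.objects.filter(user=request.user).count())
            access = Access.objects.create(key=key,
                                           user=request.user,
                                           secret=generate())
            f = APIConsumerForm(request.POST, instance=access)
            if f.is_valid():
                f.save()
                messages.success(request, _('New API key generated.'))
            else:
                # Roll back the row created above when the form is rejected.
                access.delete()
    consumers = list(Access.objects.filter(user=request.user))
    return jingo.render(request, 'developers/api.html',
                        {'consumers': consumers, 'roles': roles, 'form': f})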
Exemple #14
 def login_user(self):
     """Accept the developer agreement and build the two test clients.

     ``self.client`` wraps a newly created ``Access`` consumer for
     ``self.user``; ``self.anon`` is built with ``None`` as its consumer.
     """
     accepted_at = datetime.now()
     self.profile.update(read_dev_agreement=accepted_at)
     self.access = Access.objects.create(
         key='oauthClientKeyForTests',
         secret=generate(),
         user=self.user,
     )
     self.client, self.anon = (RestOAuthClient(self.access),
                               RestOAuthClient(None))
Exemple #15
 def setUp(self):
     """Prepare an authenticator plus an OAuth consumer for profile 2519.

     The profile is marked as having accepted the developer agreement before
     the ``Access`` row is created for its ``user``.
     """
     self.api_name = 'foo'
     self.auth = authentication.OAuthAuthentication()
     developer = UserProfile.objects.get(pk=2519)
     self.profile = developer
     developer.update(read_dev_agreement=datetime.today())
     self.access = Access.objects.create(
         key='foo', secret=generate(), user=developer.user)
Exemple #16
 def setUp(self):
     """Create an OAuth consumer for user 2519 and the two test clients.

     ``self.client`` is built from the new ``Access`` row, ``self.anon``
     from ``None``.
     """
     account = User.objects.get(pk=2519)
     self.user = account
     self.profile = account.get_profile()
     self.profile.update(read_dev_agreement=datetime.now())
     consumer = Access.objects.create(
         key="oauthClientKeyForTests",
         secret=generate(),
         user=account,
     )
     self.access = consumer
     self.client = RestOAuthClient(consumer)
     self.anon = RestOAuthClient(None)
Exemple #17
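def api(request):
    """List, create and delete the requesting user's API consumers.

    Members of the ``Admins`` group only get an error message. For everyone
    else a POST either deletes one of the requester's ``Access`` rows (when
    ``delete`` is posted, identified by the ``consumer`` field) or creates a
    new row and validates the posted form against it. The page is rendered
    with the requester's consumers in every case.
    """
    roles = request.amo_user.groups.filter(name="Admins").exists()
    f = APIConsumerForm()
    if roles:
        messages.error(request, _("Users with the admin role cannot use the API."))

    elif request.method == "POST":
        if "delete" in request.POST:
            try:
                # The primary key is taken from the POST body, so the lookup
                # is restricted to the requester's own rows; unscoped, any
                # signed-in account could delete another account's API key.
                consumer = Access.objects.get(pk=request.POST.get("consumer"), user=request.user)
                consumer.delete()
            except (Access.DoesNotExist, ValueError):
                # ValueError covers a pk that cannot be coerced to the
                # primary-key type; both cases get the same generic message.
                messages.error(request, _("No such API key."))
        else:
            # NOTE(review): the count-based suffix can repeat once a key has
            # been deleted; confirm ``key`` uniqueness is enforced elsewhere.
            # The key also embeds the account e-mail.
            key = "mkt:%s:%s:%s" % (
                request.amo_user.pk,
                request.amo_user.email,
                Access.objects.filter(user=request.user).count(),
            )
            access = Access.objects.create(key=key, user=request.user, secret=generate())
            f = APIConsumerForm(request.POST, instance=access)
            if f.is_valid():
                f.save()
                messages.success(request, _("New API key generated."))
            else:
                # Roll back the row created above when the form is rejected.
                access.delete()
    consumers = list(Access.objects.filter(user=request.user))
    # NOTE(review): ``profile`` is not bound inside this function; it has to
    # resolve at module scope or this call raises NameError — confirm.
    return jingo.render(
        request, "developers/api.html", {"consumers": consumers, "profile": profile, "roles": roles, "form": f}
    )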
Exemple #18
 def setUp(self):
     """Prepare an authenticator plus an OAuth consumer for profile 2519.

     The profile is marked as having accepted the developer agreement before
     the ``Access`` row is created for its ``user``.
     """
     self.api_name = 'foo'
     self.auth = authentication.OAuthAuthentication()
     developer = UserProfile.objects.get(pk=2519)
     self.profile = developer
     developer.update(read_dev_agreement=datetime.today())
     self.access = Access.objects.create(
         key='test_oauth_key', secret=generate(), user=developer.user)
Exemple #19
 def setUp(self, api_name='apps'):
     """Create an OAuth consumer for profile 2519 and the two test clients.

     ``self.profile`` and ``self.user`` refer to the same ``UserProfile``.
     ``self.client`` is built from the new ``Access`` row, ``self.anon``
     from ``None``.
     """
     developer = UserProfile.objects.get(pk=2519)
     self.profile = developer
     self.user = developer
     developer.update(read_dev_agreement=datetime.now())
     consumer = Access.objects.create(
         key='oauthClientKeyForTests', secret=generate(), user=developer)
     self.access = consumer
     self.client = OAuthClient(consumer, api_name=api_name)
     self.anon = OAuthClient(None, api_name=api_name)
 def setUp(self):
     """Prepare a consumer, an authenticator and the middleware list.

     An ``Access`` row is created for the ``user`` of profile 2519 after the
     profile accepts the developer agreement; ``unpin_this_thread()`` is
     called last.
     """
     self.api_name = "foo"
     developer = UserProfile.objects.get(pk=2519)
     self.profile = developer
     developer.update(read_dev_agreement=datetime.today())
     self.access = Access.objects.create(
         key="test_oauth_key",
         secret=generate(),
         user=developer.user,
     )
     self.auth = authentication.RestOAuthAuthentication()
     self.middlewares = [
         RedirectPrefixedURIMiddleware,
         RestOAuthMiddleware,
     ]
     unpin_this_thread()
Exemple #21
 def test_reviewer_get(self):
     """A user in a group with review rules can GET ``self.get_url``.

     The user is added to a new group carrying ``Apps:Review,Reviews:Edit``
     and given a fresh OAuth consumer; the request must return 200.
     """
     self.create_app()
     reviewer = UserProfile.objects.get(email="*****@*****.**")
     review_group = Group.objects.create(rules="Apps:Review,Reviews:Edit")
     GroupUser.objects.create(group=review_group, user=reviewer)
     credentials = Access.objects.create(
         key="adminOauthKey",
         secret=generate(),
         user=reviewer.user,
     )
     response = RestOAuthClient(credentials).get(self.get_url)
     eq_(response.status_code, 200)
Exemple #22
 def test_admin_get(self):
     """A user in a group with the wildcard rule can GET ``self.get_url``.

     The user is added to a new group whose rules are ``*:*`` and given a
     fresh OAuth consumer; the request must return 200.
     """
     self.create_app()
     superuser = UserProfile.objects.get(email="*****@*****.**")
     wildcard_group = Group.objects.create(rules="*:*")
     GroupUser.objects.create(group=wildcard_group, user=superuser)
     credentials = Access.objects.create(
         key="adminOauthKey",
         secret=generate(),
         user=superuser.user,
     )
     response = RestOAuthClient(credentials).get(self.get_url)
     eq_(response.status_code, 200)
Exemple #23
    def test_bad_token_request(self):
        """A token request signed with the wrong client secret is refused.

        The consumer key is real but the secret is freshly generated; the
        endpoint must answer 401 and create no request token.
        """
        endpoint = settings.SITE_URL + reverse("mkt.developers.oauth_token_request")
        signed_url, header = self._oauth_request_info(
            endpoint,
            client_key=self.access.key,
            client_secret=generate(),
            callback_uri=self.access.redirect_uri,
        )

        response = self.client.get(signed_url, HTTP_HOST="testserver", HTTP_AUTHORIZATION=header)
        eq_(response.status_code, 401)
        # The rejected request must not leave a request token behind.
        issued = Token.objects.filter(token_type=REQUEST_TOKEN)
        assert not issued.exists()
Exemple #24
    def setUp(self):
        """Create an OAuth consumer for user 2519 and a client built from it.

        The user's profile is marked as having accepted the developer
        agreement before the ``Access`` row is created.
        """
        account = User.objects.get(pk=2519)
        self.user = account
        self.profile = account.get_profile()
        self.profile.update(read_dev_agreement=datetime.now())

        consumer = Access.objects.create(
            key='foo', secret=generate(), user=account)
        self.access = consumer
        self.client = OAuthClient(consumer)
Exemple #25
 def setUp(self):
     """Create an OAuth consumer for user 2519 and the two test clients.

     ``self.client`` is built from the new ``Access`` row, ``self.anon``
     from ``None``.
     """
     account = User.objects.get(pk=2519)
     self.user = account
     self.profile = account.get_profile()
     self.profile.update(read_dev_agreement=datetime.now())
     consumer = Access.objects.create(
         key='oauthClientKeyForTests', secret=generate(), user=account)
     self.access = consumer
     self.client = RestOAuthClient(consumer)
     self.anon = RestOAuthClient(None)
Exemple #26
 def setUp(self, api_name='apps'):
     """Create an OAuth consumer with an app name and redirect URI.

     ``self.profile`` and ``self.user`` refer to the same ``UserProfile``
     (pk 2519). ``api_name`` is accepted but not used in this body.
     """
     developer = UserProfile.objects.get(pk=2519)
     self.profile = developer
     self.user = developer
     developer.update(read_dev_agreement=datetime.now())
     self.app_name = 'Mkt Test App'
     self.redirect_uri = 'https://example.com/redirect_target'
     consumer_fields = {
         'key': 'oauthClientKeyForTests',
         'secret': generate(),
         'user': developer,
         'redirect_uri': self.redirect_uri,
         'app_name': self.app_name,
     }
     self.access = Access.objects.create(**consumer_fields)
Exemple #27
 def test_admin_get(self):
     """A user in a group with the wildcard rule can GET ``self.get_url``.

     The user is added to a new group whose rules are ``*:*`` and given a
     fresh OAuth consumer; the request must return 200.
     """
     self.create_app()
     superuser = UserProfile.objects.get(email='*****@*****.**')
     wildcard_group = Group.objects.create(rules='*:*')
     GroupUser.objects.create(group=wildcard_group, user=superuser)
     credentials = Access.objects.create(
         key='adminOauthKey', secret=generate(), user=superuser.user)
     api_client = OAuthClient(credentials, api_name='apps')
     response = api_client.get(self.get_url)
     eq_(response.status_code, 200)
 def setUp(self):
     """Prepare a consumer, an authenticator and the middleware list.

     An ``Access`` row is created for profile 2519 after it accepts the
     developer agreement; ``unpin_this_thread()`` is called last.
     """
     self.api_name = 'foo'
     developer = UserProfile.objects.get(pk=2519)
     self.profile = developer
     developer.update(read_dev_agreement=datetime.today())
     self.access = Access.objects.create(
         key='test_oauth_key', secret=generate(), user=developer)
     self.auth = authentication.RestOAuthAuthentication()
     self.middlewares = [
         APIBaseMiddleware,
         RestOAuthMiddleware,
     ]
     unpin_this_thread()
Exemple #29
 def setUp(self, api_name='apps'):
     """Create an OAuth consumer with an app name and redirect URI.

     ``self.profile`` and ``self.user`` refer to the same ``UserProfile``
     (pk 2519). ``api_name`` is accepted but not used in this body.
     """
     developer = UserProfile.objects.get(pk=2519)
     self.profile = developer
     self.user = developer
     developer.update(read_dev_agreement=datetime.now())
     self.app_name = 'Mkt Test App'
     self.redirect_uri = 'https://example.com/redirect_target'
     self.access = Access.objects.create(
         key='oauthClientKeyForTests',
         secret=generate(),
         user=developer,
         redirect_uri=self.redirect_uri,
         app_name=self.app_name,
     )
 def setUp(self):
     """Prepare a consumer, an authenticator and the middleware list.

     An ``Access`` row is created for the ``user`` of profile 2519 after the
     profile accepts the developer agreement; ``unpin_this_thread()`` is
     called last.
     """
     self.api_name = 'foo'
     developer = UserProfile.objects.get(pk=2519)
     self.profile = developer
     developer.update(read_dev_agreement=datetime.today())
     self.access = Access.objects.create(
         key='test_oauth_key', secret=generate(), user=developer.user)
     self.auth = authentication.RestOAuthAuthentication()
     self.middlewares = [
         RedirectPrefixedURIMiddleware,
         RestOAuthMiddleware,
     ]
     unpin_this_thread()
Exemple #31
 def test_reviewer_get(self):
     """A user in a group with review rules can GET ``self.get_url``.

     The user is added to a new group carrying ``Apps:Review,Reviews:Edit``
     and given a fresh OAuth consumer; the request must return 200.
     """
     self.create_app()
     reviewer = UserProfile.objects.get(email='*****@*****.**')
     review_group = Group.objects.create(rules='Apps:Review,Reviews:Edit')
     GroupUser.objects.create(group=review_group, user=reviewer)
     credentials = Access.objects.create(
         key='adminOauthKey', secret=generate(), user=reviewer.user)
     api_client = OAuthClient(credentials, api_name='apps')
     response = api_client.get(self.get_url)
     eq_(response.status_code, 200)
Exemple #32
    def test_bad_token_request(self):
        """A token request signed with the wrong client secret is refused.

        The consumer key is real but the secret is freshly generated; the
        endpoint must answer 401 and create no request token.
        """
        endpoint = settings.SITE_URL + reverse('mkt.developers.oauth_token_request')
        consumer = self.access
        signed_url, header = self._oauth_request_info(
            endpoint, client_key=consumer.key, client_secret=generate(),
            callback_uri=consumer.redirect_uri)

        response = self.client.get(
            signed_url, HTTP_HOST='testserver', HTTP_AUTHORIZATION=header)
        eq_(response.status_code, 401)
        # The rejected request must not leave a request token behind.
        issued = Token.objects.filter(token_type=REQUEST_TOKEN)
        assert not issued.exists()
Exemple #33
def api(request):
    """Show, rotate or delete the requesting user's single API key.

    Members of the ``Admins`` group, and users who have not accepted the
    developer agreement, only get an error message and the rendered page.
    Otherwise a POST deletes the existing ``Access`` row (when ``delete`` is
    posted) or creates one / replaces its secret, then redirects back here.
    """
    try:
        access = Access.objects.get(user=request.user)
    except Access.DoesNotExist:
        access = None

    developer = request.amo_user
    roles = developer.groups.filter(name='Admins').exists()
    if roles:
        messages.error(
            request, _('Users with the admin role cannot use the API.'))
    elif not developer.read_dev_agreement:
        messages.error(request, _('You must accept the terms of service.'))
    elif request.method == 'POST':
        if 'delete' in request.POST:
            # Only the requester's own row (looked up above) can be removed.
            if access:
                access.delete()
                messages.success(request, _('API key deleted.'))
        else:
            if access:
                # Rotating the secret replaces the previous one.
                access.update(secret=generate())
            else:
                # NOTE(review): the consumer key embeds the account e-mail;
                # presumably the key travels in OAuth headers — confirm that
                # exposing the address there is acceptable.
                key = 'mkt:%s:%s' % (developer.pk, developer.email)
                access = Access.objects.create(
                    key=key, user=request.user, secret=generate())
            messages.success(request, _('New API key generated.'))

        return redirect(reverse('mkt.developers.apps.api'))

    # NOTE(review): ``profile`` is not bound inside this function; it has to
    # resolve at module scope or this line raises NameError — confirm.
    context = {'consumer': access, 'profile': profile, 'roles': roles}
    return jingo.render(request, 'developers/api.html', context)
Exemple #34
    def setUp(self, api_name="apps"):
        """Build a client for user 2519 and the search fixtures.

        The profile accepts the developer agreement and is passed to
        ``grant_permission`` with ``Apps:Review`` before the OAuth consumer
        is created. App 337141 is saved and ``self.refresh()`` is called.
        """
        account = User.objects.get(pk=2519)
        self.user = account
        self.profile = account.get_profile()
        self.profile.update(read_dev_agreement=datetime.now())
        self.grant_permission(self.profile, "Apps:Review")

        consumer = Access.objects.create(
            key="foo",
            secret=generate(),
            user=account,
        )
        self.access = consumer
        self.client = OAuthClient(consumer, api_name=api_name)
        self.url = list_url("search")

        self.webapp = Webapp.objects.get(pk=337141)
        self.category = Category.objects.create(
            name="test",
            type=amo.ADDON_WEBAPP,
        )
        self.webapp.save()
        self.refresh()
Exemple #35
 def setUp(self, api_name="apps"):
     """Load two users and create an OAuth consumer for the first.

     The consumer belongs to user 2519 and carries an app name and redirect
     URI; user 999 is kept as ``self.user2``. ``api_name`` is accepted but
     not used in this body.
     """
     owner = User.objects.get(pk=2519)
     self.user = owner
     self.user2 = User.objects.get(pk=999)
     self.profile = owner.get_profile()
     self.profile.update(read_dev_agreement=datetime.now())
     self.app_name = "Mkt Test App"
     self.redirect_uri = "https://example.com/redirect_target"
     consumer_fields = {
         "key": "oauthClientKeyForTests",
         "secret": generate(),
         "user": owner,
         "redirect_uri": self.redirect_uri,
         "app_name": self.app_name,
     }
     self.access = Access.objects.create(**consumer_fields)
Exemple #36
    def setUp(self):
        """Prepare a consumer for user 2519 and a pending app to search for.

        After the parent ``setUp``, the profile accepts the developer
        agreement and is passed to ``grant_permission`` with ``Apps:Review``.
        App 337141 is set to ``amo.STATUS_PENDING`` and
        ``self.refresh("webapp")`` is called.
        """
        super(TestApiReviewer, self).setUp()
        account = User.objects.get(pk=2519)
        self.user = account
        self.profile = account.get_profile()
        self.profile.update(read_dev_agreement=datetime.now())
        self.grant_permission(self.profile, "Apps:Review")

        self.access = Access.objects.create(
            key="test_oauth_key",
            secret=generate(),
            user=account,
        )
        self.url = reverse("reviewers-search-api")

        app = Webapp.objects.get(pk=337141)
        self.webapp = app
        self.category = Category.objects.create(
            name="test",
            type=amo.ADDON_WEBAPP,
        )

        app.update(status=amo.STATUS_PENDING)
        self.refresh("webapp")
    def setUp(self):
        """Prepare a consumer for profile 2519 and a pending app to search for.

        ``self.user`` and ``self.profile`` refer to the same ``UserProfile``.
        After the parent ``setUp``, the profile accepts the developer
        agreement and is passed to ``grant_permission`` with ``Apps:Review``.
        App 337141 is set to ``amo.STATUS_PENDING`` and
        ``self.refresh('webapp')`` is called.
        """
        super(TestApiReviewer, self).setUp()
        reviewer = UserProfile.objects.get(pk=2519)
        self.user = reviewer
        self.profile = reviewer
        reviewer.update(read_dev_agreement=datetime.now())
        self.grant_permission(reviewer, 'Apps:Review')

        self.access = Access.objects.create(key='test_oauth_key',
                                            secret=generate(),
                                            user=reviewer)
        self.url = reverse('reviewers-search-api')

        app = Webapp.objects.get(pk=337141)
        self.webapp = app

        app.update(status=amo.STATUS_PENDING)
        self.refresh('webapp')
Exemple #38
    def setUp(self, api_name='apps'):
        """Build a client for user 2519 and the search fixtures.

        The profile accepts the developer agreement and is passed to
        ``grant_permission`` with ``Apps:Review`` before the OAuth consumer
        is created. App 337141 is saved and ``self.refresh()`` is called.
        """
        account = User.objects.get(pk=2519)
        self.user = account
        self.profile = account.get_profile()
        self.profile.update(read_dev_agreement=datetime.now())
        self.grant_permission(self.profile, 'Apps:Review')

        consumer = Access.objects.create(
            key='foo', secret=generate(), user=account)
        self.access = consumer
        self.client = OAuthClient(consumer, api_name=api_name)
        self.list_url = ('api_dispatch_list', {'resource_name': 'search'})

        self.webapp = Webapp.objects.get(pk=337141)
        self.category = Category.objects.create(
            name='test', type=amo.ADDON_WEBAPP)
        self.webapp.save()
        self.refresh()
Exemple #39
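    def test_admin_get(self):
        """A wildcard-rule user can read the app and its privacy policy.

        The app is created and updated through ``self.client``; a second
        user, added to a new group whose rules are ``*:*`` and given a fresh
        OAuth consumer, must get 200 from both ``self.get_url`` and the
        privacy-policy endpoint, with the policy text that was PUT.
        """
        app = self.create_app()
        data = self.base_data()
        self.client.put(self.get_url, data=json.dumps(data))

        admin = UserProfile.objects.get(email="*****@*****.**")
        g = Group.objects.create(rules="*:*")
        GroupUser.objects.create(group=g, user=admin)
        ac = Access.objects.create(key="adminOauthKey", secret=generate(), user=admin)
        client = RestOAuthClient(ac)
        r = client.get(self.get_url)
        eq_(r.status_code, 200)

        res = client.get(reverse("app-privacy-policy-detail", args=[app.pk]))
        # Check the privacy-policy response itself (``res``); asserting on
        # ``r`` again would leave this request's status unverified.
        eq_(res.status_code, 200)
        eq_(res.json["privacy_policy"], data["privacy_policy"])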
Exemple #40
    def setUp(self):
        """Prepare a consumer for profile 2519 and a pending app to search for.

        ``self.user`` and ``self.profile`` refer to the same ``UserProfile``.
        After the parent ``setUp``, the profile accepts the developer
        agreement and is passed to ``grant_permission`` with ``Apps:Review``.
        App 337141 is set to ``amo.STATUS_PENDING`` and
        ``self.refresh('webapp')`` is called.
        """
        super(TestApiReviewer, self).setUp()
        reviewer = UserProfile.objects.get(pk=2519)
        self.user = reviewer
        self.profile = reviewer
        reviewer.update(read_dev_agreement=datetime.now())
        self.grant_permission(reviewer, 'Apps:Review')

        self.access = Access.objects.create(
            key='test_oauth_key', secret=generate(), user=reviewer)
        self.url = reverse('reviewers-search-api')

        app = Webapp.objects.get(pk=337141)
        self.webapp = app

        app.update(status=amo.STATUS_PENDING)
        self.refresh('webapp')
Exemple #41
    def setUp(self, api_name='apps'):
        """Build a client for user 2519 and the search fixtures.

        The profile accepts the developer agreement and is passed to
        ``grant_permission`` with ``Apps:Review`` before the OAuth consumer
        is created. App 337141 is saved and ``self.refresh()`` is called.
        """
        account = User.objects.get(pk=2519)
        self.user = account
        self.profile = account.get_profile()
        self.profile.update(read_dev_agreement=datetime.now())
        self.grant_permission(self.profile, 'Apps:Review')

        consumer = Access.objects.create(
            key='foo', secret=generate(), user=account)
        self.access = consumer
        self.client = OAuthClient(consumer, api_name=api_name)
        self.list_url = ('api_dispatch_list', {'resource_name': 'search'})

        self.webapp = Webapp.objects.get(pk=337141)
        self.category = Category.objects.create(
            name='test', type=amo.ADDON_WEBAPP)
        self.webapp.save()
        self.refresh()
Exemple #42
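    def test_reviewer_get(self):
        """A user with review rules can read the app and its privacy policy.

        The app is created and updated through ``self.client``; a second
        user, added to a new group carrying ``Apps:Review,Reviews:Edit`` and
        given a fresh OAuth consumer, must get 200 from both ``self.get_url``
        and the privacy-policy endpoint, with the policy text that was PUT.
        """
        app = self.create_app()
        data = self.base_data()
        self.client.put(self.get_url, data=json.dumps(data))

        editor = UserProfile.objects.get(email='*****@*****.**')
        g = Group.objects.create(rules='Apps:Review,Reviews:Edit')
        GroupUser.objects.create(group=g, user=editor)
        ac = Access.objects.create(key='adminOauthKey', secret=generate(),
                                   user=editor.user)
        client = RestOAuthClient(ac)
        r = client.get(self.get_url)
        eq_(r.status_code, 200)

        res = client.get(reverse('app-privacy-policy-detail',
                                 args=[app.pk]))
        # Check the privacy-policy response itself (``res``); asserting on
        # ``r`` again would leave this request's status unverified.
        eq_(res.status_code, 200)
        eq_(res.json['privacy_policy'], data['privacy_policy'])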
Exemple #43
    def setUp(self, api_name='reviewers'):
        """Build a reviewer client for user 2519 and a pending app.

        After the parent ``setUp``, the profile accepts the developer
        agreement and is passed to ``grant_permission`` with ``Apps:Review``.
        App 337141 is set to ``amo.STATUS_PENDING`` and
        ``self.refresh('webapp')`` is called.
        """
        super(TestApiReviewer, self).setUp(api_name=api_name)
        account = User.objects.get(pk=2519)
        self.user = account
        self.profile = account.get_profile()
        self.profile.update(read_dev_agreement=datetime.now())
        self.grant_permission(self.profile, 'Apps:Review')

        consumer = Access.objects.create(key='test_oauth_key',
                                         secret=generate(),
                                         user=account)
        self.access = consumer
        self.client = OAuthClient(consumer, api_name=api_name)
        self.url = list_url('search')

        app = Webapp.objects.get(pk=337141)
        self.webapp = app
        self.category = Category.objects.create(
            name='test', type=amo.ADDON_WEBAPP)

        app.update(status=amo.STATUS_PENDING)
        self.refresh('webapp')
Exemple #44
    def setUp(self, api_name='reviewers'):
        """Build a reviewer client for user 2519 and a pending app.

        After the parent ``setUp``, the profile accepts the developer
        agreement and is passed to ``grant_permission`` with ``Apps:Review``.
        App 337141 is set to ``amo.STATUS_PENDING`` and
        ``self.refresh('webapp')`` is called.
        """
        super(TestApiReviewer, self).setUp(api_name=api_name)
        account = User.objects.get(pk=2519)
        self.user = account
        self.profile = account.get_profile()
        self.profile.update(read_dev_agreement=datetime.now())
        self.grant_permission(self.profile, 'Apps:Review')

        consumer = Access.objects.create(key='test_oauth_key',
                                         secret=generate(),
                                         user=account)
        self.access = consumer
        self.client = OAuthClient(consumer, api_name=api_name)
        self.url = list_url('search')

        app = Webapp.objects.get(pk=337141)
        self.webapp = app
        self.category = Category.objects.create(
            name='test', type=amo.ADDON_WEBAPP)

        app.update(status=amo.STATUS_PENDING)
        self.refresh('webapp')
Exemple #45
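    def test_admin_get(self):
        """A wildcard-rule user can read the app and its privacy policy.

        The app is created and updated through ``self.client``; a second
        user, added to a new group whose rules are ``*:*`` and given a fresh
        OAuth consumer, must get 200 from both ``self.get_url`` and the
        privacy-policy endpoint, with the policy text that was PUT.
        """
        app = self.create_app()
        data = self.base_data()
        self.client.put(self.get_url, data=json.dumps(data))

        admin = UserProfile.objects.get(email='*****@*****.**')
        g = Group.objects.create(rules='*:*')
        GroupUser.objects.create(group=g, user=admin)
        ac = Access.objects.create(key='adminOauthKey', secret=generate(),
                                   user=admin.user)
        client = RestOAuthClient(ac)
        r = client.get(self.get_url)
        eq_(r.status_code, 200)

        res = client.get(reverse('app-privacy-policy-detail',
                                 args=[app.pk]))
        # Check the privacy-policy response itself (``res``); asserting on
        # ``r`` again would leave this request's status unverified.
        eq_(res.status_code, 200)
        eq_(res.json['privacy_policy'], data['privacy_policy'])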
Exemple #46
 def test_owner_still_non_reviewer_access(self):
     """An app owner with a valid consumer still gets 401 from ``self.url``.

     The ``user`` of the first author of app 337141 is given a fresh OAuth
     consumer and queries through a client built for the ``reviewers`` API.
     """
     first_author = Webapp.objects.get(pk=337141).authors.all()[0]
     credentials = Access.objects.create(
         key="test_oauth_key_owner",
         secret=generate(),
         user=first_author.user,
     )
     api_client = OAuthClient(credentials, api_name="reviewers")
     response = api_client.get(self.url)
     eq_(response.status_code, 401)
Exemple #47
 def setup_client(self, user):
     """Return a ``RestOAuthClient`` built from a new consumer for ``user``.

     Every call creates an ``Access`` row with the fixed key
     ``test_oauth_key_owner`` and a secret from ``generate()``.
     """
     consumer_fields = {
         'key': 'test_oauth_key_owner',
         'secret': generate(),
         'user': user,
     }
     return RestOAuthClient(Access.objects.create(**consumer_fields))
Exemple #48
 def setup_client(self, user):
     """Return a ``RestOAuthClient`` built from a new consumer for ``user``.

     Every call creates an ``Access`` row with the fixed key
     ``test_oauth_key_owner`` and a secret from ``generate()``.
     """
     credentials = Access.objects.create(
         key='test_oauth_key_owner',
         secret=generate(),
         user=user,
     )
     api_client = RestOAuthClient(credentials)
     return api_client