def setUp(self):
    """Build the OAuth fixture shared by the tests in this class.

    Creates (or reuses) a user, an ACCEPTED consumer owned by that user, a
    ConsumerInfo record granting the 'courses' permission, and an approved
    access token for the consumer/user pair. Rows that already exist in the
    test database are looked up rather than duplicated.
    """
    self.faketime = 525942870
    self.client = Client()

    # The account that owns the consumer and to whom the token is issued.
    try:
        owner = User.objects.get(username='******')
    except User.DoesNotExist:
        owner = User(username='******')
        owner.save()

    # The registered client application. Whether found or freshly created,
    # its attributes are (re)applied and a new key/secret pair generated, so
    # every test starts from the same consumer state.
    try:
        consumer = Consumer.objects.get(name='Test Consumer')
    except Consumer.DoesNotExist:
        consumer = Consumer(name='Test Consumer')
    consumer.description = 'Consumer to do some tests with'
    consumer.status = ACCEPTED
    consumer.user = owner
    consumer.xauth_allowed = False  # keep the xAuth flow disabled for this consumer
    consumer.generate_random_codes()
    consumer.save()
    self.consumer = consumer

    # Permission record for the consumer. It is stamped 10 s earlier than the
    # token so that it already exists "before" the token is created.
    info = ConsumerInfo(consumer=consumer)
    info.admin_contact = '*****@*****.**'
    info.permissions = ['courses']
    info.timestamp = self.faketime - 10
    info.save()
    self.consumerinfo = info

    # An already-approved access token lets the tests skip the request-token
    # and authorize steps and go straight to signed requests.
    try:
        token = Token.objects.get(token_type=Token.ACCESS, consumer=consumer, user=owner)
    except Token.DoesNotExist:
        token = Token(token_type=Token.ACCESS, consumer=consumer, user=owner, timestamp=self.faketime)
    token.is_approved = True
    token.generate_random_codes()
    token.verifier = VERIFIER
    token.save()
    self.token = token
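class OauthTestIssue24(BaseOAuthTestCase):
    """Regression tests for django-oauth-plus issue 24.

    See https://bitbucket.org/david/django-oauth-plus/issue/24/utilspy-initialize_server_request-should

    The issue concerns which request parameters take part in the OAuth 1.0
    signature base string (RFC 5849 section 3.4.1.3.1): the fields of an
    application/x-www-form-urlencoded POST body are included, any other body
    (e.g. JSON) is not. Getting this wrong in either direction is a problem:
    including a JSON body breaks valid HMAC-SHA1 signatures, while excluding
    a form body would let its fields be altered without invalidating the
    signature. The PLAINTEXT tests additionally check that credentials are
    accepted from the Authorization header and from a form-encoded body.
    """

    def setUp(self):
        super(OauthTestIssue24, self).setUp()
        # Access token with fixed, made-up credentials so the HMAC-SHA1
        # helper can sign requests without running the token dance first.
        self.access_token = Token(
            key="key",
            secret="secret",
            consumer=self.consumer,
            user=self.jane,
            token_type=2,
            scope=self.scope
        )
        self.access_token.save()

    def __make_querystring_with_HMAC_SHA1(self, http_method, path, data, content_type):
        """Return ``path`` with a query string carrying an HMAC-SHA1 signature.

        When ``content_type`` is ``application/json`` the ``data`` string goes
        into the signed request's body, where it must not contribute to the
        signature; otherwise ``data`` is passed as request parameters and is
        signed. The URL is signed as ``http://testserver:80`` + ``path``; the
        request built from the result must use the same host so that the
        server reconstructs the same base string.
        """
        consumer = oauth.Consumer(key=self.CONSUMER_KEY, secret=self.CONSUMER_SECRET)
        token = oauth.Token(key=self.access_token.key, secret=self.access_token.secret)
        url = "http://testserver:80" + path

        if content_type == "application/json":
            parameters, body = None, data
        else:
            parameters, body = data, ""

        request = oauth.Request.from_consumer_and_token(
            consumer=consumer,
            token=token,
            http_method=http_method,
            http_url=url,
            parameters=parameters,
            body=body
        )
        request.sign_request(oauth.SignatureMethod_HMAC_SHA1(), consumer, token)
        return request.to_url()

    def _verify_signed_request(self, request):
        """Run the provider-side checks that OAuthAuthentication in
        django-rest-framework performs on ``request`` and return
        ``(consumer, token)``.

        Raises oauth.Error if the signature does not verify, which is what
        the HMAC-SHA1 tests rely on.
        """
        oauth_request = utils.get_oauth_request(request)
        consumer_key = oauth_request.get_parameter('oauth_consumer_key')
        consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
        token_param = oauth_request.get_parameter('oauth_token')
        token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
        oauth_server, oauth_request = utils.initialize_server_request(request)
        oauth_server.verify_request(oauth_request, consumer, token)
        return consumer, token

    def _plaintext_auth_params(self, **extra):
        """Return the OAuth parameters for a PLAINTEXT-signed request using
        the access token obtained from ``_authorize_and_access_token_using_form``.

        Any ``extra`` keyword arguments are added as further request fields.
        PLAINTEXT sends both secrets on the wire as ``consumer&token``; it is
        only acceptable over TLS, which the test client does not need.
        """
        now = str(int(time.time()))
        params = {
            'oauth_consumer_key': self.CONSUMER_KEY,
            'oauth_signature_method': "PLAINTEXT",
            'oauth_version': "1.0",
            'oauth_token': self.ACCESS_TOKEN_KEY,
            'oauth_timestamp': now,
            # The nonce is derived from the clock, so two requests in the same
            # second would repeat it and a provider that tracks nonces would
            # reject the second one. Each test sends exactly one such request.
            'oauth_nonce': now + "nonce",
            'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
        }
        params.update(extra)
        return params

    def test_that_initialize_server_request_when_custom_content_type(self):
        """A POST body must not be added to the OAuth parameters when the
        content type is not application/x-www-form-urlencoded.

        This only causes trouble with HMAC-SHA1, where the body would
        otherwise enter the signature base string and the signature would
        fail to verify.
        """
        data = json.dumps({"data": {"foo": "bar"}})
        content_type = "application/json"
        querystring = self.__make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
        # Build the request object directly; nothing is actually sent.
        request = RequestFactory().post(querystring, data, content_type)
        # Must not raise oauth.Error.
        self._verify_signed_request(request)

    def test_post_using_in_authorization_header_and_PLAINTEXT(self):
        """PLAINTEXT credentials in the Authorization header are accepted."""
        self._request_token()
        self._authorize_and_access_token_using_form()
        header = self._get_http_authorization_header(self._plaintext_auth_params())
        response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header)
        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_post_body_and_PLAINTEXT(self):
        """PLAINTEXT credentials in an application/x-www-form-urlencoded POST
        body are accepted, also when a non-OAuth field is sent alongside.
        """
        self._request_token()
        self._authorize_and_access_token_using_form()
        parameters = self._plaintext_auth_params(additional_data="whoop")
        response = self.c.post("/oauth/photo/", urllib.urlencode(parameters, True),
                               content_type="application/x-www-form-urlencoded")
        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_header_with_content_type_json_and_PLAINTEXT(self):
        """PLAINTEXT credentials in the Authorization header are accepted even
        when the request declares a JSON content type.
        """
        self._request_token()
        self._authorize_and_access_token_using_form()
        header = self._get_http_authorization_header(self._plaintext_auth_params())
        response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header, CONTENT_TYPE="application/json")
        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_body_content_type_and_application_x_www_form_urlencoded(self):
        """Opposite of test_that_initialize_server_request_when_custom_content_type:
        with application/x-www-form-urlencoded the POST fields are part of the
        OAuth parameters and therefore of the signature.
        """
        self._request_token()
        self._authorize_and_access_token_using_form()
        data = {"foo": "bar"}
        content_type = "application/x-www-form-urlencoded"
        # Signed with self.access_token, not the token obtained above; the
        # token dance is kept for parity with the other tests.
        querystring = self.__make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
        request = RequestFactory().post(querystring, urllib.urlencode(data), content_type)
        # Must not raise oauth.Error.
        self._verify_signed_request(request)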
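class OauthTestIssue24(BaseOAuthTestCase):
    """Regression tests for django-oauth-plus issue 24.

    See https://bitbucket.org/david/django-oauth-plus/issue/24/utilspy-initialize_server_request-should

    The issue concerns which request parameters take part in the OAuth 1.0
    signature base string (RFC 5849 section 3.4.1.3.1): the fields of an
    application/x-www-form-urlencoded POST body are included, any other body
    (e.g. JSON) is not. Getting this wrong in either direction is a problem:
    including a JSON body breaks valid HMAC-SHA1 signatures, while excluding
    a form body would let its fields be altered without invalidating the
    signature. The PLAINTEXT tests additionally check that credentials are
    accepted from the Authorization header and from a form-encoded body.

    ``_make_querystring_with_HMAC_SHA1`` is not defined here; it is expected
    to come from the base test case.
    """

    def setUp(self):
        super(OauthTestIssue24, self).setUp()
        # Access token with fixed, made-up credentials so the HMAC-SHA1
        # helper can sign requests without running the token dance first.
        self.access_token = Token(
            key="key",
            secret="secret",
            consumer=self.consumer,
            user=self.jane,
            token_type=2,
            scope=self.scope
        )
        self.access_token.save()

    def _verify_signed_request(self, request):
        """Run the provider-side checks that OAuthAuthentication in
        django-rest-framework performs on ``request`` and return
        ``(consumer, token)``.

        Raises oauth.Error if the signature does not verify, which is what
        the HMAC-SHA1 tests rely on.
        """
        oauth_request = utils.get_oauth_request(request)
        consumer_key = oauth_request.get_parameter('oauth_consumer_key')
        consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
        token_param = oauth_request.get_parameter('oauth_token')
        token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
        oauth_server, oauth_request = utils.initialize_server_request(request)
        oauth_server.verify_request(oauth_request, consumer, token)
        return consumer, token

    def _plaintext_auth_params(self, **extra):
        """Return the OAuth parameters for a PLAINTEXT-signed request using
        the access token obtained from ``_authorize_and_access_token_using_form``.

        Any ``extra`` keyword arguments are added as further request fields.
        PLAINTEXT sends both secrets on the wire as ``consumer&token``; it is
        only acceptable over TLS, which the test client does not need.
        """
        now = str(int(time.time()))
        params = {
            'oauth_consumer_key': self.CONSUMER_KEY,
            'oauth_signature_method': "PLAINTEXT",
            'oauth_version': "1.0",
            'oauth_token': self.ACCESS_TOKEN_KEY,
            'oauth_timestamp': now,
            # The nonce is derived from the clock, so two requests in the same
            # second would repeat it and a provider that tracks nonces would
            # reject the second one. Each test sends exactly one such request.
            'oauth_nonce': now + "nonce",
            'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
        }
        params.update(extra)
        return params

    def test_that_initialize_server_request_when_custom_content_type(self):
        """A POST body must not be added to the OAuth parameters when the
        content type is not application/x-www-form-urlencoded.

        This only causes trouble with HMAC-SHA1, where the body would
        otherwise enter the signature base string and the signature would
        fail to verify.
        """
        data = json.dumps({"data": {"foo": "bar"}})
        content_type = "application/json"
        querystring = self._make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
        # Build the request object directly; nothing is actually sent.
        request = RequestFactory().post(querystring, data, content_type)
        # Must not raise oauth.Error.
        self._verify_signed_request(request)

    def test_post_using_in_authorization_header_and_PLAINTEXT(self):
        """PLAINTEXT credentials in the Authorization header are accepted."""
        self._request_token()
        self._authorize_and_access_token_using_form()
        header = self._get_http_authorization_header(self._plaintext_auth_params())
        response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header)
        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_post_body_and_PLAINTEXT(self):
        """PLAINTEXT credentials in an application/x-www-form-urlencoded POST
        body are accepted, also when a non-OAuth field is sent alongside.
        """
        self._request_token()
        self._authorize_and_access_token_using_form()
        parameters = self._plaintext_auth_params(additional_data="whoop")
        response = self.c.post("/oauth/photo/", urllib.urlencode(parameters, True),
                               content_type="application/x-www-form-urlencoded")
        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_header_with_content_type_json_and_PLAINTEXT(self):
        """PLAINTEXT credentials in the Authorization header are accepted even
        when the request declares a JSON content type.
        """
        self._request_token()
        self._authorize_and_access_token_using_form()
        header = self._get_http_authorization_header(self._plaintext_auth_params())
        response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header, CONTENT_TYPE="application/json")
        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_body_content_type_and_application_x_www_form_urlencoded(self):
        """Opposite of test_that_initialize_server_request_when_custom_content_type:
        with application/x-www-form-urlencoded the POST fields are part of the
        OAuth parameters and therefore of the signature.
        """
        self._request_token()
        self._authorize_and_access_token_using_form()
        data = {"foo": "bar"}
        content_type = "application/x-www-form-urlencoded"
        # Signed with self.access_token, not the token obtained above; the
        # token dance is kept for parity with the other tests.
        querystring = self._make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
        request = RequestFactory().post(querystring, urllib.urlencode(data), content_type)
        # Must not raise oauth.Error.
        self._verify_signed_request(request)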