def testInvalidScope(self):
""" Test the rejection of a valid request with an invalid scope. """
invalidScope = 'invalidScope'
request = self.generateValidTokenRequest(arguments={
'grant_type': 'refresh_token',
'refresh_token': self._VALID_REFRESH_TOKEN,
'scope': invalidScope
}, authentication=self._VALID_CLIENT)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(request, result, InvalidScopeError(invalidScope),
msg='Expected the token resource to reject a refresh_token '
'request with an invalid scope.')
invalidScope = self._VALID_SCOPE[0]
request = self.generateValidTokenRequest(arguments={
'grant_type': 'refresh_token',
'refresh_token': self._VALID_REFRESH_TOKEN,
'scope': invalidScope
}, authentication=self._VALID_CLIENT)
self._TOKEN_FACTORY.expectTokenRequest(
None, self._TOKEN_RESOURCE.authTokenLifeTime, self._VALID_CLIENT,
[invalidScope], validScope=False)
result = self._TOKEN_RESOURCE.render_POST(request)
self._TOKEN_FACTORY.assertAllTokensRequested()
self.assertFailedTokenRequest(
request, result, InvalidScopeError(invalidScope),
msg='Expected the token resource to reject a refresh_token request with '
'a scope that is rejected by the token factory.')
def onAuthenticate(self, request, client, responseType, scope,
redirectUri, state, dataKey):
if self.raiseErrorInOnAuthenticate:
self.raiseErrorInOnAuthenticate = False
raise RuntimeError(self.ERROR_MESSAGE)
if self.UNKNOWN_SCOPE in scope:
raise InvalidScopeError(scope, state=state)
if self.UNKNOWN_SCOPE_RETURN in scope:
return InvalidScopeError(scope, state=state)
if self.UNKNOWN_SCOPE_RAISING_OAUTH2_ERROR in scope:
raise InvalidTokenError(self.ERROR_MESSAGE)
if self.TEMPORARY_UNAVAILABLE_SCOPE in scope:
raise TemporarilyUnavailableError(state=state)
return request, client, responseType, scope, redirectUri, state, dataKey
def testGrantAccessInvalidScope(self):
"""
Test that grandAccess rejects a call with a scope that is not in the original scope.
"""
dataKey = 'dataKeyInvalidScope' + self._RESPONSE_TYPE
redirectUri = self._VALID_CLIENT.redirectUris[0]
request = MockRequest('GET', 'some/path')
state = b'state\xFF\xFF'
data = {
'response_type':
self._RESPONSE_GRANT_TYPE_MAPPING[self._RESPONSE_TYPE],
'redirect_uri':
redirectUri,
'client_id':
self._VALID_CLIENT.id,
'scope': ['All'],
'state':
state
}
self._PERSISTENT_STORAGE.put(dataKey, data)
scope = ['Other']
result = self._AUTH_RESOURCE.grantAccess(request,
dataKey,
scope=scope)
self.assertFailedRequest(
request,
result,
InvalidScopeError(scope, state),
redirectUri=redirectUri,
msg='Expected grantAccess to reject an invalid scope.')
def testInvalidScope(self):
""" Test the rejection of a request with an invalid scope parameters. """
username = b'someUserName'
password = b'somePassword'
request = self.generateValidTokenRequest(
arguments={
'grant_type': 'password',
'username': username,
'password': password,
'scope': ' '.join(self._VALID_SCOPE),
},
authentication=self._VALID_CLIENT)
self._TOKEN_FACTORY.expectTokenRequest(
'token',
self._TOKEN_RESOURCE.authTokenLifeTime,
self._VALID_CLIENT,
self._VALID_SCOPE,
validScope=False)
self._PASSWORD_MANAGER.expectAuthenticateRequest(username, password)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertTrue(
self._PASSWORD_MANAGER.allPasswordsChecked(),
msg=
'Expected the token resource to check if the given user name and '
'password combination is valid before creating an auth token.')
self._TOKEN_FACTORY.assertAllTokensRequested()
self.assertFailedTokenRequest(
request,
result,
InvalidScopeError(self._VALID_SCOPE),
msg='Expected the resource token to reject a '
'password request with invalid scope parameters.')
def onAuthenticate(self, request, client, responseType, scope, redirectUri, state, dataKey):
if self.raiseErrorInOnAuthenticate:
self.raiseErrorInOnAuthenticate = False
raise RuntimeError('Expected the auth resource to catch this error')
if self.UNKNOWN_SCOPE in scope:
return InvalidScopeError(scope, state=state)
return request, client, responseType, scope, redirectUri, state, dataKey
def testMalformedScope(self):
""" Test the rejection of a valid request with a malformed scope. """
malformedScope = b'malformedScope\xFF\xFF'
request = self.generateValidTokenRequest(arguments={
'grant_type': 'refresh_token',
'refresh_token': self._VALID_REFRESH_TOKEN,
'scope': malformedScope
}, authentication=self._VALID_CLIENT)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(
request, result, InvalidScopeError(ensureByteString(malformedScope)),
msg='Expected the token resource to reject a '
'refresh_token request with an malformed scope.')
def testAuthorizedClientWithMalformedScope(self):
""" Test the rejection of a request with a malformed scope parameters. """
malformedScope = b'malformedScope\xFF\xFF'
request = self.generateValidTokenRequest(
arguments={
'grant_type': 'client_credentials',
'scope': malformedScope,
},
authentication=self._VALID_CLIENT)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(
request,
result,
InvalidScopeError(malformedScope),
msg='Expected the resource token to reject a '
'client_credentials request with a malformed scope parameters.')
def testWithMalformedScope(self):
""" Test the rejection of a request with a malformed scope. """
state = b'state\xFF\xFF'
scope = b'malformedScope\xFF\xFF'
redirectUri = self._VALID_CLIENT.redirectUris[0]
request = self.createAuthRequest(arguments={
'response_type': self._RESPONSE_TYPE,
'client_id': self._VALID_CLIENT.id,
'redirect_uri': redirectUri,
'scope': scope,
'state': state
})
result = self._AUTH_RESOURCE.render_GET(request)
self.assertFailedRequest(
request, result, InvalidScopeError(scope, state=state), redirectUri=redirectUri,
msg='Expected the auth resource to reject a request with a malformed scope.')
def testInvalidScope(self):
""" Test the rejection of a valid request with an invalid scope. """
invalidScope = 'invalidScope'
request = self.generateValidTokenRequest(
arguments={
'grant_type': 'refresh_token',
'refresh_token': self._VALID_REFRESH_TOKEN,
'scope': invalidScope
},
authentication=self._VALID_CLIENT)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(
request,
result,
InvalidScopeError(invalidScope),
msg='Expected the token resource to reject a refresh_token '
'request with an invalid scope.')
def testSendsErrorInOnAuthenticate(self):
""" Test tat any AuthorizationErrors returned by onAuthenticate are handled. """
state = b'state\xFF\xFF'
scope = self._AUTH_RESOURCE.UNKNOWN_SCOPE
redirectUri = self._VALID_CLIENT.redirectUris[0]
request = self.createAuthRequest(arguments={
'response_type': 'code',
'client_id': self._VALID_CLIENT.id,
'redirect_uri': redirectUri,
'scope': scope,
'state': state
})
result = self._AUTH_RESOURCE.render_GET(request)
self.assertFailedRequest(
request, result, InvalidScopeError(scope, state=state), redirectUri=redirectUri,
msg='Expected the auth resource to send the error '
'returned from the onAuthenticate method.')
def testMalformedScope(self):
""" Test the rejection of a request with a malformed scope. """
malformedScope = b'malformedScope\xFF\xFF'
request = self.generateValidTokenRequest(
arguments={
'grant_type': 'password',
'scope': malformedScope,
'username': b'someUser',
'password': b'somePassword',
},
authentication=self._VALID_CLIENT)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(
request,
result,
InvalidScopeError(malformedScope),
msg=
'Expected the resource token to reject a password request with a malformed scope.'
)
def testAuthorizationInvalidScope(self):
""" Test that a authorization request with an invalid scope is rejected. """
scope = self._VALID_SCOPE + ['INVALID']
state = b'state'
request = OAuth2Abstract.AuthResourceTest.createAuthRequest(arguments={
'response_type': 'code',
'client_id': self._VALID_CLIENT.id,
'redirect_uri': self._VALID_CLIENT.redirectUris[0],
'scope': ' '.join(scope),
'state': state
})
self._makeExampleRequest(request)
expectedError = InvalidScopeError(scope, state)
self.assertEqual(302, request.responseCode,
msg='Expected the auth resource to redirect the request.')
redirectUrl = request.getResponseHeader(b'location')
self.assertIsNotNone(redirectUrl, msg='Expected the auth resource to redirect the request.')
parameter = OAuth2Abstract.AuthResourceTest.getParameterFromRedirectUrl(redirectUrl, False)
self.assertIn('error', parameter, msg='Missing error parameter in response.')
self.assertEqual(expectedError.name, parameter['error'],
msg='Result contained a different error than expected.')
self.assertIn('error_description', parameter,
msg='Missing error_description parameter in response.')
if not isinstance(expectedError.description, (bytes, str)):
self.assertEqual(
expectedError.description.encode('utf-8'), parameter['error_description'],
msg='Result contained a different error description than expected.')
else:
self.assertEqual(
expectedError.description, parameter['error_description'],
msg='Result contained a different error description than expected.')
if expectedError.errorUri is not None:
self.assertIn('error_uri', parameter,
msg='Missing error_uri parameter in response.')
self.assertEqual(expectedError.errorUri, parameter['error_uri'],
msg='Result contained an unexpected error_uri.')
self.assertIn('state', parameter, msg='Missing state parameter in response.')
self.assertEqual(
expectedError.state if isinstance(expectedError.state, str)
else expectedError.state.decode('utf-8', errors='replace'), parameter['state'],
msg='Result contained an unexpected state.')
def testSendsErrorReturnedByOnAuthenticate(self):
"""
Test that any AuthorizationErrors returned by onAuthenticate
are handled with a deprecation warning.
"""
state = b'state\xFF\xFF'
scope = self._AUTH_RESOURCE.UNKNOWN_SCOPE_RETURN
redirectUri = self._VALID_CLIENT.redirectUris[0]
request = self.createAuthRequest(
arguments={
'response_type': 'code',
'client_id': self._VALID_CLIENT.id,
'redirect_uri': redirectUri,
'scope': scope,
'state': state
})
with warnings.catch_warnings(record=True) as caughtWarnings:
warnings.simplefilter('always')
result = self._AUTH_RESOURCE.render_GET(request)
self.assertEqual(
1,
len(caughtWarnings),
msg='Expected the OAuth2 resource to generate a warning, if '
'onAuthenticate returns an OAuth2Error instead of raising it')
self.assertTrue(
issubclass(caughtWarnings[0].category, DeprecationWarning),
msg=
'Expected the token resource to generate a DeprecationWarning')
self.assertIn(
'Returning an error from onAuthenticate is deprecated',
str(caughtWarnings[0].message),
msg=
'Expected the token resource to generate a DeprecationWarning explaining that '
'returning an error from onAuthenticate is deprecated.')
self.assertFailedRequest(
request,
result,
InvalidScopeError(scope, state=state),
redirectUri=redirectUri,
msg='Expected the auth resource to send the error '
'returned from the onAuthenticate method.')
def onAuthenticate(self, request, client, responseType, scope, redirectUri,
state, dataKey):
for scopeItem in scope:
if scopeItem not in self._VALID_SCOPES:
raise InvalidScopeError(scope, state)
return """<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Authorization</title>
</head>
<body>
<form action="/oauth2" method="post">
<p>Allow {client} access to {scope}?</p>
<input type="hidden" name="data_key" value="{dataKey}">
<input type="submit" name="confirm" value="yes">
<input type="submit" name="confirm" value="no">
</form>
</body>
</html>""".format(client=client.id, scope=', '.join(scope),
dataKey=dataKey).encode('utf-8')
def testAuthorizedClientInvalidScope(self):
""" Test the rejection of a request with an invalid scope parameters. """
request = self.generateValidTokenRequest(
arguments={
'grant_type': 'client_credentials',
'scope': ' '.join(self._VALID_SCOPE),
},
authentication=self._VALID_CLIENT)
self._TOKEN_FACTORY.expectTokenRequest(
'token',
self._TOKEN_RESOURCE.authTokenLifeTime,
self._VALID_CLIENT,
self._VALID_SCOPE,
validScope=False)
result = self._TOKEN_RESOURCE.render_POST(request)
self._TOKEN_FACTORY.assertAllTokensRequested()
self.assertFailedTokenRequest(
request,
result,
InvalidScopeError(self._VALID_SCOPE),
msg='Expected the resource token to reject a '
'client_credentials request with invalid scope parameters.')