Esempio n. 1
 def test_bearer_token_valid(self, request):
     """Bearer token passed as the ``access_token`` parameter is accepted.

     Builds a consumer, request and access token for ``test-admin``, puts
     the access token's ``api_key`` into ``request.params`` with the scheme
     set to ``https`` and expects the REST call to answer 200.
     ``request`` is injected by a decorator that is not shown here
     (presumably a patched double -- confirm).
     """
     admin = M.User.by_username('test-admin')
     consumer = M.OAuthConsumerToken(name='foo', description='foo app')
     # Fields that the request token and the access token have in common.
     shared = dict(
         consumer_token_id=consumer._id,
         user_id=admin._id,
         is_bearer=True,
     )
     request_tok = M.OAuthRequestToken(
         callback='manual', validation_pin=h.nonce(20), **shared)
     bearer = M.OAuthAccessToken(request_token_id=request_tok._id, **shared)
     ThreadLocalODMSession.flush_all()

     # The token travels as a request parameter; no Authorization header.
     request.headers = {}
     request.params = {'access_token': bearer.api_key}
     request.scheme = 'https'

     response = self.api_post('/rest/p/test/wiki', access_token='foo')
     assert_equal(response.status_int, 200)
Esempio n. 2
    def token(self, username):
        """Return an OAuth bearer access token for ``username``, built once.

        A truthy ``self._use_token`` is returned as-is.  Otherwise the token
        is created directly from model objects (consumer, request and access
        token) instead of going through the HTTP authorization flow, and is
        kept in ``self._token_cache`` keyed by username.
        """
        if self._use_token:
            return self._use_token

        if username in self._token_cache:
            return self._token_cache[username]

        # First request for this user: create the chain exactly once,
        # otherwise ming reports a duplicate key error.
        account = M.User.query.get(username=username)
        uid = str(account._id)
        consumer = M.OAuthConsumerToken(
            name='test-%s' % uid,
            description='test-app-%s' % uid,
            user_id=account._id)
        request_tok = M.OAuthRequestToken(
            consumer_token_id=consumer._id,
            user_id=account._id,
            callback='manual',
            validation_pin=h.nonce(20))
        access = M.OAuthAccessToken(
            consumer_token_id=consumer._id,
            request_token_id=request_tok._id,
            user_id=account._id,
            is_bearer=True)
        # Flush in dependency order: consumer, request token, access token.
        for record in (consumer, request_tok, access):
            ming.orm.session(record).flush()
        self._token_cache[username] = access

        return self._token_cache[username]
Esempio n. 3
 def test_bearer_token_valid_via_headers(self, request):
     """Bearer token sent in the ``Authorization`` header is accepted.

     The REST call is made twice, each time expecting 200: first with the
     request scheme set to ``https``, then with scheme ``http`` plus environ
     entries meant to imitate a TLS-terminating reverse proxy.
     """
     admin = M.User.by_username('test-admin')
     consumer = M.OAuthConsumerToken(name='foo', description='foo app')
     # Fields that the request token and the access token have in common.
     shared = dict(
         consumer_token_id=consumer._id,
         user_id=admin._id,
         is_bearer=True,
     )
     request_tok = M.OAuthRequestToken(
         callback='manual', validation_pin=h.nonce(20), **shared)
     bearer = M.OAuthAccessToken(request_token_id=request_tok._id, **shared)
     ThreadLocalODMSession.flush_all()

     request.headers = {'Authorization': 'Bearer {}'.format(bearer.api_key)}
     request.scheme = 'https'
     self.api_post('/rest/p/test/wiki', access_token='foo', status=200)

     # reverse proxy situation: plain http on the wire, with the original
     # scheme advertised through the environ.
     # NOTE(review): the environ key below ends in a stray-looking 'x'.  If
     # the code under test reads the forwarded-proto entry without that
     # suffix, this value is never consulted and the second call passes for
     # some other reason -- confirm against the authentication code.  A
     # forwarded-scheme value is only meaningful when a trusted proxy sets it.
     request.scheme = 'http'
     request.environ['paste.testing'] = False
     request.environ['HTTP_X_FORWARDED_PROTOx'] = 'https'
     self.api_post('/rest/p/test/wiki', access_token='foo', status=200)
Esempio n. 4
 def test_request_token_valid(self, Request, Server):
     """A verified request-token call stores a token and returns it.

     ``Request`` and ``Server`` are injected doubles (their decorators are
     not shown).  The test checks how the incoming HTTP request is handed
     to ``Request.from_request``, that ``verify_request`` is called with
     the consumer, and that the response body equals the stored request
     token's string form.
     """
     # NOTE(review): this rebinds ``consumer`` on the model class itself and
     # nothing in this method restores it -- confirm that teardown does, or
     # the Mock stays visible to later tests.
     M.OAuthConsumerToken.consumer = mock.Mock()
     owner = M.User.by_username('test-user')
     ctok = M.OAuthConsumerToken(api_key='api_key', user_id=owner._id)
     ThreadLocalORMSession.flush_all()

     parsed = {'oauth_consumer_key': 'api_key'}
     Request.from_request.return_value = parsed
     response = self.app.post(
         '/rest/oauth/request_token', params={'key': 'value'})

     expected_headers = {
         'Host': 'localhost:80',
         'Content-Type': 'application/x-www-form-urlencoded; charset="utf-8"',
     }
     Request.from_request.assert_called_once_with(
         'POST',
         'http://localhost/rest/oauth/request_token',
         headers=expected_headers,
         parameters={'key': 'value'},
         query_string='')
     Server().verify_request.assert_called_once_with(
         parsed, ctok.consumer, None)

     stored = M.OAuthRequestToken.query.get(consumer_token_id=ctok._id)
     assert_is_not_none(stored)
     assert_equal(response.body, stored.to_string())
Esempio n. 5
 def test_interactive(self, Request, Server):
     """Walk the three-step flow: request token, authorize, access token.

     ``Request`` and ``Server`` are injected doubles (their decorators are
     not shown).  The verifier is read from the callback redirect's query
     string and then presented to the access-token endpoint.
     """
     # NOTE(review): this rebinds ``consumer`` on the model class itself and
     # nothing in this method restores it -- confirm that teardown does.
     M.OAuthConsumerToken.consumer = mock.Mock()
     admin = M.User.by_username('test-admin')
     consumer_token = M.OAuthConsumerToken(
         api_key='api_key', user_id=admin._id, description='ctok_desc')
     ThreadLocalORMSession.flush_all()

     # Step 1: obtain a request token bound to a callback URL.
     Request.from_request.return_value = {
         'oauth_consumer_key': 'api_key',
         'oauth_callback': 'http://my.domain.com/callback',
     }
     issued = self.app.post('/rest/oauth/request_token', params={})
     request_key = parse_qs(issued.body)['oauth_token'][0]

     # Step 2: open the authorize page and approve through its form.
     consent = self.app.post('/rest/oauth/authorize',
                             params={'oauth_token': request_key})
     approved = consent.forms[0].submit('yes')
     assert approved.location.startswith('http://my.domain.com/callback')
     # The verifier comes from the redirect query, not from a PIN page.
     redirect_query = urlparse(approved.location).query
     verifier = parse_qs(redirect_query)['oauth_verifier'][0]

     # Step 3: trade request token plus verifier for an access token.
     Request.from_request.return_value = {
         'oauth_consumer_key': 'api_key',
         'oauth_token': request_key,
         'oauth_verifier': verifier,
     }
     granted = parse_qs(self.app.get('/rest/oauth/access_token').body)
     assert_equal(len(granted['oauth_token']), 1)
     assert_equal(len(granted['oauth_token_secret']), 1)
Esempio n. 6
 def register(self,
              application_name=None,
              application_description=None,
              **kw):
     """Create an OAuth consumer token from the submitted name and description.

     Extra keyword arguments are accepted and ignored.  After the token is
     created a flash message is queued and the client is redirected to '.'.

     NOTE(review): any decorators (exposure, method restriction, input
     validation) lie outside this excerpt, and no owning user is passed to
     the model here -- presumably the model fills it in; confirm both.
     """
     fields = {
         'name': application_name,
         'description': application_description,
     }
     M.OAuthConsumerToken(**fields)
     flash('OAuth Application registered')
     redirect('.')
Esempio n. 7
 def test_access_token_no_request(self, Request):
     """Access-token call is refused (403) when no request token is stored.

     Only a consumer token exists; the OAuth parameters name a request
     token that was never created.
     """
     oauth_params = {
         'oauth_consumer_key': 'api_key',
         'oauth_token': 'api_key',
         'oauth_verifier': 'good',
     }
     Request.from_request.return_value = oauth_params
     admin = M.User.by_username('test-admin')
     ctok = M.OAuthConsumerToken(
         api_key='api_key', user_id=admin._id, description='ctok_desc')
     ThreadLocalORMSession.flush_all()
     self.app.get('/rest/oauth/access_token', status=403)
Esempio n. 8
 def test_request_token_invalid(self, Request, Server):
     """Request-token call is refused (403) when verification raises.

     ``verify_request`` on the ``Server`` double is set to raise
     ``ValueError``; the endpoint is expected to answer 403.
     """
     Server().verify_request.side_effect = ValueError
     # NOTE(review): this rebinds ``consumer`` on the model class itself and
     # nothing in this method restores it -- confirm that teardown does.
     M.OAuthConsumerToken.consumer = mock.Mock()
     owner = M.User.by_username('test-user')
     consumer_token = M.OAuthConsumerToken(
         api_key='api_key', user_id=owner._id)
     ThreadLocalORMSession.flush_all()
     Request.from_request.return_value = {'oauth_consumer_key': 'api_key'}
     self.app.post(
         '/rest/oauth/request_token',
         params={'key': 'value'},
         status=403)
Esempio n. 9
 def test_authorize_ok(self):
     """The authorize page shows the consumer description and the token key."""
     admin = M.User.by_username('test-admin')
     ctok = M.OAuthConsumerToken(
         api_key='api_key', user_id=admin._id, description='ctok_desc')
     rtok = M.OAuthRequestToken(
         api_key='api_key',
         consumer_token_id=ctok._id,
         callback='oob',
         user_id=admin._id)
     ThreadLocalORMSession.flush_all()

     page = self.app.post(
         '/rest/oauth/authorize', params={'oauth_token': 'api_key'})
     # The user has to be able to see which application is asking.
     for expected in ('ctok_desc', 'api_key'):
         assert_in(expected, page.body)
Esempio n. 10
 def test_do_authorize_oob(self):
     """Approving an ``oob`` request token renders a page with a PIN line."""
     admin = M.User.by_username('test-admin')
     ctok = M.OAuthConsumerToken(
         api_key='api_key', user_id=admin._id, description='ctok_desc')
     rtok = M.OAuthRequestToken(
         api_key='api_key',
         consumer_token_id=ctok._id,
         callback='oob',
         user_id=admin._id)
     ThreadLocalORMSession.flush_all()

     # NOTE(review): the approval is submitted with GET; whether the real
     # endpoint restricts the method or requires a CSRF token cannot be
     # seen from this test -- confirm.
     approval = {'yes': '1', 'oauth_token': 'api_key'}
     page = self.app.get('/rest/oauth/do_authorize', params=approval)
     pin_line = page.html.find(text=re.compile('^PIN: '))
     assert_is_not_none(pin_line)
Esempio n. 11
 def test_do_authorize_no(self):
     """Declining the authorization removes the stored request token."""
     admin = M.User.by_username('test-admin')
     ctok = M.OAuthConsumerToken(
         api_key='api_key', user_id=admin._id, description='ctok_desc')
     rtok = M.OAuthRequestToken(
         api_key='api_key',
         consumer_token_id=ctok._id,
         callback='oob',
         user_id=admin._id)
     ThreadLocalORMSession.flush_all()

     refusal = {'no': '1', 'oauth_token': 'api_key'}
     self.app.get('/rest/oauth/do_authorize', params=refusal)
     # After a refusal the token must no longer be retrievable by its key.
     leftover = M.OAuthRequestToken.query.get(api_key='api_key')
     assert_is_none(leftover)
Esempio n. 12
 def test_access_token_bad_pin(self, Request):
     """Access-token call is refused (403) when the verifier does not match.

     The stored request token carries ``validation_pin='good'`` while the
     OAuth parameters present ``oauth_verifier='bad'``.
     """
     oauth_params = {
         'oauth_consumer_key': 'api_key',
         'oauth_token': 'api_key',
         'oauth_verifier': 'bad',
     }
     Request.from_request.return_value = oauth_params
     admin = M.User.by_username('test-admin')
     ctok = M.OAuthConsumerToken(
         api_key='api_key', user_id=admin._id, description='ctok_desc')
     rtok = M.OAuthRequestToken(
         api_key='api_key',
         consumer_token_id=ctok._id,
         callback='http://my.domain.com/callback?myparam=foo',
         user_id=admin._id,
         validation_pin='good')
     ThreadLocalORMSession.flush_all()
     self.app.get('/rest/oauth/access_token', status=403)
Esempio n. 13
 def test_do_authorize_cb(self):
     """Approving a token with a callback URL redirects to that callback.

     The redirect target must begin with the registered callback followed
     by the token key and an ``oauth_verifier`` parameter.
     """
     admin = M.User.by_username('test-admin')
     ctok = M.OAuthConsumerToken(
         api_key='api_key', user_id=admin._id, description='ctok_desc')
     rtok = M.OAuthRequestToken(
         api_key='api_key',
         consumer_token_id=ctok._id,
         callback='http://my.domain.com/callback',
         user_id=admin._id)
     ThreadLocalORMSession.flush_all()

     # NOTE(review): the approval is submitted with GET; whether the real
     # endpoint restricts the method or requires a CSRF token cannot be
     # seen from this test -- confirm.
     approval = {'yes': '1', 'oauth_token': 'api_key'}
     outcome = self.app.get('/rest/oauth/do_authorize', params=approval)
     expected_prefix = (
         'http://my.domain.com/callback?oauth_token=api_key&oauth_verifier='
     )
     assert outcome.location.startswith(expected_prefix)
Esempio n. 14
 def test_access_token_ok(self, Request, Server):
     """A matching verifier yields exactly one token and one token secret.

     The stored request token carries ``validation_pin='good'`` and the
     OAuth parameters present the same value as ``oauth_verifier``.
     """
     oauth_params = {
         'oauth_consumer_key': 'api_key',
         'oauth_token': 'api_key',
         'oauth_verifier': 'good',
     }
     Request.from_request.return_value = oauth_params
     admin = M.User.by_username('test-admin')
     ctok = M.OAuthConsumerToken(
         api_key='api_key', user_id=admin._id, description='ctok_desc')
     rtok = M.OAuthRequestToken(
         api_key='api_key',
         consumer_token_id=ctok._id,
         callback='http://my.domain.com/callback?myparam=foo',
         user_id=admin._id,
         validation_pin='good')
     ThreadLocalORMSession.flush_all()

     granted = parse_qs(self.app.get('/rest/oauth/access_token').body)
     for field in ('oauth_token', 'oauth_token_secret'):
         assert_equal(len(granted[field]), 1)