def test_post_using_auth_in_body_content_type_and_application_x_www_form_urlencoded(self):
"""Opposite of test_that_initialize_server_request_when_custom_content_type,
If content type is application/x-www-form-urlencoded, post data should be added to params,
and it affects signature
"""
self._request_token()
self._authorize_and_access_token_using_form()
data={"foo": "bar"}
content_type = "application/x-www-form-urlencoded"
querystring = self.__make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
#we're just using the request, don't bother faking sending it
rf = RequestFactory()
request = rf.post(querystring, urllib.urlencode(data), content_type)
#this is basically a "remake" of the relevant parts of OAuthAuthentication in django-rest-framework
oauth_request = utils.get_oauth_request(request)
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
oauth_server, oauth_request = utils.initialize_server_request(request)
#check that this does not throw an oauth.Error
oauth_server.verify_request(oauth_request, consumer, token)
def set_normal_authorization(request, r_dict):
auth_params = r_dict['headers']['Authorization']
# OAuth1 and basic http auth come in as string
r_dict['auth']['endpoint'] = get_endpoint(request)
if auth_params[:6] == 'OAuth ':
oauth_request = get_oauth_request(request)
# Returns HttpBadRequest if missing any params
missing = require_params(oauth_request)
if missing:
raise missing
check = CheckOauth()
e_type, error = check.check_access_token(request)
if e_type and error:
if e_type == 'auth':
raise OauthUnauthorized(error)
else:
raise OauthBadRequest(error)
# Consumer and token should be clean by now
consumer = store.get_consumer(request, oauth_request,
oauth_request['oauth_consumer_key'])
token = store.get_access_token(
request, oauth_request, consumer,
oauth_request.get_parameter('oauth_token'))
# Set consumer and token for authentication piece
r_dict['auth']['oauth_consumer'] = consumer
r_dict['auth']['oauth_token'] = token
r_dict['auth']['type'] = 'oauth'
else:
r_dict['auth']['type'] = 'http'
def test_that_initialize_server_request_when_custom_content_type(self):
"""Chceck if post data is not included in params when constent type
is not application/x-www-form-urlencoded. It would cause problems only when signature method is
HMAC-SHA1
"""
data = json.dumps({"data": {"foo": "bar"}})
content_type = "application/json"
querystring = self.__make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
#we're just using the request, don't bother faking sending it
rf = RequestFactory()
request = rf.post(querystring, data, content_type)
#this is basically a "remake" of the relevant parts of OAuthAuthentication in django-rest-framework
oauth_request = utils.get_oauth_request(request)
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
oauth_server, oauth_request = utils.initialize_server_request(request)
#check that this does not throw an oauth.Error
oauth_server.verify_request(oauth_request, consumer, token)
def test_that_initialize_server_request_when_custom_content_type(self):
"""Chceck if post data is not included in params when constent type
is not application/x-www-form-urlencoded. It would cause problems only when signature method is
HMAC-SHA1
"""
data = json.dumps({"data": {"foo": "bar"}})
content_type = "application/json"
querystring = self._make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
#we're just using the request, don't bother faking sending it
rf = RequestFactory()
request = rf.post(querystring, data, content_type)
#this is basically a "remake" of the relevant parts of OAuthAuthentication in django-rest-framework
oauth_request = utils.get_oauth_request(request)
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
oauth_server, oauth_request = utils.initialize_server_request(request)
#check that this does not throw an oauth.Error
oauth_server.verify_request(oauth_request, consumer, token)
def is_authenticated(self, request, **kwargs):
from oauth_provider.store import store, InvalidTokenError
if self.is_valid_request(request):
oauth_request = oauth_provider.utils.get_oauth_request(request)
consumer = store.get_consumer(
request, oauth_request,
oauth_request.get_parameter('oauth_consumer_key'))
try:
token = store.get_access_token(
request, oauth_request, consumer,
oauth_request.get_parameter('oauth_token'))
except oauth_provider.store.InvalidTokenError:
return oauth_provider.utils.send_oauth_error(
oauth2.Error(
_('Invalid access token: %s') %
oauth_request.get_parameter('oauth_token')))
try:
self.validate_token(request, consumer, token)
except oauth2.Error, e:
return oauth_provider.utils.send_oauth_error(e)
if consumer and token:
if not self.check_active(token.user):
return False
request.user = token.user
return True
return oauth_provider.utils.send_oauth_error(
oauth2.Error(
_('You are not allowed to access this resource.')))
def authenticate_user(*args, **kwargs):
request = args[1]
try:
oauth_request = get_oauth_request(request)
consumer = store.get_consumer(request, oauth_request,
oauth_request['oauth_consumer_key'])
verify_oauth_request(request, oauth_request, consumer)
# Allow a trusted client to either give us a user via header, or do the
# 3-legged oauth
user = None
try:
trusted_client = TrustedOAuthClient.objects.get(consumer=consumer)
if trusted_client and trusted_client.is_trusted:
user = request.META["HTTP_X_OAUTH_USER"]
except Exception as e:
pass
if not user:
access_token = store.get_access_token(
request, oauth_request, consumer,
oauth_request[u'oauth_token'])
user = store.get_user_for_access_token(request, oauth_request,
access_token).username
request.META['SS_OAUTH_CONSUMER_NAME'] = consumer.name
request.META['SS_OAUTH_CONSUMER_PK'] = consumer.pk
request.META['SS_OAUTH_USER'] = user
return
except Exception as e:
response = HttpResponse("Error authorizing user: %s" % e)
response.status_code = 401
return response
def test_post_using_auth_in_body_content_type_and_application_x_www_form_urlencoded(self):
"""Opposite of test_that_initialize_server_request_when_custom_content_type,
If content type is application/x-www-form-urlencoded, post data should be added to params,
and it affects signature
"""
self._request_token()
self._authorize_and_access_token_using_form()
data = {"foo": "bar"}
content_type = "application/x-www-form-urlencoded"
querystring = self._make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
#we're just using the request, don't bother faking sending it
rf = RequestFactory()
request = rf.post(querystring, urllib.urlencode(data), content_type)
# this is basically a "remake" of the relevant parts of
# OAuthAuthentication in django-rest-framework
oauth_request = utils.get_oauth_request(request)
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
oauth_server, oauth_request = utils.initialize_server_request(request)
#check that this does not throw an oauth.Error
oauth_server.verify_request(oauth_request, consumer, token)
def authenticate_user(*args, **kwargs):
request = args[1]
try:
oauth_request = get_oauth_request(request)
consumer = store.get_consumer(request, oauth_request,
oauth_request['oauth_consumer_key'])
verify_oauth_request(request, oauth_request, consumer)
# Allow a trusted client to either give us a user via header, or do the
# 3-legged oauth
user = None
try:
trusted_client = TrustedOAuthClient.objects.get(consumer=consumer)
if trusted_client and trusted_client.is_trusted:
user = request.META["HTTP_XOAUTH_USER"]
except Exception as e:
pass
if not user:
access_token = store.get_access_token(request, oauth_request, consumer, oauth_request[u'oauth_token'])
user = store.get_user_for_access_token(request, oauth_request, access_token).username
request.META['SS_OAUTH_CONSUMER_NAME'] = consumer.name
request.META['SS_OAUTH_CONSUMER_PK'] = consumer.pk
request.META['SS_OAUTH_USER'] = user
return
except Exception as e:
response = HttpResponse("Error authorizing application")
response.status_code = 401
return response
def is_authenticated(self, request, **kwargs):
if is_valid_request(request, ['oauth_consumer_key']):
# Just checking if you're allowed to be there
oauth_request = get_oauth_request(request)
try:
consumer = store.get_consumer(
request, oauth_request,
oauth_request.get_parameter('oauth_consumer_key'))
try:
if oauth_request.get_parameter('oauth_token'):
try:
token = store.get_access_token(
request, oauth_request, consumer,
oauth_request.get_parameter('oauth_token'))
if not verify_oauth_request(
request, oauth_request, consumer,
token=token):
return False
if consumer and token:
request.user = token.user
except InvalidTokenError:
return False
except:
pass
return True
except InvalidConsumerError:
return False
return False
def set_normal_authorization(request, r_dict):
auth_params = r_dict['headers']['Authorization']
# OAuth1 and basic http auth come in as string
r_dict['auth']['endpoint'] = get_endpoint(request)
if auth_params[:6] == 'OAuth ':
oauth_request = get_oauth_request(request)
# Returns HttpBadRequest if missing any params
missing = require_params(oauth_request)
if missing:
raise missing
check = CheckOauth()
e_type, error = check.check_access_token(request)
if e_type and error:
if e_type == 'auth':
raise OauthUnauthorized(error)
else:
raise OauthBadRequest(error)
# Consumer and token should be clean by now
consumer = store.get_consumer(
request, oauth_request, oauth_request['oauth_consumer_key'])
token = store.get_access_token(
request, oauth_request, consumer, oauth_request.get_parameter('oauth_token'))
# Set consumer and token for authentication piece
r_dict['auth']['oauth_consumer'] = consumer
r_dict['auth']['oauth_token'] = token
r_dict['auth']['type'] = 'oauth'
else:
r_dict['auth']['type'] = 'http'
def is_authenticated(self, request, **kwargs):
from oauth_provider.store import store
if self.is_valid_request(request):
oauth_request = oauth_provider.utils.get_oauth_request(request)
consumer = store.get_consumer(request, oauth_request, oauth_request.get_parameter('oauth_consumer_key'))
try:
token = store.get_access_token(request, oauth_request, consumer, oauth_request.get_parameter('oauth_token'))
except oauth_provider.store.InvalidTokenError:
return oauth_provider.utils.send_oauth_error(oauth2.Error(_('Invalid access token: %s') % oauth_request.get_parameter('oauth_token')))
try:
self.validate_token(request, consumer, token)
except oauth2.Error as e:
return oauth_provider.utils.send_oauth_error(e)
if consumer and token:
if not self.check_active(token.user):
return False
request.user = token.user
return True
return oauth_provider.utils.send_oauth_error(oauth2.Error(_('You are not allowed to access this resource.')))
return oauth_provider.utils.send_oauth_error(oauth2.Error(_('Invalid request parameters.')))
def inner(request, *args, **kwargs):
auth = None
if 'HTTP_AUTHORIZATION' in request.META:
auth = request.META.get('HTTP_AUTHORIZATION')
elif 'Authorization' in request.META:
auth = request.META.get('Authorization')
elif request.user:
auth = request.user
if auth:
if isinstance(auth, basestring):
if auth[:6] == 'OAuth ':
oauth_request = get_oauth_request(request)
# Returns HttpBadRequest if missing any params
missing = require_params(oauth_request)
if missing:
raise missing
check = CheckOauth()
e_type, error = check.check_access_token(request)
if e_type and error:
if e_type == 'auth':
raise OauthUnauthorized(error)
else:
raise OauthBadRequest(error)
# Consumer and token should be clean by now
consumer = store.get_consumer(
request, oauth_request, oauth_request['oauth_consumer_key'])
token = store.get_access_token(
request, oauth_request, consumer, oauth_request.get_parameter('oauth_token'))
request.META['lrs-user'] = token.user
else:
auth = auth.split()
if len(auth) == 2:
if auth[0].lower() == 'basic':
uname, passwd = base64.b64decode(
auth[1]).split(':')
if uname and passwd:
user = authenticate(
username=uname, password=passwd)
if not user:
request.META[
'lrs-user'] = (False, "Unauthorized: Authorization failed, please verify your username and password")
request.META['lrs-user'] = (True, user)
else:
request.META[
'lrs-user'] = (False, "Unauthorized: The format of the HTTP Basic Authorization Header value is incorrect")
else:
request.META[
'lrs-user'] = (False, "Unauthorized: HTTP Basic Authorization Header must start with Basic")
else:
request.META[
'lrs-user'] = (False, "Unauthorized: The format of the HTTP Basic Authorization Header value is incorrect")
else:
request.META['lrs-user'] = (True, '')
else:
request.META[
'lrs-user'] = (False, "Unauthorized: Authorization must be supplied")
return func(request, *args, **kwargs)
def inner(request, *args, **kwargs):
auth = None
if 'HTTP_AUTHORIZATION' in request.META:
auth = request.META.get('HTTP_AUTHORIZATION')
elif 'Authorization' in request.META:
auth = request.META.get('Authorization')
elif request.user:
auth = request.user
if auth:
if isinstance(auth, basestring):
if auth[:6] == 'OAuth ':
oauth_request = get_oauth_request(request)
# Returns HttpBadRequest if missing any params
missing = require_params(oauth_request)
if missing:
raise missing
check = CheckOauth()
e_type, error = check.check_access_token(request)
if e_type and error:
if e_type == 'auth':
raise OauthUnauthorized(error)
else:
raise OauthBadRequest(error)
# Consumer and token should be clean by now
consumer = store.get_consumer(
request, oauth_request, oauth_request['oauth_consumer_key'])
token = store.get_access_token(
request, oauth_request, consumer, oauth_request.get_parameter('oauth_token'))
request.META['lrs-user'] = token.user
else:
auth = auth.split()
if len(auth) == 2:
if auth[0].lower() == 'basic':
uname, passwd = base64.b64decode(
auth[1]).split(':')
if uname and passwd:
user = authenticate(
username=uname, password=passwd)
if not user:
request.META[
'lrs-user'] = (False, "Unauthorized: Authorization failed, please verify your username and password")
request.META['lrs-user'] = (True, user)
else:
request.META[
'lrs-user'] = (False, "Unauthorized: The format of the HTTP Basic Authorization Header value is incorrect")
else:
request.META[
'lrs-user'] = (False, "Unauthorized: HTTP Basic Authorization Header must start with Basic")
else:
request.META[
'lrs-user'] = (False, "Unauthorized: The format of the HTTP Basic Authorization Header value is incorrect")
else:
request.META['lrs-user'] = (True, '')
else:
request.META[
'lrs-user'] = (False, "Unauthorized: Authorization must be supplied")
return func(request, *args, **kwargs)
def set_authorization(r_dict, request):
auth_params = r_dict['headers']['Authorization']
# OAuth1 and basic http auth come in as string
r_dict['auth']['endpoint'] = get_endpoint(request)
if auth_params[:6] == 'OAuth ':
oauth_request = get_oauth_request(request)
# Returns HttpBadRequest if missing any params
missing = require_params(oauth_request)
if missing:
raise missing
check = CheckOauth()
e_type, error = check.check_access_token(request)
if e_type and error:
if e_type == 'auth':
raise OauthUnauthorized(error)
else:
raise OauthBadRequest(error)
# Consumer and token should be clean by now
consumer = store.get_consumer(request, oauth_request,
oauth_request['oauth_consumer_key'])
token = store.get_access_token(
request, oauth_request, consumer,
oauth_request.get_parameter('oauth_token'))
# Set consumer and token for authentication piece
r_dict['auth']['oauth_consumer'] = consumer
r_dict['auth']['oauth_token'] = token
r_dict['auth']['type'] = 'oauth'
elif auth_params[:7] == 'Bearer ':
try:
access_token = AccessToken.objects.get(token=auth_params[7:])
except AccessToken.DoesNotExist:
raise OauthUnauthorized("Access Token does not exist")
else:
if access_token.get_expire_delta() <= 0:
raise OauthUnauthorized('Access Token has expired')
r_dict['auth']['oauth_token'] = access_token
r_dict['auth']['type'] = 'oauth2'
else:
r_dict['auth']['type'] = 'http'
def set_authorization(r_dict, request):
auth_params = r_dict['headers']['Authorization']
# OAuth1 and basic http auth come in as string
r_dict['auth']['endpoint'] = get_endpoint(request)
if auth_params[:6] == 'OAuth ':
oauth_request = get_oauth_request(request)
# Returns HttpBadRequest if missing any params
missing = require_params(oauth_request)
if missing:
raise missing
check = CheckOauth()
e_type, error = check.check_access_token(request)
if e_type and error:
if e_type == 'auth':
raise OauthUnauthorized(error)
else:
raise OauthBadRequest(error)
# Consumer and token should be clean by now
consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key'])
token = store.get_access_token(request, oauth_request, consumer, oauth_request.get_parameter('oauth_token'))
# Set consumer and token for authentication piece
r_dict['auth']['oauth_consumer'] = consumer
r_dict['auth']['oauth_token'] = token
r_dict['auth']['type'] = 'oauth'
elif auth_params[:7] == 'Bearer ':
try:
access_token = AccessToken.objects.get(token=auth_params[7:])
except AccessToken.DoesNotExist:
raise OauthUnauthorized("Access Token does not exist")
else:
if access_token.get_expire_delta() <= 0:
raise OauthUnauthorized('Access Token has expired')
r_dict['auth']['oauth_token'] = access_token
r_dict['auth']['type'] = 'oauth2'
else:
r_dict['auth']['type'] = 'http'
def authenticate(self, request):
"""
Returns two-tuple of (user, token) if authentication succeeds,
or None otherwise.
"""
try:
oauth_request = oauth_provider.utils.get_oauth_request(request)
except oauth.Error as err:
raise exceptions.AuthenticationFailed(err.message)
if not oauth_request:
return None
oauth_params = oauth_provider.consts.OAUTH_PARAMETERS_NAMES
found = any(param for param in oauth_params if param in oauth_request)
missing = list(param for param in oauth_params
if param not in oauth_request)
if not found:
# OAuth authentication was not attempted.
return None
if missing:
# OAuth was attempted but missing parameters.
msg = 'Missing parameters: %s' % (', '.join(missing))
raise exceptions.AuthenticationFailed(msg)
if not self.check_nonce(request, oauth_request):
msg = 'Nonce check failed'
raise exceptions.AuthenticationFailed(msg)
try:
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(
request, oauth_request, consumer_key)
except oauth_provider.store.InvalidConsumerError:
msg = 'Invalid consumer token: %s' % oauth_request.get_parameter(
'oauth_consumer_key')
raise exceptions.AuthenticationFailed(msg)
if consumer.status != oauth_provider.consts.ACCEPTED:
msg = 'Invalid consumer key status: %s' % consumer.get_status_display(
)
raise exceptions.AuthenticationFailed(msg)
try:
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(
request, oauth_request, consumer, token_param)
except oauth_provider.store.InvalidTokenError:
msg = 'Invalid access token: %s' % oauth_request.get_parameter(
'oauth_token')
raise exceptions.AuthenticationFailed(msg)
try:
self.validate_token(request, consumer, token)
except oauth.Error as err:
raise exceptions.AuthenticationFailed(err.message)
user = token.user
if not user.is_active:
msg = 'User inactive or deleted: %s' % user.username
raise exceptions.AuthenticationFailed(msg)
return (token.user, token)
def authenticate(self, request):
"""
Returns two-tuple of (user, token) if authentication succeeds,
or None otherwise.
"""
try:
oauth_request = oauth_provider.utils.get_oauth_request(request)
except oauth.Error as err:
raise exceptions.AuthenticationFailed(err.message)
if not oauth_request:
return None
oauth_params = oauth_provider.consts.OAUTH_PARAMETERS_NAMES
found = any(param for param in oauth_params if param in oauth_request)
missing = list(param for param in oauth_params if param not in oauth_request)
if not found:
# OAuth authentication was not attempted.
return None
if missing:
# OAuth was attempted but missing parameters.
msg = 'Missing parameters: %s' % (', '.join(missing))
raise exceptions.AuthenticationFailed(msg)
if not self.check_nonce(request, oauth_request):
msg = 'Nonce check failed'
raise exceptions.AuthenticationFailed(msg)
try:
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
except oauth_provider.store.InvalidConsumerError:
msg = 'Invalid consumer token: %s' % oauth_request.get_parameter('oauth_consumer_key')
raise exceptions.AuthenticationFailed(msg)
if consumer.status != oauth_provider.consts.ACCEPTED:
msg = 'Invalid consumer key status: %s' % consumer.get_status_display()
raise exceptions.AuthenticationFailed(msg)
try:
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
except oauth_provider.store.InvalidTokenError:
msg = 'Invalid access token: %s' % oauth_request.get_parameter('oauth_token')
raise exceptions.AuthenticationFailed(msg)
try:
self.validate_token(request, consumer, token)
except oauth.Error as err:
raise exceptions.AuthenticationFailed(err.message)
user = token.user
if not user.is_active:
msg = 'User inactive or deleted: %s' % user.username
raise exceptions.AuthenticationFailed(msg)
return (token.user, token)