def test_csrf_token_generation(self):
h = SimpleAuthHandler()
token = h._generate_csrf_token()
token2 = h._generate_csrf_token()
self.assertNotEqual(token, token2)
decoded = base64.urlsafe_b64decode(token)
tok, ts = decoded.rsplit(h.OAUTH2_CSRF_DELIMITER, 1)
# > 10 so that I won't have to modify this test if the length changes
# in the future
self.assertTrue(len(tok) > 10)
# token generation can't really take more than 1 sec here
self.assertFalse(long(time.time()) - long(ts) > 1)
def test_csrf_token_generation(self):
h = SimpleAuthHandler()
token = h._generate_csrf_token()
token2 = h._generate_csrf_token()
self.assertNotEqual(token, token2)
decoded = base64.urlsafe_b64decode(token)
tok, ts = decoded.rsplit(h.OAUTH2_CSRF_DELIMITER, 1)
# > 10 so that I won't have to modify this test if the length changes
# in the future
self.assertTrue(len(tok) > 10)
# token generation can't really take more than 1 sec here
self.assertFalse(long(time.time()) - long(ts) > 1)
def test_csrf_oauth2_tokens_dont_match(self):
self.expectErrors()
token1 = SimpleAuthHandler()._generate_csrf_token()
token2 = SimpleAuthHandler()._generate_csrf_token()
DummyAuthHandler.OAUTH2_CSRF_STATE = True
DummyAuthHandler.SESSION_MOCK = {
DummyAuthHandler.OAUTH2_CSRF_SESSION_PARAM: token1
}
resp = self.app.get_response('/auth/dummy_oauth2/callback?'
'code=auth-code&state=%s' % token2)
self.assertEqual(resp.status_int, 500)
self.assertRegexpMatches(resp.body, 'InvalidCSRFTokenError')
def test_csrf_oauth2_callback_success(self):
# need a real token here to have a valid timestamp
csrf_token = SimpleAuthHandler()._generate_csrf_token()
DummyAuthHandler.OAUTH2_CSRF_STATE = True
DummyAuthHandler.SESSION_MOCK = {
DummyAuthHandler.OAUTH2_CSRF_SESSION_PARAM: csrf_token
}
fetch_resp = json.dumps({
"access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
"expires_in": 3600,
"token_type": "Bearer"
})
self.set_urlfetch_response('https://dummy/oauth2_token',
content=fetch_resp)
resp = self.app.get_response('/auth/dummy_oauth2/callback?'
'code=auth-code&state=%s' % csrf_token)
self.assertEqual(resp.status_int, 302)
self.assertEqual(resp.headers['Location'],
'http://localhost/logged_in?provider=dummy_oauth2')
# token should be removed after during the authorization step
session = json.loads(resp.headers['SessionMock'])
self.assertFalse(DummyAuthHandler.OAUTH2_CSRF_SESSION_PARAM in session)
def test_csrf_oauth2_tokens_dont_match(self):
self.expectErrors()
token1 = SimpleAuthHandler()._generate_csrf_token()
token2 = SimpleAuthHandler()._generate_csrf_token()
DummyAuthHandler.OAUTH2_CSRF_STATE = True
DummyAuthHandler.SESSION_MOCK = {
DummyAuthHandler.OAUTH2_CSRF_SESSION_PARAM: token1
}
state = json.dumps({DummyAuthHandler.OAUTH2_CSRF_STATE_PARAM: token2})
query = urlencode({'code': 'auth-code', 'state': state})
resp = self.app.get_response('/auth/dummy_oauth2/callback?' + query)
self.assertEqual(resp.status_int, 500)
self.assertRegexpMatches(resp.body, 'InvalidCSRFTokenError')
def test_csrf_validation(self):
self.expectErrors()
h = SimpleAuthHandler()
token = h._generate_csrf_token()
token2 = h._generate_csrf_token()
self.assertTrue(h._validate_csrf_token(token, token))
self.assertFalse(h._validate_csrf_token(token, token2))
self.assertFalse(h._validate_csrf_token('', token))
self.assertFalse(h._validate_csrf_token(token, ''))
self.assertFalse(h._validate_csrf_token('', ''))
self.assertFalse(h._validate_csrf_token('invalid b64', 'invalid b64'))
# no timestamp
token = base64.urlsafe_b64encode('random')
self.assertFalse(h._validate_csrf_token(token, token))
token = base64.urlsafe_b64encode('random%s' % h.OAUTH2_CSRF_DELIMITER)
self.assertFalse(h._validate_csrf_token(token, token))
# no token key
token = '%s%d' % (h.OAUTH2_CSRF_DELIMITER, long(time.time()))
encoded = base64.urlsafe_b64encode(token)
self.assertFalse(h._validate_csrf_token(encoded, encoded))
# token timeout
timeout = long(time.time()) - h.OAUTH2_CSRF_TOKEN_TIMEOUT - 1
token = h._generate_csrf_token(_time=timeout)
self.assertFalse(h._validate_csrf_token(token, token))
def test_csrf_validation(self):
self.expectErrors()
h = SimpleAuthHandler()
token = h._generate_csrf_token()
token2 = h._generate_csrf_token()
self.assertTrue(h._validate_csrf_token(token, token))
self.assertFalse(h._validate_csrf_token(token, token2))
self.assertFalse(h._validate_csrf_token('', token))
self.assertFalse(h._validate_csrf_token(token, ''))
self.assertFalse(h._validate_csrf_token('', ''))
self.assertFalse(h._validate_csrf_token('invalid b64', 'invalid b64'))
# no timestamp
token = base64.urlsafe_b64encode('random')
self.assertFalse(h._validate_csrf_token(token, token))
token = base64.urlsafe_b64encode('random%s' % h.OAUTH2_CSRF_DELIMITER)
self.assertFalse(h._validate_csrf_token(token, token))
# no token key
token = '%s%d' % (h.OAUTH2_CSRF_DELIMITER, long(time.time()))
encoded = base64.urlsafe_b64encode(token)
self.assertFalse(h._validate_csrf_token(encoded, encoded))
# token timeout
timeout = long(time.time()) - h.OAUTH2_CSRF_TOKEN_TIMEOUT - 1
token = h._generate_csrf_token(_time=timeout)
self.assertFalse(h._validate_csrf_token(token, token))
def _simple_auth(self, *args, **kwargs):
if self.logged_in:
self.redirect(self.safe_return_to() or DEFAULT_REDIRECT)
return
self.session["return_to"] = self.safe_return_to()
return SimpleAuthHandler._simple_auth(self, *args, **kwargs)
