def test_temporary_credential_signatures_errors(self): self.prepare_data() url = '/oauth/initiate' rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_signature_method': 'PLAINTEXT' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_signature', data['error_description']) rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_timestamp': str(int(time.time())), 'oauth_nonce': 'a' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_signature_method', data['error_description']) rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_signature_method': 'INVALID', 'oauth_callback': 'oob', 'oauth_timestamp': str(int(time.time())), 'oauth_nonce': 'b', 'oauth_signature': 'c' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'unsupported_signature_method')
def test_plaintext_signature(self): self.prepare_data() server = self.create_server() url = '/oauth/token' # case 1: success self.prepare_temporary_credential(server) auth_header = ('OAuth oauth_consumer_key="client",' 'oauth_signature_method="PLAINTEXT",' 'oauth_token="abc",' 'oauth_verifier="abc-verifier",' 'oauth_signature="secret&abc-secret"') request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertIn('oauth_token', data) # case 2: invalid signature self.prepare_temporary_credential(server) request = self.factory.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_signature_method': 'PLAINTEXT', 'oauth_token': 'abc', 'oauth_verifier': 'abc-verifier', 'oauth_signature': 'invalid-signature' }) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertEqual(data['error'], 'invalid_signature')
def test_hmac_sha1_signature(self): self.prepare_data() server = self.create_server() url = '/oauth/token' params = [ ('oauth_consumer_key', 'client'), ('oauth_token', 'abc'), ('oauth_verifier', 'abc-verifier'), ('oauth_signature_method', 'HMAC-SHA1'), ('oauth_timestamp', str(int(time.time()))), ('oauth_nonce', 'hmac-sha1-nonce'), ] base_string = signature.construct_base_string( 'POST', 'http://testserver/oauth/token', params) sig = signature.hmac_sha1_signature(base_string, 'secret', 'abc-secret') params.append(('oauth_signature', sig)) auth_param = ','.join(['{}="{}"'.format(k, v) for k, v in params]) auth_header = 'OAuth ' + auth_param # case 1: success self.prepare_temporary_credential(server) request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertIn('oauth_token', data) # case 2: exists nonce self.prepare_temporary_credential(server) request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertEqual(data['error'], 'invalid_nonce')
def test_hmac_sha1_signature(self): self.prepare_data() url = '/oauth/initiate' params = [ ('oauth_consumer_key', 'client'), ('oauth_callback', 'oob'), ('oauth_signature_method', 'HMAC-SHA1'), ('oauth_timestamp', str(int(time.time()))), ('oauth_nonce', 'hmac-sha1-nonce'), ] base_string = signature.construct_base_string( 'POST', 'http://localhost/oauth/initiate', params ) sig = signature.hmac_sha1_signature(base_string, 'secret', None) params.append(('oauth_signature', sig)) auth_param = ','.join(['{}="{}"'.format(k, v) for k, v in params]) auth_header = 'OAuth ' + auth_param headers = {'Authorization': auth_header} # case 1: success rv = self.client.post(url, headers=headers) data = decode_response(rv.data) self.assertIn('oauth_token', data) # case 2: exists nonce rv = self.client.post(url, headers=headers) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_nonce')
def test_invalid_signature(self): self.app.config.update({ 'OAUTH1_SUPPORTED_SIGNATURE_METHODS': ['INVALID'] }) self.prepare_data() url = '/oauth/initiate' rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_signature_method': 'PLAINTEXT', 'oauth_signature': 'secret&' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'unsupported_signature_method') rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_signature_method': 'INVALID', 'oauth_timestamp': str(int(time.time())), 'oauth_nonce': 'invalid-nonce', 'oauth_signature': 'secret&' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'unsupported_signature_method')
def test_invalid_token_and_verifiers(self): self.prepare_data() url = '/oauth/token' hook = self.server._hooks['create_temporary_credential'] # case 5 hook({ 'oauth_token': 'abc', 'oauth_token_secret': 'abc-secret' }, 'client', 'oob') rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_token': 'abc' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_verifier', data['error_description']) # case 6 hook({ 'oauth_token': 'abc', 'oauth_token_secret': 'abc-secret' }, 'client', 'oob') rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_token': 'abc', 'oauth_verifier': 'abc' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_request') self.assertIn('oauth_verifier', data['error_description'])
def test_rsa_sha1_signature(self): self.prepare_data() server = self.create_server() url = '/oauth/token' self.prepare_temporary_credential(server) params = [ ('oauth_consumer_key', 'client'), ('oauth_token', 'abc'), ('oauth_verifier', 'abc-verifier'), ('oauth_signature_method', 'RSA-SHA1'), ('oauth_timestamp', str(int(time.time()))), ('oauth_nonce', 'rsa-sha1-nonce'), ] base_string = signature.construct_base_string( 'POST', 'http://testserver/oauth/token', params) sig = signature.rsa_sha1_signature(base_string, read_file_path('rsa_private.pem')) params.append(('oauth_signature', sig)) auth_param = ','.join(['{}="{}"'.format(k, v) for k, v in params]) auth_header = 'OAuth ' + auth_param request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertIn('oauth_token', data) # case: invalid signature self.prepare_temporary_credential(server) auth_param = auth_param.replace('rsa-sha1-nonce', 'alt-sha1-nonce') auth_header = 'OAuth ' + auth_param request = self.factory.post(url, HTTP_AUTHORIZATION=auth_header) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertEqual(data['error'], 'invalid_signature')
def test_invalid_token_request_parameters(self): self.prepare_data() url = '/oauth/token' # case 1 rv = self.client.post(url) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_consumer_key', data['error_description']) # case 2 rv = self.client.post(url, data={'oauth_consumer_key': 'a'}) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_client') # case 3 rv = self.client.post(url, data={'oauth_consumer_key': 'client'}) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_token', data['error_description']) # case 4 rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_token': 'a' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_token')
def test_plaintext_signature(self): self.prepare_data() url = '/oauth/token' # case 1: success self.prepare_temporary_credential() auth_header = ('OAuth oauth_consumer_key="client",' 'oauth_signature_method="PLAINTEXT",' 'oauth_token="abc",' 'oauth_verifier="abc-verifier",' 'oauth_signature="secret&abc-secret"') headers = {'Authorization': auth_header} rv = self.client.post(url, headers=headers) data = decode_response(rv.data) self.assertIn('oauth_token', data) # case 2: invalid signature self.prepare_temporary_credential() rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_signature_method': 'PLAINTEXT', 'oauth_token': 'abc', 'oauth_verifier': 'abc-verifier', 'oauth_signature': 'invalid-signature' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_signature')
def test_invalid_token_request_parameters(self): self.prepare_data() server = self.create_server() url = '/oauth/token' # case 1 request = self.factory.post(url) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_consumer_key', data['error_description']) # case 2 request = self.factory.post(url, data={'oauth_consumer_key': 'a'}) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertEqual(data['error'], 'invalid_client') # case 3 request = self.factory.post(url, data={'oauth_consumer_key': 'client'}) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_token', data['error_description']) # case 4 request = self.factory.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_token': 'a' }) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertEqual(data['error'], 'invalid_token')
def test_rsa_sha1_signature(self): self.prepare_data() url = '/oauth/initiate' params = [ ('oauth_consumer_key', 'client'), ('oauth_callback', 'oob'), ('oauth_signature_method', 'RSA-SHA1'), ('oauth_timestamp', str(int(time.time()))), ('oauth_nonce', 'rsa-sha1-nonce'), ] base_string = signature.construct_base_string( 'POST', 'http://localhost/oauth/initiate', params ) sig = signature.rsa_sha1_signature( base_string, read_file_path('rsa_private.pem')) params.append(('oauth_signature', sig)) auth_param = ','.join(['{}="{}"'.format(k, v) for k, v in params]) auth_header = 'OAuth ' + auth_param headers = {'Authorization': auth_header} rv = self.client.post(url, headers=headers) data = decode_response(rv.data) self.assertIn('oauth_token', data) # case: invalid signature auth_param = auth_param.replace('rsa-sha1-nonce', 'alt-sha1-nonce') auth_header = 'OAuth ' + auth_param headers = {'Authorization': auth_header} rv = self.client.post(url, headers=headers) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_signature')
def test_plaintext_signature(self): self.prepare_data() url = '/oauth/initiate' # case 1: use payload rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_signature_method': 'PLAINTEXT', 'oauth_signature': 'secret&' }) data = decode_response(rv.data) self.assertIn('oauth_token', data) # case 2: use header auth_header = ( 'OAuth oauth_consumer_key="client",' 'oauth_signature_method="PLAINTEXT",' 'oauth_callback="oob",' 'oauth_signature="secret&"' ) headers = {'Authorization': auth_header} rv = self.client.post(url, headers=headers) data = decode_response(rv.data) self.assertIn('oauth_token', data) # case 3: invalid signature rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_signature_method': 'PLAINTEXT', 'oauth_signature': 'invalid-signature' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_signature')
def test_validate_timestamp_and_nonce(self): self.prepare_data() url = '/oauth/initiate' # case 5 rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_timestamp', data['error_description']) # case 6 rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_timestamp': str(int(time.time())) }) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_nonce', data['error_description']) # case 7 rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_timestamp': '123' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_request') self.assertIn('oauth_timestamp', data['error_description']) # case 8 rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_timestamp': 'sss' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_request') self.assertIn('oauth_timestamp', data['error_description']) # case 9 rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_timestamp': '-1', 'oauth_signature_method': 'PLAINTEXT' }) self.assertEqual(data['error'], 'invalid_request') self.assertIn('oauth_timestamp', data['error_description'])
def test_invalid_authorization(self): self.prepare_data() url = '/oauth/authorize' # case 1 rv = self.client.post(url, data={'user_id': '1'}) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_token', data['error_description']) # case 2 rv = self.client.post(url, data={'user_id': '1', 'oauth_token': 'a'}) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_token')
def test_authorize_granted(self): self.prepare_data() server = self.create_server() user = User.objects.get(username='******') initiate_url = '/oauth/initiate' authorize_url = '/oauth/authorize' # case 1 request = self.factory.post(initiate_url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_signature_method': 'PLAINTEXT', 'oauth_signature': 'secret&' }) resp = server.create_temporary_credentials_response(request) data = decode_response(resp.content) self.assertIn('oauth_token', data) request = self.factory.post(authorize_url, data={ 'oauth_token': data['oauth_token'] }) resp = server.create_authorization_response(request, user) self.assertEqual(resp.status_code, 302) self.assertIn('oauth_verifier', resp['Location']) self.assertIn('https://a.b', resp['Location']) # case 2 request = self.factory.post(initiate_url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'https://i.test', 'oauth_signature_method': 'PLAINTEXT', 'oauth_signature': 'secret&' }) resp = server.create_temporary_credentials_response(request) data = decode_response(resp.content) self.assertIn('oauth_token', data) request = self.factory.post(authorize_url, data={ 'oauth_token': data['oauth_token'] }) resp = server.create_authorization_response(request, user) self.assertEqual(resp.status_code, 302) self.assertIn('oauth_verifier', resp['Location']) self.assertIn('https://i.test', resp['Location'])
def test_authorize_granted(self): self.prepare_data() initiate_url = '/oauth/initiate' authorize_url = '/oauth/authorize' rv = self.client.post(initiate_url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_signature_method': 'PLAINTEXT', 'oauth_signature': 'secret&' }) data = decode_response(rv.data) self.assertIn('oauth_token', data) rv = self.client.post(authorize_url, data={ 'user_id': '1', 'oauth_token': data['oauth_token'] }) self.assertEqual(rv.status_code, 302) self.assertIn('oauth_verifier', rv.headers['Location']) self.assertIn('https://a.b', rv.headers['Location']) rv = self.client.post(initiate_url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'https://i.test', 'oauth_signature_method': 'PLAINTEXT', 'oauth_signature': 'secret&' }) data = decode_response(rv.data) self.assertIn('oauth_token', data) rv = self.client.post(authorize_url, data={ 'user_id': '1', 'oauth_token': data['oauth_token'] }) self.assertEqual(rv.status_code, 302) self.assertIn('oauth_verifier', rv.headers['Location']) self.assertIn('https://i.test', rv.headers['Location'])
def test_duplicated_oauth_parameters(self): self.prepare_data() url = '/oauth/token?oauth_consumer_key=client' rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_token': 'abc', 'oauth_verifier': 'abc' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'duplicated_oauth_protocol_parameter')
def test_invalid_initiate(self): server = self.create_server() url = '/oauth/initiate' request = self.factory.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'oob', 'oauth_signature_method': 'PLAINTEXT', 'oauth_signature': 'secret&' }) resp = server.create_temporary_credentials_response(request) data = decode_response(resp.content) self.assertEqual(data['error'], 'invalid_client')
def test_duplicated_oauth_parameters(self): self.prepare_data() server = self.create_server() url = '/oauth/token?oauth_consumer_key=client' request = self.factory.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_token': 'abc', 'oauth_verifier': 'abc' }) resp = server.create_token_response(request) data = decode_response(resp.content) self.assertEqual(data['error'], 'duplicated_oauth_protocol_parameter')
def test_temporary_credential_parameters_errors(self): self.prepare_data() url = '/oauth/initiate' rv = self.client.get(url) data = decode_response(rv.data) self.assertEqual(data['error'], 'method_not_allowed') # case 1 rv = self.client.post(url) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_consumer_key', data['error_description']) # case 2 rv = self.client.post(url, data={'oauth_consumer_key': 'client'}) data = decode_response(rv.data) self.assertEqual(data['error'], 'missing_required_parameter') self.assertIn('oauth_callback', data['error_description']) # case 3 rv = self.client.post(url, data={ 'oauth_consumer_key': 'client', 'oauth_callback': 'invalid_url' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_request') self.assertIn('oauth_callback', data['error_description']) # case 4 rv = self.client.post(url, data={ 'oauth_consumer_key': 'invalid-client', 'oauth_callback': 'oob' }) data = decode_response(rv.data) self.assertEqual(data['error'], 'invalid_client')