def test_bearer_token_valid_via_headers(self, request): user = M.User.by_username('test-admin') consumer_token = M.OAuthConsumerToken( name='foo', description='foo app', ) request_token = M.OAuthRequestToken( consumer_token_id=consumer_token._id, user_id=user._id, callback='manual', validation_pin=h.nonce(20), is_bearer=True, ) access_token = M.OAuthAccessToken( consumer_token_id=consumer_token._id, request_token_id=request_token._id, user_id=user._id, is_bearer=True, ) ThreadLocalODMSession.flush_all() token = access_token.api_key request.headers = {'Authorization': 'Bearer {}'.format(token)} request.scheme = 'https' r = self.api_post('/rest/p/test/wiki', access_token='foo', status=200) # reverse proxy situation request.scheme = 'http' request.environ['paste.testing'] = False request.environ['HTTP_X_FORWARDED_PROTOx'] = 'https' r = self.api_post('/rest/p/test/wiki', access_token='foo', status=200)
def test_bearer_token_valid(self, request): user = M.User.by_username('test-admin') consumer_token = M.OAuthConsumerToken( name='foo', description='foo app', ) request_token = M.OAuthRequestToken( consumer_token_id=consumer_token._id, user_id=user._id, callback='manual', validation_pin=h.nonce(20), is_bearer=True, ) access_token = M.OAuthAccessToken( consumer_token_id=consumer_token._id, request_token_id=request_token._id, user_id=user._id, is_bearer=True, ) ThreadLocalODMSession.flush_all() request.headers = {} request.params = {'access_token': access_token.api_key} request.scheme = 'https' r = self.api_post('/rest/p/test/wiki', access_token='foo') assert_equal(r.status_int, 200)
def token(self, username): if self._use_token: return self._use_token # only create token once, else ming gets dupe key error if username not in self._token_cache: user = M.User.query.get(username=username) consumer_token = M.OAuthConsumerToken( name='test-%s' % str(user._id), description='test-app-%s' % str(user._id), user_id=user._id) request_token = M.OAuthRequestToken( consumer_token_id=consumer_token._id, user_id=user._id, callback='manual', validation_pin=h.nonce(20)) token = M.OAuthAccessToken(consumer_token_id=consumer_token._id, request_token_id=request_token._id, user_id=user._id, is_bearer=True) ming.orm.session(consumer_token).flush() ming.orm.session(request_token).flush() ming.orm.session(token).flush() self._token_cache[username] = token return self._token_cache[username]
def request_token(self, **kw): req = oauth.Request.from_request( request.method, request.url.split('?')[0], headers=request.headers, parameters=dict(request.params), query_string=request.query_string ) consumer_token = M.OAuthConsumerToken.query.get( api_key=req['oauth_consumer_key']) if consumer_token is None: log.error('Invalid consumer token') raise exc.HTTPUnauthorized consumer = consumer_token.consumer try: self.server.verify_request(req, consumer, None) except oauth.Error as e: log.error('Invalid signature %s %s', type(e), e) raise exc.HTTPUnauthorized req_token = M.OAuthRequestToken( consumer_token_id=consumer_token._id, callback=req.get('oauth_callback', 'oob') ) session(req_token).flush() log.info('Saving new request token with key: %s', req_token.api_key) return req_token.to_string()
def generate_access_token(self, _id): """ Manually generate an OAuth access token for the given consumer. NB: Manually generated access tokens are bearer tokens, which are less secure (since they rely only on the token, which is transmitted with each request, unlike the access token secret). """ consumer_token = M.OAuthConsumerToken.query.get(_id=bson.ObjectId(_id)) if consumer_token is None: flash('Invalid app ID', 'error') redirect('.') if consumer_token.user_id != c.user._id: flash('Invalid app ID', 'error') redirect('.') request_token = M.OAuthRequestToken( consumer_token_id=consumer_token._id, user_id=c.user._id, callback='manual', validation_pin=h.nonce(20), is_bearer=True, ) M.OAuthAccessToken( consumer_token_id=consumer_token._id, request_token_id=c.user._id, user_id=request_token.user_id, is_bearer=True, ) redirect('.')
def test_authorize_ok(self): user = M.User.by_username('test-admin') ctok = M.OAuthConsumerToken( api_key='api_key', user_id=user._id, description='ctok_desc', ) rtok = M.OAuthRequestToken( api_key='api_key', consumer_token_id=ctok._id, callback='oob', user_id=user._id, ) ThreadLocalORMSession.flush_all() r = self.app.post('/rest/oauth/authorize', params={'oauth_token': 'api_key'}) assert_in('ctok_desc', r.body) assert_in('api_key', r.body)
def test_do_authorize_oob(self): user = M.User.by_username('test-admin') ctok = M.OAuthConsumerToken( api_key='api_key', user_id=user._id, description='ctok_desc', ) rtok = M.OAuthRequestToken( api_key='api_key', consumer_token_id=ctok._id, callback='oob', user_id=user._id, ) ThreadLocalORMSession.flush_all() r = self.app.get('/rest/oauth/do_authorize', params={ 'yes': '1', 'oauth_token': 'api_key' }) assert_is_not_none(r.html.find(text=re.compile('^PIN: ')))
def test_do_authorize_no(self): user = M.User.by_username('test-admin') ctok = M.OAuthConsumerToken( api_key='api_key', user_id=user._id, description='ctok_desc', ) rtok = M.OAuthRequestToken( api_key='api_key', consumer_token_id=ctok._id, callback='oob', user_id=user._id, ) ThreadLocalORMSession.flush_all() r = self.app.get('/rest/oauth/do_authorize', params={ 'no': '1', 'oauth_token': 'api_key' }) assert_is_none(M.OAuthRequestToken.query.get(api_key='api_key'))
def test_access_token_bad_pin(self, Request): req = Request.from_request.return_value = { 'oauth_consumer_key': 'api_key', 'oauth_token': 'api_key', 'oauth_verifier': 'bad', } user = M.User.by_username('test-admin') ctok = M.OAuthConsumerToken( api_key='api_key', user_id=user._id, description='ctok_desc', ) rtok = M.OAuthRequestToken( api_key='api_key', consumer_token_id=ctok._id, callback='http://my.domain.com/callback?myparam=foo', user_id=user._id, validation_pin='good', ) ThreadLocalORMSession.flush_all() self.app.get('/rest/oauth/access_token', status=403)
def test_do_authorize_cb(self): user = M.User.by_username('test-admin') ctok = M.OAuthConsumerToken( api_key='api_key', user_id=user._id, description='ctok_desc', ) rtok = M.OAuthRequestToken( api_key='api_key', consumer_token_id=ctok._id, callback='http://my.domain.com/callback', user_id=user._id, ) ThreadLocalORMSession.flush_all() r = self.app.get('/rest/oauth/do_authorize', params={ 'yes': '1', 'oauth_token': 'api_key' }) assert r.location.startswith( 'http://my.domain.com/callback?oauth_token=api_key&oauth_verifier=' )
def test_access_token_ok(self, Request, Server): req = Request.from_request.return_value = { 'oauth_consumer_key': 'api_key', 'oauth_token': 'api_key', 'oauth_verifier': 'good', } user = M.User.by_username('test-admin') ctok = M.OAuthConsumerToken( api_key='api_key', user_id=user._id, description='ctok_desc', ) rtok = M.OAuthRequestToken( api_key='api_key', consumer_token_id=ctok._id, callback='http://my.domain.com/callback?myparam=foo', user_id=user._id, validation_pin='good', ) ThreadLocalORMSession.flush_all() r = self.app.get('/rest/oauth/access_token') atok = parse_qs(r.body) assert_equal(len(atok['oauth_token']), 1) assert_equal(len(atok['oauth_token_secret']), 1)