def test_valid_response_request(self, mock_post):
"""This test ensures that the authorize request against the oauth
endpoint succeeds with expected values.
"""
self._mock_response(mock_post, valid=True)
random_state = six.text_type(uuid.uuid4())
# Simple GET with various parameters
response = self.get_json(path='/openid/authorize_return',
expect_errors=True,
state=random_state,
**self.valid_params)
# Try to pull the code out of the response
location = response.headers.get('Location')
location_url = urlparse.urlparse(location)
parameters = urlparse.parse_qs(location_url[4])
with base.HybridSessionManager():
token = auth_api.authorization_code_get(parameters['code'])
redirect_uri = self.valid_params['sb_redirect_uri']
# Validate the redirect response
self.assertValidRedirect(response=response,
expected_status_code=302,
redirect_uri=redirect_uri,
state=token.state,
code=token.code)
def test_valid_response_request(self, mock_post):
"""This test ensures that the authorize request against the oauth
endpoint succeeds with expected values.
"""
self._mock_response(mock_post, valid=True)
random_state = six.text_type(uuid.uuid4())
# Simple GET with various parameters
response = self.get_json(path='/openid/authorize_return',
expect_errors=True,
state=random_state,
**self.valid_params)
# Try to pull the code out of the response
location = response.headers.get('Location')
location_url = urlparse.urlparse(location)
parameters = urlparse.parse_qs(location_url[4])
with base.HybridSessionManager():
token = auth_api.authorization_code_get(parameters['code'])
redirect_uri = self.valid_params['sb_redirect_uri']
# Validate the redirect response
self.assertValidRedirect(response=response,
expected_status_code=302,
redirect_uri=redirect_uri,
state=token.state,
code=token.code)
def test_delete_code(self):
created_code = auth_codes.authorization_code_save(self.code_01)
self.assertIsNotNone(created_code,
"Could not create an Authorization code")
auth_codes.authorization_code_delete(created_code.code)
fetched_code = auth_codes.authorization_code_get(created_code.code)
self.assertIsNone(fetched_code)
def test_delete_code(self):
created_code = auth_codes.authorization_code_save(self.code_01)
self.assertIsNotNone(created_code,
"Could not create an Authorization code")
auth_codes.authorization_code_delete(created_code.code)
fetched_code = auth_codes.authorization_code_get(created_code.code)
self.assertIsNone(fetched_code)
def _resolve_user_id(self, request):
# Try authorization code
code = request._params.get("code")
if code:
code_info = auth_api.authorization_code_get(code)
return code_info.user_id
# Try refresh token
refresh_token = request._params.get("refresh_token")
refresh_token_entry = \
refresh_token_api.refresh_token_get_by_token(refresh_token)
if refresh_token_entry:
return refresh_token_entry.user_id
return None
def validate_code(self, client_id, code, client, request, *args, **kwargs):
"""Validate the code belongs to the client. It must exist, and it
must be recent.
"""
db_code = auth_api.authorization_code_get(code)
if not db_code:
return False
# Calculate the expiration date.
expires_on = db_code.created_at + datetime.timedelta(
seconds=db_code.expires_in)
# Generate a UTC now() with timezone attached so we can run a
# comparison against the timezone-sensitive result that comes from
# the database.
now = datetime.datetime.now(tz=pytz.utc)
return expires_on > now
def _access_token_by_code(self):
auth_code = request.params.get("code")
code_info = auth_api.authorization_code_get(auth_code)
headers, body, code = SERVER.create_token_response(
uri=request.url,
http_method=request.method,
body=request.body,
headers=request.headers)
response.headers = dict(
(str(k), str(v)) for k, v in six.iteritems(headers))
response.status_code = code
json_body = json.loads(body)
# Update a body with user_id only if a response is 2xx
if code / 100 == 2:
json_body.update({'id_token': code_info.user_id})
response.json = json_body
return response
def _access_token_by_code(self):
auth_code = request.params.get("code")
code_info = auth_api.authorization_code_get(auth_code)
headers, body, code = SERVER.create_token_response(
uri=request.url,
http_method=request.method,
body=request.body,
headers=request.headers)
response.headers = dict((str(k), str(v))
for k, v in six.iteritems(headers))
response.status_code = code
json_body = json.loads(body)
# Update a body with user_id only if a response is 2xx
if code / 100 == 2:
json_body.update({
'id_token': code_info.user_id
})
response.json = json_body
return response
def test_valid_access_request(self):
"""This test ensures that the access token request may execute
properly with a valid token.
"""
# Generate a valid auth token
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id': 2,
'state': 'test_state',
'code': 'test_valid_code'
})
content_type = 'application/x-www-form-urlencoded'
# POST with content: application/x-www-form-urlencoded
response = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a successful response
self.assertEqual(200, response.status_code)
# Assert that the token came back in the response
token = response.json
self.assertIsNotNone(token['access_token'])
self.assertIsNotNone(token['expires_in'])
self.assertIsNotNone(token['id_token'])
self.assertIsNotNone(token['refresh_token'])
self.assertIsNotNone(token['token_type'])
self.assertEqual('Bearer', token['token_type'])
# Assert that the access token is in the database
with base.HybridSessionManager():
access_token = \
token_api.access_token_get_by_token(token['access_token'])
self.assertIsNotNone(access_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, access_token.user_id)
self.assertEqual(token['id_token'], access_token.user_id)
self.assertEqual(token['expires_in'], CONF.oauth.access_token_ttl)
self.assertEqual(token['expires_in'], access_token.expires_in)
self.assertEqual(token['access_token'], access_token.access_token)
# Assert that the refresh token is in the database
with base.HybridSessionManager():
refresh_token = \
refresh_tokens.refresh_token_get_by_token(
token['refresh_token'])
self.assertIsNotNone(refresh_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, refresh_token.user_id)
self.assertEqual(CONF.oauth.refresh_token_ttl,
refresh_token.expires_in)
self.assertEqual(token['refresh_token'], refresh_token.refresh_token)
# Assert that the authorization code is no longer in the database.
with base.HybridSessionManager():
none_code = \
auth_api.authorization_code_get(authorization_code.code)
self.assertIsNone(none_code)
def test_valid_access_request(self):
"""This test ensures that the access token request may execute
properly with a valid token.
"""
# Generate a valid auth token
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id':
2,
'state':
'test_state',
'code':
'test_valid_code'
})
content_type = 'application/x-www-form-urlencoded'
# POST with content: application/x-www-form-urlencoded
response = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a successful response
self.assertEqual(200, response.status_code)
# Assert that the token came back in the response
token = response.json
self.assertIsNotNone(token['access_token'])
self.assertIsNotNone(token['expires_in'])
self.assertIsNotNone(token['id_token'])
self.assertIsNotNone(token['refresh_token'])
self.assertIsNotNone(token['token_type'])
self.assertEqual('Bearer', token['token_type'])
# Assert that the access token is in the database
with base.HybridSessionManager():
access_token = \
token_api.access_token_get_by_token(token['access_token'])
self.assertIsNotNone(access_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, access_token.user_id)
self.assertEqual(token['id_token'], access_token.user_id)
self.assertEqual(token['expires_in'], CONF.oauth.access_token_ttl)
self.assertEqual(token['expires_in'], access_token.expires_in)
self.assertEqual(token['access_token'], access_token.access_token)
# Assert that the refresh token is in the database
with base.HybridSessionManager():
refresh_token = \
refresh_tokens.refresh_token_get_by_token(
token['refresh_token'])
self.assertIsNotNone(refresh_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, refresh_token.user_id)
self.assertEqual(CONF.oauth.refresh_token_ttl,
refresh_token.expires_in)
self.assertEqual(token['refresh_token'], refresh_token.refresh_token)
# Assert that the authorization code is no longer in the database.
with base.HybridSessionManager():
none_code = \
auth_api.authorization_code_get(authorization_code.code)
self.assertIsNone(none_code)
