def testRequestOverInsecureTransport(self):
    """
    Check how a protected resource treats a valid bearer token that arrives
    over a plaintext (non-TLS) connection.

    Two outcomes are pinned on the same request object:

    * With ``allowInsecureRequestDebug=True`` the request is accepted. That
      flag exists for local debugging only: a bearer token sent in clear text
      can be read and replayed by anyone on the network path, and RFC 6750
      (section 5) requires TLS for bearer tokens, so the flag must never be
      enabled on a deployed resource.
    * Without the flag the request is rejected and the response code is 400.
    """
    insecureRequest = MockRequest('GET', 'protectedResource', isSecure=False)
    insecureRequest.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN)

    debugResult = isAuthorized(
        insecureRequest, self.VALID_TOKEN_SCOPE, allowInsecureRequestDebug=True)
    self.assertTrue(
        debugResult,
        msg='Expected isAuthorized to accept a request over an insecure protocol '
            'if "allowInsecureRequestDebug" is set to True.')

    strictResult = isAuthorized(insecureRequest, self.VALID_TOKEN_SCOPE)
    self.assertFalse(
        strictResult,
        msg='Expected isAuthorized to reject a request over an insecure protocol.')

    expectedCode = 400
    self.assertEqual(
        expectedCode, insecureRequest.responseCode,
        msg='The HTTP response code should be {code}, if a protected resource receives a '
            'request over an insecure channel.'.format(code=expectedCode))
def testNoAccessToken(self):
    """
    A request to a protected resource that carries no token at all must be
    rejected, and the failure must be reported as a ``MissingTokenError``
    naming the scope that was required.
    """
    bareRequest = MockRequest('GET', 'protectedResource')
    requiredScope = 'scope'

    outcome = isAuthorized(bareRequest, requiredScope)
    self.assertFalse(
        outcome,
        msg='Expected isAuthorized to reject a request without a token.')
    self.assertFailedProtectedResourceRequest(
        bareRequest, MissingTokenError([requiredScope]))
def render_GET(self, request):
    """
    Render the clock page for an authorized GET request.

    The explicit ``isAuthorized`` call for the ``VIEW_CLOCK`` scope duplicates
    the protection the ``@oauth`` decorator on this method already provides;
    the redundancy is intentional, to demonstrate both ways of guarding a
    resource. When the check fails, ``isAuthorized`` is expected to have
    written the error response itself, so ``NOT_DONE_YET`` is returned.

    Security note: ``allowInsecureRequestDebug=True`` makes this resource
    accept bearer tokens over plaintext HTTP. That is tolerable for a local
    demo only -- a token sent in clear text can be captured and replayed --
    and the flag must not be set on a deployed resource.

    :param request: The incoming request.
    :return: The rendered page as UTF-8 bytes, or ``NOT_DONE_YET``.
    """
    authorized = isAuthorized(request, 'VIEW_CLOCK', allowInsecureRequestDebug=True)
    if not authorized:
        return NOT_DONE_YET
    page = '<html><body>{time}</body></html>'.format(time=time.ctime())
    return page.encode('utf-8')
def testWrongAccessToken(self):
    """
    A bearer token that is present but not recognised must be rejected, and
    the failure reported as an ``InvalidTokenRequestError`` for the scope.
    """
    req = MockRequest('GET', 'protectedResource')
    req.setRequestHeader(b'Authorization', b'Bearer an invalid token')
    requiredScope = 'scope'

    outcome = isAuthorized(req, requiredScope)
    self.assertFalse(
        outcome,
        msg='Expected isAuthorized to reject a request with an invalid token.')
    self.assertFailedProtectedResourceRequest(
        req, InvalidTokenRequestError([requiredScope]))
def testMultipleAccessTokens(self):
    """
    A request must carry at most one bearer token (RFC 6750 section 2).

    Two violations are checked, each expected to fail with a
    ``MultipleTokensError``: the same token twice as a query parameter, and a
    query-parameter token combined with an Authorization header.
    """
    queryToken = 'access_token=' + self.VALID_TOKEN

    def expectRejectedAsDuplicate(req):
        # Shared assertion for both shapes of the "two tokens" violation.
        self.assertFalse(
            isAuthorized(req, self.VALID_TOKEN_SCOPE),
            msg='Expected isAuthorized to reject a request with two tokens.')
        self.assertFailedProtectedResourceRequest(
            req, MultipleTokensError(self.VALID_TOKEN_SCOPE))

    duplicatedQuery = MockRequest(
        'GET', 'protectedResource?' + queryToken + '&' + queryToken)
    expectRejectedAsDuplicate(duplicatedQuery)

    queryPlusHeader = MockRequest('GET', 'protectedResource?' + queryToken)
    queryPlusHeader.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN)
    expectRejectedAsDuplicate(queryPlusHeader)
def render_GET(self, request):  # pylint: disable=invalid-name,no-self-use
    """
    Serve the clock page; this resource is protected.

    The explicit ``isAuthorized`` call for the ``VIEW_CLOCK`` scope duplicates
    the protection the ``@oauth`` decorator on this method already provides;
    the redundancy is intentional, to demonstrate both ways of guarding a
    resource. When the check fails, ``isAuthorized`` is expected to have
    written the error response itself, so ``NOT_DONE_YET`` is returned.

    Security note: ``allowInsecureRequestDebug=True`` makes this resource
    accept bearer tokens over plaintext HTTP. That is tolerable for a local
    demo only -- a token sent in clear text can be captured and replayed --
    and the flag must not be set on a deployed resource.

    :param request: The incoming request.
    :return: The rendered page as UTF-8 bytes, or ``NOT_DONE_YET``.
    """
    authorized = isAuthorized(request, 'VIEW_CLOCK', allowInsecureRequestDebug=True)
    if not authorized:
        return NOT_DONE_YET
    page = '<html><body>{time}</body></html>'.format(time=time.ctime())
    return page.encode('utf-8')
def testInvalidScope(self):
    """
    A valid token that does not grant the scope a resource demands must be
    rejected, and the failure reported as an
    ``InsufficientScopeRequestError`` naming the missing scope.
    """
    req = MockRequest('GET', 'protectedResource')
    req.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN)
    unauthorizedScope = 'someOtherScope'

    outcome = isAuthorized(req, unauthorizedScope)
    self.assertFalse(
        outcome,
        msg='Expected isAuthorized to reject a request with token '
            'that does not allow access to the given scope.')
    self.assertFailedProtectedResourceRequest(
        req, InsufficientScopeRequestError([unauthorizedScope]))
def testWithAccessTokenInHeader(self):
    """
    A valid token in the ``Authorization: Bearer`` header (RFC 6750
    section 2.1) is accepted, and ``isAuthorized`` leaves the request open so
    the resource can render its own response.
    """
    req = MockRequest('GET', 'protectedResource')
    req.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN)
    firstScope = self.VALID_TOKEN_SCOPE[0]

    outcome = isAuthorized(req, firstScope)
    self.assertTrue(
        outcome,
        msg='Expected isAuthorized to accept a request with a valid token.')
    self.assertFalse(
        req.finished,
        msg='isAuthorized should not finish the request if it\'s valid.')
def testAccessTokenInBodyWrongContentType(self):
    """
    A token in the request body only counts when the body is
    ``application/x-www-form-urlencoded`` (RFC 6750 section 2.2). With any
    other content type the token is ignored, so the request fails as if no
    token had been sent (``MissingTokenError``).
    """
    bodyArgs = {'access_token': self.VALID_TOKEN}
    req = MockRequest('POST', 'protectedResource', arguments=bodyArgs)
    req.setRequestHeader('Content-Type', 'application/other')

    outcome = isAuthorized(req, self.VALID_TOKEN_SCOPE)
    self.assertFalse(
        outcome,
        msg='Expected isAuthorized to reject a request '
            'with a valid token in the request body with a content type '
            'that is not "application/x-www-form-urlencoded".')
    self.assertFailedProtectedResourceRequest(
        req, MissingTokenError(self.VALID_TOKEN_SCOPE))
def testAccessTokenInBodyWrongMethod(self):
    """
    A form-encoded body token is only honoured on a POST request. The same
    body sent with GET is treated as carrying no token, so the request fails
    with a ``MissingTokenError``.
    """
    bodyArgs = {'access_token': self.VALID_TOKEN}
    req = MockRequest('GET', 'protectedResource', arguments=bodyArgs)
    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')

    outcome = isAuthorized(req, self.VALID_TOKEN_SCOPE)
    self.assertFalse(
        outcome,
        msg='Expected isAuthorized to reject a request with a valid token '
            'in the request body that was not send with the POST method.')
    self.assertFailedProtectedResourceRequest(
        req, MissingTokenError(self.VALID_TOKEN_SCOPE))
def testWithAccessTokenInBody(self):
    """
    A valid token in a form-encoded POST body (RFC 6750 section 2.2) is
    accepted, and ``isAuthorized`` leaves the request open for the resource
    to render its response.
    """
    bodyArgs = {'access_token': self.VALID_TOKEN}
    req = MockRequest('POST', 'protectedResource', arguments=bodyArgs)
    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
    firstScope = self.VALID_TOKEN_SCOPE[0]

    outcome = isAuthorized(req, firstScope)
    self.assertTrue(
        outcome,
        msg='Expected isAuthorized to accept a request '
            'with a valid token in the request body.')
    self.assertFalse(
        req.finished,
        msg='isAuthorized should not finish the request if it\'s valid.')
def testWithAccessTokenInQuery(self):
    """
    A valid token in the URI query (RFC 6750 section 2.3) is accepted and the
    request is left open for the resource to render.

    Because a token in the URL ends up in logs, caches and Referer headers,
    RFC 6750 also requires the server to answer such requests with
    ``Cache-Control: private``; that header is asserted here as well.
    """
    req = MockRequest('GET', 'protectedResource?access_token=' + self.VALID_TOKEN)
    firstScope = self.VALID_TOKEN_SCOPE[0]

    outcome = isAuthorized(req, firstScope)
    self.assertTrue(
        outcome,
        msg='Expected isAuthorized to accept a request '
            'with a valid token as a query parameter.')
    self.assertFalse(
        req.finished,
        msg='isAuthorized should not finish the request if it\'s valid.')

    cacheControl = req.getResponseHeader('Cache-Control')
    self.assertIn(
        'private', cacheControl,
        msg='The response to a request with the access token as a query parameter '
            'should contain a Cache-Control header with the "private" option.')