예제 #1
 def test_bad_access_token(self):
     """A request signed with an unissued token pair must get a 401.

     An access token is stored for ``self.user2``, but the request is signed
     with ``generate()`` output instead of that token's key/secret, while the
     consumer key/secret are the real ones from ``self.access``.
     """
     endpoint = get_absolute_url(
         ('api_dispatch_list', {'resource_name': 'app'}))
     Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
     # Only the resource-owner half of the credentials is wrong here.
     signed_url, authorization = self._oauth_request_info(
         endpoint,
         client_key=self.access.key,
         client_secret=self.access.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate())
     authenticator = authentication.OAuthAuthentication()
     request = RequestFactory().get(
         signed_url,
         HTTP_HOST='testserver',
         HTTP_AUTHORIZATION=authorization)
     response = authenticator.is_authenticated(request)
     eq_(response.status_code, 401)
예제 #2
 def test_bad_access_token(self):
     """Unknown resource-owner credentials must not authenticate.

     A valid access token exists for ``self.user2``; the request is signed
     with ``generate()`` output rather than that token's key/secret, and
     ``is_authenticated`` is expected to return a falsy value.
     """
     target = absolutify(reverse('app-list'))
     Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
     # Real consumer credentials, but not the stored token's key/secret.
     signed_url, authorization = self._oauth_request_info(
         target,
         client_key=self.access.key,
         client_secret=self.access.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate())
     authenticator = authentication.RestOAuthAuthentication()
     request = RequestFactory().get(
         signed_url,
         HTTP_HOST='testserver',
         HTTP_AUTHORIZATION=authorization)
     assert not authenticator.is_authenticated(request)
예제 #3
 def test_bad_access_token(self):
     """An unissued token pair leaves the request anonymous.

     The request passes through ``RestOAuthMiddleware.process_request``
     before ``authenticate`` is called. Both the authentication result and
     ``req.user`` must stay unauthenticated, so a rejected signature does
     not leave a user attached to the request.
     """
     target = absolutify(reverse('app-list'))
     Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
     # Signed with generate() output instead of the stored token's secrets.
     signed_url, authorization = self._oauth_request_info(
         target,
         client_key=self.access.key,
         client_secret=self.access.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate())
     authenticator = authentication.RestOAuthAuthentication()
     request = RequestFactory().get(
         signed_url,
         HTTP_HOST='testserver',
         HTTP_AUTHORIZATION=authorization)
     # Start from an explicit anonymous user so the final check is meaningful.
     request.API = True
     request.user = AnonymousUser()
     RestOAuthMiddleware().process_request(request)
     ok_(not authenticator.authenticate(Request(request)))
     ok_(not request.user.is_authenticated())
예제 #4
 def test_get_authorize_page(self):
     """The authorize page echoes the request token key in its form.

     A logged-in user GETs ``/oauth/authorize/`` with a fresh request token;
     the page must render (200) and carry the same key in the
     ``oauth_token`` input.
     """
     request_token = Token.generate_new(REQUEST_TOKEN, self.access)
     self.client.login(username="******", password="******")
     response = self.client.get(
         "/oauth/authorize/", data={"oauth_token": request_token.key})
     eq_(response.status_code, 200)
     document = pq(response.content)
     rendered_key = document("input[name=oauth_token]").attr("value")
     eq_(rendered_key, request_token.key)
예제 #5
파일: oauth.py 프로젝트: clouserw/zamboni
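def access_request(request):
    """Exchange a request token for an access token.

    The incoming request is rebuilt with ``server._create_request`` and
    checked with ``server.validate_access_token_request``; a ``ValueError``
    from either step counts as an invalid request. On success a new
    ACCESS_TOKEN is generated with the request token's ``creds`` and
    ``user``, the request token is deleted, and the new key/secret are
    returned form-encoded. Every failure path answers 401.
    """
    try:
        oauth_req = server._create_request(request.build_absolute_uri(),
                                           request.method, request.body,
                                           get_request_headers(request))
        valid, oauth_req = server.validate_access_token_request(oauth_req)
    except ValueError:
        valid = False
    if not valid:
        log.error('Invalid OAuth request for acquiring access token')
        return HttpResponse(status=401)

    try:
        req_t = Token.objects.get(
            token_type=REQUEST_TOKEN,
            key=oauth_req.resource_owner_key)
    except Token.DoesNotExist:
        # Validation passed but the request token can no longer be loaded
        # (for instance it was already exchanged). Reject with 401 instead
        # of letting the lookup raise and surface as a server error.
        log.error('Invalid OAuth request for acquiring access token')
        return HttpResponse(status=401)
    # NOTE(review): lookup, issue and delete are separate statements and no
    # transaction or row lock is visible here; confirm that two concurrent
    # requests cannot both exchange the same request token.
    t = Token.generate_new(
        token_type=ACCESS_TOKEN,
        creds=req_t.creds,
        user=req_t.user)
    # Clean up as we go: request tokens are single use.
    req_t.delete()
    return HttpResponse(
        urlencode({'oauth_token': t.key,
                   'oauth_token_secret': t.secret}),
        content_type='application/x-www-form-urlencoded')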
예제 #6
 def test_deny_authorize_page(self):
     """Denying authorization removes the pending request token.

     The POST carries ``deny`` alongside the token key; the view must
     answer 200 and the token row must be gone afterwards, so a denied
     request token cannot be exchanged later.
     """
     request_token = Token.generate_new(REQUEST_TOKEN, self.access)
     self.client.login(username='******', password='******')
     authorize_url = reverse('mkt.developers.oauth_authorize')
     form = {'oauth_token': request_token.key, 'deny': ''}
     response = self.client.post(authorize_url, data=form)
     eq_(response.status_code, 200)
     remaining = Token.objects.filter(pk=request_token.pk).count()
     eq_(remaining, 0)
예제 #7
 def test_get_authorize_page(self):
     """The authorize page renders and embeds the request token key.

     After logging in, a GET with ``oauth_token`` must return 200 and the
     ``oauth_token`` input must hold the key of the token just created.
     """
     request_token = Token.generate_new(REQUEST_TOKEN, self.access)
     self.client.login(username='******', password='******')
     query = {'oauth_token': request_token.key}
     response = self.client.get('/oauth/authorize/', data=query)
     eq_(response.status_code, 200)
     document = pq(response.content)
     token_field = document('input[name=oauth_token]')
     eq_(token_field.attr('value'), request_token.key)
예제 #8
파일: oauth.py 프로젝트: AALEKH/zamboni
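def access_request(request):
    """Exchange a request token for an access token.

    The request URI, method, body and the Authorization/Content-Type
    headers are handed to ``OAuthServer.verify_access_token_request``; a
    ``ValueError`` from it counts as an invalid request. On success a new
    ACCESS_TOKEN is generated with the request token's ``creds`` and
    ``user``, the request token is deleted, and the new key/secret are
    returned form-encoded. Every failure path answers 401.
    """
    oa = OAuthServer()
    try:
        # Either header may be absent, in which case None is passed through.
        # NOTE(review): confirm the verifier rejects that rather than raising
        # something other than ValueError.
        valid, oauth_request = oa.verify_access_token_request(
            request.build_absolute_uri(),
            request.method,
            request.body,
            {'Authorization': request.META.get('HTTP_AUTHORIZATION'),
             'Content-Type': request.META.get('CONTENT_TYPE')
             })
    except ValueError:
        valid = False
    if not valid:
        log.error('Invalid OAuth request for acquiring access token')
        return HttpResponse(status=401)

    try:
        req_t = Token.objects.get(
            token_type=REQUEST_TOKEN,
            key=oauth_request.resource_owner_key)
    except Token.DoesNotExist:
        # Verification passed but the request token can no longer be loaded
        # (for instance it was already exchanged). Reject with 401 instead
        # of letting the lookup raise and surface as a server error.
        log.error('Invalid OAuth request for acquiring access token')
        return HttpResponse(status=401)
    # NOTE(review): lookup, issue and delete are separate statements and no
    # transaction or row lock is visible here; confirm that two concurrent
    # requests cannot both exchange the same request token.
    t = Token.generate_new(
        token_type=ACCESS_TOKEN,
        creds=req_t.creds,
        user=req_t.user)
    # Clean up as we go: request tokens are single use.
    req_t.delete()
    return HttpResponse(
        urlencode({'oauth_token': t.key,
                   'oauth_token_secret': t.secret}),
        content_type='application/x-www-form-urlencoded')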
예제 #9
 def test_post_authorize_page(self):
     """Granting authorization redirects back with token and verifier.

     The POST carries ``grant``; the response must be a 302 to the
     registered redirect URI with ``oauth_token`` and ``oauth_verifier``
     appended, and the request token must now belong to a user.
     """
     request_token = Token.generate_new(REQUEST_TOKEN, self.access)
     callback_query = "?oauth_token=%s&oauth_verifier=%s" % (
         request_token.key, request_token.verifier)
     expected_location = self.redirect_uri + callback_query
     self.client.login(username="******", password="******")
     authorize_url = reverse("mkt.developers.oauth_authorize")
     form = {"oauth_token": request_token.key, "grant": ""}
     response = self.client.post(authorize_url, data=form)
     eq_(response.status_code, 302)
     eq_(response.get("location"), expected_location)
     # 999 is presumably the pk of the user logged in above; confirm
     # against the test fixtures.
     stored = Token.objects.get(pk=request_token.pk)
     eq_(stored.user.pk, 999)
예제 #10
 def test_revoke_token(self):
     """Posting a token pk under ``authorized_apps`` revokes that token.

     After the POST the page must render (200), show no
     ``#authorized_apps`` element, and no Token rows may remain.
     """
     app_label = "Test Mkt App"
     consumer = Access.objects.create(
         key="", secret="", user=self.user.user,
         app_name=app_label, redirect_uri="")
     access_token = Token.generate_new(
         token_type=ACCESS_TOKEN, creds=consumer, user=self.user.user)
     form = {'authorized_apps': [str(access_token.pk)]}
     response = self.client.post(self.url, form)
     document = pq(response.content)
     eq_(response.status_code, 200)
     eq_(len(document('#authorized_apps')), 0)
     # Revocation must remove the stored token, not merely hide it.
     eq_(Token.objects.count(), 0)
예제 #11
 def test_tokens(self):
     """An issued access token is listed under ``#authorized_apps``.

     The option's text must be the consumer's app name and its value the
     token's primary key as a string.
     """
     app_label = "Test Mkt App"
     consumer = Access.objects.create(
         key="", secret="", user=self.user.user,
         app_name=app_label, redirect_uri="")
     access_token = Token.generate_new(
         token_type=ACCESS_TOKEN, creds=consumer, user=self.user.user)
     response = self.client.get(self.url)
     document = pq(response.content)
     eq_(response.status_code, 200)
     eq_(document('#authorized_apps option').text(), app_label)
     # The form exposes the pk only, not the token key or secret.
     eq_(document('#authorized_apps option').attr('value'),
         str(access_token.pk))
예제 #12
 def test_post_authorize_page(self):
     """Granting authorization redirects back with token and verifier.

     The POST carries ``grant``; the response must be a 302 to the
     registered redirect URI with ``oauth_token`` and ``oauth_verifier``
     appended, and the request token must now belong to a user.
     """
     request_token = Token.generate_new(REQUEST_TOKEN, self.access)
     callback_query = '?oauth_token=%s&oauth_verifier=%s' % (
         request_token.key, request_token.verifier)
     expected_location = self.redirect_uri + callback_query
     self.client.login(username='******', password='******')
     authorize_url = reverse('mkt.developers.oauth_authorize')
     form = {'oauth_token': request_token.key, 'grant': ''}
     response = self.client.post(authorize_url, data=form)
     eq_(response.status_code, 302)
     eq_(response.get('location'), expected_location)
     # 999 is presumably the pk of the user logged in above; confirm
     # against the test fixtures.
     stored = Token.objects.get(pk=request_token.pk)
     eq_(stored.user.pk, 999)
예제 #13
 def test_bad_access_request(self):
     """An invalid access-token request gets 401 and issues no token.

     NOTE(review): several inputs are wrong at once here. The request
     token's key/secret are sent as the client credentials, and the
     resource-owner pair and the verifier are ``generate()`` output, so a
     401 does not show which individual check rejected the request.
     """
     request_token = Token.generate_new(REQUEST_TOKEN, self.access)
     endpoint = urlparse.urljoin(
         settings.SITE_URL,
         reverse('mkt.developers.oauth_access_request'))
     signed_url, authorization = self._oauth_request_info(
         endpoint,
         client_key=request_token.key,
         client_secret=request_token.secret,
         resource_owner_key=generate(),
         resource_owner_secret=generate(),
         verifier=generate(),
         callback_uri=self.access.redirect_uri)
     response = self.client.get(
         signed_url,
         HTTP_HOST='testserver',
         HTTP_AUTHORIZATION=authorization)
     eq_(response.status_code, 401)
     # A rejected exchange must not leave an access token behind.
     issued = Token.objects.filter(token_type=ACCESS_TOKEN)
     assert not issued.exists()
예제 #14
 def test_use_access_token(self):
     """A request signed with an issued access token authenticates.

     The token is created for ``self.user2``; after ``is_authenticated``
     succeeds, ``req.user`` must be that same user, not any other.
     """
     endpoint = get_absolute_url(
         ("api_dispatch_list", {"resource_name": "app"}))
     access_token = Token.generate_new(
         ACCESS_TOKEN, creds=self.access, user=self.user2)
     signed_url, authorization = self._oauth_request_info(
         endpoint,
         client_key=self.access.key,
         client_secret=self.access.secret,
         resource_owner_key=access_token.key,
         resource_owner_secret=access_token.secret)
     authenticator = authentication.OAuthAuthentication()
     request = RequestFactory().get(
         signed_url,
         HTTP_HOST="testserver",
         HTTP_AUTHORIZATION=authorization)
     assert authenticator.is_authenticated(request)
     # The identity must come from the token's owner.
     eq_(request.user, self.user2)
예제 #15
 def test_use_access_token(self):
     """A request signed with an issued access token authenticates.

     The request passes through ``RestOAuthMiddleware.process_request``
     first; ``authenticate`` must then succeed and ``req.user`` must be the
     token's owner, ``self.user2``.
     """
     target = absolutify(reverse('app-list'))
     access_token = Token.generate_new(
         ACCESS_TOKEN, creds=self.access, user=self.user2)
     signed_url, authorization = self._oauth_request_info(
         target,
         client_key=self.access.key,
         client_secret=self.access.secret,
         resource_owner_key=access_token.key,
         resource_owner_secret=access_token.secret)
     authenticator = authentication.RestOAuthAuthentication()
     request = RequestFactory().get(
         signed_url,
         HTTP_HOST='testserver',
         HTTP_AUTHORIZATION=authorization)
     request.API = True
     RestOAuthMiddleware().process_request(request)
     assert authenticator.authenticate(Request(request))
     # The identity must come from the token's owner.
     eq_(request.user, self.user2)
예제 #16
파일: oauth.py 프로젝트: ujdhesa/zamboni
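def token_request(request):
    """Issue a request token to a validated OAuth consumer.

    The incoming request is rebuilt with ``server._create_request`` and
    checked with ``server.validate_request_token_request``; a ``ValueError``
    from either step counts as an invalid request. On success a new
    REQUEST_TOKEN bound to the consumer's ``Access`` record is returned
    form-encoded. Every failure path answers 401.
    """
    try:
        oauth_req = server._create_request(
            request.build_absolute_uri(), request.method, request.body,
            get_request_headers(request)
        )
        valid, oauth_req = server.validate_request_token_request(oauth_req)
    except ValueError:
        valid = False
    if not valid:
        log.error("Invalid OAuth request for acquiring request token")
        return HttpResponse(status=401)

    try:
        consumer = Access.objects.get(key=oauth_req.client_key)
    except Access.DoesNotExist:
        # Validation accepted the client key but no matching consumer can
        # be loaded; answer 401 instead of letting the lookup raise.
        log.error("Invalid OAuth request for acquiring request token")
        return HttpResponse(status=401)
    t = Token.generate_new(token_type=REQUEST_TOKEN, creds=consumer)
    # NOTE(review): urlencode renders True as "True", while RFC 5849
    # section 2.1 specifies the literal "true" for oauth_callback_confirmed.
    # Left unchanged in case existing clients depend on the current output.
    return HttpResponse(
        urlencode({"oauth_token": t.key,
                   "oauth_token_secret": t.secret,
                   "oauth_callback_confirmed": True}),
        content_type="application/x-www-form-urlencoded",
    )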
예제 #17
 def test_access_request(self):
     """A valid exchange issues an access token and consumes the request token.

     The request is signed with the consumer credentials, the request
     token's key/secret and its verifier. The response must be 200, the
     returned key/secret must match a stored ACCESS_TOKEN for the same user
     and consumer, and the request token must no longer exist.
     """
     request_token = Token.generate_new(REQUEST_TOKEN, self.access)
     endpoint = urlparse.urljoin(
         settings.SITE_URL,
         reverse('mkt.developers.oauth_access_request'))
     signed_url, authorization = self._oauth_request_info(
         endpoint,
         client_key=self.access.key,
         client_secret=self.access.secret,
         resource_owner_key=request_token.key,
         resource_owner_secret=request_token.secret,
         verifier=request_token.verifier,
         callback_uri=self.access.redirect_uri)
     response = self.client.get(
         signed_url,
         HTTP_HOST='testserver',
         HTTP_AUTHORIZATION=authorization)
     eq_(response.status_code, 200)
     payload = dict(urlparse.parse_qsl(response.content))
     issued = Token.objects.filter(
         token_type=ACCESS_TOKEN,
         key=payload['oauth_token'],
         secret=payload['oauth_token_secret'],
         user=request_token.user,
         creds=self.access)
     assert issued.exists()
     # Request tokens are single use: the exchanged one must be gone.
     leftover = Token.objects.filter(
         token_type=REQUEST_TOKEN,
         key=request_token.key)
     assert not leftover.exists()
예제 #18
파일: oauth.py 프로젝트: zzdjk6/zamboni
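def token_request(request):
    """Issue a request token to a verified OAuth consumer.

    The request URI, method, body and the Authorization/Content-Type
    headers are handed to ``OAuthServer.verify_request_token_request``; a
    ``ValueError`` from it counts as an invalid request. On success a new
    REQUEST_TOKEN bound to the consumer's ``Access`` record is returned
    form-encoded. Every failure path answers 401.
    """
    oa = OAuthServer()
    try:
        # Either header may be absent, in which case None is passed through.
        # NOTE(review): confirm the verifier rejects that rather than raising
        # something other than ValueError.
        valid, oauth_request = oa.verify_request_token_request(
            request.build_absolute_uri(), request.method, request.body, {
                'Authorization': request.META.get('HTTP_AUTHORIZATION'),
                'Content-Type': request.META.get('CONTENT_TYPE')
            })
    except ValueError:
        valid = False
    if not valid:
        log.error('Invalid OAuth request for acquiring request token')
        return HttpResponse(status=401)

    try:
        consumer = Access.objects.get(key=oauth_request.client_key)
    except Access.DoesNotExist:
        # Verification accepted the client key but no matching consumer can
        # be loaded; answer 401 instead of letting the lookup raise.
        log.error('Invalid OAuth request for acquiring request token')
        return HttpResponse(status=401)
    t = Token.generate_new(token_type=REQUEST_TOKEN, creds=consumer)
    # NOTE(review): urlencode renders True as 'True', while RFC 5849
    # section 2.1 specifies the literal 'true' for oauth_callback_confirmed.
    # Left unchanged in case existing clients depend on the current output.
    return HttpResponse(
        urlencode({
            'oauth_token': t.key,
            'oauth_token_secret': t.secret,
            'oauth_callback_confirmed': True
        }),
        content_type='application/x-www-form-urlencoded')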
예제 #19
파일: oauth.py 프로젝트: AALEKH/zamboni
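def token_request(request):
    """Issue a request token to a verified OAuth consumer.

    The request URI, method, body and the Authorization/Content-Type
    headers are handed to ``OAuthServer.verify_request_token_request``; a
    ``ValueError`` from it counts as an invalid request. On success a new
    REQUEST_TOKEN bound to the consumer's ``Access`` record is returned
    form-encoded. Every failure path answers 401.
    """
    oa = OAuthServer()
    try:
        # Either header may be absent, in which case None is passed through.
        # NOTE(review): confirm the verifier rejects that rather than raising
        # something other than ValueError.
        valid, oauth_request = oa.verify_request_token_request(
            request.build_absolute_uri(),
            request.method,
            request.body,
            {'Authorization': request.META.get('HTTP_AUTHORIZATION'),
             'Content-Type': request.META.get('CONTENT_TYPE')
             })
    except ValueError:
        valid = False
    if not valid:
        log.error('Invalid OAuth request for acquiring request token')
        return HttpResponse(status=401)

    try:
        consumer = Access.objects.get(key=oauth_request.client_key)
    except Access.DoesNotExist:
        # Verification accepted the client key but no matching consumer can
        # be loaded; answer 401 instead of letting the lookup raise.
        log.error('Invalid OAuth request for acquiring request token')
        return HttpResponse(status=401)
    t = Token.generate_new(token_type=REQUEST_TOKEN, creds=consumer)
    # NOTE(review): urlencode renders True as 'True', while RFC 5849
    # section 2.1 specifies the literal 'true' for oauth_callback_confirmed.
    # Left unchanged in case existing clients depend on the current output.
    return HttpResponse(
        urlencode({'oauth_token': t.key,
                   'oauth_token_secret': t.secret,
                   'oauth_callback_confirmed': True}),
        content_type='application/x-www-form-urlencoded')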
예제 #20
 def test_access_request(self):
     """A valid exchange issues an access token and consumes the request token.

     The request is signed with the consumer credentials, the request
     token's key/secret and its verifier. The response must be 200, the
     returned key/secret must match a stored ACCESS_TOKEN for the same user
     and consumer, and the request token must no longer exist.
     """
     request_token = Token.generate_new(REQUEST_TOKEN, self.access)
     endpoint = urlparse.urljoin(
         settings.SITE_URL,
         reverse('mkt.developers.oauth_access_request'))
     signed_url, authorization = self._oauth_request_info(
         endpoint,
         client_key=self.access.key,
         client_secret=self.access.secret,
         resource_owner_key=request_token.key,
         resource_owner_secret=request_token.secret,
         verifier=request_token.verifier,
         callback_uri=self.access.redirect_uri)
     response = self.client.get(
         signed_url,
         HTTP_HOST='testserver',
         HTTP_AUTHORIZATION=authorization)
     eq_(response.status_code, 200)
     payload = dict(urlparse.parse_qsl(response.content))
     issued = Token.objects.filter(
         token_type=ACCESS_TOKEN,
         key=payload['oauth_token'],
         secret=payload['oauth_token_secret'],
         user=request_token.user,
         creds=self.access)
     assert issued.exists()
     # Request tokens are single use: the exchanged one must be gone.
     leftover = Token.objects.filter(
         token_type=REQUEST_TOKEN,
         key=request_token.key)
     assert not leftover.exists()
예제 #21
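def access_request(request):
    """Exchange a request token for an access token.

    The incoming request is rebuilt with ``server._create_request`` and
    checked with ``server.validate_access_token_request``; a ``ValueError``
    from either step counts as an invalid request. On success a new
    ACCESS_TOKEN is generated with the request token's ``creds`` and
    ``user``, the request token is deleted, and the new key/secret are
    returned form-encoded. Every failure path answers 401.
    """
    try:
        oauth_req = server._create_request(request.build_absolute_uri(),
                                           request.method, request.body,
                                           get_request_headers(request))
        valid, oauth_req = server.validate_access_token_request(oauth_req)
    except ValueError:
        valid = False
    if not valid:
        log.error('Invalid OAuth request for acquiring access token')
        return HttpResponse(status=401)

    try:
        req_t = Token.objects.get(token_type=REQUEST_TOKEN,
                                  key=oauth_req.resource_owner_key)
    except Token.DoesNotExist:
        # Validation passed but the request token can no longer be loaded
        # (for instance it was already exchanged). Reject with 401 instead
        # of letting the lookup raise and surface as a server error.
        log.error('Invalid OAuth request for acquiring access token')
        return HttpResponse(status=401)
    # NOTE(review): lookup, issue and delete are separate statements and no
    # transaction or row lock is visible here; confirm that two concurrent
    # requests cannot both exchange the same request token.
    t = Token.generate_new(token_type=ACCESS_TOKEN,
                           creds=req_t.creds,
                           user=req_t.user)
    # Clean up as we go: request tokens are single use.
    req_t.delete()
    return HttpResponse(
        urlencode({
            'oauth_token': t.key,
            'oauth_token_secret': t.secret
        }),
        content_type='application/x-www-form-urlencoded')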