def setUp(self):
self.faketime = 525942870
self.client = Client()
# create a Consumer (and associated stuff)
try:
u = User.objects.get(username='******')
except User.DoesNotExist:
u = User(username='******')
u.save()
try:
c = Consumer.objects.get(name='Test Consumer')
except Consumer.DoesNotExist:
c = Consumer(name='Test Consumer')
c.description = 'Consumer to do some tests with'
c.status = ACCEPTED
c.user = u
c.xauth_allowed = False
c.generate_random_codes()
c.save()
self.consumer = c
i = ConsumerInfo(consumer=c)
i.admin_contact = '*****@*****.**'
i.permissions = ['courses']
i.timestamp = self.faketime - 10 # make sure the ConsumerInfo was there "before" the Token was created
i.save()
self.consumerinfo = i
# create an access token so we can jump in to requests
try:
t = Token.objects.get(token_type=Token.ACCESS, consumer=c, user=u)
except Token.DoesNotExist:
t = Token(token_type=Token.ACCESS,
consumer=c,
user=u,
timestamp=self.faketime)
t.is_approved = True
t.generate_random_codes()
t.verifier = VERIFIER
t.save()
self.token = t
def setUp(self):
self.faketime = 525942870
self.client = Client()
# create a Consumer (and associated stuff)
try:
u = User.objects.get(username='******')
except User.DoesNotExist:
u = User(username='******')
u.save()
try:
c = Consumer.objects.get(name='Test Consumer')
except Consumer.DoesNotExist:
c = Consumer(name='Test Consumer')
c.description = 'Consumer to do some tests with'
c.status = ACCEPTED
c.user = u
c.xauth_allowed = False
c.generate_random_codes()
c.save()
self.consumer = c
i = ConsumerInfo(consumer=c)
i.admin_contact = '*****@*****.**'
i.permissions = ['courses']
i.timestamp = self.faketime - 10 # make sure the ConsumerInfo was there "before" the Token was created
i.save()
self.consumerinfo = i
# create an access token so we can jump in to requests
try:
t = Token.objects.get(token_type=Token.ACCESS, consumer=c, user=u)
except Token.DoesNotExist:
t = Token(token_type=Token.ACCESS, consumer=c, user=u, timestamp=self.faketime)
t.is_approved = True
t.generate_random_codes()
t.verifier = VERIFIER
t.save()
self.token = t
class OauthTestIssue24(BaseOAuthTestCase):
"""
See https://bitbucket.org/david/django-oauth-plus/issue/24/utilspy-initialize_server_request-should
"""
def setUp(self):
super(OauthTestIssue24, self).setUp()
#setting the access key/secret to made-up strings
self.access_token = Token(
key="key",
secret="secret",
consumer=self.consumer,
user=self.jane,
token_type=2,
scope=self.scope
)
self.access_token.save()
def __make_querystring_with_HMAC_SHA1(self, http_method, path, data, content_type):
"""
Utility method for creating a request which is signed using HMAC_SHA1 method
"""
consumer = oauth.Consumer(key=self.CONSUMER_KEY, secret=self.CONSUMER_SECRET)
token = oauth.Token(key=self.access_token.key, secret=self.access_token.secret)
url = "http://testserver:80" + path
#if data is json, we want it in the body, else as parameters (i.e. queryparams on get)
parameters=None
body = ""
if content_type=="application/json":
body = data
else:
parameters = data
request = oauth.Request.from_consumer_and_token(
consumer=consumer,
token=token,
http_method=http_method,
http_url=url,
parameters=parameters,
body=body
)
# Sign the request.
signature_method = oauth.SignatureMethod_HMAC_SHA1()
request.sign_request(signature_method, consumer, token)
return request.to_url()
def test_that_initialize_server_request_when_custom_content_type(self):
"""Chceck if post data is not included in params when constent type
is not application/x-www-form-urlencoded. It would cause problems only when signature method is
HMAC-SHA1
"""
data = json.dumps({"data": {"foo": "bar"}})
content_type = "application/json"
querystring = self.__make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
#we're just using the request, don't bother faking sending it
rf = RequestFactory()
request = rf.post(querystring, data, content_type)
#this is basically a "remake" of the relevant parts of OAuthAuthentication in django-rest-framework
oauth_request = utils.get_oauth_request(request)
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
oauth_server, oauth_request = utils.initialize_server_request(request)
#check that this does not throw an oauth.Error
oauth_server.verify_request(oauth_request, consumer, token)
def test_post_using_in_authorization_header_and_PLAINTEXT(self):
self._request_token()
self._authorize_and_access_token_using_form()
parameters = {
'oauth_consumer_key': self.CONSUMER_KEY,
'oauth_signature_method': "PLAINTEXT",
'oauth_version': "1.0",
'oauth_token': self.ACCESS_TOKEN_KEY,
'oauth_timestamp': str(int(time.time())),
'oauth_nonce': str(int(time.time()))+"nonce",
'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
}
header = self._get_http_authorization_header(parameters)
response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header)
self.assertEqual(response.status_code, 200)
def test_post_using_auth_in_post_body_and_PLAINTEXT(self):
"""Check if auth works when authorization data is in post body when
content type is pplication/x-www-form-urlencoded
"""
self._request_token()
self._authorize_and_access_token_using_form()
parameters = {
'oauth_consumer_key': self.CONSUMER_KEY,
'oauth_signature_method': "PLAINTEXT",
'oauth_version': "1.0",
'oauth_token': self.ACCESS_TOKEN_KEY,
'oauth_timestamp': str(int(time.time())),
'oauth_nonce': str(int(time.time()))+"nonce",
'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
"additional_data": "whoop" # additional data
}
response = self.c.post("/oauth/photo/", urllib.urlencode(parameters, True),
content_type="application/x-www-form-urlencoded")
self.assertEqual(response.status_code, 200)
def test_post_using_auth_in_header_with_content_type_json_and_PLAINTEXT(self):
self._request_token()
self._authorize_and_access_token_using_form()
parameters = {
'oauth_consumer_key': self.CONSUMER_KEY,
'oauth_signature_method': "PLAINTEXT",
'oauth_version': "1.0",
'oauth_token': self.ACCESS_TOKEN_KEY,
'oauth_timestamp': str(int(time.time())),
'oauth_nonce': str(int(time.time()))+"nonce",
'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
}
header = self._get_http_authorization_header(parameters)
response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header, CONTENT_TYPE="application/json")
self.assertEqual(response.status_code, 200)
def test_post_using_auth_in_body_content_type_and_application_x_www_form_urlencoded(self):
"""Opposite of test_that_initialize_server_request_when_custom_content_type,
If content type is application/x-www-form-urlencoded, post data should be added to params,
and it affects signature
"""
self._request_token()
self._authorize_and_access_token_using_form()
data={"foo": "bar"}
content_type = "application/x-www-form-urlencoded"
querystring = self.__make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
#we're just using the request, don't bother faking sending it
rf = RequestFactory()
request = rf.post(querystring, urllib.urlencode(data), content_type)
#this is basically a "remake" of the relevant parts of OAuthAuthentication in django-rest-framework
oauth_request = utils.get_oauth_request(request)
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
oauth_server, oauth_request = utils.initialize_server_request(request)
#check that this does not throw an oauth.Error
oauth_server.verify_request(oauth_request, consumer, token)
class OauthTestIssue24(BaseOAuthTestCase):
"""
See https://bitbucket.org/david/django-oauth-plus/issue/24/utilspy-initialize_server_request-should
"""
def setUp(self):
super(OauthTestIssue24, self).setUp()
#setting the access key/secret to made-up strings
self.access_token = Token(
key="key",
secret="secret",
consumer=self.consumer,
user=self.jane,
token_type=2,
scope=self.scope
)
self.access_token.save()
def test_that_initialize_server_request_when_custom_content_type(self):
"""Chceck if post data is not included in params when constent type
is not application/x-www-form-urlencoded. It would cause problems only when signature method is
HMAC-SHA1
"""
data = json.dumps({"data": {"foo": "bar"}})
content_type = "application/json"
querystring = self._make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
#we're just using the request, don't bother faking sending it
rf = RequestFactory()
request = rf.post(querystring, data, content_type)
#this is basically a "remake" of the relevant parts of OAuthAuthentication in django-rest-framework
oauth_request = utils.get_oauth_request(request)
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
oauth_server, oauth_request = utils.initialize_server_request(request)
#check that this does not throw an oauth.Error
oauth_server.verify_request(oauth_request, consumer, token)
def test_post_using_in_authorization_header_and_PLAINTEXT(self):
self._request_token()
self._authorize_and_access_token_using_form()
parameters = {
'oauth_consumer_key': self.CONSUMER_KEY,
'oauth_signature_method': "PLAINTEXT",
'oauth_version': "1.0",
'oauth_token': self.ACCESS_TOKEN_KEY,
'oauth_timestamp': str(int(time.time())),
'oauth_nonce': str(int(time.time()))+"nonce",
'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
}
header = self._get_http_authorization_header(parameters)
response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header)
self.assertEqual(response.status_code, 200)
def test_post_using_auth_in_post_body_and_PLAINTEXT(self):
"""Check if auth works when authorization data is in post body when
content type is pplication/x-www-form-urlencoded
"""
self._request_token()
self._authorize_and_access_token_using_form()
parameters = {
'oauth_consumer_key': self.CONSUMER_KEY,
'oauth_signature_method': "PLAINTEXT",
'oauth_version': "1.0",
'oauth_token': self.ACCESS_TOKEN_KEY,
'oauth_timestamp': str(int(time.time())),
'oauth_nonce': str(int(time.time()))+"nonce",
'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
"additional_data": "whoop" # additional data
}
response = self.c.post("/oauth/photo/", urllib.urlencode(parameters, True),
content_type="application/x-www-form-urlencoded")
self.assertEqual(response.status_code, 200)
def test_post_using_auth_in_header_with_content_type_json_and_PLAINTEXT(self):
self._request_token()
self._authorize_and_access_token_using_form()
parameters = {
'oauth_consumer_key': self.CONSUMER_KEY,
'oauth_signature_method': "PLAINTEXT",
'oauth_version': "1.0",
'oauth_token': self.ACCESS_TOKEN_KEY,
'oauth_timestamp': str(int(time.time())),
'oauth_nonce': str(int(time.time()))+"nonce",
'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
}
header = self._get_http_authorization_header(parameters)
response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header, CONTENT_TYPE="application/json")
self.assertEqual(response.status_code, 200)
def test_post_using_auth_in_body_content_type_and_application_x_www_form_urlencoded(self):
"""Opposite of test_that_initialize_server_request_when_custom_content_type,
If content type is application/x-www-form-urlencoded, post data should be added to params,
and it affects signature
"""
self._request_token()
self._authorize_and_access_token_using_form()
data = {"foo": "bar"}
content_type = "application/x-www-form-urlencoded"
querystring = self._make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)
#we're just using the request, don't bother faking sending it
rf = RequestFactory()
request = rf.post(querystring, urllib.urlencode(data), content_type)
# this is basically a "remake" of the relevant parts of
# OAuthAuthentication in django-rest-framework
oauth_request = utils.get_oauth_request(request)
consumer_key = oauth_request.get_parameter('oauth_consumer_key')
consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)
token_param = oauth_request.get_parameter('oauth_token')
token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)
oauth_server, oauth_request = utils.initialize_server_request(request)
#check that this does not throw an oauth.Error
oauth_server.verify_request(oauth_request, consumer, token)
