def testWebFlowError_ContextAwareAccessDenied(self):
"""When login was denied because of context aware access policies."""
self.mock_load.return_value = None # No creds to start.
self.mock_flow.side_effect = rfc6749_errors.AccessDeniedError(
'access_denied: Account restricted')
with self.assertRaisesRegex(flow.Error,
'access_denied: Account restricted'):
self.Login(account='*****@*****.**')
self.AssertErrContains(
'Access was blocked due to an organization policy')
def validate_token_request(self, request):
# This method's code is based on the parent method's code
# We removed the original comments to replace with ours
# explaining our modifications.
# We need to set these at None by default otherwise
# we are going to get some AttributeError later
request._params.setdefault("backend", None)
request._params.setdefault("client_secret", None)
if request.grant_type != 'convert_token':
raise errors.UnsupportedGrantTypeError(request=request)
# We check that a token parameter is present.
# It should contain the social token to be used with the backend
if request.token is None:
raise errors.InvalidRequestError(
description='Missing token parameter.', request=request)
# We check that a backend parameter is present.
# It should contain the name of the social backend to be used
if request.backend is None:
raise errors.InvalidRequestError(
description='Missing backend parameter.', request=request)
if not request.client_id:
raise errors.MissingClientIdError(request=request)
if not self.request_validator.validate_client_id(
request.client_id, request):
raise errors.InvalidClientIdError(request=request)
# Existing code to retrieve the application instance from the client id
if self.request_validator.client_authentication_required(request):
log.debug('Authenticating client, %r.', request)
if not self.request_validator.authenticate_client(request):
log.debug('Invalid client (%r), denying access.', request)
raise errors.InvalidClientError(request=request)
elif not self.request_validator.authenticate_client_id(
request.client_id, request):
log.debug('Client authentication failed, %r.', request)
raise errors.InvalidClientError(request=request)
# Ensure client is authorized use of this grant type
# We chose refresh_token as a grant_type
# as we don't want to modify all the codebase.
# It is also the most permissive and logical grant for our needs.
request.grant_type = "refresh_token"
self.validate_grant_type(request)
self.validate_scopes(request)
# TODO: Find a better way to pass the django request object
strategy = load_strategy(request=request.django_request)
try:
backend = load_backend(
strategy, request.backend,
reverse(NAMESPACE + ":complete", args=(request.backend, )))
except MissingBackend:
raise errors.InvalidRequestError(
description='Invalid backend parameter.', request=request)
try:
user = backend.do_auth(access_token=request.token)
except requests.HTTPError as e:
raise errors.InvalidRequestError(
description="Backend responded with HTTP{0}: {1}.".format(
e.response.status_code, e.response.text),
request=request)
except SocialAuthBaseException as e:
raise errors.AccessDeniedError(description=str(e), request=request)
if not user:
raise errors.InvalidGrantError('Invalid credentials given.',
request=request)
if not user.is_active:
raise errors.InvalidGrantError('User inactive or deleted.',
request=request)
request.user = user
log.debug('Authorizing access to user %r.', request.user)