def initialize_server_request(request):
"""
Shortcut for initialization.
"""
if request.method == "POST": #and \
# request.META['CONTENT_TYPE'] == "application/x-www-form-urlencoded":
params = dict(request.REQUEST.items())
else:
params = {}
# Seems that we want to put HTTP_AUTHORIZATION into 'Authorization'
# for oauth.py to understand. Lovely.
request.META['Authorization'] = request.META.get('HTTP_AUTHORIZATION', '')
oauth_request = oauth.OAuthRequest.from_request(
request.method,
request.build_absolute_uri(),
headers=request.META,
parameters=params,
query_string=request.environ.get('QUERY_STRING', ''))
if oauth_request:
oauth_server = oauth.OAuthServer(oauth_datastore(oauth_request))
oauth_server.add_signature_method(
oauth.OAuthSignatureMethod_PLAINTEXT())
oauth_server.add_signature_method(
oauth.OAuthSignatureMethod_HMAC_SHA1())
else:
oauth_server = None
return oauth_server, oauth_request
class OAuthTests(MainTests):
signature_method = oauth.OAuthSignatureMethod_HMAC_SHA1()
def setUp(self):
super(OAuthTests, self).setUp()
self.consumer = Consumer.objects.create_consumer('Test Consumer')
self.consumer.status = 'accepted'
self.consumer.save()
def tearDown(self):
super(OAuthTests, self).tearDown()
self.consumer.delete()
def test_handshake(self):
'''Test the OAuth handshake procedure
'''
oaconsumer = oauth.OAuthConsumer(self.consumer.key, self.consumer.secret)
# Get a request key...
request = oauth.OAuthRequest.from_consumer_and_token(oaconsumer,
http_url='http://testserver/api/oauth/request_token')
request.sign_request(self.signature_method, oaconsumer, None)
response = self.client.get('/api/oauth/request_token', request.parameters)
oatoken = oauth.OAuthToken.from_string(response.content)
token = Token.objects.get(key=oatoken.key, token_type=Token.REQUEST)
self.assertEqual(token.secret, oatoken.secret)
# Simulate user authentication...
self.failUnless(self.client.login(username='******', password='******'))
request = oauth.OAuthRequest.from_token_and_callback(token=oatoken,
callback='http://printer.example.com/request_token_ready',
http_url='http://testserver/api/oauth/authorize')
request.sign_request(self.signature_method, oaconsumer, oatoken)
# Request the login page
# TODO: Parse the response to make sure all the fields exist
# response = self.client.get('/api/oauth/authorize', {
# 'oauth_token': oatoken.key,
# 'oauth_callback': 'http://printer.example.com/request_token_ready',
# })
response = self.client.post('/api/oauth/authorize', {
'oauth_token': oatoken.key,
'oauth_callback': 'http://printer.example.com/request_token_ready',
'csrf_signature': OAuthAuthenticationForm.get_csrf_signature(settings.SECRET_KEY, oatoken.key),
'authorize_access': 1,
})
# Response should be a redirect...
self.assertEqual(302, response.status_code)
self.failUnless(response['Location'].startswith("http://printer.example.com/request_token_ready?"))
self.failUnless(('oauth_token='+oatoken.key in response['Location']))
class OAuthTests(APIMainTest):
"""
OAuthTest Does oauth handshake test and gives derived test classes tests the possibility
to do OAuth resource requests.
"""
signature_method = oauth.OAuthSignatureMethod_HMAC_SHA1()
def setUp(self):
super(OAuthTests, self).setUp()
self.consumer = Consumer(name='Test Consumer',
description='Test',
status='accepted')
self.consumer.generate_random_codes()
self.consumer.save()
self.oa_atoken = None
self.test_handshake()
def tearDown(self):
super(OAuthTests, self).tearDown()
self.consumer.delete()
def do_oauth_request(self, url, parameters={}, http_method='POST'):
oaconsumer = oauth.OAuthConsumer(self.consumer.key,
self.consumer.secret)
request = oauth.OAuthRequest.from_consumer_and_token(
oaconsumer,
http_method=http_method,
token=self.oa_atoken,
http_url='http://testserver%s' % url)
request.parameters.update(parameters)
request.sign_request(self.signature_method, oaconsumer, self.oa_atoken)
if http_method == 'POST':
response = self.client.post(url, request.parameters)
else:
response = self.client.get(url, request.parameters)
return response
def test_handshake(self):
'''Test the OAuth handshake procedure
'''
oaconsumer = oauth.OAuthConsumer(self.consumer.key,
self.consumer.secret)
# Get a request key...
request = oauth.OAuthRequest.from_consumer_and_token(
oaconsumer, http_url='http://testserver/oauth/request_token/')
request.sign_request(self.signature_method, oaconsumer, None)
response = self.client.get('/oauth/request_token/', request.parameters)
oatoken = oauth.OAuthToken.from_string(response.content)
token = Token.objects.get(key=oatoken.key, token_type=Token.REQUEST)
self.assertEqual(token.secret, oatoken.secret)
# Simulate user authentication...
self.failUnless(self.client.login(username='******', password='******'))
request = oauth.OAuthRequest.from_token_and_callback(
token=oatoken,
callback='http://printer.example.com/request_token_ready',
http_url='http://testserver/oauth/authorize/')
request.sign_request(self.signature_method, oaconsumer, oatoken)
# Request the login page
# TODO: Parse the response to make sure all the fields exist
# response = self.client.get('/api/oauth/authorize', {
# 'oauth_token': oatoken.key,
# 'oauth_callback': 'http://printer.example.com/request_token_ready',
# })
response = self.client.post(
'/oauth/authorize/', {
'oauth_token':
oatoken.key,
'oauth_callback':
'http://printer.example.com/request_token_ready',
'csrf_signature':
OAuthAuthenticationForm.get_csrf_signature(
settings.SECRET_KEY, oatoken.key),
'authorize_access':
1,
})
# Response should be a redirect...
self.assertEqual(302, response.status_code)
self.assertEqual(
'http://printer.example.com/request_token_ready?oauth_token=' +
oatoken.key, response['Location'])
# Obtain access token...
request = oauth.OAuthRequest.from_consumer_and_token(
oaconsumer,
token=oatoken,
http_url='http://testserver/oauth/access_token/')
request.sign_request(self.signature_method, oaconsumer, oatoken)
response = self.client.get('/oauth/access_token/', request.parameters)
oa_atoken = oauth.OAuthToken.from_string(response.content)
atoken = Token.objects.get(key=oa_atoken.key, token_type=Token.ACCESS)
self.assertEqual(atoken.secret, oa_atoken.secret)
# save the acces token so we can do oauth requests
self.oa_atoken = oa_atoken
class OAuthTests(MainTests):
signature_method = oauth.OAuthSignatureMethod_HMAC_SHA1()
def setUp(self):
super(OAuthTests, self).setUp()
self.consumer = Consumer.objects.create_consumer('Test Consumer')
self.consumer.status = 'accepted'
self.consumer.save()
def tearDown(self):
super(OAuthTests, self).tearDown()
self.consumer.delete()
def test_normal_handshake(self):
previous_nonce = Nonce.objects.count()
self.handshake()
final_nonce = Nonce.objects.count()
self.assertTrue(previous_nonce < final_nonce)
def test_https_handshake(self):
previous_nonce = Nonce.objects.count()
self.handshake(ssl=True)
final_nonce = Nonce.objects.count()
self.assertEqual(previous_nonce, final_nonce)
def handshake(self, ssl=False):
'''Test the OAuth handshake procedure
'''
oaconsumer = oauth.OAuthConsumer(self.consumer.key,
self.consumer.secret)
# Get a request key...
request = oauth.OAuthRequest.from_consumer_and_token(
oaconsumer, http_url='http://testserver/api/oauth/request_token')
request.sign_request(self.signature_method, oaconsumer, None)
response = self.client.get('/api/oauth/request_token',
request.parameters)
oatoken = oauth.OAuthToken.from_string(response.content)
token = Token.objects.get(key=oatoken.key, token_type=Token.REQUEST)
self.assertEqual(token.secret, oatoken.secret)
# Simulate user authentication...
self.failUnless(self.client.login(username='******', password='******'))
request = oauth.OAuthRequest.from_token_and_callback(
token=oatoken,
callback='http://printer.example.com/request_token_ready',
http_url='http://testserver/api/oauth/authorize')
request.sign_request(self.signature_method, oaconsumer, oatoken)
# Request the login page
# TODO: Parse the response to make sure all the fields exist
response = self.client.get(
'/api/oauth/authorize', {
'oauth_token': oatoken.key,
'oauth_callback':
'http://printer.example.com/request_token_ready',
})
response = self.client.post(
'/api/oauth/authorize', {
'oauth_token':
oatoken.key,
'oauth_callback':
'http://printer.example.com/request_token_ready',
'csrf_signature':
OAuthAuthenticationForm.get_csrf_signature(
settings.SECRET_KEY, oatoken.key),
'authorize_access':
1,
})
redirect_to = response['Location']
query_string = urllib.splitquery(redirect_to)[1]
data = dict(cgi.parse_qsl(query_string))
verifier = data['oauth_verifier']
returned_token = data['oauth_token']
# Response should be a redirect...
self.assertEqual(302, response.status_code)
self.failUnless(
redirect_to.startswith(
"http://printer.example.com/request_token_ready?"))
self.assertEqual(oatoken.key, returned_token)
#response = self.client.get(redirect_to)
oatoken.set_verifier(verifier)
# Obtain access token...
protocol = 'http'
port = '80'
if ssl:
protocol = 'https'
port = '443'
request = oauth.OAuthRequest.from_consumer_and_token(
oaconsumer,
token=oatoken,
verifier=verifier,
http_url='%s://testserver:%s/api/oauth/access_token' %
(protocol, port))
request.sign_request(self.signature_method, oaconsumer, oatoken)
extra = {}
if ssl:
extra['wsgi.url_scheme'] = 'https'
extra['SERVER_PORT'] = '443'
response = self.client.get('/api/oauth/access_token',
request.parameters, **extra)
oa_atoken = oauth.OAuthToken.from_string(response.content)
atoken = Token.objects.get(key=oa_atoken.key, token_type=Token.ACCESS)
self.assertEqual(atoken.secret, oa_atoken.secret)
class OAuthRequester:
signature_method = oauth.OAuthSignatureMethod_HMAC_SHA1()
def __init__(self, test_case, username, password, consumer):
self.SERVER_NAME = 'testserver'
self.consumer = consumer
self.test_case = test_case
# Much of this method comes straight from Piston's unit tests
# TODO: Fix copyright, then!
oaconsumer = oauth.OAuthConsumer(self.consumer.key,
self.consumer.secret)
# Callback URL
c_url = 'http://printer.example.com/request_token_ready'
# Get a request key...
url = 'http://' + self.SERVER_NAME + '/oauth/request_token/'
request = oauth.OAuthRequest.from_consumer_and_token(
oaconsumer, http_url=url, parameters={"oauth_callback": c_url})
request.sign_request(self.signature_method, oaconsumer, None)
response = test_case.client.get('/oauth/request_token/',
request.parameters)
oatoken = oauth.OAuthToken.from_string(response.content)
token = Token.objects.get(key=oatoken.key, token_type=Token.REQUEST)
test_case.assertEqual(token.secret, oatoken.secret)
# Simulate user authentication...
test_case.failUnless(
test_case.client.login(username=username, password=password))
url = 'http://' + self.SERVER_NAME + '/oauth/authenticate/'
request = oauth.OAuthRequest.from_token_and_callback(token=oatoken,
http_url=url)
request.sign_request(self.signature_method, oaconsumer, oatoken)
# Faking form submission seems to not work, so approve token manually
# This normally happens in piston.store.authorize_request_token
token.is_approved = True
token.verifier = generate_random(VERIFIER_SIZE)
token.user = User.objects.get(username=username)
token.save()
# Normally the oauth_verifier is transmitted with the callback to the
# consumer, which does not happen here. Get the verifier directly from
# the database instead.
oaverifier = token.verifier
# Obtain access token...
url = 'http://' + self.SERVER_NAME + '/oauth/access_token/'
request = oauth.OAuthRequest.from_consumer_and_token(
oaconsumer, token=oatoken, verifier=oaverifier, http_url=url)
request.sign_request(self.signature_method, oaconsumer, oatoken)
response = test_case.client.get('/oauth/access_token/',
request.parameters)
oa_atoken = oauth.OAuthToken.from_string(response.content)
atoken = Token.objects.get(key=oa_atoken.key, token_type=Token.ACCESS)
test_case.assertEqual(atoken.secret, oa_atoken.secret)
self.oa_atoken = oa_atoken
def build_request(self, abs_uri, method, parameters={}):
url = 'http://' + self.SERVER_NAME + abs_uri
oaconsumer = oauth.OAuthConsumer(self.consumer.key,
self.consumer.secret)
request = oauth.OAuthRequest.from_consumer_and_token(
oaconsumer,
token=self.oa_atoken,
http_url=url,
http_method=method,
parameters=parameters)
request.sign_request(self.signature_method, oaconsumer, self.oa_atoken)
return request
def build_auth_header(self, request):
return request.to_header(realm='Snowy')['Authorization']
def get(self, abs_uri):
request = self.build_request(abs_uri, 'GET')
auth = self.build_auth_header(request)
return self.test_case.client.get(abs_uri, HTTP_AUTHORIZATION=auth)
def put(self, abs_uri, json):
request = self.build_request(abs_uri, 'PUT')
auth = self.build_auth_header(request)
return self.test_case.client.put(abs_uri,
data=json,
content_type='application/json',
HTTP_AUTHORIZATION=auth)
def post(self, abs_uri, json):
# Pass the json data to be appended to the http header - seems to work
request = self.build_request(abs_uri, 'POST', parameters={json: ''})
auth = self.build_auth_header(request)
return self.test_case.client.post(abs_uri,
data=json,
content_type='application/json',
HTTP_AUTHORIZATION=auth)
def delete(self, abs_uri):
request = self.build_request(abs_uri, 'DELETE')
auth = self.build_auth_header(request)
return self.test_case.client.delete(abs_uri, HTTP_AUTHORIZATION=auth)
def __init__(self, consumer, token):
self.token = oauth.OAuthToken(token.key, token.secret)
self.consumer = oauth.OAuthConsumer(consumer.key, consumer.secret)
self.signature = oauth.OAuthSignatureMethod_HMAC_SHA1()
super(OAuthClient, self).__init__()