def save_authorization_code(self, client_id, code, request, *args,
**kwargs):
"""Save the code to the storage and remove the state as it is persisted
in the "code" argument
"""
openid = request._params["openid.claimed_id"]
email = request._params["openid.sreg.email"]
full_name = request._params["openid.sreg.fullname"]
last_login = datetime.datetime.now(pytz.utc)
user = user_api.user_get_by_openid(openid)
user_dict = {"full_name": full_name,
"email": email,
"last_login": last_login}
if not user:
user_dict.update({"openid": openid})
user = user_api.user_create(user_dict)
else:
user = user_api.user_update(user.id, user_dict)
# def save_authorization_code(self, authorization_code, user_id):
values = {
"code": code["code"],
"state": code["state"],
"user_id": user.id,
"expires_in": CONF.oauth.authorization_code_ttl
}
auth_api.authorization_code_save(values)
def test_invalid_grant_type(self):
"""This test ensures that invalid grant_type parameters get the
appropriate error response.
"""
# Generate a valid auth token
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id': 2,
'state': 'test_state',
'code': 'test_valid_code',
'expires_in': 300
})
content_type = 'application/x-www-form-urlencoded'
# POST with content: application/x-www-form-urlencoded
response = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'invalid_grant_type'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a successful response
self.assertEqual(400, response.status_code)
self.assertIsNotNone(response.json)
self.assertEqual('unsupported_grant_type', response.json['error'])
self.assertEqual(e_msg.INVALID_TOKEN_GRANT_TYPE,
response.json['error_description'])
def test_invalid_grant_type(self):
"""This test ensures that invalid grant_type parameters get the
appropriate error response.
"""
# Generate a valid auth token
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id':
2,
'state':
'test_state',
'code':
'test_valid_code',
'expires_in':
300
})
content_type = 'application/x-www-form-urlencoded'
# POST with content: application/x-www-form-urlencoded
response = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'invalid_grant_type'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a successful response
self.assertEqual(400, response.status_code)
self.assertIsNotNone(response.json)
self.assertEqual('unsupported_grant_type', response.json['error'])
self.assertEqual(e_msg.INVALID_TOKEN_GRANT_TYPE,
response.json['error_description'])
def test_delete_code(self):
created_code = auth_codes.authorization_code_save(self.code_01)
self.assertIsNotNone(created_code,
"Could not create an Authorization code")
auth_codes.authorization_code_delete(created_code.code)
fetched_code = auth_codes.authorization_code_get(created_code.code)
self.assertIsNone(fetched_code)
def test_delete_code(self):
created_code = auth_codes.authorization_code_save(self.code_01)
self.assertIsNotNone(created_code,
"Could not create an Authorization code")
auth_codes.authorization_code_delete(created_code.code)
fetched_code = auth_codes.authorization_code_get(created_code.code)
self.assertIsNone(fetched_code)
def test_expired_access_token_time(self):
"""This test ensures that an access token is seen as expired if
storyboard is installed in multiple timezones.
"""
expired = datetime.datetime.now(
pytz.utc) - datetime.timedelta(minutes=6)
# Store the old TZ info, if it exists.
old_tz = None
if 'TZ' in os.environ:
old_tz = os.environ['TZ']
# Convert now into every possible timezone out there :)
for name in self.tested_timezones:
# Override the 'default timezone' for the current runtime.
os.environ['TZ'] = name
# Create a token.
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id':
2,
'state':
'test_state',
'code':
'test_valid_code',
'expires_in':
300,
'created_at':
expired
})
content_type = 'application/x-www-form-urlencoded'
# POST with content: application/x-www-form-urlencoded
response = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a valid call.
self.assertEqual(401, response.status_code)
# Reset the timezone.
if old_tz:
os.environ['TZ'] = old_tz
else:
del os.environ['TZ']
def test_expired_access_token_time(self):
"""This test ensures that an access token is seen as expired if
storyboard is installed in multiple timezones.
"""
expired = datetime.datetime.now(pytz.utc) - datetime.timedelta(
minutes=6)
# Store the old TZ info, if it exists.
old_tz = None
if 'TZ' in os.environ:
old_tz = os.environ['TZ']
# Convert now into every possible timezone out there :)
for name in self.tested_timezones:
# Override the 'default timezone' for the current runtime.
os.environ['TZ'] = name
# Create a token.
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id': 2,
'state': 'test_state',
'code': 'test_valid_code',
'expires_in': 300,
'created_at': expired
})
content_type = 'application/x-www-form-urlencoded'
# POST with content: application/x-www-form-urlencoded
response = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a valid call.
self.assertEqual(401, response.status_code)
# Reset the timezone.
if old_tz:
os.environ['TZ'] = old_tz
else:
del os.environ['TZ']
def test_valid_access_token_time(self):
"""Assert that a newly created access token is valid if storyboard is
installed in a multitude of timezones.
"""
# Store the old TZ info, if it exists.
old_tz = None
if 'TZ' in os.environ:
old_tz = os.environ['TZ']
# Convert now into every possible timezone out there :)
for name in self.tested_timezones:
# Override the 'default timezone' for the current runtime.
os.environ['TZ'] = name
# Create a token.
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id':
2,
'state':
'test_state',
'code':
'test_valid_code',
'expires_in':
300
})
response = self.app.post(
'/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type='application/x-www-form-urlencoded',
expect_errors=True)
# Assert that this is a valid call.
self.assertEqual(200, response.status_code)
# Reset the timezone.
if old_tz:
os.environ['TZ'] = old_tz
else:
del os.environ['TZ']
def test_valid_access_token_time(self):
"""Assert that a newly created access token is valid if storyboard is
installed in a multitude of timezones.
"""
# Store the old TZ info, if it exists.
old_tz = None
if 'TZ' in os.environ:
old_tz = os.environ['TZ']
# Convert now into every possible timezone out there :)
for name in self.tested_timezones:
# Override the 'default timezone' for the current runtime.
os.environ['TZ'] = name
# Create a token.
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id': 2,
'state': 'test_state',
'code': 'test_valid_code',
'expires_in': 300
})
response = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type=
'application/x-www-form-urlencoded',
expect_errors=True)
# Assert that this is a valid call.
self.assertEqual(200, response.status_code)
# Reset the timezone.
if old_tz:
os.environ['TZ'] = old_tz
else:
del os.environ['TZ']
def test_valid_refresh_token(self):
"""This test ensures that a valid refresh token can be converted into
a valid access token, and cleans up after itself.
"""
# Generate a valid access code
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id': 2,
'state': 'test_state',
'code': 'test_valid_code'
})
content_type = 'application/x-www-form-urlencoded'
# Generate an auth and a refresh token.
resp_1 = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a successful response
self.assertEqual(200, resp_1.status_code)
# Assert that the token came back in the response
t1 = resp_1.json
# Assert that both are in the database.
with base.HybridSessionManager():
access_token = \
token_api.access_token_get_by_token(t1['access_token'])
self.assertIsNotNone(access_token)
with base.HybridSessionManager():
refresh_token = refresh_tokens.refresh_token_get_by_token(
t1['refresh_token'])
self.assertIsNotNone(refresh_token)
content_type = 'application/x-www-form-urlencoded'
# Issue a refresh token request.
resp_2 = self.app.post('/v1/openid/token',
params={
'refresh_token': t1['refresh_token'],
'grant_type': 'refresh_token'
},
content_type=content_type,
expect_errors=True)
# Assert that the response is good.
self.assertEqual(200, resp_2.status_code)
# Assert that the token came back in the response
t2 = resp_2.json
self.assertIsNotNone(t2['access_token'])
self.assertIsNotNone(t2['expires_in'])
self.assertIsNotNone(t2['id_token'])
self.assertIsNotNone(t2['refresh_token'])
self.assertIsNotNone(t2['token_type'])
self.assertEqual('Bearer', t2['token_type'])
# Assert that the access token is in the database
with base.HybridSessionManager():
new_access_token = \
token_api.access_token_get_by_token(t2['access_token'])
self.assertIsNotNone(new_access_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, new_access_token.user_id)
self.assertEqual(t2['id_token'], new_access_token.user_id)
self.assertEqual(t2['expires_in'], CONF.oauth.access_token_ttl)
self.assertEqual(t2['expires_in'], new_access_token.expires_in)
self.assertEqual(t2['access_token'],
new_access_token.access_token)
# Assert that the refresh token is in the database
with base.HybridSessionManager():
new_refresh_token = refresh_tokens.refresh_token_get_by_token(
t2['refresh_token'])
self.assertIsNotNone(new_refresh_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, new_refresh_token.user_id)
self.assertEqual(CONF.oauth.refresh_token_ttl,
new_refresh_token.expires_in)
self.assertEqual(t2['refresh_token'],
new_refresh_token.refresh_token)
# Assert that the old access tokens are no longer in the database and
# have been cleaned up.
with base.HybridSessionManager():
no_access_token = \
token_api.access_token_get_by_token(t1['access_token'])
with base.HybridSessionManager():
no_refresh_token = \
refresh_tokens.refresh_token_get_by_token(t1['refresh_token'])
self.assertIsNone(no_refresh_token)
self.assertIsNone(no_access_token)
def test_valid_access_request(self):
"""This test ensures that the access token request may execute
properly with a valid token.
"""
# Generate a valid auth token
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id': 2,
'state': 'test_state',
'code': 'test_valid_code'
})
content_type = 'application/x-www-form-urlencoded'
# POST with content: application/x-www-form-urlencoded
response = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a successful response
self.assertEqual(200, response.status_code)
# Assert that the token came back in the response
token = response.json
self.assertIsNotNone(token['access_token'])
self.assertIsNotNone(token['expires_in'])
self.assertIsNotNone(token['id_token'])
self.assertIsNotNone(token['refresh_token'])
self.assertIsNotNone(token['token_type'])
self.assertEqual('Bearer', token['token_type'])
# Assert that the access token is in the database
with base.HybridSessionManager():
access_token = \
token_api.access_token_get_by_token(token['access_token'])
self.assertIsNotNone(access_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, access_token.user_id)
self.assertEqual(token['id_token'], access_token.user_id)
self.assertEqual(token['expires_in'], CONF.oauth.access_token_ttl)
self.assertEqual(token['expires_in'], access_token.expires_in)
self.assertEqual(token['access_token'], access_token.access_token)
# Assert that the refresh token is in the database
with base.HybridSessionManager():
refresh_token = \
refresh_tokens.refresh_token_get_by_token(
token['refresh_token'])
self.assertIsNotNone(refresh_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, refresh_token.user_id)
self.assertEqual(CONF.oauth.refresh_token_ttl,
refresh_token.expires_in)
self.assertEqual(token['refresh_token'], refresh_token.refresh_token)
# Assert that the authorization code is no longer in the database.
with base.HybridSessionManager():
none_code = \
auth_api.authorization_code_get(authorization_code.code)
self.assertIsNone(none_code)
def test_valid_refresh_token(self):
"""This test ensures that a valid refresh token can be converted into
a valid access token, and cleans up after itself.
"""
# Generate a valid access code
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id':
2,
'state':
'test_state',
'code':
'test_valid_code'
})
content_type = 'application/x-www-form-urlencoded'
# Generate an auth and a refresh token.
resp_1 = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a successful response
self.assertEqual(200, resp_1.status_code)
# Assert that the token came back in the response
t1 = resp_1.json
# Assert that both are in the database.
with base.HybridSessionManager():
access_token = \
token_api.access_token_get_by_token(t1['access_token'])
self.assertIsNotNone(access_token)
with base.HybridSessionManager():
refresh_token = refresh_tokens.refresh_token_get_by_token(
t1['refresh_token'])
self.assertIsNotNone(refresh_token)
content_type = 'application/x-www-form-urlencoded'
# Issue a refresh token request.
resp_2 = self.app.post('/v1/openid/token',
params={
'refresh_token': t1['refresh_token'],
'grant_type': 'refresh_token'
},
content_type=content_type,
expect_errors=True)
# Assert that the response is good.
self.assertEqual(200, resp_2.status_code)
# Assert that the token came back in the response
t2 = resp_2.json
self.assertIsNotNone(t2['access_token'])
self.assertIsNotNone(t2['expires_in'])
self.assertIsNotNone(t2['id_token'])
self.assertIsNotNone(t2['refresh_token'])
self.assertIsNotNone(t2['token_type'])
self.assertEqual('Bearer', t2['token_type'])
# Assert that the access token is in the database
with base.HybridSessionManager():
new_access_token = \
token_api.access_token_get_by_token(t2['access_token'])
self.assertIsNotNone(new_access_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, new_access_token.user_id)
self.assertEqual(t2['id_token'], new_access_token.user_id)
self.assertEqual(t2['expires_in'], CONF.oauth.access_token_ttl)
self.assertEqual(t2['expires_in'], new_access_token.expires_in)
self.assertEqual(t2['access_token'], new_access_token.access_token)
# Assert that the refresh token is in the database
with base.HybridSessionManager():
new_refresh_token = refresh_tokens.refresh_token_get_by_token(
t2['refresh_token'])
self.assertIsNotNone(new_refresh_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, new_refresh_token.user_id)
self.assertEqual(CONF.oauth.refresh_token_ttl,
new_refresh_token.expires_in)
self.assertEqual(t2['refresh_token'], new_refresh_token.refresh_token)
# Assert that the old access tokens are no longer in the database and
# have been cleaned up.
with base.HybridSessionManager():
no_access_token = \
token_api.access_token_get_by_token(t1['access_token'])
with base.HybridSessionManager():
no_refresh_token = \
refresh_tokens.refresh_token_get_by_token(t1['refresh_token'])
self.assertIsNone(no_refresh_token)
self.assertIsNone(no_access_token)
def test_valid_access_request(self):
"""This test ensures that the access token request may execute
properly with a valid token.
"""
# Generate a valid auth token
with base.HybridSessionManager():
authorization_code = auth_api.authorization_code_save({
'user_id':
2,
'state':
'test_state',
'code':
'test_valid_code'
})
content_type = 'application/x-www-form-urlencoded'
# POST with content: application/x-www-form-urlencoded
response = self.app.post('/v1/openid/token',
params={
'code': authorization_code.code,
'grant_type': 'authorization_code'
},
content_type=content_type,
expect_errors=True)
# Assert that this is a successful response
self.assertEqual(200, response.status_code)
# Assert that the token came back in the response
token = response.json
self.assertIsNotNone(token['access_token'])
self.assertIsNotNone(token['expires_in'])
self.assertIsNotNone(token['id_token'])
self.assertIsNotNone(token['refresh_token'])
self.assertIsNotNone(token['token_type'])
self.assertEqual('Bearer', token['token_type'])
# Assert that the access token is in the database
with base.HybridSessionManager():
access_token = \
token_api.access_token_get_by_token(token['access_token'])
self.assertIsNotNone(access_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, access_token.user_id)
self.assertEqual(token['id_token'], access_token.user_id)
self.assertEqual(token['expires_in'], CONF.oauth.access_token_ttl)
self.assertEqual(token['expires_in'], access_token.expires_in)
self.assertEqual(token['access_token'], access_token.access_token)
# Assert that the refresh token is in the database
with base.HybridSessionManager():
refresh_token = \
refresh_tokens.refresh_token_get_by_token(
token['refresh_token'])
self.assertIsNotNone(refresh_token)
# Assert that system configured values is owned by the correct user.
self.assertEqual(2, refresh_token.user_id)
self.assertEqual(CONF.oauth.refresh_token_ttl,
refresh_token.expires_in)
self.assertEqual(token['refresh_token'], refresh_token.refresh_token)
# Assert that the authorization code is no longer in the database.
with base.HybridSessionManager():
none_code = \
auth_api.authorization_code_get(authorization_code.code)
self.assertIsNone(none_code)
