def testRequestOverInsecureTransport(self): """ Test the rejection of a request to a protected resource with a valid token that was made over an insecure protocol. """ request = MockRequest('GET', 'protectedResource', isSecure=False) request.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN) self.assertTrue( isAuthorized(request, self.VALID_TOKEN_SCOPE, allowInsecureRequestDebug=True), msg= 'Expected isAuthorized to accept a request over an insecure protocol ' 'if "allowInsecureRequestDebug" is set to True.') self.assertFalse( isAuthorized(request, self.VALID_TOKEN_SCOPE), msg= 'Expected isAuthorized to reject a request over an insecure protocol.' ) self.assertEqual( 400, request.responseCode, msg= 'The HTTP response code should be {code}, if a protected resource receives a ' 'request over an insecure channel.'.format(code=400))
def testWrongAccessToken(self): """ Test the rejection of a request to a protected resource with an invalid token. """ request = MockRequest('GET', 'protectedResource') request.setRequestHeader(b'Authorization', b'Bearer an invalid token') self.assertFalse( isAuthorized(request, 'scope'), msg= 'Expected isAuthorized to reject a request with an invalid token.') self.assertFailedProtectedResourceRequest( request, InvalidTokenRequestError(['scope']))
def _testValidAccessRequest(self, token=_VALID_TOKEN): """ Test that a request to the protected resource with the given token is accepted. :param token: The token to use in the request. """ request = MockRequest('GET', 'clock') request.setRequestHeader(b'Authorization', 'Bearer ' + token) self._makeExampleRequest(request) self.assertIn( request.responseCode, (None, 200), msg='Expected the protected clock resource to accept a request with a valid token.') self.assertSubstring( b'<html><body>', request.getResponse(), msg='Expected the protected clock resource to send the protected content.')
def testInvalidScope(self): """ Test the rejection of a request to a protected resource with a valid token that does not grant access to the necessary scopes. """ request = MockRequest('GET', 'protectedResource') request.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN) self.assertFalse( isAuthorized(request, 'someOtherScope'), msg='Expected isAuthorized to reject a request with token ' 'that does not allow access to the given scope.') self.assertFailedProtectedResourceRequest( request, InsufficientScopeRequestError(['someOtherScope']))
def testWithAccessTokenInHeader(self): """ Test a request to a protected resource with a valid token in the Authorization header. See https://tools.ietf.org/html/rfc6750#section-2.1 """ request = MockRequest('GET', 'protectedResource') request.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN) self.assertTrue( isAuthorized(request, self.VALID_TOKEN_SCOPE[0]), msg='Expected isAuthorized to accept a request with a valid token.' ) self.assertFalse( request.finished, msg='isAuthorized should not finish the request if it\'s valid.')
def testAccessTokenInBodyWrongContentType(self): """ Test the rejection of a request to a protected resource with a valid token but an invalid content type. """ request = MockRequest('POST', 'protectedResource', arguments={'access_token': self.VALID_TOKEN}) request.setRequestHeader('Content-Type', 'application/other') self.assertFalse( isAuthorized(request, self.VALID_TOKEN_SCOPE), msg='Expected isAuthorized to reject a request ' 'with a valid token in the request body with a content type ' 'that is not "application/x-www-form-urlencoded".') self.assertFailedProtectedResourceRequest( request, MissingTokenError(self.VALID_TOKEN_SCOPE))
def testAccessTokenInBodyWrongMethod(self): """ Test the rejection of a request to a protected resource with a valid token in the request body but a request that was not made with the POST method. """ request = MockRequest('GET', 'protectedResource', arguments={'access_token': self.VALID_TOKEN}) request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded') self.assertFalse( isAuthorized(request, self.VALID_TOKEN_SCOPE), msg='Expected isAuthorized to reject a request with a valid token ' 'in the request body that was not send with the POST method.') self.assertFailedProtectedResourceRequest( request, MissingTokenError(self.VALID_TOKEN_SCOPE))
def testWithAccessTokenInBody(self): """ Test a request to a protected resource with a valid token in the request body. See https://tools.ietf.org/html/rfc6750#section-2.2 """ request = MockRequest('POST', 'protectedResource', arguments={'access_token': self.VALID_TOKEN}) request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded') self.assertTrue(isAuthorized(request, self.VALID_TOKEN_SCOPE[0]), msg='Expected isAuthorized to accept a request ' 'with a valid token in the request body.') self.assertFalse( request.finished, msg='isAuthorized should not finish the request if it\'s valid.')
def testMultipleAccessTokens(self): """ Test the rejection of a request to a protected resource with multiple tokens. """ request = MockRequest( 'GET', 'protectedResource?access_token=' + self.VALID_TOKEN + '&access_token=' + self.VALID_TOKEN) self.assertFalse( isAuthorized(request, self.VALID_TOKEN_SCOPE), msg='Expected isAuthorized to reject a request with two tokens.') self.assertFailedProtectedResourceRequest( request, MultipleTokensError(self.VALID_TOKEN_SCOPE)) request = MockRequest( 'GET', 'protectedResource?access_token=' + self.VALID_TOKEN) request.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN) self.assertFalse( isAuthorized(request, self.VALID_TOKEN_SCOPE), msg='Expected isAuthorized to reject a request with two tokens.') self.assertFailedProtectedResourceRequest( request, MultipleTokensError(self.VALID_TOKEN_SCOPE))
def generateValidTokenRequest(url='token', urlQuery='', authentication=None, **kwargs): """ :param url: The request url. :param urlQuery: An optional query part of the request url. :param authentication: An optional client to use for header-authentication. :param kwargs: Optional arguments to the the request. :return: A valid request to the token resource. """ if urlQuery: url = '?'.join((url, urlQuery)) request = MockRequest('POST', url, **kwargs) request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded') if authentication is not None: AbstractTokenResourceTest._addAuthenticationToRequestHeader( request, authentication) return request
def testInvalidContentType(self): """ Test the rejection requests whose content is not "x-www-form-urlencoded". """ request = MockRequest('POST', 'token', arguments={ 'grant_type': 'refresh_token', 'refresh_token': self._VALID_REFRESH_TOKEN }) request.setRequestHeader('Content-Type', 'application/not-x-www-form-urlencoded') result = self._TOKEN_RESOURCE.render_POST(request) self.assertFailedTokenRequest( request, result, MalformedRequestError( 'The Content-Type must be "application/x-www-form-urlencoded"' ), msg= 'Expected the token resource to reject a request with an invalid content type.' )
def testDecorator(self): """ Test that the oauth2 functions as expected. """ protectedContent = b'protectedContent' @oauth2(self.VALID_TOKEN_SCOPE) def render(_self, _request): # pylint: disable=missing-docstring return protectedContent request = MockRequest('GET', 'protectedResource') request.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN) self.assertEqual(protectedContent, render(self, request), msg='Expected oauth2 to accept a valid request.') request = MockRequest('GET', 'protectedResource') request.setRequestHeader(b'Authorization', 'Bearer invalidToken') self.assertNotEqual( protectedContent, render(self, request), msg='Expected oauth2 to reject a request with an invalid token.') request = MockRequest('GET', 'protectedResource') request.setRequestHeader(b'Authorization', 'Bearer ' + self.VALID_TOKEN) @oauth2(['Other']) def render2(_self, _request): # pylint: disable=missing-docstring return protectedContent self.assertNotEqual( protectedContent, render2(self, request), msg='Expected oauth2 to reject a request with an invalid scope.')