def user_api_client(user):
    """Return an ``APIClient`` authenticated as ``user`` with the ``identities`` scope.

    The issued token and the user are attached to the client as
    ``client.token`` and ``client.user`` so tests can reach them later.
    """
    bearer = access_token_factory(scopes=['identities'], user=user)
    client = APIClient()
    client.credentials(HTTP_AUTHORIZATION='Bearer ' + bearer.access_token)
    client.token = bearer
    client.user = user
    return client
def create_oidc_api_client(scopes=(), user=None):
    """Build an ``APIClient`` carrying a bearer token for ``user`` and ``scopes``.

    A fresh ``UserFactory()`` user is created when ``user`` is not given.
    Only the user is attached to the returned client (``client.user``);
    the token itself is not.
    """
    if not user:
        user = UserFactory()
    bearer = access_token_factory(scopes=scopes, user=user)
    client = APIClient()
    client.credentials(HTTP_AUTHORIZATION='Bearer ' + bearer.access_token)
    client.user = user
    return client
def user_api_client(user):
    """Return an ``APIClient`` authenticated as ``user`` with the ``devices`` scope.

    The issued token and the user are attached to the client as
    ``client.token`` and ``client.user`` so tests can reach them later.
    """
    bearer = access_token_factory(scopes=['devices'], user=user)
    client = APIClient()
    client.credentials(HTTP_AUTHORIZATION='Bearer ' + bearer.access_token)
    client.token = bearer
    client.user = user
    return client
def test_get_requires_correct_scope(api_client):
    """Listing is forbidden (403) without the ``consents`` scope and allowed (200) with it."""
    token = access_token_factory(scopes=['foo'])
    # The token travels as a query parameter here, so it ends up in request
    # URLs and any access log; this test exercises that server path on purpose.
    query = {'access_token': token.access_token}

    denied = api_client.get(LIST_URL, query)
    assert denied.status_code == 403

    # Widen the same token's scope by writing the model's private attribute,
    # then retry with the identical request.
    token._scope = 'consents'
    token.save()
    allowed = api_client.get(LIST_URL, query)
    assert allowed.status_code == 200
def test_delete_requires_correct_scope(api_client, user_consent):
    """Deleting a consent needs the ``consents`` scope; a wrong scope must leave the row intact."""
    token = access_token_factory(scopes=['foo'], user=user_consent.user)
    auth_header = 'Bearer ' + token.access_token
    detail_url = get_detail_url(user_consent)

    denied = api_client.delete(detail_url, HTTP_AUTHORIZATION=auth_header)
    assert denied.status_code == 403
    # The forbidden request must not have side effects.
    assert UserConsent.objects.count() == 1

    # Widen the same token's scope via the model's private attribute and retry.
    token._scope = 'consents'
    token.save()
    allowed = api_client.delete(detail_url, HTTP_AUTHORIZATION=auth_header)
    assert allowed.status_code == 204
    assert UserConsent.objects.count() == 0
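def test_cors_headers_got_with_whitelisted_uris_apiendpoints(
        user_api_client, application_factory, oidcclient_factory,
        user_factory, application_url, cors_enabled, destructive_operation):
    """CORS headers are granted only to origins allow-listed on an application or OIDC client.

    Applications and OIDC clients are created in steps over the URL
    combinations from ``get_url_combinations()``; while ``cors_enabled`` is
    true each registered origin must get CORS headers and an unknown origin
    must not.  The objects are then removed again (``destructive_operation``
    is ``'delete'`` or ``'erase'``) and no origin may receive CORS headers
    once nothing allow-lists it any more.

    Fix vs. the previous version: the final check sent the literal string
    ``'origin'`` as the Origin header instead of the loop variable, so it
    could never detect an origin that stayed allow-listed after teardown.
    """
    client = user_api_client
    token = access_token_factory(scopes=['openid profile email'], user=client.user)
    auth_header = 'Bearer {}'.format(token.access_token)

    # Expectation for registered origins depends on whether CORS is on at all.
    assert_cors_ok = assert_cors_found if cors_enabled else assert_cors_not_found

    urls = get_url_combinations()
    index = 0  # index into url combinations
    STEP = 6  # each round consumes 6 url combinations (2+2 for the app, 2+2 for the client, overlapping by 2)

    def get_urls(start_index, amount=2):
        return [u['url'] for u in urls[start_index:start_index + amount]]

    def get_origins(start_index, amount=2):
        return {u['origin'] for u in urls[start_index:start_index + amount]}

    def get_response(origin):
        return client.get(application_url, HTTP_ORIGIN=origin,
                          HTTP_AUTHORIZATION=auth_header)

    applications = []
    oidc_clients = []
    while index + STEP <= len(urls):
        # Application: newline-separated URI strings.
        application = application_factory(
            post_logout_redirect_uris="\n".join(get_urls(index)),
            redirect_uris="\n".join(get_urls(index + 2)))
        application.save()
        applications.append(application)
        assert_database_state_consistent(urls, index + 2 + 2)
        for origin in get_origins(index, amount=4):
            assert_cors_ok(origin, get_response(origin))

        # OIDC client: URI lists; deliberate overlap with the previous app.
        oidc_client = oidcclient_factory(
            post_logout_redirect_uris=get_urls(index + 2),
            redirect_uris=get_urls(index + 4))
        oidc_client.save()
        oidc_clients.append(oidc_client)
        assert_database_state_consistent(urls, index + 6)
        for origin in get_origins(index + 2, amount=4):
            assert_cors_ok(origin, get_response(origin))

        index += STEP

    # An origin nobody registered must never be granted CORS.
    assert_cors_not_found('http://examplez.com', get_response('http://examplez.com'))

    if cors_enabled is False:
        return

    # Tear down in reverse order and make sure revocation is effective.
    while index > 0:
        index -= STEP
        application = applications.pop()
        oidc_client = oidc_clients.pop()
        if destructive_operation == 'delete':
            oidc_client.delete()
            application.delete()
        elif destructive_operation == 'erase':
            oidc_client.post_logout_redirect_uris = []
            oidc_client.redirect_uris = []
            oidc_client.save()
            application.post_logout_redirect_uris = ''
            application.redirect_uris = ''
            application.save()
        assert_database_state_consistent(urls, index)
        assert_cors_not_found('http://examplez.com', get_response('http://examplez.com'))

    # NOTE(review): placed after the teardown loop, i.e. once every
    # application and client is gone, no previously registered origin may
    # still receive CORS headers.  Each origin is now sent for real
    # (previously the literal 'origin' was sent, making this check vacuous).
    for origin in get_origins(0, len(urls)):
        assert_cors_not_found(origin, get_response(origin))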
def test_access_token_authentication_wrong_scope(api_client, scopes):
    """A valid token whose scopes do not cover the endpoint gets 403, not 401."""
    # NOTE(review): 'test_access_token' presumably matches the factory's
    # default token string — confirm against access_token_factory.
    access_token_factory(scopes=scopes)
    api_client.credentials(HTTP_AUTHORIZATION='Bearer test_access_token')
    forbidden = api_client.get(list_url)
    assert forbidden.status_code == 403
def test_authentication_wrong_access_token(api_client, post_data):
    """An unknown bearer token is rejected with 401 before any payload is looked at."""
    # A real token exists, but the request presents a different one; no body
    # is posted so the failure can only come from authentication.
    access_token_factory(scopes=['devices'])
    api_client.credentials(HTTP_AUTHORIZATION='Bearer wrong_access_token')
    unauthorized = api_client.post(list_url)
    assert unauthorized.status_code == 401
def test_authentication_success(api_client, scopes, post_data):
    """A matching bearer token passes authentication for a POST.

    Only ``!= 401`` is asserted: this test proves authentication succeeded,
    not that the posted payload was accepted.
    """
    # NOTE(review): 'test_access_token' presumably matches the factory's
    # default token string — confirm against access_token_factory.
    access_token_factory(scopes=scopes)
    api_client.credentials(HTTP_AUTHORIZATION='Bearer test_access_token')
    response = api_client.post(list_url, post_data)
    assert response.status_code != 401