def test_improperly_scoped_token_can_not_create_or_email(
            self, mock_auth, mock_mail, app, user, email_unconfirmed, data,
            url_base):
        token = ApiOAuth2PersonalToken(
            owner=user,
            name='Unauthorized Token',
        )
        token.save()

        scope = ApiOAuth2ScopeFactory()
        scope.name = 'unauthorized scope'
        scope.save()
        token.scopes.add(scope)

        mock_cas_resp = CasResponse(authenticated=True,
                                    user=user._id,
                                    attributes={
                                        'accessToken':
                                        token.token_id,
                                        'accessTokenScope':
                                        [s.name for s in token.scopes.all()]
                                    })
        mock_auth.return_value = user, mock_cas_resp

        assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0
        res = app.post_json_api(
            '{}?send_email=true'.format(url_base),
            data,
            headers={'Authorization': 'Bearer {}'.format(token.token_id)},
            expect_errors=True)

        assert res.status_code == 403
        assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0
        assert mock_mail.call_count == 0
    def test_admin_scoped_token_can_create_and_send_email(
            self, mock_auth, mock_mail, app, user, email_unconfirmed, data,
            url_base):
        token = ApiOAuth2PersonalToken(
            owner=user,
            name='Admin Token',
        )
        scope = ApiOAuth2ScopeFactory()
        scope.name = 'osf.admin'
        scope.save()
        token.scopes.add(scope)

        mock_cas_resp = CasResponse(authenticated=True,
                                    user=user._id,
                                    attributes={
                                        'accessToken':
                                        token.token_id,
                                        'accessTokenScope':
                                        [s.name for s in token.scopes.all()]
                                    })
        mock_auth.return_value = user, mock_cas_resp

        assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0
        res = app.post_json_api(
            '{}?send_email=true'.format(url_base),
            data,
            headers={'Authorization': 'Bearer {}'.format(token.token_id)})

        assert res.status_code == 201
        assert res.json['data']['attributes']['username'] == email_unconfirmed
        assert OSFUser.objects.filter(username=email_unconfirmed).count() == 1
        assert mock_mail.call_count == 1
    def test_admin_scoped_token_has_admin(self, mock_auth):
        token = ApiOAuth2PersonalToken(
            owner=self.user,
            name='Admin Token',
        )
        token.save()
        scope = ApiOAuth2ScopeFactory()
        scope.name = 'osf.admin'
        scope.save()
        token.scopes.add(scope)

        mock_cas_resp = CasResponse(authenticated=True,
                                    user=self.user._id,
                                    attributes={
                                        'accessToken':
                                        token.token_id,
                                        'accessTokenScope':
                                        [s.name for s in token.scopes.all()]
                                    })
        mock_auth.return_value = self.user, mock_cas_resp
        res = self.app.get(
            self.url,
            headers={'Authorization': 'Bearer {}'.format(token.token_id)})

        assert_equal(res.status_code, 200)
        assert_equal(res.json['meta'][ADMIN], True)
Exemplo n.º 4
0
    def test_non_admin_scoped_token_does_not_have_admin(self, mock_auth):
        token = ApiOAuth2PersonalToken(
            owner=self.user,
            name='Admin Token',
            scopes=' '.join([key for key in public_scopes if key != 'osf.admin'])
        )

        mock_cas_resp = CasResponse(
            authenticated=True,
            user=self.user._id,
            attributes={
                'accessToken': token.token_id,
                'accessTokenScope': [s for s in token.scopes.split(' ')]
            }
        )
        mock_auth.return_value = self.user, mock_cas_resp
        res = self.app.get(
            self.url,
            headers={
                'Authorization': 'Bearer {}'.format(token.token_id)
            }
        )

        assert_equal(res.status_code, 200)
        assert_not_in('admin', res.json['meta'].keys())
Exemplo n.º 5
0
    def test_admin_scoped_token_can_create_and_send_email(
            self, mock_auth, mock_mail):
        token = ApiOAuth2PersonalToken(owner=self.user,
                                       name='Admin Token',
                                       scopes='osf.admin')

        mock_cas_resp = CasResponse(authenticated=True,
                                    user=self.user._id,
                                    attributes={
                                        'accessToken':
                                        token.token_id,
                                        'accessTokenScope':
                                        [s for s in token.scopes.split(' ')]
                                    })
        mock_auth.return_value = self.user, mock_cas_resp

        assert_equal(
            User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 0)
        res = self.app.post_json_api(
            '{}?send_email=true'.format(self.base_url),
            self.data,
            headers={'Authorization': 'Bearer {}'.format(token.token_id)})

        assert_equal(res.status_code, 201)
        assert_equal(res.json['data']['attributes']['username'],
                     self.unconfirmed_email)
        assert_equal(
            User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 1)
        assert_equal(mock_mail.call_count, 1)
Exemplo n.º 6
0
    def test_improperly_scoped_token_can_not_create_or_email(
            self, mock_auth, mock_mail):
        token = ApiOAuth2PersonalToken(owner=self.user,
                                       name='Unauthorized Token',
                                       scopes='osf.full_write')

        mock_cas_resp = CasResponse(authenticated=True,
                                    user=self.user._id,
                                    attributes={
                                        'accessToken':
                                        token.token_id,
                                        'accessTokenScope':
                                        [s for s in token.scopes.split(' ')]
                                    })
        mock_auth.return_value = self.user, mock_cas_resp

        assert_equal(
            User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 0)
        res = self.app.post_json_api(
            '{}?send_email=true'.format(self.base_url),
            self.data,
            headers={'Authorization': 'Bearer {}'.format(token.token_id)},
            expect_errors=True)

        assert_equal(res.status_code, 403)
        assert_equal(
            User.find(Q('username', 'eq', self.unconfirmed_email)).count(), 0)
        assert_equal(mock_mail.call_count, 0)
Exemplo n.º 7
0
    def test_properly_scoped_token_can_create_without_username_but_not_send_email(
            self, mock_auth, mock_mail):
        token = ApiOAuth2PersonalToken(owner=self.user,
                                       name='Authorized Token',
                                       scopes='osf.users.create')

        mock_cas_resp = CasResponse(authenticated=True,
                                    user=self.user._id,
                                    attributes={
                                        'accessToken':
                                        token.token_id,
                                        'accessTokenScope':
                                        [s for s in token.scopes.split(' ')]
                                    })
        mock_auth.return_value = self.user, mock_cas_resp

        self.data['data']['attributes'] = {'full_name': 'No Email'}

        assert_equal(User.find(Q('fullname', 'eq', 'No Email')).count(), 0)
        res = self.app.post_json_api(
            '{}?send_email=true'.format(self.base_url),
            self.data,
            headers={'Authorization': 'Bearer {}'.format(token.token_id)})

        assert_equal(res.status_code, 201)
        assert_equal(res.json['data']['attributes']['username'], None)
        assert_equal(User.find(Q('fullname', 'eq', 'No Email')).count(), 1)
        assert_equal(mock_mail.call_count, 0)
Exemplo n.º 8
0
    def test_properly_scoped_token_can_create_without_username_but_not_send_email(
            self, mock_auth, mock_mail, app, user, data, url_base):
        token = ApiOAuth2PersonalToken(owner=user,
                                       name='Authorized Token',
                                       scopes='osf.users.create')

        mock_cas_resp = CasResponse(authenticated=True,
                                    user=user._id,
                                    attributes={
                                        'accessToken':
                                        token.token_id,
                                        'accessTokenScope':
                                        [s for s in token.scopes.split(' ')]
                                    })
        mock_auth.return_value = user, mock_cas_resp

        data['data']['attributes'] = {'full_name': 'No Email'}

        assert OSFUser.objects.filter(fullname='No Email').count() == 0
        res = app.post_json_api(
            '{}?send_email=true'.format(url_base),
            data,
            headers={'Authorization': 'Bearer {}'.format(token.token_id)})

        assert res.status_code == 201
        username = res.json['data']['attributes']['username']
        try:
            UUID(username)
        except ValueError:
            raise AssertionError('Username is not a valid UUID')
        assert OSFUser.objects.filter(fullname='No Email').count() == 1
        assert mock_mail.call_count == 0
Exemplo n.º 9
0
    def test_properly_scoped_token_does_not_send_email_without_kwarg(
            self, mock_auth, mock_mail, app, user, email_unconfirmed, data,
            url_base):
        token = ApiOAuth2PersonalToken(owner=user,
                                       name='Authorized Token',
                                       scopes='osf.users.create')

        mock_cas_resp = CasResponse(authenticated=True,
                                    user=user._id,
                                    attributes={
                                        'accessToken':
                                        token.token_id,
                                        'accessTokenScope':
                                        [s for s in token.scopes.split(' ')]
                                    })
        mock_auth.return_value = user, mock_cas_resp

        assert OSFUser.objects.filter(username=email_unconfirmed).count() == 0

        res = app.post_json_api(
            url_base,
            data,
            headers={'Authorization': 'Bearer {}'.format(token.token_id)})

        assert res.status_code == 201
        assert res.json['data']['attributes']['username'] == email_unconfirmed
        assert OSFUser.objects.filter(username=email_unconfirmed).count() == 1
        assert mock_mail.call_count == 0