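def post(self, user, account, **kwargs):
    """Create a new App, or overwrite an existing one, from a JSON request body.

    Args:
        user: The signed-in user; not read by this handler, kept for the
            handler signature.
        account: The account making the request. Its key is stored as
            creator and sole editor of a new app, and is checked against
            ``app.editors`` before an existing app may be changed.
        **kwargs: Route parameters. ``app_id`` selects an existing app;
            when absent or equal to ``'new'`` a new app is created.

    Returns:
        Whatever ``render_json_response`` returns, carrying ``{'id': ...}``
        on success, ``{'error': 'app-not-found'}`` for an unknown or
        non-numeric id, or ``{'error': 'access-denied'}`` when the account is
        not an editor. A body that is not a JSON object with a ``name`` key
        writes a 400 with a plain-text message and returns ``None``.
    """
    app_id = kwargs.get('app_id', 'new')
    body_json = self.request.body
    # Malformed JSON is a client error, not a server error: map it onto the
    # same 400 path as a missing name instead of letting ValueError escape.
    try:
        body = json.loads(body_json)
    except ValueError:
        body = None
    if not isinstance(body, dict) or 'name' not in body:
        # The original called logging.exception(exception) here, which raised
        # NameError; log a plain warning (without echoing the raw body).
        logging.warning('App post rejected: body is not a JSON object with a "name" key')
        self.response.set_status(400)
        self.response.write('Invalid JSON data')
        # Must stop here: without this return the code fell through to
        # body['name'] and raised KeyError after a 400 had been written.
        return None
    if app_id == 'new':
        app = App(name=body['name'], created_by=account.key(), editors=[account.key()])
    else:
        # A non-numeric id is reported like an unknown one rather than
        # surfacing int()'s ValueError as a 500.
        try:
            app = App.get_by_id(int(app_id))
        except ValueError:
            app = None
        if app is None:
            return render_json_response(self, {'error': 'app-not-found'})
        # Authorization check: only a listed editor may overwrite an app.
        if account.key() not in app.editors:
            return render_json_response(self, {'error': 'access-denied'})
    app.name = body['name']
    app.body = db.Text(body_json.decode('utf-8'))
    app.put()
    return render_json_response(self, {'id': app.key().id()})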
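def post(self, user, account, **kwargs):
    """Create a new App, or overwrite an existing one, from a JSON request body.

    Args:
        user: The signed-in user; not read by this handler, kept for the
            handler signature.
        account: The account making the request. Its key is stored as
            creator and sole editor of a new app, and is checked against
            ``app.editors`` before an existing app may be changed.
        **kwargs: Route parameters. ``app_id`` selects an existing app;
            when absent or equal to ``"new"`` a new app is created.

    Returns:
        Whatever ``render_json_response`` returns, carrying ``{"id": ...}``
        on success, ``{"error": "app-not-found"}`` for an unknown or
        non-numeric id, or ``{"error": "access-denied"}`` when the account is
        not an editor. A body that is not a JSON object with a ``name`` key
        writes a 400 with a plain-text message and returns ``None``.
    """
    app_id = kwargs.get("app_id", "new")
    body_json = self.request.body
    # Malformed JSON is a client error, not a server error: map it onto the
    # same 400 path as a missing name instead of letting ValueError escape.
    try:
        body = json.loads(body_json)
    except ValueError:
        body = None
    if not isinstance(body, dict) or "name" not in body:
        # The original called logging.exception(exception) here, which raised
        # NameError; log a plain warning (without echoing the raw body).
        logging.warning('App post rejected: body is not a JSON object with a "name" key')
        self.response.set_status(400)
        self.response.write("Invalid JSON data")
        # Must stop here: without this return the code fell through to
        # body["name"] and raised KeyError after a 400 had been written.
        return None
    if app_id == "new":
        app = App(name=body["name"], created_by=account.key(), editors=[account.key()])
    else:
        # A non-numeric id is reported like an unknown one rather than
        # surfacing int()'s ValueError as a 500.
        try:
            app = App.get_by_id(int(app_id))
        except ValueError:
            app = None
        if app is None:
            return render_json_response(self, {"error": "app-not-found"})
        # Authorization check: only a listed editor may overwrite an app.
        if account.key() not in app.editors:
            return render_json_response(self, {"error": "access-denied"})
    app.name = body["name"]
    app.body = db.Text(body_json.decode("utf-8"))
    app.put()
    return render_json_response(self, {"id": app.key().id()})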
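class APIAuthorizationTests(test.base.BaseAsyncTestCase):
    """End-to-end tests for the ``/api/authorize`` authorization-code endpoint.

    Covers: unauthenticated callers being sent to sign-in, redirect_uri
    matching against the registered ``redirect_url`` (and the per-request
    ``redirect_uri`` fallback when the app registered none), the ``agree``
    / disagree outcomes, and the error codes the endpoint emits.
    """

    def setUp(self):
        """Create an admin user (signed in), a second user, and three apps.

        The three apps differ only in their registered ``redirect_url``:
        a plain URL, a URL that already carries a query string, and none.
        """
        super(APIAuthorizationTests, self).setUp()
        self.user_a = User(name='admin', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_a.set_password('asdfasdf')
        self.user_a.save()
        # The sibling test classes keep the value returned by sign_in() as
        # self.sid, and the Cookie headers below read it; the original
        # discarded the return value here.
        self.sid = self.sign_in('admin', 'asdfasdf')
        self.xsrf = self.get_xsrf()
        self.user_b = User(name='user2', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_b.set_password('asdfasdf')
        self.user_b.save()
        self.app = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='http://client.example.com/return')
        self.app.save()
        self.app_query = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='http://client.example.com/return?query=param')
        self.app_query.save()
        self.app_no_redirect = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='')
        self.app_no_redirect.save()

    def _signed_in_headers(self):
        """Return the Cookie header that identifies the signed-in admin session."""
        return {'Cookie': '_xsrf=%s;sid=%s' % (self.xsrf, self.sid)}

    def test_authorize_code_request_redirects_to_sign_in(self):
        """An unauthenticated authorize request lands on sign-in with a ``next`` back to it."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s' % (self.app.key())
        response = api_request(self, self.get_url(authorization_url), unsigned=True)
        self.assertEqual(response.effective_url, self.get_url('/sign-in?next=%s' % url_escape(authorization_url)))
        self.assertEqual(response.code, 200)

    def test_authorization_code_request_accepts_authenticated_user(self):
        """A signed-in user stays on the authorize page (no redirect to sign-in)."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s' % (self.app.key())
        response = api_request(self, self.get_url(authorization_url), headers=self._signed_in_headers(), unsigned=True)
        self.assertEqual(response.effective_url, self.get_url(authorization_url))

    def test_authorization_code_request_accepts_authtime_redirect(self):
        """An app with no registered redirect_url may supply one at authorization time."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s&redirect_uri=http://client.example.com/return' % (self.app_no_redirect.key())
        response = api_request(self, self.get_url(authorization_url), headers=self._signed_in_headers(), unsigned=True)
        self.assertEqual(response.effective_url, self.get_url(authorization_url))
        self.assertEqual(response.code, 200)
        self.assertIn('http://client.example.com/return', response.body)

    def test_authorization_code_request_accepts_matching_redirect(self):
        """A redirect_uri equal to the registered redirect_url is accepted."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s&redirect_uri=http://client.example.com/return' % (self.app.key())
        response = api_request(self, self.get_url(authorization_url), headers=self._signed_in_headers(), unsigned=True)
        self.assertEqual(response.effective_url, self.get_url(authorization_url))
        self.assertEqual(response.code, 200)
        self.assertIn('http://client.example.com/return', response.body)

    def test_authorization_code_request_error_on_mismatched_redirect(self):
        """A redirect_uri that differs from the registered one is rejected with 400, not followed."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s&redirect_uri=http://othersite.example.com/path' % (self.app.key())
        response = self.fetch_url(authorization_url, follow_redirects=False)
        self.assertEqual(response.code, 400)

    def test_authorize_code_submitting_agree_redirects_to_apps_redirect_url(self):
        """Agreeing issues a code and redirects to the registered redirect_url with it."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s' % (self.app.key())
        arguments = {'agree': 1}
        response = self.post_url(authorization_url, arguments, follow_redirects=False)
        # NOTE(review): 'id = 1' assumes no Authorizationcode rows exist
        # before this test; confirm the base class resets storage per test.
        auth_code = Authorizationcode.get('id = 1')
        self.assert_redirect(response, 'http://client.example.com/return?code=%s' % auth_code.code)

    def test_authorize_code_submitting_agree_redirects_to_apps_redirect_url_with_query(self):
        """The code is appended to a redirect_url that already has a query string."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s' % (self.app_query.key())
        arguments = {'agree': 1}
        response = self.post_url(authorization_url, arguments, follow_redirects=False)
        auth_code = Authorizationcode.get('id = 1')
        self.assert_redirect(response, 'http://client.example.com/return?query=param&code=%s' % auth_code.code)

    def test_authorize_code_submitting_agree_redirects_to_authtime_redirect_url(self):
        """With no registered redirect_url, the code goes to the request's redirect_uri."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s&redirect_uri=http://client.example.com/return' % (self.app_no_redirect.key())
        arguments = {'agree': 1}
        response = self.post_url(authorization_url, arguments, follow_redirects=False)
        auth_code = Authorizationcode.get('id = 1')
        self.assert_redirect(response, 'http://client.example.com/return?code=%s' % auth_code.code)

    def test_authorize_code_submitting_disagree_redirects_to_apps_redirect_url(self):
        """access_denied: the resource owner denied the request; no code is issued."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s' % (self.app.key())
        response = self.post_url(authorization_url, follow_redirects=False)
        auth_codes = Authorizationcode.all()
        self.assertEqual(len(auth_codes), 0)
        self.assert_redirect(response, 'http://client.example.com/return?error=access_denied')

    def test_authorize_code_submitting_disagree_redirects_to_apps_redirect_url_with_query(self):
        """access_denied is appended to a redirect_url that already has a query string."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s' % (self.app_query.key())
        response = self.post_url(authorization_url, follow_redirects=False)
        auth_codes = Authorizationcode.all()
        self.assertEqual(len(auth_codes), 0)
        self.assert_redirect(response, 'http://client.example.com/return?query=param&error=access_denied')

    def test_authorize_code_submitting_disagree_redirects_to_authtime_redirect_url(self):
        """access_denied goes to the request's redirect_uri when none is registered."""
        authorization_url = '/api/authorize?response_type=code&client_id=%s&redirect_uri=http://client.example.com/return' % (self.app_no_redirect.key())
        response = self.post_url(authorization_url, follow_redirects=False)
        auth_codes = Authorizationcode.all()
        self.assert_redirect(response, 'http://client.example.com/return?error=access_denied')
        self.assertEqual(len(auth_codes), 0)

    def test_authorize_code_returns_errors(self):
        """Malformed authorize requests report the OAuth error code via redirect.

        The original interleaved bare string literals (no-op statements) as
        section labels; they are comments here.
        """
        # invalid_request - The request is missing a required parameter,
        # includes an unsupported parameter or parameter value, or is
        # otherwise malformed.
        authorization_url = '/api/authorize?response_type=&client_id=%s' % (self.app.key())
        response = self.fetch_url(authorization_url, follow_redirects=False)
        self.assert_redirect(response, 'http://client.example.com/return?error=invalid_request')

        # invalid_client - The client identifier provided is invalid.
        # NOTE(review): for an unknown client_id there is no registration to
        # validate the caller-supplied redirect_uri against; RFC 6749
        # s4.1.2.1 says the server MUST NOT redirect in that case. This
        # assertion pins the current behaviour - confirm it is intended.
        authorization_url = '/api/authorize?response_type=code&client_id=0&redirect_uri=%s' % url_escape('http://client.example.com/return')
        response = self.fetch_url(authorization_url, follow_redirects=False)
        self.assert_redirect(response, 'http://client.example.com/return?error=invalid_client')

        # Invalid client and no redirect_uri given: nowhere to redirect, so 404.
        authorization_url = '/api/authorize?response_type=code&client_id=0'
        response = self.fetch_url(authorization_url, follow_redirects=False)
        self.assertEqual(response.code, 404)

        # unsupported_response_type - The authorization server does not
        # support obtaining an authorization code using this method.
        authorization_url = '/api/authorize?response_type=asdf&client_id=%s' % (self.app.key())
        response = self.fetch_url(authorization_url, follow_redirects=False)
        self.assert_redirect(response, 'http://client.example.com/return?error=unsupported_response_type')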
class APIResourceOwnerPasswordCredentials(test.base.BaseAsyncTestCase):
    """Passing in a username and password along with API credentials returns a valid access token."""

    def setUp(self):
        """Create a signed-in admin, a second user, and one registered app."""
        super(APIResourceOwnerPasswordCredentials, self).setUp()
        self.user_a = User(name='admin', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_a.set_password('asdfasdf')
        self.user_a.save()
        self.sid = self.sign_in('admin', 'asdfasdf')
        self.xsrf = self.get_xsrf()
        self.user_b = User(name='user2', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_b.set_password('asdfasdf')
        self.user_b.save()
        self.app = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='http://client.example.com/return')
        self.app.save()

    def _post_password_grant(self, password):
        """POST a resource-owner-password grant for ``admin`` using the app's credentials."""
        form = "grant_type=password&client_id=%s&client_secret=%s&username=%s&password=%s" % (self.app.key(), self.app.secret, 'admin', password)
        return api_request(self, self.get_url('/api/token'), method='POST', body=form, unsigned=True)

    def test_sending_valid_request_returns_access_token(self):
        """The correct password yields exactly one stored access token."""
        self._post_password_grant('asdfasdf')
        tokens = Accesstoken.all()
        self.assertEqual(len(tokens), 1)
        self.assertTrue(tokens[0])
        # Remove the token so the invalid-password test passes out of order.
        for stored in tokens:
            stored.delete()

    def test_sending_invalid_password_returns_error(self):
        """A wrong password must not create an access token."""
        self._post_password_grant('qwerqwer')
        tokens = Accesstoken.all()
        self.assertEqual(len(tokens), 0)
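class APITokenTests(test.base.BaseAsyncTestCase):
    """Tests for exchanging an authorization code at ``/api/token``.

    Covers the success shape of the MAC token response, that issuing a
    second token does not revoke the first, and the error codes returned for
    a missing/unknown grant_type, an unknown client_id, a wrong
    client_secret and an expired code.
    """

    def setUp(self):
        """Create a signed-in admin, a second user, one app, and a code for user_b."""
        super(APITokenTests, self).setUp()
        self.user_a = User(name='admin', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_a.set_password('asdfasdf')
        self.user_a.save()
        self.sid = self.sign_in('admin', 'asdfasdf')
        self.xsrf = self.get_xsrf()
        self.user_b = User(name='user2', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_b.set_password('asdfasdf')
        self.user_b.save()
        self.app = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='http://client.example.com/return')
        self.app.save()
        self.authorization = Authorizationcode.generate(self.app.id, self.app.redirect_url, self.user_b.id)

    def _code_grant_body(self, code=None, grant_type='authorization_code', client_id=None, client_secret=None):
        """Build the form body for a code exchange, defaulting to the valid set-up values.

        Every parameter can be overridden so the error tests vary exactly one
        field; the field order matches the original literal strings.
        """
        if code is None:
            code = self.authorization.code
        if client_id is None:
            client_id = self.app.key()
        if client_secret is None:
            client_secret = self.app.secret
        return "grant_type=%s&code=%s&redirect_uri=%s&client_id=%s&client_secret=%s" % (grant_type, code, self.app.redirect_url, client_id, client_secret)

    def _post_token(self, body):
        """POST ``body`` to ``/api/token`` as an unsigned request."""
        return api_request(self, self.get_url('/api/token'), method='POST', body=body, unsigned=True)

    def _assert_mac_token(self, j_response, access_token):
        """Assert the JSON body describes ``access_token`` as an hmac-sha-1 MAC token."""
        self.assertEqual(j_response['token_type'], 'mac')
        self.assertEqual(j_response['access_token'], access_token.consumer_key)
        self.assertEqual(j_response['secret'], access_token.consumer_secret)
        self.assertEqual(j_response['algorithm'], 'hmac-sha-1')

    def test_access_token_returned_for_valid_authorization_code_and_credentials(self):
        """A valid code plus matching client credentials returns the stored token."""
        response = self._post_token(self._code_grant_body())
        # One access token should have been created.
        # NOTE(review): 'id=1' assumes the token table is empty at test
        # start; confirm the base class resets storage between tests.
        access_token = Accesstoken.get('id=1')
        j_response = json_decode(response.body)
        self._assert_mac_token(j_response, access_token)

    def test_access_token_is_not_deleted_when_new_one_is_requested(self):
        """Issuing a second token for the same app and user keeps the first one live."""
        # First request one.
        response = self._post_token(self._code_grant_body())
        # One access token should have been created.
        access_token = Accesstoken.get('id=1')
        self.assertTrue(access_token)
        self.assertFalse(access_token.deleted)
        access_tokens = Accesstoken.all()
        self.assertEqual(len(access_tokens), 1)
        j_response = json_decode(response.body)
        self._assert_mac_token(j_response, access_token)
        # Now request another with a fresh code.
        other_authorization = Authorizationcode.generate(self.app.id, self.app.redirect_url, self.user_b.id)
        response = self._post_token(self._code_grant_body(code=other_authorization.code))
        # A second access token should have been created and BOTH remain
        # undeleted (the original comment said the first "should be gone",
        # which contradicted the assertions and the test name).
        access_token = Accesstoken.get('id=1')
        self.assertFalse(access_token.deleted)
        access_token = Accesstoken.get('id=2')
        self.assertFalse(access_token.deleted)
        access_tokens = Accesstoken.all()
        self.assertEqual(len(access_tokens), 2)
        j_response = json_decode(response.body)
        self._assert_mac_token(j_response, access_token)

    def test_access_token_is_denied_with_missing_grant_type(self):
        """An empty grant_type is a malformed request: 400 invalid_request."""
        response = self._post_token(self._code_grant_body(grant_type=''))
        j_response = json_decode(response.body)
        self.assertEqual(response.code, 400)
        self.assertEqual(j_response['error'], 'invalid_request')

    def test_access_token_is_denied_with_bad_grant_type(self):
        """An unknown grant_type is refused.

        NOTE(review): RFC 6749 s5.2 names this case unsupported_grant_type
        with HTTP 400; the assertion pins the server's current 401
        invalid_grant response.
        """
        response = self._post_token(self._code_grant_body(grant_type='asdfasdf'))
        j_response = json_decode(response.body)
        self.assertEqual(response.code, 401)
        self.assertEqual(j_response['error'], 'invalid_grant')

    def test_access_token_is_denied_with_bad_client_id(self):
        """An unknown client_id is refused with 401 invalid_client."""
        response = self._post_token(self._code_grant_body(client_id='fart'))
        j_response = json_decode(response.body)
        self.assertEqual(response.code, 401)
        self.assertEqual(j_response['error'], 'invalid_client')

    def test_access_token_denied_for_bad_secret(self):
        """A wrong client_secret must not yield a token.

        NOTE(review): RFC 6749 s5.2 reports a failed client authentication as
        invalid_client; the assertion pins the server's current access_denied.
        """
        response = self._post_token(self._code_grant_body(client_secret='porkchops'))
        j_response = json_decode(response.body)
        self.assertEqual(response.code, 401)
        self.assertEqual(j_response['error'], 'access_denied')

    def test_access_token_denied_too_old(self):
        """An authorization code whose expires_at is in the past cannot be exchanged."""
        self.authorization.expires_at = datetime.utcnow() - timedelta(seconds=50)
        self.authorization.save()
        response = self._post_token(self._code_grant_body())
        j_response = json_decode(response.body)
        self.assertEqual(response.code, 401)
        self.assertEqual(j_response['error'], 'invalid_grant')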