def _verify(self, key, audience):
if self.expiry - self.not_before > self.MAX_LIFETIME:
raise InvalidGrantError('Grant token lifetime is too long.')
try:
jwt.decode(self._token,
algorithms=['HS256'],
audience=audience,
key=key,
leeway=self.LEEWAY)
except TypeError:
raise InvalidClientError('Client is invalid.')
except jwt.DecodeError:
raise InvalidGrantError('Invalid grant token signature.')
except jwt.exceptions.InvalidAlgorithmError:
raise InvalidGrantError('Invalid grant token signature algorithm.')
except jwt.MissingRequiredClaimError as exc:
if exc.claim == 'aud':
raise errors.MissingJWTGrantTokenClaimError('aud', 'audience')
else:
raise errors.MissingJWTGrantTokenClaimError(exc.claim)
except jwt.InvalidAudienceError:
raise errors.InvalidJWTGrantTokenClaimError('aud', 'audience')
except jwt.ImmatureSignatureError:
raise InvalidGrantError('Grant token is not yet valid.')
except jwt.ExpiredSignatureError:
raise InvalidGrantError('Grant token is expired.')
except jwt.InvalidIssuedAtError:
raise InvalidGrantError(
'Grant token issue time (iat) is in the future.')
def _verify(self, key, audience): # pylint:disable=too-complex
if self.expiry - self.not_before > self.MAX_LIFETIME:
raise InvalidGrantError("Grant token lifetime is too long.")
try:
jwt.decode(
self._token,
algorithms=["HS256"],
audience=audience,
key=key,
leeway=self.LEEWAY,
)
except TypeError as err:
raise InvalidClientError("Client is invalid.") from err
except jwt.DecodeError as err:
raise InvalidGrantError("Invalid grant token signature.") from err
except jwt.exceptions.InvalidAlgorithmError as err:
raise InvalidGrantError(
"Invalid grant token signature algorithm.") from err
except jwt.MissingRequiredClaimError as err:
if err.claim == "aud":
raise MissingJWTGrantTokenClaimError("aud",
"audience") from err
raise MissingJWTGrantTokenClaimError(err.claim) from err
except jwt.InvalidAudienceError as err:
raise InvalidJWTGrantTokenClaimError("aud", "audience") from err
except jwt.ImmatureSignatureError as err:
raise InvalidGrantError("Grant token is not yet valid.") from err
except jwt.ExpiredSignatureError as err:
raise InvalidGrantError("Grant token is expired.") from err
except jwt.InvalidIssuedAtError as err:
raise InvalidGrantError(
"Grant token issue time (iat) is in the future.") from err
def test_login_controller_invalid_grant(monkeypatch, mocker, flask_app,
test_vcr):
storage = MemoryStorage({"access_token": "fake-token"})
monkeypatch.setattr(bplogin, "storage", storage)
with test_vcr.use_cassette("auth_google_token_revoke_fake.yml"):
mocker.patch("flask_dance.consumer.oauth2.redirect",
side_effect=InvalidGrantError())
with flask_app.test_client() as client:
response = client.get("auth/google/authorized")
assert re.search(r"google_login",
response.headers["Location"]) is not None
assert response.status_code == 302
def get_client(self): # type: () -> HydroShareAdapter
"""
Passes authentication details to underlying HydroShare object for authorization via OAuth 2.0.
"""
if self.auth_type == OAUTH_AC:
token = self.get_token()
auth = HydroShareAuthOAuth2(self.__client_id,
self.__client_secret,
token=token)
elif self.auth_type == OAUTH_ROPC:
auth = HydroShareAuthOAuth2(self.__client_id,
self.__client_secret,
username=self.username,
password=self.password)
else:
raise InvalidGrantError("Invalid authorization grant type.")
authorization_header = self.get_authorization_header()
return HydroShareAdapter(auth=auth,
default_headers=authorization_header)