def test_validate_token_successfully_validates(rf):
""" A valid token should return the decoded token. """
token = build_id_token()
c = Config()
with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")):
tv = TokenValidator(c, "defaultnonce", rf.get("/"))
decoded_token = tv.validate_token(token)
assert decoded_token["jti"] == "randomid"
def test_no_key_raises_invalid_token(rf):
"""
If we dont' have a key at all we should be raising an InvalidTokenSignature.
"""
token = build_id_token()
c = Config()
with patch("okta_oauth2.tokens.TokenValidator._jwks",
Mock(return_value=None)), pytest.raises(InvalidTokenSignature):
tv = TokenValidator(c, "defaultnonce", rf.get("/"))
tv.validate_token(token)
def test_wrong_key_raises_invalid_token(rf):
"""
If we get the wrong key then we should be raising an InvalidTokenSignature.
"""
token = build_id_token()
c = Config()
with patch(
"okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="wrongkey")
), pytest.raises(InvalidTokenSignature):
tv = TokenValidator(c, "defaultnonce", rf.get("/"))
tv.validate_token(token)
def test_unmatching_nonce_raises_error(rf):
"""
If our token has the wrong nonce then raise a NonceDoesNotMatch
"""
token = build_id_token(nonce="wrong-nonce")
c = Config()
with patch("okta_oauth2.tokens.TokenValidator._jwks",
Mock(return_value="secret")), pytest.raises(NonceDoesNotMatch):
tv = TokenValidator(c, "defaultnonce", rf.get("/"))
tv.validate_token(token)
def test_expired_token_raises_error(rf):
"""
If our token is expired then we should raise an TokenExpired.
"""
token = build_id_token(exp=now().timestamp() - 3600)
c = Config()
with patch("okta_oauth2.tokens.TokenValidator._jwks",
Mock(return_value="secret")), pytest.raises(TokenExpired):
tv = TokenValidator(c, "defaultnonce", rf.get("/"))
tv.validate_token(token)
def test_invalid_audience_in_decoded_token(rf):
"""
If our audience doesn't match our client id we should raise an InvalidClientID
"""
token = build_id_token(aud="invalid-aud")
c = Config()
with patch("okta_oauth2.tokens.TokenValidator._jwks",
Mock(return_value="secret")), pytest.raises(InvalidClientID):
tv = TokenValidator(c, "defaultnonce", rf.get("/"))
tv.validate_token(token)
def test_invalid_issuer_in_decoded_token(rf):
"""
If our issuers don't match we should raise an IssuerDoesNotMatch.
"""
token = build_id_token(iss="invalid-issuer")
c = Config()
with patch("okta_oauth2.tokens.TokenValidator._jwks",
Mock(return_value="secret")), pytest.raises(IssuerDoesNotMatch):
tv = TokenValidator(c, "defaultnonce", rf.get("/"))
tv.validate_token(token)
def test_issue_time_is_too_far_in_the_past_raises_error(rf):
"""
If our token was issued more than about 24 hours ago
we want to raise a TokenTooFarAway.
"""
token = build_id_token(iat=now().timestamp() - 200000)
c = Config()
with patch("okta_oauth2.tokens.TokenValidator._jwks",
Mock(return_value="secret")), pytest.raises(TokenTooFarAway):
tv = TokenValidator(c, "defaultnonce", rf.get("/"))
tv.validate_token(token)
def test_decorator_allows_access_to_valid_token(client: Client):
"""
If we have a valid token then we should allow access to the view.
"""
nonce = "123456"
token = build_id_token(nonce=nonce)
client.cookies.load({"okta-oauth-nonce": nonce})
session = client.session
session["tokens"] = {"id_token": token}
session.save()
with patch("okta_oauth2.tokens.TokenValidator._jwks",
Mock(return_value="secret")):
response = client.get("/decorated/")
assert response.status_code == 200
def test_valid_token_returns_response(rf):
"""
If we have a valid token we should be returning the normal
response from the middleware.
"""
nonce = "123456"
# We're building a token here that we know will be valid
token = build_id_token(nonce=nonce)
with patch("okta_oauth2.tokens.TokenValidator._jwks",
Mock(return_value="secret")):
request = rf.get("/")
request.COOKIES["okta-oauth-nonce"] = nonce
request.session = {"tokens": {"id_token": token}}
mw = OktaMiddleware(Mock(return_value=HttpResponse()))
response = mw(request)
assert response.status_code == 200
def test_call_token_endpoint_returns_tokens(mock_post, rf):
"""
when we call the token endpoint with valid data we expect
to receive a bunch of tokens. See assertions to understand which.
"""
mock_post.return_value = Mock(ok=True)
mock_post.return_value.json.return_value = {
"access_token": build_access_token(),
"id_token": build_id_token(),
"refresh_token": "refresh",
}
endpoint_data = {"grant_type": "authorization_code", "code": "imacode"}
c = Config()
MockDiscoveryDocument = MagicMock()
with patch("okta_oauth2.tokens.DiscoveryDocument", MockDiscoveryDocument):
tv = TokenValidator(c, "defaultnonce", rf.get("/"))
tokens = tv.call_token_endpoint(endpoint_data)
assert "access_token" in tokens
assert "id_token" in tokens
assert "refresh_token" in tokens
def get_normal_user_with_groups_token(self, code):
return {
"access_token": build_access_token(),
"id_token": build_id_token(groups=["one", "two"]),
"refresh_token": "refresh",
}
def get_staff_token_result(self, code):
return {
"access_token": build_access_token(),
"id_token": build_id_token(groups=[STAFF_GROUP]),
"refresh_token": "refresh",
}
def get_superuser_token_result(self, code):
return {
"access_token": build_access_token(),
"id_token": build_id_token(groups=[SUPERUSER_GROUP]),
"refresh_token": "refresh",
}
def get_token_result(self, code):
return {
"access_token": build_access_token(),
"id_token": build_id_token(),
"refresh_token": "refresh",
}
