def test_token_getter(remote, models_fixture, app):
"""Test token getter on response from OAuth server."""
datastore = app.extensions['invenio-accounts'].datastore
existing_email = '*****@*****.**'
user = datastore.find_user(email=existing_email)
# Missing RemoteToken
oauth_authenticate('dev', user)
assert not token_getter(remote)
# Populated RemoteToken
RemoteToken.create(user.id, 'testkey', 'mytoken', 'mysecret')
oauth_authenticate('dev', user)
assert token_getter(remote) == ('mytoken', 'mysecret')
def test_token_getter(remote, models_fixture):
"""Test token getter on response from OAuth server."""
app = models_fixture
datastore = app.extensions['invenio-accounts'].datastore
existing_email = '*****@*****.**'
user = datastore.find_user(email=existing_email)
# Missing RemoteToken
oauth_authenticate('dev', user)
assert not token_getter(remote)
# Populated RemoteToken
RemoteToken.create(user.id, 'testkey', 'mytoken', 'mysecret')
oauth_authenticate('dev', user)
assert token_getter(remote) == ('mytoken', 'mysecret')
def authorized_signup_handler(resp, remote, *args, **kwargs):
"""Handle sign-in/up functionality.
This is needed as we don't use Flask Forms (for now), thus the default
function would fail.
"""
# Remove any previously stored auto register session key
session.pop(token_session_key(remote.name) + '_autoregister', None)
# Store token in session
# ----------------------
# Set token in session - token object only returned if
# current_user.is_autenticated().
token = response_token_setter(remote, resp)
handlers = current_oauthclient.signup_handlers[remote.name]
# Sign-in/up user
# ---------------
if not current_user.is_authenticated:
account_info = handlers['info'](resp)
account_info_received.send(remote,
token=token,
response=resp,
account_info=account_info)
user = oauth_get_user(
remote.consumer_key,
account_info=account_info,
access_token=token_getter(remote)[0],
)
if user is None:
# Auto sign-up if user not found
user = oauth_register(account_info)
# Authenticate user
if not oauth_authenticate(
remote.consumer_key,
user,
require_existing_link=False,
remember=current_app.config['OAUTHCLIENT_REMOTE_APPS'][
remote.name].get('remember', False)):
return current_app.login_manager.unauthorized()
# Link account
# ------------
# Need to store token in database instead of only the session when
# called first time.
token = response_token_setter(remote, resp)
# Setup account
# -------------
if not token.remote_account.extra_data:
account_setup = handlers['setup'](token, resp)
account_setup_received.send(remote,
token=token,
response=resp,
account_setup=account_setup)
return redirect('/')
def session_token(self):
"""Return OAuth session token."""
session_token = None
if self.user_id is not None:
session_token = token_getter(self.remote)
if session_token:
token = RemoteToken.get(self.user_id,
self.remote.consumer_key,
access_token=session_token[0])
return token
return None
def session_token(self):
"""Return OAuth session token."""
session_token = None
if self.user_id is not None:
session_token = token_getter(self.remote)
if session_token:
token = RemoteToken.get(
self.user_id, self.remote.consumer_key,
access_token=session_token[0]
)
return token
return None
def get_token(user_id=None):
"""Retrieve token for linked GitHub account."""
session_token = None
if user_id is None:
session_token = token_getter(get_remote())
if session_token:
token = RemoteToken.get(
current_user.get_id(), get_client_id(),
access_token=session_token[0]
)
return token
return None
def authorized_signup_handler(resp, remote, *args, **kwargs):
"""Handle sign-in/up functionality.
This is needed as we don't use Flask Forms (for now), thus the default
function would fail.
"""
# Remove any previously stored auto register session key
session.pop(token_session_key(remote.name) + '_autoregister', None)
# Store token in session
# ----------------------
# Set token in session - token object only returned if
# current_user.is_autenticated().
token = response_token_setter(remote, resp)
handlers = current_oauthclient.signup_handlers[remote.name]
# Sign-in/up user
# ---------------
if not current_user.is_authenticated:
account_info = handlers['info'](resp)
account_info_received.send(
remote, token=token, response=resp, account_info=account_info
)
user = oauth_get_user(
remote.consumer_key,
account_info=account_info,
access_token=token_getter(remote)[0],
)
if user is None:
# Auto sign-up if user not found
user = oauth_register(account_info)
# Authenticate user
if not oauth_authenticate(remote.consumer_key, user,
require_existing_link=False):
return current_app.login_manager.unauthorized()
# Link account
# ------------
# Need to store token in database instead of only the session when
# called first time.
token = response_token_setter(remote, resp)
# Setup account
# -------------
if not token.remote_account.extra_data:
account_setup = handlers['setup'](token, resp)
account_setup_received.send(
remote, token=token, response=resp, account_setup=account_setup
)
return redirect('/')
def test_token_getter_setter(app_rest, monkeypatch):
"""Test token getter setter."""
# Mock session id
monkeypatch.setattr('invenio_oauthclient._compat._create_identifier',
lambda: '1234')
monkeypatch.setattr(
'invenio_oauthclient.views.client._create_identifier', lambda: '1234')
oauth = app_rest.extensions['oauthlib.client']
# Mock user
user = MagicMock()
user.id = 1
user.get_id = MagicMock(return_value=1)
user.is_anonymous = False
with app_rest.test_client() as c:
login_user_via_session(c, user)
# First call login to be redirected
res = c.get(url_for('invenio_oauthclient.rest_login',
remote_app='full'))
assert res.status_code == 302
assert res.location.startswith(
oauth.remote_apps['full'].authorize_url
)
state = parse_qs(urlparse(res.location).query)['state'][0]
# Mock resposen class
mock_response(app_rest.extensions['oauthlib.client'], 'full')
# Imitate that the user authorized our request in the remote
# application.
c.get(url_for(
'invenio_oauthclient.rest_authorized', remote_app='full',
code='test', state=state,
))
# Assert if everything is as it should be.
from flask import session as flask_session
assert flask_session['oauth_token_full'] == \
('test_access_token', '')
t = RemoteToken.get(1, 'fullid')
assert t.remote_account.client_id == 'fullid'
assert t.access_token == 'test_access_token'
assert RemoteToken.query.count() == 1
# Mock a new authorized request
mock_response(app_rest.extensions['oauthlib.client'], 'full', data={
'access_token': 'new_access_token',
'scope': "",
'token_type': 'bearer'
})
c.get(url_for(
'invenio_oauthclient.rest_authorized', remote_app='full',
code='test', state=state
))
t = RemoteToken.get(1, 'fullid')
assert t.access_token == 'new_access_token'
assert RemoteToken.query.count() == 1
val = token_getter(
app_rest.extensions['oauthlib.client'].remote_apps['full'])
assert val == ('new_access_token', '')
# Disconnect account
res = c.get(url_for(
'invenio_oauthclient.rest_disconnect', remote_app='full',
))
assert res.status_code == 302
expected_url_args = {
"message": "Successfully disconnected.",
"code": 200
}
check_response_redirect_url_args(res, expected_url_args)
# Assert that remote account have been removed.
t = RemoteToken.get(1, 'fullid')
assert t is None
# TODO: Figure out what is leaving session open & blocked
db.session.close()
def test_token_getter_setter(monkeypatch):
"""Test token getter setter."""
# Mock session id
monkeypatch.setattr('flask_login._create_identifier', lambda: '1234')
monkeypatch.setattr(
'invenio_oauthclient.views.client._create_identifier', lambda: '1234')
app = setup_app()
oauth = app.extensions['oauthlib.client']
# Mock user
user = MagicMock()
user.id = 1
user.get_id = MagicMock(return_value=1)
user.is_anonymous = False
with patch('flask_login._get_user', return_value=user):
with app.test_client() as c:
# First call login to be redirected
res = c.get(url_for("invenio_oauthclient.login",
remote_app='full'))
assert res.status_code == 302
assert res.location.startswith(
oauth.remote_apps['full'].authorize_url
)
state = parse_qs(urlparse(res.location).query)['state'][0]
# Mock resposen class
mock_response(app.extensions['oauthlib.client'], 'full')
# Imitate that the user authorized our request in the remote
# application.
c.get(url_for(
"invenio_oauthclient.authorized", remote_app='full',
code='test', state=state,
))
# Assert if everything is as it should be.
from flask import session as flask_session
assert flask_session['oauth_token_full'] == \
('test_access_token', '')
t = RemoteToken.get(1, "fullid")
assert t.remote_account.client_id == 'fullid'
assert t.access_token == 'test_access_token'
assert RemoteToken.query.count() == 1
# Mock a new authorized request
mock_response(app.extensions['oauthlib.client'], 'full', data={
"access_token": "new_access_token",
"scope": "",
"token_type": "bearer"
})
c.get(url_for(
"invenio_oauthclient.authorized", remote_app='full',
code='test', state=state
))
t = RemoteToken.get(1, "fullid")
assert t.access_token == 'new_access_token'
assert RemoteToken.query.count() == 1
val = token_getter(
app.extensions['oauthlib.client'].remote_apps['full'])
assert val == ('new_access_token', '')
# Disconnect account
res = c.get(url_for(
"invenio_oauthclient.disconnect", remote_app='full',
))
assert res.status_code == 302
assert res.location.endswith(
url_for('invenio_oauthclient_settings.index')
)
# Assert that remote account have been removed.
t = RemoteToken.get(1, "fullid")
assert t is None
def test_token_getter_setter(views_fixture, monkeypatch):
"""Test token getter setter."""
# Mock session id
monkeypatch.setattr('flask_login._create_identifier', lambda: '1234')
monkeypatch.setattr('invenio_oauthclient.views.client._create_identifier',
lambda: '1234')
app = views_fixture
oauth = app.extensions['oauthlib.client']
# Mock user
user = MagicMock()
user.id = 1
user.get_id = MagicMock(return_value=1)
user.is_anonymous = False
with patch('flask_login._get_user', return_value=user):
with app.test_client() as c:
# First call login to be redirected
res = c.get(url_for("invenio_oauthclient.login",
remote_app='full'))
assert res.status_code == 302
assert res.location.startswith(
oauth.remote_apps['full'].authorize_url)
state = parse_qs(urlparse(res.location).query)['state'][0]
# Mock resposen class
mock_response(app.extensions['oauthlib.client'], 'full')
# Imitate that the user authorized our request in the remote
# application.
c.get(
url_for(
"invenio_oauthclient.authorized",
remote_app='full',
code='test',
state=state,
))
# Assert if everything is as it should be.
from flask import session as flask_session
assert flask_session['oauth_token_full'] == \
('test_access_token', '')
t = RemoteToken.get(1, "fullid")
assert t.remote_account.client_id == 'fullid'
assert t.access_token == 'test_access_token'
assert RemoteToken.query.count() == 1
# Mock a new authorized request
mock_response(app.extensions['oauthlib.client'],
'full',
data={
"access_token": "new_access_token",
"scope": "",
"token_type": "bearer"
})
c.get(
url_for("invenio_oauthclient.authorized",
remote_app='full',
code='test',
state=state))
t = RemoteToken.get(1, "fullid")
assert t.access_token == 'new_access_token'
assert RemoteToken.query.count() == 1
val = token_getter(
app.extensions['oauthlib.client'].remote_apps['full'])
assert val == ('new_access_token', '')
# Disconnect account
res = c.get(
url_for(
"invenio_oauthclient.disconnect",
remote_app='full',
))
assert res.status_code == 302
assert res.location.endswith(
url_for('invenio_oauthclient_settings.index'))
# Assert that remote account have been removed.
t = RemoteToken.get(1, "fullid")
assert t is None
# TODO: Figure out what is leaving session open & blocked
db.session.close()
def test_token_getter_setter(self, session, save_session):
from invenio_oauthclient.models import RemoteToken
from invenio_oauthclient.handlers import token_getter
from invenio_oauthclient.client import oauth
# Mock user
user = MagicMock()
user.get_id = MagicMock(return_value=1)
user.is_authenticated = MagicMock(return_value=True)
# Mock session id
session.sid = '1234'
with patch('flask_login._get_user', return_value=user):
with self.app.test_client() as c:
# First call login to be redirected
res = c.get(url_for("oauthclient.login", remote_app='full'))
assert res.status_code == 302
assert res.location.startswith(
oauth.remote_apps['full'].authorize_url
)
state = parse_qs(urlparse(res.location).query)['state'][0]
# Mock resposen class
self.mock_response(app='full')
# Imitate that the user authorized our request in the remote
# application.
c.get(url_for(
"oauthclient.authorized", remote_app='full', code='test',
state=state,
))
# Assert if everything is as it should be.
from flask import session as flask_session
assert flask_session['oauth_token_full'] == \
('test_access_token', '')
t = RemoteToken.get(1, "fullid")
assert t.remote_account.client_id == 'fullid'
assert t.access_token == 'test_access_token'
assert RemoteToken.query.count() == 1
# Mock a new authorized request
self.mock_response(app='full', data={
"access_token": "new_access_token",
"scope": "",
"token_type": "bearer"
})
c.get(url_for(
"oauthclient.authorized", remote_app='full', code='test',
state=state
))
t = RemoteToken.get(1, "fullid")
assert t.access_token == 'new_access_token'
assert RemoteToken.query.count() == 1
val = token_getter(oauth.remote_apps['full'])
assert val == ('new_access_token', '')
# Disconnect account
res = c.get(url_for(
"oauthclient.disconnect", remote_app='full',
))
assert res.status_code == 302
assert res.location.endswith(
url_for('oauthclient_settings.index')
)
# Assert that remote account have been removed.
t = RemoteToken.get(1, "fullid")
assert t is None
def authorized_handler(self, resp, remote, *args, **kwargs):
"""Handle sign-in functionality.
:param remote: The remote application.
:param resp: The response.
:returns: Redirect response.
"""
# Remove any previously stored auto register session key
session.pop(token_session_key(remote.name) + '_autoregister', None)
# Store token in session
# ----------------------
# Set token in session - token object only returned if
# current_user.is_autenticated().
token = response_token_setter(remote, resp)
handlers = current_oauthclient.signup_handlers[remote.name]
# Sign-in user
# ---------------
if not current_user.is_authenticated:
account_info = handlers['info'](resp)
account_info_received.send(remote,
token=token,
response=resp,
account_info=account_info)
user = oauth_get_user(
remote.consumer_key,
account_info=account_info,
access_token=token_getter(remote)[0],
)
# Make sure that external identity either matches
# or is not yet created (gets created on first oidc login)
extid = _get_external_id(account_info)
user_identity: UserIdentity = UserIdentity.query.filter_by(
id=extid['id'], method=extid['method']).first()
if user_identity and user_identity.id != extid['id']:
abort(401)
if user is None:
abort(403)
# Authenticate user
if not oauth_authenticate(
remote.consumer_key, user, require_existing_link=False):
return current_app.login_manager.unauthorized()
# Link account
# ------------
# Need to store token in database instead of only the session when
# called first time.
token = response_token_setter(remote, resp)
# Setup account
# -------------
if not token.remote_account.extra_data:
account_setup = handlers['setup'](token, resp)
account_setup_received.send(remote,
token=token,
response=resp,
account_setup=account_setup)
db.session.commit()
account_setup_committed.send(remote, token=token)
else:
db.session.commit()
# Redirect to next
next_url = get_session_next_url(remote.name)
if next_url:
return redirect(next_url)
return redirect(url_for('invenio_oauthclient_settings.index'))
def cern_authorized_signup_handler(resp, remote, *args, **kwargs):
"""Handle sign-in/up functionality.
:param remote: The remote application.
:param resp: The response.
:returns: Redirect response.
"""
# Remove any previously stored auto register session key
session.pop(token_session_key(remote.name) + '_autoregister', None)
# Store token in session
# ----------------------
# Set token in session - token object only returned if
# current_user.is_autenticated().
token = response_token_setter(remote, resp)
handlers = current_oauthclient.signup_handlers[remote.name]
# Sign-in/up user
# ---------------
if not current_user.is_authenticated:
account_info = handlers['info'](resp)
account_info_received.send(remote,
token=token,
response=resp,
account_info=account_info)
user = oauth_get_user(
remote.consumer_key,
account_info=account_info,
access_token=token_getter(remote)[0],
)
if user is None:
# Auto sign-up if user not found
form = create_csrf_disabled_registrationform()
form = fill_form(form, account_info['user'])
user = oauth_register(form)
# if registration fails ...
if user is None:
# requires extra information
session[token_session_key(remote.name) +
'_autoregister'] = True
session[token_session_key(remote.name) +
'_account_info'] = account_info
session[token_session_key(remote.name) + '_response'] = resp
db.session.commit()
return redirect(url_for(
'.signup',
remote_app=remote.name,
))
# Authenticate user
if not oauth_authenticate(
remote.consumer_key, user, require_existing_link=False):
return current_app.login_manager.unauthorized()
# Link account
# ------------
# Need to store token in database instead of only the session when
# called first time.
token = response_token_setter(remote, resp)
# Setup account
# -------------
if not token.remote_account.extra_data:
account_setup = handlers['setup'](token, resp)
account_setup_received.send(remote,
token=token,
response=resp,
account_setup=account_setup)
db.session.commit()
account_setup_committed.send(remote, token=token)
else:
db.session.commit()
# Redirect to next
if current_user.is_authenticated and not egroup_admin():
logout_user()
return redirect(get_post_logout_redirect())
next_url = get_session_next_url(remote.name)
if next_url:
return redirect(next_url)
return redirect(url_for('invenio_oauthclient_settings.index'))
def test_token_getter_setter(self, session, save_session):
from invenio_oauthclient.models import RemoteToken
from invenio_oauthclient.handlers import token_getter
from invenio_oauthclient.client import oauth
# Mock user
user = MagicMock()
user.get_id = MagicMock(return_value=1)
user.is_authenticated = MagicMock(return_value=True)
# Mock session id
session.sid = '1234'
with patch('flask_login._get_user', return_value=user):
with self.app.test_client() as c:
# First call login to be redirected
res = c.get(url_for("oauthclient.login", remote_app='full'))
assert res.status_code == 302
assert res.location.startswith(
oauth.remote_apps['full'].authorize_url)
state = parse_qs(urlparse(res.location).query)['state'][0]
# Mock resposen class
self.mock_response(app='full')
# Imitate that the user authorized our request in the remote
# application.
c.get(
url_for(
"oauthclient.authorized",
remote_app='full',
code='test',
state=state,
))
# Assert if everything is as it should be.
from flask import session as flask_session
assert flask_session['oauth_token_full'] == \
('test_access_token', '')
t = RemoteToken.get(1, "fullid")
assert t.remote_account.client_id == 'fullid'
assert t.access_token == 'test_access_token'
assert RemoteToken.query.count() == 1
# Mock a new authorized request
self.mock_response(app='full',
data={
"access_token": "new_access_token",
"scope": "",
"token_type": "bearer"
})
c.get(
url_for("oauthclient.authorized",
remote_app='full',
code='test',
state=state))
t = RemoteToken.get(1, "fullid")
assert t.access_token == 'new_access_token'
assert RemoteToken.query.count() == 1
val = token_getter(oauth.remote_apps['full'])
assert val == ('new_access_token', '')
# Disconnect account
res = c.get(
url_for(
"oauthclient.disconnect",
remote_app='full',
))
assert res.status_code == 302
assert res.location.endswith(
url_for('oauthclient_settings.index'))
# Assert that remote account have been removed.
t = RemoteToken.get(1, "fullid")
assert t is None