def test_bad_access_token(self):
    """An access token that was never issued must be rejected.

    A genuine access token is generated for ``self.user2`` so that the
    consumer credentials are valid; the request is then signed with
    freshly generated, never issued resource-owner key/secret, and the
    authenticator is expected to answer with a 401 response.
    """
    list_url = get_absolute_url(('api_dispatch_list',
                                 {'resource_name': 'app'}))
    # Issue a real token so that the failure can only be attributed to
    # the bogus resource-owner credentials, not to the consumer.
    Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
    bogus_key = generate()
    bogus_secret = generate()
    signed_url, header = self._oauth_request_info(
        list_url,
        client_key=self.access.key,
        client_secret=self.access.secret,
        resource_owner_key=bogus_key,
        resource_owner_secret=bogus_secret)
    authenticator = authentication.OAuthAuthentication()
    request = RequestFactory().get(
        signed_url, HTTP_HOST='testserver', HTTP_AUTHORIZATION=header)
    response = authenticator.is_authenticated(request)
    eq_(response.status_code, 401)
def test_bad_access_token(self):
    """Unregistered resource-owner credentials must not authenticate.

    A genuine access token is issued for ``self.user2`` so the consumer
    is valid; the request is then signed with freshly generated, never
    issued owner key/secret, and ``RestOAuthAuthentication`` is expected
    to report the request as not authenticated.
    """
    list_url = absolutify(reverse('app-list'))
    # A real token exists, so only the bogus owner credentials can fail.
    Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
    bogus_key = generate()
    bogus_secret = generate()
    signed_url, header = self._oauth_request_info(
        list_url,
        client_key=self.access.key,
        client_secret=self.access.secret,
        resource_owner_key=bogus_key,
        resource_owner_secret=bogus_secret)
    authenticator = authentication.RestOAuthAuthentication()
    request = RequestFactory().get(
        signed_url, HTTP_HOST='testserver', HTTP_AUTHORIZATION=header)
    assert not authenticator.is_authenticated(request)
def test_bad_access_token(self):
    """Unregistered resource-owner credentials must leave the user anonymous.

    A genuine access token is issued for ``self.user2`` so the consumer is
    valid; the request is then signed with never issued owner key/secret,
    run through ``RestOAuthMiddleware`` as an API request, and both the
    authenticator result and ``request.user`` must stay unauthenticated.
    """
    list_url = absolutify(reverse('app-list'))
    # A real token exists, so only the bogus owner credentials can fail.
    Token.generate_new(ACCESS_TOKEN, creds=self.access, user=self.user2)
    bogus_key = generate()
    bogus_secret = generate()
    signed_url, header = self._oauth_request_info(
        list_url,
        client_key=self.access.key,
        client_secret=self.access.secret,
        resource_owner_key=bogus_key,
        resource_owner_secret=bogus_secret)
    authenticator = authentication.RestOAuthAuthentication()
    request = RequestFactory().get(
        signed_url, HTTP_HOST='testserver', HTTP_AUTHORIZATION=header)
    request.API = True
    request.user = AnonymousUser()
    RestOAuthMiddleware().process_request(request)
    ok_(not authenticator.authenticate(Request(request)))
    # The middleware must not have swapped in a real user either.
    ok_(not request.user.is_authenticated())
def test_get_authorize_page(self):
    """The authorize page echoes the request token into a hidden input.

    A logged-in user fetching ``/oauth/authorize/`` with a valid request
    token gets a 200 and a form whose ``oauth_token`` input carries that
    token's key.
    """
    request_token = Token.generate_new(REQUEST_TOKEN, self.access)
    self.client.login(username="******", password="******")
    response = self.client.get("/oauth/authorize/",
                               data={"oauth_token": request_token.key})
    eq_(response.status_code, 200)
    doc = pq(response.content)
    token_input = doc("input[name=oauth_token]")
    eq_(token_input.attr("value"), request_token.key)
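def access_request(request):
    """Exchange a verified OAuth request token for an access token.

    The incoming request is parsed and validated by ``server``; on
    success the matching REQUEST_TOKEN row is consumed (deleted) and a
    new ACCESS_TOKEN bound to the same credentials and user is issued,
    returned as a form-encoded body.  Any failure -- a malformed request,
    a request that does not validate, or a request token that no longer
    exists -- is answered with a bare 401 so that nothing about the
    reason is disclosed to the caller.

    Args:
        request: the Django HTTP request carrying the OAuth parameters.

    Returns:
        HttpResponse -- 200 with ``oauth_token``/``oauth_token_secret``
        on success, 401 otherwise.
    """
    try:
        oauth_req = server._create_request(request.build_absolute_uri(),
                                           request.method, request.body,
                                           get_request_headers(request))
        valid, oauth_req = server.validate_access_token_request(oauth_req)
    except ValueError:
        valid = False

    if not valid:
        log.error('Invalid OAuth request for acquiring access token')
        return HttpResponse(status=401)

    try:
        req_t = Token.objects.get(token_type=REQUEST_TOKEN,
                                  key=oauth_req.resource_owner_key)
    except Token.DoesNotExist:
        # The request token is deleted once exchanged (below), so a token
        # consumed between validation and this lookup lands here.  Fail
        # closed with the same 401 as the validation path instead of 500.
        log.error('Request token not found while acquiring access token')
        return HttpResponse(status=401)

    t = Token.generate_new(token_type=ACCESS_TOKEN, creds=req_t.creds,
                           user=req_t.user)
    # Clean up as we go: a request token may be exchanged only once.
    req_t.delete()
    return HttpResponse(
        urlencode({'oauth_token': t.key, 'oauth_token_secret': t.secret}),
        content_type='application/x-www-form-urlencoded')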
def test_deny_authorize_page(self):
    """Denying the authorize form deletes the pending request token."""
    request_token = Token.generate_new(REQUEST_TOKEN, self.access)
    self.client.login(username='******', password='******')
    authorize_url = reverse('mkt.developers.oauth_authorize')
    response = self.client.post(
        authorize_url, data={'oauth_token': request_token.key, 'deny': ''})
    eq_(response.status_code, 200)
    # The token must be gone so a later grant cannot revive this request.
    remaining = Token.objects.filter(pk=request_token.pk).count()
    eq_(remaining, 0)
def test_get_authorize_page(self):
    """The authorize page echoes the request token into a hidden input.

    A logged-in user fetching ``/oauth/authorize/`` with a valid request
    token gets a 200 and a form whose ``oauth_token`` input carries that
    token's key.
    """
    request_token = Token.generate_new(REQUEST_TOKEN, self.access)
    self.client.login(username='******', password='******')
    response = self.client.get('/oauth/authorize/',
                               data={'oauth_token': request_token.key})
    eq_(response.status_code, 200)
    doc = pq(response.content)
    token_input = doc('input[name=oauth_token]')
    eq_(token_input.attr('value'), request_token.key)
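def access_request(request):
    """Exchange a verified OAuth request token for an access token.

    ``OAuthServer.verify_access_token_request`` validates the request from
    its absolute URI, method, body and the Authorization / Content-Type
    headers.  On success the matching REQUEST_TOKEN row is consumed
    (deleted) and a new ACCESS_TOKEN bound to the same credentials and
    user is issued as a form-encoded body.  Any failure -- a malformed
    request, a request that does not validate, or a request token that
    no longer exists -- is answered with a bare 401 so that nothing about
    the reason is disclosed to the caller.

    Args:
        request: the Django HTTP request carrying the OAuth parameters.

    Returns:
        HttpResponse -- 200 with ``oauth_token``/``oauth_token_secret``
        on success, 401 otherwise.
    """
    oa = OAuthServer()
    headers = {'Authorization': request.META.get('HTTP_AUTHORIZATION'),
               'Content-Type': request.META.get('CONTENT_TYPE')}
    try:
        valid, oauth_request = oa.verify_access_token_request(
            request.build_absolute_uri(), request.method, request.body,
            headers)
    except ValueError:
        valid = False

    if not valid:
        log.error('Invalid OAuth request for acquiring access token')
        return HttpResponse(status=401)

    try:
        req_t = Token.objects.get(token_type=REQUEST_TOKEN,
                                  key=oauth_request.resource_owner_key)
    except Token.DoesNotExist:
        # The request token is deleted once exchanged (below), so a token
        # consumed between validation and this lookup lands here.  Fail
        # closed with the same 401 as the validation path instead of 500.
        log.error('Request token not found while acquiring access token')
        return HttpResponse(status=401)

    t = Token.generate_new(token_type=ACCESS_TOKEN, creds=req_t.creds,
                           user=req_t.user)
    # Clean up as we go: a request token may be exchanged only once.
    req_t.delete()
    return HttpResponse(
        urlencode({'oauth_token': t.key, 'oauth_token_secret': t.secret}),
        content_type='application/x-www-form-urlencoded')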
def test_post_authorize_page(self):
    """Granting the authorize form binds the token and redirects.

    After a POST with ``grant`` the response is a 302 to the consumer's
    redirect URI carrying the token key and verifier, and the request
    token row now belongs to the user with pk 999.
    """
    request_token = Token.generate_new(REQUEST_TOKEN, self.access)
    query = "?oauth_token=%s&oauth_verifier=%s" % (request_token.key,
                                                   request_token.verifier)
    expected_location = self.redirect_uri + query
    self.client.login(username="******", password="******")
    authorize_url = reverse("mkt.developers.oauth_authorize")
    response = self.client.post(
        authorize_url, data={"oauth_token": request_token.key, "grant": ""})
    eq_(response.status_code, 302)
    eq_(response.get("location"), expected_location)
    # NOTE(review): 999 is presumably the pk of the logged-in fixture
    # user -- confirm against the fixtures.
    eq_(Token.objects.get(pk=request_token.pk).user.pk, 999)
def test_revoke_token(self):
    """Posting a token's pk to the authorized-apps form revokes it.

    An ``Access`` consumer and an access token for ``self.user.user`` are
    created; submitting the token pk under ``authorized_apps`` returns
    200, renders no ``#authorized_apps`` element any more and leaves no
    ``Token`` rows behind.
    """
    app_name = "Test Mkt App"
    consumer = Access.objects.create(key="", secret="", user=self.user.user,
                                     app_name=app_name, redirect_uri="")
    token = Token.generate_new(token_type=ACCESS_TOKEN, creds=consumer,
                               user=self.user.user)
    response = self.client.post(self.url,
                                {'authorized_apps': [str(token.pk)]})
    doc = pq(response.content)
    eq_(response.status_code, 200)
    eq_(len(doc('#authorized_apps')), 0)
    # Revocation must actually delete the token, not just hide it.
    eq_(Token.objects.count(), 0)
def test_tokens(self):
    """The authorized-apps page lists each access token by app name.

    With one ``Access`` consumer and one access token for
    ``self.user.user`` the page returns 200 and renders a single
    ``#authorized_apps option`` whose text is the app name and whose
    value is the token pk.
    """
    app_name = "Test Mkt App"
    consumer = Access.objects.create(key="", secret="", user=self.user.user,
                                     app_name=app_name, redirect_uri="")
    token = Token.generate_new(token_type=ACCESS_TOKEN, creds=consumer,
                               user=self.user.user)
    response = self.client.get(self.url)
    doc = pq(response.content)
    eq_(response.status_code, 200)
    options = doc('#authorized_apps option')
    eq_(options.text(), app_name)
    eq_(options.attr('value'), str(token.pk))
def test_post_authorize_page(self):
    """Granting the authorize form binds the token and redirects.

    After a POST with ``grant`` the response is a 302 to the consumer's
    redirect URI carrying the token key and verifier, and the request
    token row now belongs to the user with pk 999.
    """
    request_token = Token.generate_new(REQUEST_TOKEN, self.access)
    query = '?oauth_token=%s&oauth_verifier=%s' % (request_token.key,
                                                   request_token.verifier)
    expected_location = self.redirect_uri + query
    self.client.login(username='******', password='******')
    authorize_url = reverse('mkt.developers.oauth_authorize')
    response = self.client.post(
        authorize_url, data={'oauth_token': request_token.key, 'grant': ''})
    eq_(response.status_code, 302)
    eq_(response.get('location'), expected_location)
    # NOTE(review): 999 is presumably the pk of the logged-in fixture
    # user -- confirm against the fixtures.
    eq_(Token.objects.get(pk=request_token.pk).user.pk, 999)
def test_bad_access_request(self):
    """A mis-signed access request is refused and mints nothing.

    The request is signed with the request token's key/secret in the
    consumer slot and with random owner credentials and verifier, so it
    cannot validate; the endpoint must answer 401 and no ACCESS_TOKEN
    row may be created.
    """
    request_token = Token.generate_new(REQUEST_TOKEN, self.access)
    endpoint = urlparse.urljoin(
        settings.SITE_URL, reverse('mkt.developers.oauth_access_request'))
    signed_url, header = self._oauth_request_info(
        endpoint,
        client_key=request_token.key,
        client_secret=request_token.secret,
        resource_owner_key=generate(),
        resource_owner_secret=generate(),
        verifier=generate(),
        callback_uri=self.access.redirect_uri)
    response = self.client.get(signed_url, HTTP_HOST='testserver',
                               HTTP_AUTHORIZATION=header)
    eq_(response.status_code, 401)
    # Fail closed: a rejected exchange must not leave an access token.
    assert not Token.objects.filter(token_type=ACCESS_TOKEN).exists()
def test_use_access_token(self):
    """A request signed with an issued access token authenticates.

    ``OAuthAuthentication.is_authenticated`` must accept the request and
    attach ``self.user2`` -- the token's owner -- as ``request.user``.
    """
    list_url = get_absolute_url(("api_dispatch_list",
                                 {"resource_name": "app"}))
    token = Token.generate_new(ACCESS_TOKEN, creds=self.access,
                               user=self.user2)
    signed_url, header = self._oauth_request_info(
        list_url,
        client_key=self.access.key,
        client_secret=self.access.secret,
        resource_owner_key=token.key,
        resource_owner_secret=token.secret)
    authenticator = authentication.OAuthAuthentication()
    request = RequestFactory().get(
        signed_url, HTTP_HOST="testserver", HTTP_AUTHORIZATION=header)
    assert authenticator.is_authenticated(request)
    eq_(request.user, self.user2)
def test_use_access_token(self):
    """A request signed with an issued access token authenticates.

    After ``RestOAuthMiddleware`` has processed the API request,
    ``RestOAuthAuthentication.authenticate`` must accept it and
    ``request.user`` must be ``self.user2``, the token's owner.
    """
    list_url = absolutify(reverse('app-list'))
    token = Token.generate_new(ACCESS_TOKEN, creds=self.access,
                               user=self.user2)
    signed_url, header = self._oauth_request_info(
        list_url,
        client_key=self.access.key,
        client_secret=self.access.secret,
        resource_owner_key=token.key,
        resource_owner_secret=token.secret)
    authenticator = authentication.RestOAuthAuthentication()
    request = RequestFactory().get(
        signed_url, HTTP_HOST='testserver', HTTP_AUTHORIZATION=header)
    request.API = True
    RestOAuthMiddleware().process_request(request)
    assert authenticator.authenticate(Request(request))
    eq_(request.user, self.user2)
def token_request(request):
    """Issue a temporary OAuth request token to a validated consumer.

    The request is parsed and validated by ``server``; when it validates,
    the consumer is looked up by its client key, a REQUEST_TOKEN is
    generated for it and returned form-encoded together with
    ``oauth_callback_confirmed``.  A malformed or invalid request is
    logged and answered with a bare 401.

    Args:
        request: the Django HTTP request carrying the OAuth parameters.

    Returns:
        HttpResponse -- 200 with the token pair on success, 401 otherwise.
    """
    try:
        oauth_req = server._create_request(request.build_absolute_uri(),
                                           request.method, request.body,
                                           get_request_headers(request))
        valid, oauth_req = server.validate_request_token_request(oauth_req)
    except ValueError:
        valid = False

    if not valid:
        log.error("Invalid OAuth request for acquiring request token")
        return HttpResponse(status=401)

    consumer = Access.objects.get(key=oauth_req.client_key)
    t = Token.generate_new(token_type=REQUEST_TOKEN, creds=consumer)
    body = urlencode({"oauth_token": t.key,
                      "oauth_token_secret": t.secret,
                      "oauth_callback_confirmed": True})
    return HttpResponse(body,
                        content_type="application/x-www-form-urlencoded")
def test_access_request(self):
    """A valid, verified request token is exchanged for an access token.

    The endpoint must return 200 with a form-encoded ``oauth_token`` /
    ``oauth_token_secret`` pair matching a new ACCESS_TOKEN row for the
    same user and consumer, and the request token must be gone so it
    cannot be exchanged a second time.
    """
    request_token = Token.generate_new(REQUEST_TOKEN, self.access)
    endpoint = urlparse.urljoin(
        settings.SITE_URL, reverse('mkt.developers.oauth_access_request'))
    signed_url, header = self._oauth_request_info(
        endpoint,
        client_key=self.access.key,
        client_secret=self.access.secret,
        resource_owner_key=request_token.key,
        resource_owner_secret=request_token.secret,
        verifier=request_token.verifier,
        callback_uri=self.access.redirect_uri)
    response = self.client.get(signed_url, HTTP_HOST='testserver',
                               HTTP_AUTHORIZATION=header)
    eq_(response.status_code, 200)
    issued = dict(urlparse.parse_qsl(response.content))
    access_tokens = Token.objects.filter(
        token_type=ACCESS_TOKEN,
        key=issued['oauth_token'],
        secret=issued['oauth_token_secret'],
        user=request_token.user,
        creds=self.access)
    assert access_tokens.exists()
    # Single use: the exchange consumes the request token.
    assert not Token.objects.filter(
        token_type=REQUEST_TOKEN, key=request_token.key).exists()
def token_request(request):
    """Issue a temporary OAuth request token to a validated consumer.

    ``OAuthServer.verify_request_token_request`` validates the request
    from its absolute URI, method, body and the Authorization /
    Content-Type headers.  When it validates, the consumer is looked up
    by its client key, a REQUEST_TOKEN is generated for it and returned
    form-encoded together with ``oauth_callback_confirmed``.  A malformed
    or invalid request is logged and answered with a bare 401.

    Args:
        request: the Django HTTP request carrying the OAuth parameters.

    Returns:
        HttpResponse -- 200 with the token pair on success, 401 otherwise.
    """
    oa = OAuthServer()
    headers = {
        'Authorization': request.META.get('HTTP_AUTHORIZATION'),
        'Content-Type': request.META.get('CONTENT_TYPE'),
    }
    try:
        valid, oauth_request = oa.verify_request_token_request(
            request.build_absolute_uri(), request.method, request.body,
            headers)
    except ValueError:
        valid = False

    if not valid:
        log.error('Invalid OAuth request for acquiring request token')
        return HttpResponse(status=401)

    consumer = Access.objects.get(key=oauth_request.client_key)
    t = Token.generate_new(token_type=REQUEST_TOKEN, creds=consumer)
    body = urlencode({
        'oauth_token': t.key,
        'oauth_token_secret': t.secret,
        'oauth_callback_confirmed': True,
    })
    return HttpResponse(body,
                        content_type='application/x-www-form-urlencoded')
def token_request(request):
    """Issue a temporary OAuth request token to a validated consumer.

    ``OAuthServer.verify_request_token_request`` validates the request
    from its absolute URI, method, body and the Authorization /
    Content-Type headers.  When it validates, the consumer is looked up
    by its client key, a REQUEST_TOKEN is generated for it and returned
    form-encoded together with ``oauth_callback_confirmed``.  A malformed
    or invalid request is logged and answered with a bare 401.

    Args:
        request: the Django HTTP request carrying the OAuth parameters.

    Returns:
        HttpResponse -- 200 with the token pair on success, 401 otherwise.
    """
    oa = OAuthServer()
    headers = {
        'Authorization': request.META.get('HTTP_AUTHORIZATION'),
        'Content-Type': request.META.get('CONTENT_TYPE'),
    }
    try:
        valid, oauth_request = oa.verify_request_token_request(
            request.build_absolute_uri(), request.method, request.body,
            headers)
    except ValueError:
        valid = False

    if not valid:
        log.error('Invalid OAuth request for acquiring request token')
        return HttpResponse(status=401)

    consumer = Access.objects.get(key=oauth_request.client_key)
    t = Token.generate_new(token_type=REQUEST_TOKEN, creds=consumer)
    body = urlencode({
        'oauth_token': t.key,
        'oauth_token_secret': t.secret,
        'oauth_callback_confirmed': True,
    })
    return HttpResponse(body,
                        content_type='application/x-www-form-urlencoded')
def test_access_request(self):
    """A valid, verified request token is exchanged for an access token.

    The endpoint must return 200 with a form-encoded ``oauth_token`` /
    ``oauth_token_secret`` pair matching a new ACCESS_TOKEN row for the
    same user and consumer, and the request token must be gone so it
    cannot be exchanged a second time.
    """
    request_token = Token.generate_new(REQUEST_TOKEN, self.access)
    endpoint = urlparse.urljoin(
        settings.SITE_URL, reverse('mkt.developers.oauth_access_request'))
    signed_url, header = self._oauth_request_info(
        endpoint,
        client_key=self.access.key,
        client_secret=self.access.secret,
        resource_owner_key=request_token.key,
        resource_owner_secret=request_token.secret,
        verifier=request_token.verifier,
        callback_uri=self.access.redirect_uri)
    response = self.client.get(signed_url, HTTP_HOST='testserver',
                               HTTP_AUTHORIZATION=header)
    eq_(response.status_code, 200)
    issued = dict(urlparse.parse_qsl(response.content))
    access_tokens = Token.objects.filter(
        token_type=ACCESS_TOKEN,
        key=issued['oauth_token'],
        secret=issued['oauth_token_secret'],
        user=request_token.user,
        creds=self.access)
    assert access_tokens.exists()
    # Single use: the exchange consumes the request token.
    assert not Token.objects.filter(
        token_type=REQUEST_TOKEN, key=request_token.key).exists()
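def access_request(request):
    """Exchange a verified OAuth request token for an access token.

    The incoming request is parsed and validated by ``server``; on
    success the matching REQUEST_TOKEN row is consumed (deleted) and a
    new ACCESS_TOKEN bound to the same credentials and user is issued,
    returned as a form-encoded body.  Any failure -- a malformed request,
    a request that does not validate, or a request token that no longer
    exists -- is answered with a bare 401 so that nothing about the
    reason is disclosed to the caller.

    Args:
        request: the Django HTTP request carrying the OAuth parameters.

    Returns:
        HttpResponse -- 200 with ``oauth_token``/``oauth_token_secret``
        on success, 401 otherwise.
    """
    try:
        oauth_req = server._create_request(request.build_absolute_uri(),
                                           request.method, request.body,
                                           get_request_headers(request))
        valid, oauth_req = server.validate_access_token_request(oauth_req)
    except ValueError:
        valid = False

    if not valid:
        log.error('Invalid OAuth request for acquiring access token')
        return HttpResponse(status=401)

    try:
        req_t = Token.objects.get(token_type=REQUEST_TOKEN,
                                  key=oauth_req.resource_owner_key)
    except Token.DoesNotExist:
        # The request token is deleted once exchanged (below), so a token
        # consumed between validation and this lookup lands here.  Fail
        # closed with the same 401 as the validation path instead of 500.
        log.error('Request token not found while acquiring access token')
        return HttpResponse(status=401)

    t = Token.generate_new(token_type=ACCESS_TOKEN, creds=req_t.creds,
                           user=req_t.user)
    # Clean up as we go: a request token may be exchanged only once.
    req_t.delete()
    return HttpResponse(urlencode({
        'oauth_token': t.key,
        'oauth_token_secret': t.secret
    }), content_type='application/x-www-form-urlencoded')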