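    def post(self, user, account, **kwargs):
        """Create or update an App from a JSON request body.

        Route kwargs may carry ``app_id``.  When it is absent or equal to the
        literal ``'new'`` a fresh App is created, owned by ``account`` and
        with ``account`` as its only editor.  Otherwise the existing App is
        loaded and the caller must already be listed in ``app.editors`` --
        that membership test is the authorization check that stops one
        account from editing another account's app by guessing its id.

        Request body: a JSON object with at least a ``name`` key.  The raw
        body is also stored verbatim in ``app.body``.

        Responses (via ``render_json_response`` unless noted):
          * ``{'id': <app id>}`` on success.
          * ``{'error': 'app-not-found'}`` when ``app_id`` does not name an
            App (a non-numeric ``app_id`` is treated the same way).
          * ``{'error': 'access-denied'}`` when ``account`` is not an editor.
            NOTE(review): the HTTP status for these error bodies is whatever
            render_json_response defaults to -- presumably 200; a 403/404
            would be more conventional, confirm before changing.
          * HTTP 400 with a plain-text message when the body is not a JSON
            object containing ``name``.
        """
        app_id = kwargs.get('app_id', 'new')
        body_json = self.request.body

        # Validate the untrusted body before touching the datastore.
        # Malformed JSON and a missing ``name`` are both client errors: answer
        # 400 and stop.  The original fell through here (and referenced an
        # undefined ``exception``), so a bad payload produced a 500 instead.
        try:
            body = json.loads(body_json)
        except ValueError:
            body = None
        if not isinstance(body, dict) or 'name' not in body:
            logging.warning('Rejected app payload: not a JSON object with a "name" key')
            self.response.set_status(400)
            self.response.write('Invalid JSON data')
            return None

        if app_id == 'new':
            app = App(name=body['name'],
                      created_by=account.key(),
                      editors=[account.key()])
        else:
            # A non-numeric id cannot match any App; report it as not found
            # rather than letting int() raise.
            try:
                numeric_id = int(app_id)
            except (TypeError, ValueError):
                return render_json_response(self, {'error': 'app-not-found'})
            app = App.get_by_id(numeric_id)
            if app is None:
                return render_json_response(self, {'error': 'app-not-found'})
            # Authorization: only listed editors may modify an existing app.
            if account.key() not in app.editors:
                return render_json_response(self, {'error': 'access-denied'})
        app.name = body['name']
        app.body = db.Text(body_json.decode('utf-8'))
        app.put()
        return render_json_response(self, {'id': app.key().id()})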
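    def post(self, user, account, **kwargs):
        """Create or update an App from a JSON request body.

        ``kwargs["app_id"]`` selects the App; absent or ``"new"`` means create
        a fresh one owned by ``account`` with ``account`` as sole editor.  For
        an existing App the caller must be in ``app.editors`` -- this check is
        what prevents cross-account edits by guessing ids.

        The body must be a JSON object with a ``name`` key; the raw body is
        stored verbatim in ``app.body`` as well.

        Returns ``render_json_response`` with ``{"id": ...}`` on success,
        ``{"error": "app-not-found"}`` for an unknown or non-numeric id, or
        ``{"error": "access-denied"}`` for a non-editor.  A body that is not a
        JSON object with ``name`` gets a plain HTTP 400 and ``None``.
        NOTE(review): the error JSON bodies carry render_json_response's
        default status (presumably 200); confirm whether 403/404 is wanted.
        """
        app_id = kwargs.get("app_id", "new")
        body_json = self.request.body

        # Reject bad input up front.  The original logged an undefined name
        # (``exception``) and then fell through to body["name"], so malformed
        # or incomplete JSON surfaced as a 500 rather than this 400.
        try:
            body = json.loads(body_json)
        except ValueError:
            body = None
        if not isinstance(body, dict) or "name" not in body:
            logging.warning('Rejected app payload: not a JSON object with a "name" key')
            self.response.set_status(400)
            self.response.write("Invalid JSON data")
            return None

        if app_id == "new":
            app = App(name=body["name"], created_by=account.key(), editors=[account.key()])
        else:
            # Non-numeric ids cannot match an App; treat them as not found.
            try:
                numeric_id = int(app_id)
            except (TypeError, ValueError):
                return render_json_response(self, {"error": "app-not-found"})
            app = App.get_by_id(numeric_id)
            if app is None:
                return render_json_response(self, {"error": "app-not-found"})
            # Authorization: only listed editors may modify an existing app.
            if account.key() not in app.editors:
                return render_json_response(self, {"error": "access-denied"})
        app.name = body["name"]
        app.body = db.Text(body_json.decode("utf-8"))
        app.put()
        return render_json_response(self, {"id": app.key().id()})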
class APIAuthorizationTests(test.base.BaseAsyncTestCase):
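    def setUp(self):
        """Build the fixture every authorization test relies on.

        Creates two confirmed, paid users -- ``user_a`` (signs in and owns
        the apps) and ``user_b`` (a second account) -- and three apps owned
        by ``user_a`` that differ only in their registered redirect URL:

          * ``app``             -- plain registered redirect
          * ``app_query``       -- registered redirect that already has a query string
          * ``app_no_redirect`` -- no registered redirect at all

        The signed-in session id and XSRF token are kept on ``self`` so the
        tests can send authenticated requests as ``user_a``.
        """
        super(APIAuthorizationTests, self).setUp()
        self.user_a = User(name='admin', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_a.set_password('asdfasdf')
        self.user_a.save()
        # Keep the session id: the tests send it in the Cookie header, and the
        # sibling fixtures (APITokenTests, APIResourceOwnerPasswordCredentials)
        # store sign_in()'s return value the same way.  The original discarded
        # it, so self.sid only existed if the base class happened to set it.
        self.sid = self.sign_in('admin', 'asdfasdf')
        self.xsrf = self.get_xsrf()

        self.user_b = User(name='user2', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_b.set_password('asdfasdf')
        self.user_b.save()

        self.app = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='http://client.example.com/return')
        self.app.save()

        self.app_query = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='http://client.example.com/return?query=param')
        self.app_query.save()

        self.app_no_redirect = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='')
        self.app_no_redirect.save()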

    def test_authorize_code_request_redirects_to_sign_in(self):
        """An unauthenticated authorize request is bounced to the sign-in page.

        The original authorize URL travels along in ``next`` so the user
        returns to the consent screen after signing in.
        """
        authorize_path = '/api/authorize?response_type=code&client_id=%s' % self.app.key()

        response = api_request(self, self.get_url(authorize_path), unsigned=True)

        expected_url = self.get_url('/sign-in?next=%s' % url_escape(authorize_path))
        self.assertEqual(response.effective_url, expected_url)
        self.assertEqual(response.code, 200)

    def test_authorization_code_request_accepts_authenticated_user(self):
        """A signed-in user stays on the authorize URL instead of being redirected."""
        authorize_path = '/api/authorize?response_type=code&client_id=%s' % self.app.key()
        session_cookie = '_xsrf=%s;sid=%s' % (self.xsrf, self.sid)

        response = api_request(self, self.get_url(authorize_path),
                               headers={'Cookie': session_cookie}, unsigned=True)

        self.assertEqual(response.effective_url, self.get_url(authorize_path))

    def test_authorization_code_request_accepts_authtime_redirect(self):
        """An app with no registered redirect_url accepts one supplied at auth time.

        NOTE(review): this pins behaviour worth a second look.  With nothing
        registered, the authorization code is later sent to whatever
        redirect_uri the requester chose (the corresponding 'agree' test
        asserts exactly that).  RFC 6749 section 3.1.2.2 expects redirect
        URIs to be pre-registered; confirm this is intentional.
        """
        authorize_path = ('/api/authorize?response_type=code&client_id=%s'
                          '&redirect_uri=http://client.example.com/return') % self.app_no_redirect.key()
        session_cookie = '_xsrf=%s;sid=%s' % (self.xsrf, self.sid)

        response = api_request(self, self.get_url(authorize_path),
                               headers={'Cookie': session_cookie}, unsigned=True)

        self.assertEqual(response.effective_url, self.get_url(authorize_path))
        self.assertEqual(response.code, 200)
        self.assertTrue('http://client.example.com/return' in response.body)

    def test_authorization_code_request_accepts_matching_redirect(self):
        """A redirect_uri equal to the registered one is accepted and echoed on the consent page."""
        authorize_path = ('/api/authorize?response_type=code&client_id=%s'
                          '&redirect_uri=http://client.example.com/return') % self.app.key()
        session_cookie = '_xsrf=%s;sid=%s' % (self.xsrf, self.sid)

        response = api_request(self, self.get_url(authorize_path),
                               headers={'Cookie': session_cookie}, unsigned=True)

        self.assertEqual(response.effective_url, self.get_url(authorize_path))
        self.assertEqual(response.code, 200)
        self.assertTrue('http://client.example.com/return' in response.body)

    def test_authorization_code_request_error_on_mismatched_redirect(self):
        """A redirect_uri that differs from the registered one is a hard 400.

        The server must not bounce the user to the unregistered URI, not even
        with an error parameter: doing so would make the endpoint an open
        redirector and, on the consent path, leak authorization codes.
        """
        authorize_path = ('/api/authorize?response_type=code&client_id=%s'
                          '&redirect_uri=http://othersite.example.com/path') % self.app.key()

        response = self.fetch_url(authorize_path, follow_redirects=False)

        self.assertEqual(response.code, 400)

    def test_authorize_code_submitting_agree_redirects_to_apps_redirect_url(self):
        """Consenting mints an authorization code and redirects to the registered URL with it."""
        authorize_path = '/api/authorize?response_type=code&client_id=%s' % self.app.key()

        response = self.post_url(authorize_path, {'agree': 1}, follow_redirects=False)

        issued = Authorizationcode.get('id = 1')
        expected = 'http://client.example.com/return?code=%s' % issued.code
        self.assert_redirect(response, expected)

    def test_authorize_code_submitting_agree_redirects_to_apps_redirect_url_with_query(self):
        """The code is appended with '&' when the registered redirect already has a query string."""
        authorize_path = '/api/authorize?response_type=code&client_id=%s' % self.app_query.key()

        response = self.post_url(authorize_path, {'agree': 1}, follow_redirects=False)

        issued = Authorizationcode.get('id = 1')
        expected = 'http://client.example.com/return?query=param&code=%s' % issued.code
        self.assert_redirect(response, expected)

    def test_authorize_code_submitting_agree_redirects_to_authtime_redirect_url(self):
        """With no registered redirect, consent sends the code to the auth-time redirect_uri.

        NOTE(review): together with the GET counterpart this means an app
        with an empty redirect_url delivers codes to a caller-chosen URI --
        confirm this is restricted to trusted/confidential clients.
        """
        authorize_path = ('/api/authorize?response_type=code&client_id=%s'
                          '&redirect_uri=http://client.example.com/return') % self.app_no_redirect.key()

        response = self.post_url(authorize_path, {'agree': 1}, follow_redirects=False)

        issued = Authorizationcode.get('id = 1')
        expected = 'http://client.example.com/return?code=%s' % issued.code
        self.assert_redirect(response, expected)

    def test_authorize_code_submitting_disagree_redirects_to_apps_redirect_url(self):
        """Posting without 'agree' denies: no code is minted, client gets error=access_denied.

        access_denied -- the resource owner or authorization server denied
        the request (RFC 6749 section 4.1.2.1).
        """
        authorize_path = '/api/authorize?response_type=code&client_id=%s' % self.app.key()

        response = self.post_url(authorize_path, follow_redirects=False)

        self.assertEqual(len(Authorizationcode.all()), 0)
        self.assert_redirect(response, 'http://client.example.com/return?error=access_denied')

    def test_authorize_code_submitting_disagree_redirects_to_apps_redirect_url_with_query(self):
        """Denial keeps the registered query string and appends error=access_denied.

        access_denied -- the resource owner or authorization server denied
        the request (RFC 6749 section 4.1.2.1).  No code may be created.
        """
        authorize_path = '/api/authorize?response_type=code&client_id=%s' % self.app_query.key()

        response = self.post_url(authorize_path, follow_redirects=False)

        self.assertEqual(len(Authorizationcode.all()), 0)
        self.assert_redirect(response, 'http://client.example.com/return?query=param&error=access_denied')

    def test_authorize_code_submitting_disagree_redirects_to_authtime_redirect_url(self):
        """Denial for an app without a registered redirect goes to the auth-time redirect_uri."""
        authorize_path = ('/api/authorize?response_type=code&client_id=%s'
                          '&redirect_uri=http://client.example.com/return') % self.app_no_redirect.key()

        response = self.post_url(authorize_path, follow_redirects=False)

        remaining_codes = Authorizationcode.all()
        self.assert_redirect(response, 'http://client.example.com/return?error=access_denied')
        # Denial must never leave an authorization code behind.
        self.assertEqual(len(remaining_codes), 0)

    def test_authorize_code_returns_errors(self):
        """
        invalid_request - The request is missing a required parameter, includes an
               unsupported parameter or parameter value, or is otherwise
               malformed.
        """
        authorization_url = '/api/authorize?response_type=&client_id=%s' % (self.app.key())
        response = self.fetch_url(authorization_url, follow_redirects=False)
        self.assert_redirect(
            response,
            'http://client.example.com/return?error=invalid_request'
        )

        """
        invalid_client - The client identifier provided is invalid.
        """
        authorization_url = '/api/authorize?response_type=code&client_id=0&redirect_uri=%s' % url_escape('http://client.example.com/return')
        response = self.fetch_url(authorization_url, follow_redirects=False)
        self.assert_redirect(
            response,
            'http://client.example.com/return?error=invalid_client'
        )

        ##THIS TEST is if the client is invalid and no redirect_uri is given
        authorization_url = '/api/authorize?response_type=code&client_id=0'
        response = self.fetch_url(authorization_url, follow_redirects=False)
        self.assertEqual(response.code, 404)

        """
        unsupported_response_type
               The authorization server does not support obtaining an
               authorization code using this method.
        """
        authorization_url = '/api/authorize?response_type=asdf&client_id=%s' % (self.app.key())
        response = self.fetch_url(authorization_url, follow_redirects=False)
        self.assert_redirect(
            response,
            'http://client.example.com/return?error=unsupported_response_type'
        )

        """
class APIResourceOwnerPasswordCredentials(test.base.BaseAsyncTestCase):
    """Tests for the OAuth2 resource-owner password grant on /api/token.

    A client that presents its own credentials (client_id / client_secret)
    together with a user's username and password is issued an access token;
    a wrong password must leave no token behind.
    """

    def setUp(self):
        """Create a signed-in owner (``user_a``), a second user and one app owned by ``user_a``."""
        super(APIResourceOwnerPasswordCredentials, self).setUp()

        self.user_a = User(name='admin', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_a.set_password('asdfasdf')
        self.user_a.save()
        self.sid = self.sign_in('admin', 'asdfasdf')
        self.xsrf = self.get_xsrf()

        self.user_b = User(name='user2', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_b.set_password('asdfasdf')
        self.user_b.save()

        self.app = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='http://client.example.com/return')
        self.app.save()

    def _request_password_grant(self, password):
        """POST a password-grant request for user 'admin' with ``password`` and return the response."""
        message = "grant_type=password&client_id=%s&client_secret=%s&username=%s&password=%s" % (
            self.app.key(), self.app.secret, 'admin', password)
        return api_request(self, self.get_url('/api/token'), method='POST', body=message, unsigned=True)

    def test_sending_valid_request_returns_access_token(self):
        """Correct client credentials plus the right password yield exactly one token."""
        self._request_password_grant('asdfasdf')

        issued = Accesstoken.all()
        self.assertEqual(len(issued), 1)
        self.assertTrue(issued[0])

        # Remove the token so the invalid-password test holds regardless of
        # the order the test runner picks.
        for token in issued:
            token.delete()

    def test_sending_invalid_password_returns_error(self):
        """A wrong password must not create an access token."""
        self._request_password_grant('qwerqwer')

        self.assertEqual(len(Accesstoken.all()), 0)
class APITokenTests(test.base.BaseAsyncTestCase):
    """Tests for exchanging an authorization code at /api/token.

    Every request goes through ``_exchange``, which builds the same
    form-encoded body the tests originally spelled out by hand; the
    individual tests only vary the field under test.

    NOTE(review): several expected error codes pin current server behaviour
    rather than RFC 6749 section 5.2 -- an unknown grant_type answers
    401/invalid_grant (the RFC has 400/unsupported_grant_type) and a wrong
    client secret answers 401/access_denied (the RFC has invalid_client).
    Confirm before changing either the server or these assertions.
    """

    def setUp(self):
        """Create a signed-in owner, a second user, one app, and a code granted by ``user_b``."""
        super(APITokenTests, self).setUp()

        self.user_a = User(name='admin', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_a.set_password('asdfasdf')
        self.user_a.save()
        self.sid = self.sign_in('admin', 'asdfasdf')
        self.xsrf = self.get_xsrf()

        self.user_b = User(name='user2', email='*****@*****.**', email_confirmed=1, is_paid=1)
        self.user_b.set_password('asdfasdf')
        self.user_b.save()

        self.app = App(user_id=self.user_a.id, title='An App', description='Nothing yet.', redirect_url='http://client.example.com/return')
        self.app.save()

        self.authorization = Authorizationcode.generate(self.app.id, self.app.redirect_url, self.user_b.id)

    def _exchange(self, code, grant_type='authorization_code', client_id=None, client_secret=None):
        """POST a code-exchange request and return the raw response.

        ``client_id`` / ``client_secret`` default to the fixture app's real
        credentials; pass explicit values to exercise the rejection paths.
        """
        if client_id is None:
            client_id = self.app.key()
        if client_secret is None:
            client_secret = self.app.secret
        message = "grant_type=%s&code=%s&redirect_uri=%s&client_id=%s&client_secret=%s" % (
            grant_type, code, self.app.redirect_url, client_id, client_secret)
        return api_request(self, self.get_url('/api/token'), method='POST', body=message, unsigned=True)

    def _assert_mac_token_response(self, response, access_token):
        """Check that ``response`` describes ``access_token`` as an hmac-sha-1 MAC token."""
        j_response = json_decode(response.body)
        self.assertEqual(j_response['token_type'], 'mac')
        self.assertEqual(j_response['access_token'], access_token.consumer_key)
        self.assertEqual(j_response['secret'], access_token.consumer_secret)
        self.assertEqual(j_response['algorithm'], 'hmac-sha-1')

    def test_access_token_returned_for_valid_authorization_code_and_credentials(self):
        """A valid code plus the right client credentials returns the new token's key/secret pair."""
        response = self._exchange(self.authorization.code)

        # Exactly one token should now exist.
        access_token = Accesstoken.get('id=1')
        self._assert_mac_token_response(response, access_token)

    def test_access_token_is_not_deleted_when_new_one_is_requested(self):
        """Redeeming a second code adds a second token; the first stays live."""
        response = self._exchange(self.authorization.code)

        access_token = Accesstoken.get('id=1')
        self.assertTrue(access_token)
        self.assertFalse(access_token.deleted)
        self.assertEqual(len(Accesstoken.all()), 1)
        self._assert_mac_token_response(response, access_token)

        # Redeem a fresh code for the same app and user.
        other_authorization = Authorizationcode.generate(self.app.id, self.app.redirect_url, self.user_b.id)
        response = self._exchange(other_authorization.code)

        # Both tokens must exist and neither may be marked deleted.
        self.assertFalse(Accesstoken.get('id=1').deleted)
        access_token = Accesstoken.get('id=2')
        self.assertFalse(access_token.deleted)
        self.assertEqual(len(Accesstoken.all()), 2)
        self._assert_mac_token_response(response, access_token)

    def test_access_token_is_denied_with_missing_grant_type(self):
        """An empty grant_type is a malformed request: 400 / invalid_request."""
        response = self._exchange(self.authorization.code, grant_type='')

        j_response = json_decode(response.body)
        self.assertEqual(response.code, 400)
        self.assertEqual(j_response['error'], 'invalid_request')

    def test_access_token_is_denied_with_bad_grant_type(self):
        """An unknown grant_type is rejected as 401 / invalid_grant (see class note)."""
        response = self._exchange(self.authorization.code, grant_type='asdfasdf')

        j_response = json_decode(response.body)
        self.assertEqual(response.code, 401)
        self.assertEqual(j_response['error'], 'invalid_grant')

    def test_access_token_is_denied_with_bad_client_id(self):
        """An unknown client_id is rejected as 401 / invalid_client."""
        response = self._exchange(self.authorization.code, client_id='fart')

        j_response = json_decode(response.body)
        self.assertEqual(response.code, 401)
        self.assertEqual(j_response['error'], 'invalid_client')

    def test_access_token_denied_for_bad_secret(self):
        """A wrong client_secret is rejected as 401 / access_denied (see class note)."""
        response = self._exchange(self.authorization.code, client_secret='porkchops')

        j_response = json_decode(response.body)
        self.assertEqual(response.code, 401)
        self.assertEqual(j_response['error'], 'access_denied')

    def test_access_token_denied_too_old(self):
        """A code whose expires_at is already in the past cannot be redeemed."""
        self.authorization.expires_at = datetime.utcnow() - timedelta(seconds=50)
        self.authorization.save()

        response = self._exchange(self.authorization.code)

        j_response = json_decode(response.body)
        self.assertEqual(response.code, 401)
        self.assertEqual(j_response['error'], 'invalid_grant')