def test_client_credentials(self): """ Validates the Client Credentials """ from oauth2.tokenview import OAuth2TokenView data = {'grant_type': 'client_credentials'} request = Authentication.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.1') response = OAuth2TokenView.as_view()(request) # Fails because the HTTP_AUTHORIZATION header is missing self.assertEqual(response.status_code, 400) self.assertEqual(response.content, json.dumps({'error': 'missing_header'})) header = 'Basic {0}'.format(base64.encodestring('{0}:{1}'.format('foo', 'bar'))) request = Authentication.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.1', HTTP_AUTHORIZATION=header) response = OAuth2TokenView.as_view()(request) # Fails because there is no such client self.assertEqual(response.status_code, 400) self.assertEqual(response.content, json.dumps({'error': 'invalid_client'})) admin_na = UserList.get_user_by_username('admin_na') admin_na_client = Client() admin_na_client.ovs_type = 'USER' admin_na_client.grant_type = 'PASSWORD' admin_na_client.client_secret = OAuth2Toolbox.create_hash(64) admin_na_client.user = admin_na admin_na_client.save() header = 'Basic {0}'.format(base64.encodestring('{0}:{1}'.format(admin_na_client.guid, admin_na_client.client_secret))) request = Authentication.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.1', HTTP_AUTHORIZATION=header) response = OAuth2TokenView.as_view()(request) # Fails because the grant is of type Resource Owner Password Credentials self.assertEqual(response.status_code, 400) self.assertEqual(response.content, json.dumps({'error': 'invalid_grant'})) admin_na_client.grant_type = 'CLIENT_CREDENTIALS' admin_na_client.save() request = Authentication.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.1', HTTP_AUTHORIZATION=header) response = OAuth2TokenView.as_view()(request) # Fails because the grant is of type Resource Owner Password Credentials self.assertEqual(response.status_code, 400) self.assertEqual(response.content, json.dumps({'error': 'inactive_user'})) admin = UserList.get_user_by_username('admin') admin_client = Client() admin_client.ovs_type = 'USER' admin_client.grant_type = 'CLIENT_CREDENTIALS' admin_client.client_secret = OAuth2Toolbox.create_hash(64) admin_client.user = admin admin_client.save() header = 'Basic {0}'.format(base64.encodestring('{0}:{1}'.format(admin_client.guid, admin_client.client_secret))) request = Authentication.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.1', HTTP_AUTHORIZATION=header) response = OAuth2TokenView.as_view()(request) # Succeeds self.assertEqual(response.status_code, 200) response_content = json.loads(response.content) self.assertIn('access_token', response_content) result = {'access_token': response_content['access_token'], 'token_type': 'bearer', 'expires_in': 3600} self.assertDictEqual(response_content, result)
def test_required_roles(self): """ Validates whether the required_roles decorator works """ from backend.decorators import required_roles from rest_framework.exceptions import NotAuthenticated, PermissionDenied @required_roles(['read', 'write', 'manage']) def the_function(input_value, *args, **kwargs): """ Decorated function """ _ = args, kwargs output['value'] = input_value return HttpResponse(json.dumps(input_value)) output = {'value': None} user = UserList.get_user_by_username('user') request = self.factory.get('/') with self.assertRaises(NotAuthenticated) as context: the_function(1, request) self.assertEqual(context.exception.status_code, 401) request.client = type('Client', (), {}) request.user = type('User', (), {}) request.user.username = '******' with self.assertRaises(NotAuthenticated) as context: the_function(2, request) self.assertEqual(context.exception.status_code, 401) access_token, _ = OAuth2Toolbox.generate_tokens( user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(['read'])) access_token.expiration = int(time.time() + 86400) access_token.save() request.user.username = '******' request.token = access_token with self.assertRaises(PermissionDenied) as context: the_function(3, request) self.assertEqual(context.exception.status_code, 403) self.assertEqual(context.exception.detail, 'This call requires roles: read, write, manage') user = UserList.get_user_by_username('admin') access_token, _ = OAuth2Toolbox.generate_tokens( user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(['read', 'write', 'manage'])) access_token.expiration = int(time.time() + 86400) access_token.save() request.username = '******' request.token = access_token response = the_function(4, request) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, '4')
def test_required_roles(self): """ Validates whether the required_roles decorator works """ from backend.decorators import required_roles from rest_framework.exceptions import NotAuthenticated, PermissionDenied @required_roles(["read", "write", "manage"]) def the_function(input_value, *args, **kwargs): """ Decorated function """ _ = args, kwargs output["value"] = input_value return HttpResponse(json.dumps(input_value)) output = {"value": None} user = UserList.get_user_by_username("user") request = Decorators.factory.get("/") with self.assertRaises(NotAuthenticated) as context: the_function(1, request) self.assertEqual(context.exception.status_code, 401) request.client = type("Client", (), {}) request.user = type("User", (), {}) request.user.username = "******" with self.assertRaises(NotAuthenticated) as context: the_function(2, request) self.assertEqual(context.exception.status_code, 401) access_token, _ = OAuth2Toolbox.generate_tokens( user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(["read"]) ) access_token.expiration = int(time.time() + 86400) access_token.save() request.user.username = "******" request.token = access_token with self.assertRaises(PermissionDenied) as context: the_function(3, request) self.assertEqual(context.exception.status_code, 403) self.assertEqual(context.exception.detail, "This call requires roles: read, write, manage") user = UserList.get_user_by_username("admin") access_token, _ = OAuth2Toolbox.generate_tokens( user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(["read", "write", "manage"]) ) access_token.expiration = int(time.time() + 86400) access_token.save() request.username = "******" request.token = access_token response = the_function(4, request) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, "4")
def create(self, request, role_guids=None): """ Creates a Client """ if 'role_guids' in request.DATA: del request.DATA['role_guids'] serializer = FullSerializer(Client, instance=Client(), data=request.DATA) if serializer.is_valid(): client = serializer.object if client.user is not None: if client.user_guid == request.client.user_guid or Toolbox.is_client_in_roles(request.client, ['manage']): client.grant_type = 'CLIENT_CREDENTIALS' client.client_secret = OAuth2Toolbox.create_hash(64) serializer.save() if not role_guids: roles = [junction.role for junction in client.user.group.roles] else: possible_role_guids = [junction.role_guid for junction in client.user.group.roles] roles = [Role(guid) for guid in role_guids if guid in possible_role_guids] for role in roles: roleclient = RoleClient() roleclient.client = client roleclient.role = role roleclient.save() return Response(serializer.data, status=status.HTTP_201_CREATED) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def test_required_roles(self): """ Validates whether the required_roles decorator works """ from backend.decorators import required_roles from rest_framework.exceptions import NotAuthenticated, PermissionDenied @required_roles(['read', 'write', 'manage']) def the_function(input_value, *args, **kwargs): """ Decorated function """ _ = args, kwargs output['value'] = input_value return HttpResponse(json.dumps(input_value)) output = {'value': None} user = UserList.get_user_by_username('user') request = self.factory.get('/') with self.assertRaises(NotAuthenticated) as context: the_function(1, request) self.assertEqual(context.exception.status_code, 401) request.client = type('Client', (), {}) request.user = type('User', (), {}) request.user.username = '******' with self.assertRaises(NotAuthenticated) as context: the_function(2, request) self.assertEqual(context.exception.status_code, 401) access_token, _ = OAuth2Toolbox.generate_tokens(user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(['read'])) access_token.expiration = int(time.time() + 86400) access_token.save() request.user.username = '******' request.token = access_token with self.assertRaises(PermissionDenied) as context: the_function(3, request) self.assertEqual(context.exception.status_code, 403) self.assertEqual(context.exception.detail, 'This call requires roles: read, write, manage') user = UserList.get_user_by_username('admin') access_token, _ = OAuth2Toolbox.generate_tokens(user.clients[0], generate_access=True, scopes=RoleList.get_roles_by_codes(['read', 'write', 'manage'])) access_token.expiration = int(time.time() + 86400) access_token.save() request.username = '******' request.token = access_token response = the_function(4, request) self.assertEqual(response.status_code, 200) self.assertEqual(response.content, '4')
def post(self, request, *args, **kwargs): """ Handles token post """ _ = args, kwargs if 'grant_type' not in request.POST: return HttpResponseBadRequest, {'error': 'invalid_request'} grant_type = request.POST['grant_type'] scopes = None if 'scope' in request.POST: scopes = RoleList.get_roles_by_codes(request.POST['scope'].split(' ')) if grant_type == 'password': # Resource Owner Password Credentials Grant if 'username' not in request.POST or 'password' not in request.POST: return HttpResponseBadRequest, {'error': 'invalid_request'} username = request.POST['username'] password = request.POST['password'] user = UserList.get_user_by_username(username) if user is None or user.password != hashlib.sha256(password).hexdigest(): return HttpResponseBadRequest, {'error': 'invalid_client'} if user.is_active is False: return HttpResponseBadRequest, {'error': 'inactive_user'} clients = [client for client in user.clients if client.ovs_type == 'FRONTEND' and client.grant_type == 'PASSWORD'] if len(clients) != 1: return HttpResponseBadRequest, {'error': 'unauthorized_client'} client = clients[0] try: access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes) access_token.expiration = int(time.time() + 86400) access_token.save() except ValueError as error: return HttpResponseBadRequest, {'error': str(error)} Toolbox.clean_tokens(client) return HttpResponse, {'access_token': access_token.access_token, 'token_type': 'bearer', 'expires_in': 86400} elif grant_type == 'client_credentials': # Client Credentials if 'HTTP_AUTHORIZATION' not in request.META: return HttpResponseBadRequest, {'error': 'missing_header'} _, password_hash = request.META['HTTP_AUTHORIZATION'].split(' ') client_id, client_secret = base64.decodestring(password_hash).split(':', 1) try: client = Client(client_id) if client.grant_type != 'CLIENT_CREDENTIALS': return HttpResponseBadRequest, {'error': 'invalid_grant'} if not client.user.is_active: return HttpResponseBadRequest, {'error': 'inactive_user'} try: access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes) except ValueError as error: return HttpResponseBadRequest, {'error': str(error)} Toolbox.clean_tokens(client) return HttpResponse, {'access_token': access_token.access_token, 'token_type': 'bearer', 'expires_in': 3600} except: return HttpResponseBadRequest, {'error': 'invalid_client'} else: return HttpResponseBadRequest, {'error': 'unsupported_grant_type'}
def post(self, request, *args, **kwargs): """ Handles token post """ logger = LogHandler.get('api', 'oauth2') _ = args, kwargs if 'grant_type' not in request.POST: return HttpResponseBadRequest, {'error': 'invalid_request'} grant_type = request.POST['grant_type'] scopes = None if 'scope' in request.POST: scopes = RoleList.get_roles_by_codes(request.POST['scope'].split(' ')) if grant_type == 'password': # Resource Owner Password Credentials Grant if 'username' not in request.POST or 'password' not in request.POST: return HttpResponseBadRequest, {'error': 'invalid_request'} username = request.POST['username'] password = request.POST['password'] user = UserList.get_user_by_username(username) if user is None or user.password != hashlib.sha256(password).hexdigest(): return HttpResponseBadRequest, {'error': 'invalid_client'} if user.is_active is False: return HttpResponseBadRequest, {'error': 'inactive_user'} clients = [client for client in user.clients if client.ovs_type == 'INTERNAL' and client.grant_type == 'PASSWORD'] if len(clients) != 1: return HttpResponseBadRequest, {'error': 'unauthorized_client'} client = clients[0] try: access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes) access_token.expiration = int(time.time() + 86400) access_token.save() except ValueError as error: return HttpResponseBadRequest, {'error': str(error)} Toolbox.clean_tokens(client) return HttpResponse, {'access_token': access_token.access_token, 'token_type': 'bearer', 'expires_in': 86400} elif grant_type == 'client_credentials': # Client Credentials if 'HTTP_AUTHORIZATION' not in request.META: return HttpResponseBadRequest, {'error': 'missing_header'} _, password_hash = request.META['HTTP_AUTHORIZATION'].split(' ') client_id, client_secret = base64.b64decode(password_hash).split(':', 1) try: client = Client(client_id) if client.grant_type != 'CLIENT_CREDENTIALS': return HttpResponseBadRequest, {'error': 'invalid_grant'} if client.client_secret != client_secret: return HttpResponseBadRequest, {'error': 'invalid_client'} if not client.user.is_active: return HttpResponseBadRequest, {'error': 'inactive_user'} try: access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=scopes) except ValueError as error: return HttpResponseBadRequest, {'error': str(error)} try: Toolbox.clean_tokens(client) except Exception as error: logger.error('Error during session cleanup: {0}'.format(error)) return HttpResponse, {'access_token': access_token.access_token, 'token_type': 'bearer', 'expires_in': 3600} except Exception as ex: logger.exception('Error matching client: {0}'.format(ex)) return HttpResponseBadRequest, {'error': 'invalid_client'} else: return HttpResponseBadRequest, {'error': 'unsupported_grant_type'}
def get(self, request, *args, **kwargs): """ Handles token post """ _ = args, kwargs html_endpoint = EtcdConfiguration.get('/ovs/framework/webapps|html_endpoint') if 'code' not in request.GET: OAuth2RedirectView._logger.error('Got OAuth2 redirection request without code') return HttpResponseRedirect, html_endpoint code = request.GET['code'] if 'state' not in request.GET: OAuth2RedirectView._logger.error('Got OAuth2 redirection request without state') return HttpResponseRedirect, html_endpoint state = request.GET['state'] if 'error' in request.GET: error = request.GET['error'] description = request.GET['error_description'] if 'error_description' in request.GET else '' OAuth2RedirectView._logger.error('Error {0} during OAuth2 redirection request: {1}'.format(error, description)) return HttpResponseRedirect, html_endpoint base_url = EtcdConfiguration.get('/ovs/framework/webapps|oauth2.token_uri') client_id = EtcdConfiguration.get('/ovs/framework/webapps|oauth2.client_id') client_secret = EtcdConfiguration.get('/ovs/framework/webapps|oauth2.client_secret') parameters = {'grant_type': 'authorization_code', 'redirect_url': 'https://{0}/api/oauth2/redirect/'.format(System.get_my_storagerouter().ip), 'client_id': client_id, 'code': code} url = '{0}?{1}'.format(base_url, urllib.urlencode(parameters)) headers = {'Accept': 'application/json', 'Authorization': 'Basic {0}'.format(base64.b64encode('{0}:{1}'.format(client_id, client_secret)).strip())} raw_response = requests.post(url=url, headers=headers, verify=False) response = raw_response.json() if 'error' in response: error = response['error'] description = response['error_description'] if 'error_description' in response else '' OAuth2RedirectView._logger.error('Error {0} during OAuth2 redirection access token: {1}'.format(error, description)) return HttpResponseRedirect, html_endpoint token = response['access_token'] expires_in = response['expires_in'] clients = ClientList.get_by_types('INTERNAL', 'CLIENT_CREDENTIALS') client = None for current_client in clients: if current_client.user.group.name == 'administrators': client = current_client break if client is None: OAuth2RedirectView._logger.error('Could not find INTERNAL CLIENT_CREDENTIALS client in administrator group.') return HttpResponseRedirect, html_endpoint roles = RoleList.get_roles_by_codes(['read', 'write', 'manage']) access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=roles) access_token.expiration = int(time.time() + expires_in) access_token.access_token = token access_token.save() expires = datetime.datetime.now() + datetime.timedelta(minutes=2) response = HttpResponseRedirect(html_endpoint) response.set_cookie('state', state, expires=expires, secure=True) response.set_cookie('accesstoken', token, expires=expires, secure=True) return response
def test_client_credentials(self): """ Validates the Client Credentials """ from oauth2.tokenview import OAuth2TokenView data = {'grant_type': 'client_credentials'} request = self.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.1') response = OAuth2TokenView.as_view()(request) # Fails because the HTTP_AUTHORIZATION header is missing self.assertEqual(response.status_code, 400) self.assertEqual(response.content, json.dumps({'error': 'missing_header'})) header = 'Basic {0}'.format( base64.encodestring('{0}:{1}'.format('foo', 'bar'))) request = self.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.2', HTTP_AUTHORIZATION=header) response = OAuth2TokenView.as_view()(request) # Fails because there is no such client self.assertEqual(response.status_code, 400) self.assertEqual(response.content, json.dumps({'error': 'invalid_client'})) admin_na = UserList.get_user_by_username('admin_na') admin_na_client = Client() admin_na_client.ovs_type = 'USER' admin_na_client.grant_type = 'PASSWORD' admin_na_client.client_secret = OAuth2Toolbox.create_hash(64) admin_na_client.user = admin_na admin_na_client.save() header = 'Basic {0}'.format( base64.encodestring('{0}:{1}'.format( admin_na_client.guid, admin_na_client.client_secret))) request = self.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.3', HTTP_AUTHORIZATION=header) response = OAuth2TokenView.as_view()(request) # Fails because the grant is of type Resource Owner Password Credentials self.assertEqual(response.status_code, 400) self.assertEqual(response.content, json.dumps({'error': 'invalid_grant'})) admin_na_client.grant_type = 'CLIENT_CREDENTIALS' admin_na_client.save() request = self.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.4', HTTP_AUTHORIZATION=header) response = OAuth2TokenView.as_view()(request) # Fails because the grant is of type Resource Owner Password Credentials self.assertEqual(response.status_code, 400) self.assertEqual(response.content, json.dumps({'error': 'inactive_user'})) admin = UserList.get_user_by_username('admin') admin_client = Client() admin_client.ovs_type = 'USER' admin_client.grant_type = 'CLIENT_CREDENTIALS' admin_client.client_secret = OAuth2Toolbox.create_hash(64) admin_client.user = admin admin_client.save() header = 'Basic {0}'.format( base64.encodestring('{0}:foobar'.format(admin_client.guid))) request = self.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.5', HTTP_AUTHORIZATION=header) response = OAuth2TokenView.as_view()(request) # Fails because it's an invalid secret self.assertEqual(response.status_code, 400) self.assertEqual(response.content, json.dumps({'error': 'invalid_client'})) header = 'Basic {0}'.format( base64.encodestring('{0}:{1}'.format(admin_client.guid, admin_client.client_secret))) request = self.factory.post('/', data=data, HTTP_X_REAL_IP='127.0.0.6', HTTP_AUTHORIZATION=header) response = OAuth2TokenView.as_view()(request) # Succeeds self.assertEqual(response.status_code, 200) response_content = json.loads(response.content) self.assertIn('access_token', response_content) result = { 'access_token': response_content['access_token'], 'token_type': 'bearer', 'expires_in': 3600 } self.assertDictEqual(response_content, result)
def get(self, request, *args, **kwargs): """ Handles token post """ _ = args, kwargs html_endpoint = EtcdConfiguration.get( '/ovs/framework/webapps|html_endpoint') if 'code' not in request.GET: logger.error('Got OAuth2 redirection request without code') return HttpResponseRedirect, html_endpoint code = request.GET['code'] if 'state' not in request.GET: logger.error('Got OAuth2 redirection request without state') return HttpResponseRedirect, html_endpoint state = request.GET['state'] if 'error' in request.GET: error = request.GET['error'] description = request.GET[ 'error_description'] if 'error_description' in request.GET else '' logger.error( 'Error {0} during OAuth2 redirection request: {1}'.format( error, description)) return HttpResponseRedirect, html_endpoint base_url = EtcdConfiguration.get( '/ovs/framework/webapps|oauth2.token_uri') client_id = EtcdConfiguration.get( '/ovs/framework/webapps|oauth2.client_id') client_secret = EtcdConfiguration.get( '/ovs/framework/webapps|oauth2.client_secret') parameters = { 'grant_type': 'authorization_code', 'redirect_url': 'https://{0}/api/oauth2/redirect/'.format( System.get_my_storagerouter().ip), 'client_id': client_id, 'code': code } url = '{0}?{1}'.format(base_url, urllib.urlencode(parameters)) headers = { 'Accept': 'application/json', 'Authorization': 'Basic {0}'.format( base64.b64encode('{0}:{1}'.format(client_id, client_secret)).strip()) } raw_response = requests.post(url=url, headers=headers, verify=False) response = raw_response.json() if 'error' in response: error = response['error'] description = response[ 'error_description'] if 'error_description' in response else '' logger.error( 'Error {0} during OAuth2 redirection access token: {1}'.format( error, description)) return HttpResponseRedirect, html_endpoint token = response['access_token'] expires_in = response['expires_in'] clients = ClientList.get_by_types('INTERNAL', 'CLIENT_CREDENTIALS') client = None for current_client in clients: if current_client.user.group.name == 'administrators': client = current_client break if client is None: logger.error( 'Could not find INTERNAL CLIENT_CREDENTIALS client in administrator group.' ) return HttpResponseRedirect, html_endpoint roles = RoleList.get_roles_by_codes(['read', 'write', 'manage']) access_token, _ = Toolbox.generate_tokens(client, generate_access=True, scopes=roles) access_token.expiration = int(time.time() + expires_in) access_token.access_token = token access_token.save() expires = datetime.datetime.now() + datetime.timedelta(minutes=2) response = HttpResponseRedirect(html_endpoint) response.set_cookie('state', state, expires=expires, secure=True) response.set_cookie('accesstoken', token, expires=expires, secure=True) return response