def test_validate_token_successfully_validates(rf): """ A valid token should return the decoded token. """ token = build_id_token() c = Config() with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")): tv = TokenValidator(c, "defaultnonce", rf.get("/")) decoded_token = tv.validate_token(token) assert decoded_token["jti"] == "randomid"
def test_no_key_raises_invalid_token(rf): """ If we dont' have a key at all we should be raising an InvalidTokenSignature. """ token = build_id_token() c = Config() with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value=None)), pytest.raises(InvalidTokenSignature): tv = TokenValidator(c, "defaultnonce", rf.get("/")) tv.validate_token(token)
def test_wrong_key_raises_invalid_token(rf): """ If we get the wrong key then we should be raising an InvalidTokenSignature. """ token = build_id_token() c = Config() with patch( "okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="wrongkey") ), pytest.raises(InvalidTokenSignature): tv = TokenValidator(c, "defaultnonce", rf.get("/")) tv.validate_token(token)
def test_unmatching_nonce_raises_error(rf): """ If our token has the wrong nonce then raise a NonceDoesNotMatch """ token = build_id_token(nonce="wrong-nonce") c = Config() with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")), pytest.raises(NonceDoesNotMatch): tv = TokenValidator(c, "defaultnonce", rf.get("/")) tv.validate_token(token)
def test_expired_token_raises_error(rf): """ If our token is expired then we should raise an TokenExpired. """ token = build_id_token(exp=now().timestamp() - 3600) c = Config() with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")), pytest.raises(TokenExpired): tv = TokenValidator(c, "defaultnonce", rf.get("/")) tv.validate_token(token)
def test_invalid_audience_in_decoded_token(rf): """ If our audience doesn't match our client id we should raise an InvalidClientID """ token = build_id_token(aud="invalid-aud") c = Config() with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")), pytest.raises(InvalidClientID): tv = TokenValidator(c, "defaultnonce", rf.get("/")) tv.validate_token(token)
def test_invalid_issuer_in_decoded_token(rf): """ If our issuers don't match we should raise an IssuerDoesNotMatch. """ token = build_id_token(iss="invalid-issuer") c = Config() with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")), pytest.raises(IssuerDoesNotMatch): tv = TokenValidator(c, "defaultnonce", rf.get("/")) tv.validate_token(token)
def test_issue_time_is_too_far_in_the_past_raises_error(rf): """ If our token was issued more than about 24 hours ago we want to raise a TokenTooFarAway. """ token = build_id_token(iat=now().timestamp() - 200000) c = Config() with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")), pytest.raises(TokenTooFarAway): tv = TokenValidator(c, "defaultnonce", rf.get("/")) tv.validate_token(token)
def test_decorator_allows_access_to_valid_token(client: Client): """ If we have a valid token then we should allow access to the view. """ nonce = "123456" token = build_id_token(nonce=nonce) client.cookies.load({"okta-oauth-nonce": nonce}) session = client.session session["tokens"] = {"id_token": token} session.save() with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")): response = client.get("/decorated/") assert response.status_code == 200
def test_valid_token_returns_response(rf): """ If we have a valid token we should be returning the normal response from the middleware. """ nonce = "123456" # We're building a token here that we know will be valid token = build_id_token(nonce=nonce) with patch("okta_oauth2.tokens.TokenValidator._jwks", Mock(return_value="secret")): request = rf.get("/") request.COOKIES["okta-oauth-nonce"] = nonce request.session = {"tokens": {"id_token": token}} mw = OktaMiddleware(Mock(return_value=HttpResponse())) response = mw(request) assert response.status_code == 200
def test_call_token_endpoint_returns_tokens(mock_post, rf): """ when we call the token endpoint with valid data we expect to receive a bunch of tokens. See assertions to understand which. """ mock_post.return_value = Mock(ok=True) mock_post.return_value.json.return_value = { "access_token": build_access_token(), "id_token": build_id_token(), "refresh_token": "refresh", } endpoint_data = {"grant_type": "authorization_code", "code": "imacode"} c = Config() MockDiscoveryDocument = MagicMock() with patch("okta_oauth2.tokens.DiscoveryDocument", MockDiscoveryDocument): tv = TokenValidator(c, "defaultnonce", rf.get("/")) tokens = tv.call_token_endpoint(endpoint_data) assert "access_token" in tokens assert "id_token" in tokens assert "refresh_token" in tokens
def get_normal_user_with_groups_token(self, code): return { "access_token": build_access_token(), "id_token": build_id_token(groups=["one", "two"]), "refresh_token": "refresh", }
def get_staff_token_result(self, code): return { "access_token": build_access_token(), "id_token": build_id_token(groups=[STAFF_GROUP]), "refresh_token": "refresh", }
def get_superuser_token_result(self, code): return { "access_token": build_access_token(), "id_token": build_id_token(groups=[SUPERUSER_GROUP]), "refresh_token": "refresh", }
def get_token_result(self, code): return { "access_token": build_access_token(), "id_token": build_id_token(), "refresh_token": "refresh", }