def testRequestOverInsecureTransport(self):
"""
Test the rejection of a request to a protected resource
with a valid token that was made over an insecure protocol.
"""
request = MockRequest('GET', 'protectedResource', isSecure=False)
request.setRequestHeader(b'Authorization',
'Bearer ' + self.VALID_TOKEN)
self.assertTrue(
isAuthorized(request,
self.VALID_TOKEN_SCOPE,
allowInsecureRequestDebug=True),
msg=
'Expected isAuthorized to accept a request over an insecure protocol '
'if "allowInsecureRequestDebug" is set to True.')
self.assertFalse(
isAuthorized(request, self.VALID_TOKEN_SCOPE),
msg=
'Expected isAuthorized to reject a request over an insecure protocol.'
)
self.assertEqual(
400,
request.responseCode,
msg=
'The HTTP response code should be {code}, if a protected resource receives a '
'request over an insecure channel.'.format(code=400))
def testWrongAccessToken(self):
""" Test the rejection of a request to a protected resource with an invalid token. """
request = MockRequest('GET', 'protectedResource')
request.setRequestHeader(b'Authorization', b'Bearer an invalid token')
self.assertFalse(
isAuthorized(request, 'scope'),
msg=
'Expected isAuthorized to reject a request with an invalid token.')
self.assertFailedProtectedResourceRequest(
request, InvalidTokenRequestError(['scope']))
def _testValidAccessRequest(self, token=_VALID_TOKEN):
"""
Test that a request to the protected resource with the given token is accepted.
:param token: The token to use in the request.
"""
request = MockRequest('GET', 'clock')
request.setRequestHeader(b'Authorization', 'Bearer ' + token)
self._makeExampleRequest(request)
self.assertIn(
request.responseCode, (None, 200),
msg='Expected the protected clock resource to accept a request with a valid token.')
self.assertSubstring(
b'<html><body>', request.getResponse(),
msg='Expected the protected clock resource to send the protected content.')
def testInvalidScope(self):
"""
Test the rejection of a request to a protected resource
with a valid token that does not grant access to the necessary scopes.
"""
request = MockRequest('GET', 'protectedResource')
request.setRequestHeader(b'Authorization',
'Bearer ' + self.VALID_TOKEN)
self.assertFalse(
isAuthorized(request, 'someOtherScope'),
msg='Expected isAuthorized to reject a request with token '
'that does not allow access to the given scope.')
self.assertFailedProtectedResourceRequest(
request, InsufficientScopeRequestError(['someOtherScope']))
def testWithAccessTokenInHeader(self):
"""
Test a request to a protected resource with a valid token in the Authorization header.
See https://tools.ietf.org/html/rfc6750#section-2.1
"""
request = MockRequest('GET', 'protectedResource')
request.setRequestHeader(b'Authorization',
'Bearer ' + self.VALID_TOKEN)
self.assertTrue(
isAuthorized(request, self.VALID_TOKEN_SCOPE[0]),
msg='Expected isAuthorized to accept a request with a valid token.'
)
self.assertFalse(
request.finished,
msg='isAuthorized should not finish the request if it\'s valid.')
def testAccessTokenInBodyWrongContentType(self):
"""
Test the rejection of a request to a protected resource
with a valid token but an invalid content type.
"""
request = MockRequest('POST',
'protectedResource',
arguments={'access_token': self.VALID_TOKEN})
request.setRequestHeader('Content-Type', 'application/other')
self.assertFalse(
isAuthorized(request, self.VALID_TOKEN_SCOPE),
msg='Expected isAuthorized to reject a request '
'with a valid token in the request body with a content type '
'that is not "application/x-www-form-urlencoded".')
self.assertFailedProtectedResourceRequest(
request, MissingTokenError(self.VALID_TOKEN_SCOPE))
def testAccessTokenInBodyWrongMethod(self):
"""
Test the rejection of a request to a protected resource with a valid token
in the request body but a request that was not made with the POST method.
"""
request = MockRequest('GET',
'protectedResource',
arguments={'access_token': self.VALID_TOKEN})
request.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded')
self.assertFalse(
isAuthorized(request, self.VALID_TOKEN_SCOPE),
msg='Expected isAuthorized to reject a request with a valid token '
'in the request body that was not send with the POST method.')
self.assertFailedProtectedResourceRequest(
request, MissingTokenError(self.VALID_TOKEN_SCOPE))
def testWithAccessTokenInBody(self):
"""
Test a request to a protected resource with a valid token in the request body.
See https://tools.ietf.org/html/rfc6750#section-2.2
"""
request = MockRequest('POST',
'protectedResource',
arguments={'access_token': self.VALID_TOKEN})
request.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded')
self.assertTrue(isAuthorized(request, self.VALID_TOKEN_SCOPE[0]),
msg='Expected isAuthorized to accept a request '
'with a valid token in the request body.')
self.assertFalse(
request.finished,
msg='isAuthorized should not finish the request if it\'s valid.')
def testMultipleAccessTokens(self):
""" Test the rejection of a request to a protected resource with multiple tokens. """
request = MockRequest(
'GET', 'protectedResource?access_token=' + self.VALID_TOKEN +
'&access_token=' + self.VALID_TOKEN)
self.assertFalse(
isAuthorized(request, self.VALID_TOKEN_SCOPE),
msg='Expected isAuthorized to reject a request with two tokens.')
self.assertFailedProtectedResourceRequest(
request, MultipleTokensError(self.VALID_TOKEN_SCOPE))
request = MockRequest(
'GET', 'protectedResource?access_token=' + self.VALID_TOKEN)
request.setRequestHeader(b'Authorization',
'Bearer ' + self.VALID_TOKEN)
self.assertFalse(
isAuthorized(request, self.VALID_TOKEN_SCOPE),
msg='Expected isAuthorized to reject a request with two tokens.')
self.assertFailedProtectedResourceRequest(
request, MultipleTokensError(self.VALID_TOKEN_SCOPE))
def generateValidTokenRequest(url='token',
urlQuery='',
authentication=None,
**kwargs):
"""
:param url: The request url.
:param urlQuery: An optional query part of the request url.
:param authentication: An optional client to use for header-authentication.
:param kwargs: Optional arguments to the the request.
:return: A valid request to the token resource.
"""
if urlQuery:
url = '?'.join((url, urlQuery))
request = MockRequest('POST', url, **kwargs)
request.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded')
if authentication is not None:
AbstractTokenResourceTest._addAuthenticationToRequestHeader(
request, authentication)
return request
def testInvalidContentType(self):
""" Test the rejection requests whose content is not "x-www-form-urlencoded". """
request = MockRequest('POST',
'token',
arguments={
'grant_type': 'refresh_token',
'refresh_token': self._VALID_REFRESH_TOKEN
})
request.setRequestHeader('Content-Type',
'application/not-x-www-form-urlencoded')
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(
request,
result,
MalformedRequestError(
'The Content-Type must be "application/x-www-form-urlencoded"'
),
msg=
'Expected the token resource to reject a request with an invalid content type.'
)
def testDecorator(self):
""" Test that the oauth2 functions as expected. """
protectedContent = b'protectedContent'
@oauth2(self.VALID_TOKEN_SCOPE)
def render(_self, _request): # pylint: disable=missing-docstring
return protectedContent
request = MockRequest('GET', 'protectedResource')
request.setRequestHeader(b'Authorization',
'Bearer ' + self.VALID_TOKEN)
self.assertEqual(protectedContent,
render(self, request),
msg='Expected oauth2 to accept a valid request.')
request = MockRequest('GET', 'protectedResource')
request.setRequestHeader(b'Authorization', 'Bearer invalidToken')
self.assertNotEqual(
protectedContent,
render(self, request),
msg='Expected oauth2 to reject a request with an invalid token.')
request = MockRequest('GET', 'protectedResource')
request.setRequestHeader(b'Authorization',
'Bearer ' + self.VALID_TOKEN)
@oauth2(['Other'])
def render2(_self, _request): # pylint: disable=missing-docstring
return protectedContent
self.assertNotEqual(
protectedContent,
render2(self, request),
msg='Expected oauth2 to reject a request with an invalid scope.')