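def _request_client(request):
    """
    Locate the confidential AuthClient named by the request's Basic Auth credentials.

    :param request: the request object
    :type request: pyramid.request.Request
    :returns: the matching AuthClient model instance
    :raises ClientUnauthorized: if the request carries no Basic Auth
        credentials, the client ID is unknown or malformed, the client is
        not confidential (has no secret), the client's grant type is not
        ``client_credentials``, or the supplied secret does not match.
    """

    def as_bytes(value):
        # hmac.compare_digest accepts either two ASCII-only str values or two
        # bytes-like values and raises TypeError otherwise. The request-side
        # secret is attacker-controlled, so normalise both sides to UTF-8
        # bytes (UTF-8 is injective: byte equality <=> string equality) and
        # treat anything that cannot be represented as bad credentials
        # instead of letting a TypeError escape as a server error.
        if isinstance(value, bytes):
            return value
        if not isinstance(value, str):
            raise ClientUnauthorized()
        try:
            return value.encode("utf-8")
        except UnicodeEncodeError:
            raise ClientUnauthorized()

    creds = basic_auth_creds(request)
    if creds is None:
        raise ClientUnauthorized()

    # We fetch the client by its ID and then do a constant-time comparison of
    # the secret with that provided in the request.
    #
    # It is important not to include the secret as part of the SQL query
    # because the resulting code may be subject to a timing attack.
    client_id, client_secret = creds

    try:
        client = request.db.query(models.AuthClient).get(client_id)
    except sa.exc.StatementError:
        # client_id is malformed
        raise ClientUnauthorized()

    if client is None:
        raise ClientUnauthorized()

    if client.secret is None:
        # client is not confidential
        raise ClientUnauthorized()

    if client.grant_type != GrantType.client_credentials:
        # client not allowed to create users
        raise ClientUnauthorized()

    if not hmac.compare_digest(as_bytes(client.secret), as_bytes(client_secret)):
        raise ClientUnauthorized()

    return client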
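def request_auth_client(request):
    """
    Locate a matching AuthClient record in the database.

    :param request: the request object
    :type request: pyramid.request.Request
    :returns: an auth client
    :rtype: an AuthClient model
    :raises ClientUnauthorized: if the client does not have a valid Client ID
        and Client Secret or is not allowed to create users in their
        authority. This includes a missing Basic Auth header, a malformed or
        unknown client ID, a non-confidential client (no stored secret), a
        grant type other than ``client_credentials``, and a secret that does
        not match (or cannot be compared, e.g. is not representable as text).
    """

    def as_bytes(value):
        # hmac.compare_digest accepts either two ASCII-only str values or two
        # bytes-like values and raises TypeError otherwise. The request-side
        # secret is attacker-controlled, so normalise both sides to UTF-8
        # bytes (UTF-8 is injective: byte equality <=> string equality) and
        # treat anything that cannot be represented as bad credentials
        # instead of letting a TypeError escape as a server error.
        if isinstance(value, bytes):
            return value
        if not isinstance(value, str):
            raise ClientUnauthorized()
        try:
            return value.encode("utf-8")
        except UnicodeEncodeError:
            raise ClientUnauthorized()

    creds = basic_auth_creds(request)
    if creds is None:
        raise ClientUnauthorized()

    # We fetch the client by its ID and then do a constant-time comparison of
    # the secret with that provided in the request.
    #
    # It is important not to include the secret as part of the SQL query
    # because the resulting code may be subject to a timing attack.
    client_id, client_secret = creds

    try:
        client = request.db.query(AuthClient).get(client_id)
    except sa.exc.StatementError:
        # client_id is malformed
        raise ClientUnauthorized()

    if client is None:
        raise ClientUnauthorized()

    if client.secret is None:
        # client is not confidential
        raise ClientUnauthorized()

    if client.grant_type != GrantType.client_credentials:
        # client not allowed to create users
        raise ClientUnauthorized()

    if not hmac.compare_digest(as_bytes(client.secret), as_bytes(client_secret)):
        raise ClientUnauthorized()

    return client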
def test_status_code(self):
    """A rejected client maps to HTTP 403, as pinned by this test."""
    assert ClientUnauthorized().status_code == 403
def test_message(self):
    """The error message tells the caller their credentials were rejected."""
    message = ClientUnauthorized().message
    assert 'credentials are invalid' in message
def test_it_raises_ClientUnauthorized_with_bad_auth_client(
        self, group, pyramid_request, request_auth_client):
    """add_member lets ClientUnauthorized from the auth-client lookup propagate."""
    # The request_auth_client fixture exposes side_effect, so it is presumably
    # a mock standing in for the real lookup; make it fail like a rejected client.
    rejection = ClientUnauthorized()
    request_auth_client.side_effect = rejection

    with pytest.raises(ClientUnauthorized):
        views.add_member(group, pyramid_request)