def account_with_multiple_auth_creds(db): email = '*****@*****.**' resp = { 'access_token': '', 'expires_in': 3600, 'email': email, 'family_name': '', 'given_name': '', 'name': '', 'gender': '', 'id': 0, 'user_id': '', 'id_token': '', 'link': 'http://example.com', 'locale': '', 'picture': '', 'hd': '' } all_scopes = ' '.join( [GOOGLE_CALENDAR_SCOPE, GOOGLE_CONTACTS_SCOPE, GOOGLE_EMAIL_SCOPE]) first_auth_args = { 'refresh_token': 'refresh_token_1', 'client_id': 'client_id_1', 'client_secret': 'client_secret_1', 'scope': all_scopes, 'sync_contacts': True, 'sync_events': True } second_auth_args = { 'refresh_token': 'refresh_token_2', 'client_id': 'client_id_2', 'client_secret': 'client_secret_2', 'scope': GOOGLE_EMAIL_SCOPE, 'sync_contacts': False, 'sync_events': False } g = GmailAuthHandler('gmail') g.verify_config = lambda x: True resp.update(first_auth_args) account = g.get_account(SHARD_ID, email, resp) db.session.add(account) db.session.commit() resp.update(second_auth_args) account = g.get_account(SHARD_ID, email, resp) db.session.add(account) db.session.commit() return account
def account_with_multiple_auth_creds(db): email = '*****@*****.**' resp = {'access_token': '', 'expires_in': 3600, 'email': email, 'family_name': '', 'given_name': '', 'name': '', 'gender': '', 'id': 0, 'user_id': '', 'id_token': '', 'link': 'http://example.com', 'locale': '', 'picture': '', 'hd': ''} all_scopes = ' '.join( [GOOGLE_CALENDAR_SCOPE, GOOGLE_CONTACTS_SCOPE, GOOGLE_EMAIL_SCOPE]) first_auth_args = { 'refresh_token': 'refresh_token_1', 'client_id': 'client_id_1', 'client_secret': 'client_secret_1', 'scope': all_scopes, 'sync_contacts': True, 'sync_events': True } second_auth_args = { 'refresh_token': 'refresh_token_2', 'client_id': 'client_id_2', 'client_secret': 'client_secret_2', 'scope': GOOGLE_EMAIL_SCOPE, 'sync_contacts': False, 'sync_events': False } g = GmailAuthHandler('gmail') g.verify_config = lambda x: True resp.update(first_auth_args) account = g.get_account(SHARD_ID, email, resp) db.session.add(account) db.session.commit() resp.update(second_auth_args) account = g.get_account(SHARD_ID, email, resp) db.session.add(account) db.session.commit() return account
def account_with_single_auth_creds(db): email = '*****@*****.**' resp = {'access_token': '', 'expires_in': 3600, 'email': email, 'family_name': '', 'given_name': '', 'name': '', 'gender': '', 'id': 0, 'user_id': '', 'id_token': '', 'link': 'http://example.com', 'locale': '', 'picture': '', 'hd': '', 'refresh_token': 'refresh_token_3', 'client_id': 'client_id_1', 'client_secret': 'client_secret_1', 'scope': ' '.join([GOOGLE_CALENDAR_SCOPE, GOOGLE_EMAIL_SCOPE]), 'sync_contacts': False, 'sync_events': True } g = GmailAuthHandler('gmail') g.verify_config = lambda x: True account = g.get_account(SHARD_ID, email, resp) db.session.add(account) db.session.commit() return account
def test_token(db, config, encrypt): """ If encryption is enabled, ensure that: * tokens are encrypted. * tokens are decrypted correctly on retrieval. Note: This tests refresh_tokens but passwords work in the same way """ config['ENCRYPT_SECRETS'] = encrypt token = 'tH*$&123abcº™™∞' email = '*****@*****.**' resp = {'access_token': '', 'expires_in': 3600, 'refresh_token': token, 'scope': '', 'email': email, 'family_name': '', 'given_name': '', 'name': '', 'gender': '', 'id': 0, 'user_id': '', 'id_token': '', 'link': 'http://example.com', 'locale': '', 'picture': '', 'hd': ''} g = GmailAuthHandler('gmail') g.verify_config = lambda x: True account = g.get_account(SHARD_ID, email, resp) db.session.add(account) db.session.commit() secret_id = account.refresh_token_id secret = db.session.query(Secret).get(secret_id) assert secret == account.secret if encrypt: assert secret._secret != token, 'token not encrypted' else: assert secret._secret == token, \ 'token encrypted when encryption disabled' decrypted_secret = secret.secret assert decrypted_secret == token and \ account.refresh_token == decrypted_secret, \ 'token not decrypted correctly' # Remove auth credentials row, else weird things # happen when we try to read both encrypted and # unencrypted data from the database. for ac in account.auth_credentials: db.session.delete(ac) # db.session.delete(account.auth_credentials[0]) db.session.commit()
def test_get_account(db): email = '*****@*****.**' resp = {'access_token': '', 'expires_in': 3600, 'email': email, 'family_name': '', 'given_name': '', 'name': '', 'gender': '', 'id': 0, 'user_id': '', 'id_token': '', 'link': 'http://example.com', 'locale': '', 'picture': '', 'hd': ''} g = GmailAuthHandler('gmail') g.verify_config = lambda x: True # Auth me once... token_1 = 'the_first_token' client_id_1 = 'first client id' client_secret_1 = 'first client secret' scopes_1 = 'scope scop sco sc s' scopes_1_list = scopes_1.split(' ') first_auth_args = { 'refresh_token': token_1, 'scope': scopes_1, 'client_id': client_id_1, 'client_secret': client_secret_1 } resp.update(first_auth_args) account = g.get_account(SHARD_ID, email, resp) db.session.add(account) db.session.commit() db.session.refresh(account) assert len(account.auth_credentials) == 1 auth_creds = account.auth_credentials[0] assert auth_creds.client_id == client_id_1 assert auth_creds.client_secret == client_secret_1 assert auth_creds.scopes == scopes_1_list assert auth_creds.refresh_token == token_1 # Auth me twice... token_2 = 'second_token_!' client_id_2 = 'second client id' client_secret_2 = 'second client secret' scopes_2 = 'scope scop sco sc s' scopes_2_list = scopes_2.split(' ') second_auth_args = { 'refresh_token': token_2, 'scope': scopes_2, 'client_id': client_id_2, 'client_secret': client_secret_2 } resp.update(second_auth_args) account = g.get_account(SHARD_ID, email, resp) db.session.merge(account) db.session.commit() assert len(account.auth_credentials) == 2 auth_creds = next((creds for creds in account.auth_credentials if creds.refresh_token == token_2), False) assert auth_creds assert auth_creds.client_id == client_id_2 assert auth_creds.client_secret == client_secret_2 assert auth_creds.scopes == scopes_2_list # Don't add duplicate row in GmailAuthCredentials for the same # client_id/client_secret pair. resp.update(first_auth_args) resp['refresh_token'] = 'a new refresh token' account = g.get_account(SHARD_ID, email, resp) db.session.merge(account) db.session.commit() assert len(account.auth_credentials) == 2 # Should still work okay if we don't get a refresh token back del resp['refresh_token'] account = g.get_account(SHARD_ID, email, resp) db.session.merge(account) db.session.commit() assert len(account.auth_credentials) == 2
def test_token(db, config, encrypt): """ If encryption is enabled, ensure that: * tokens are encrypted. * tokens are decrypted correctly on retrieval. Note: This tests refresh_tokens but passwords work in the same way """ config['ENCRYPT_SECRETS'] = encrypt token = 'tH*$&123abcº™™∞' email = '*****@*****.**' resp = { 'access_token': '', 'expires_in': 3600, 'refresh_token': token, 'scope': '', 'email': email, 'family_name': '', 'given_name': '', 'name': '', 'gender': '', 'id': 0, 'user_id': '', 'id_token': '', 'link': 'http://example.com', 'locale': '', 'picture': '', 'hd': '' } g = GmailAuthHandler('gmail') g.verify_config = lambda x: True account = g.get_account(SHARD_ID, email, resp) db.session.add(account) db.session.commit() secret_id = account.refresh_token_id secret = db.session.query(Secret).get(secret_id) assert secret == account.secret if encrypt: assert secret._secret != token, 'token not encrypted' else: assert secret._secret == token, \ 'token encrypted when encryption disabled' decrypted_secret = secret.secret assert decrypted_secret == token and \ account.refresh_token == decrypted_secret, \ 'token not decrypted correctly' # Remove auth credentials row, else weird things # happen when we try to read both encrypted and # unencrypted data from the database. for ac in account.auth_credentials: db.session.delete(ac) # db.session.delete(account.auth_credentials[0]) db.session.commit()