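def test_callback_handles_bad_flow_exchange(self, pickle):
    """A flow whose code exchange fails must yield a 400, not an error.

    Args:
        pickle: mock standing in for the pickle module used by the view;
            its ``loads`` return value is pointed at the in-memory flow so
            the view gets back the object built here.

    The CSRF token and ``state`` stored in the session match the request,
    so the view presumably reaches ``step2_exchange``; that call is
    replaced with one that raises ``FlowExchangeError`` and the view is
    expected to answer with ``HttpResponseBadRequest``.
    """
    request = self.factory.get('oauth2/oauth2callback', data={
        "state": json.dumps(self.fake_state),
        "code": 123
    })
    self.session['google_oauth2_csrf_token'] = self.CSRF_TOKEN
    flow = OAuth2WebServerFlow(
        client_id='clientid',
        client_secret='clientsecret',
        scope=['email'],
        state=json.dumps(self.fake_state),
        redirect_uri=request.build_absolute_uri("oauth2/oauth2callback"))
    self.session['google_oauth2_flow_{0}'.format(self.CSRF_TOKEN)] = (
        pickle.dumps(flow))

    def local_throws(code):
        # Simulates the token endpoint rejecting the authorization code.
        raise FlowExchangeError("test")

    flow.step2_exchange = local_throws
    pickle.loads.return_value = flow
    request.session = self.session
    response = views.oauth2_callback(request)
    # assertIsInstance reports the actual type on failure, which
    # assertTrue(isinstance(...)) does not.
    self.assertIsInstance(response, http.HttpResponseBadRequest)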
def test_error_returns_bad_request(self):
    """An ``error`` query parameter alone produces a 400 naming the failure.

    No session or flow is set up: the view must reject the request before
    any state lookup, and the body must mention that authorization failed.
    """
    query = {'error': 'There was an error in your authorization.'}
    req = self.factory.get('oauth2/oauth2callback', data=query)
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    self.assertIn(b'Authorization failed', resp.content)
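def test_callback_works(self, pickle):
    """Happy path: matching CSRF token, state and flow yield a redirect.

    Args:
        pickle: mock standing in for the pickle module used by the view;
            its ``loads`` return value is pointed at the in-memory flow.

    ``step2_exchange`` is replaced with a ``mock.Mock`` so no network call
    is made; the view is expected to redirect (302) to ``RETURN_URL``.
    """
    request = self.factory.get('oauth2/oauth2callback', data={
        "state": json.dumps(self.fake_state),
        "code": 123
    })
    self.session['google_oauth2_csrf_token'] = self.CSRF_TOKEN
    flow = OAuth2WebServerFlow(
        client_id='clientid',
        client_secret='clientsecret',
        scope=['email'],
        state=json.dumps(self.fake_state),
        redirect_uri=request.build_absolute_uri("oauth2/oauth2callback"))
    self.session['google_oauth2_flow_{0}'.format(self.CSRF_TOKEN)] = (
        pickle.dumps(flow))
    flow.step2_exchange = mock.Mock()
    pickle.loads.return_value = flow
    request.session = self.session
    response = views.oauth2_callback(request)
    # assertIsInstance/assertEqual replace assertTrue(isinstance(...)) and
    # the deprecated assertEquals alias (removed in Python 3.12).
    self.assertIsInstance(response, http.HttpResponseRedirect)
    self.assertEqual(response.status_code, 302)
    self.assertEqual(response['Location'], self.RETURN_URL)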
def test_callback_works(self, jsonpickle_mock):
    """Happy path: valid CSRF token, state and stored flow yield a redirect.

    Args:
        jsonpickle_mock: mock standing in for the jsonpickle module; its
            ``decode`` return value is pointed at the in-memory flow.

    A sentinel object is stored under the flow's session key so the test
    can assert that ``jsonpickle.decode`` was called with exactly that
    value. ``step2_exchange`` is a ``mock.Mock`` so no network call is
    made; the response must be a redirect to ``RETURN_URL``.
    """
    state_json = json.dumps(self.fake_state)
    req = self.factory.get('oauth2/oauth2callback',
                           data={'state': state_json, 'code': 123})
    self.session['google_oauth2_csrf_token'] = self.CSRF_TOKEN
    flow = client.OAuth2WebServerFlow(
        client_id='clientid',
        client_secret='clientsecret',
        scope=['email'],
        state=state_json,
        redirect_uri=req.build_absolute_uri("oauth2/oauth2callback"))
    flow_key = 'google_oauth2_flow_%s' % (self.CSRF_TOKEN,)
    stored_flow = object()
    self.session[flow_key] = stored_flow
    flow.step2_exchange = mock.Mock()
    jsonpickle_mock.decode.return_value = flow
    req.session = self.session
    req.user = self.user
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseRedirect)
    self.assertEqual(django.http.HttpResponseRedirect.status_code,
                     resp.status_code)
    self.assertEqual(self.RETURN_URL, resp['Location'])
    jsonpickle_mock.decode.assert_called_once_with(stored_flow)
def test_callback_handles_bad_flow_exchange(self, jsonpickle_mock):
    """A failing code exchange is reported as a 400.

    Args:
        jsonpickle_mock: mock standing in for the jsonpickle module; its
            ``decode`` return value is pointed at the in-memory flow.

    The session carries a matching CSRF token and a sentinel stored flow;
    ``step2_exchange`` is replaced with a function that raises
    ``FlowExchangeError``. The view must answer with
    ``HttpResponseBadRequest`` and must have decoded the stored sentinel.
    """
    state_json = json.dumps(self.fake_state)
    req = self.factory.get('oauth2/oauth2callback',
                           data={"state": state_json, "code": 123})
    self.session['google_oauth2_csrf_token'] = self.CSRF_TOKEN
    flow = client.OAuth2WebServerFlow(
        client_id='clientid',
        client_secret='clientsecret',
        scope=['email'],
        state=state_json,
        redirect_uri=req.build_absolute_uri('oauth2/oauth2callback'))
    flow_key = 'google_oauth2_flow_%s' % (self.CSRF_TOKEN,)
    stored_flow = object()
    self.session[flow_key] = stored_flow

    def _reject_code(code):
        # Stands in for the token endpoint refusing the code.
        raise client.FlowExchangeError('test')

    flow.step2_exchange = _reject_code
    jsonpickle_mock.decode.return_value = flow
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    jsonpickle_mock.decode.assert_called_once_with(stored_flow)
def test_bad_csrf(self):
    """A session CSRF token that does not match the state is rejected.

    The request carries the fixture's ``fake_state`` but the session holds
    a different token; the view must return a 400 with the exact body
    ``Invalid CSRF token.`` rather than proceed to the code exchange.
    """
    query = {"state": json.dumps(self.fake_state), "code": 123}
    req = self.factory.get("oauth2/oauth2callback", data=query)
    self.session["google_oauth2_csrf_token"] = "WRONG TOKEN"
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    self.assertEqual(b"Invalid CSRF token.", resp.content)
def test_bad_state(self):
    """A ``state`` value that is not the expected structure is rejected.

    A CSRF token is present in the session, but the state JSON carries an
    unrelated key; the view must return a 400 whose body is exactly
    ``Invalid state parameter.``.
    """
    query = {"code": 123, "state": json.dumps({"wrong": "state"})}
    req = self.factory.get("oauth2/oauth2callback", data=query)
    self.session["google_oauth2_csrf_token"] = "token"
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    self.assertEqual(b"Invalid state parameter.", resp.content)
def test_no_session(self):
    """A callback with no CSRF token in the session is rejected.

    The request itself looks valid (code plus the fixture's state), but
    nothing was stored in the session beforehand; the view must return a
    400 with the body ``No existing session for this flow.``.
    """
    query = {"code": 123, "state": json.dumps(self.fake_state)}
    req = self.factory.get("oauth2/oauth2callback", data=query)
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    self.assertEqual(b"No existing session for this flow.", resp.content)
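def test_error_returns_bad_request(self):
    """An ``error`` query parameter alone produces a 400 naming the failure.

    No session or flow is set up: the view must reject the request before
    any state lookup, and the body must mention that authorization failed.
    """
    request = self.factory.get('oauth2/oauth2callback', data={
        "error": "There was an error in your authorization.",
    })
    response = views.oauth2_callback(request)
    # assertIsInstance/assertIn give a useful message on failure, unlike
    # assertTrue(isinstance(...)) and assertTrue(x in y).
    self.assertIsInstance(response, http.HttpResponseBadRequest)
    self.assertIn(b"Authorization failed", response.content)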
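def test_error_escapes_html(self):
    """A provider-supplied ``error`` must be HTML-escaped when reflected.

    The error text arrives on the query string and is echoed in the 400
    body, so the raw ``<script>`` tag must not appear; the entity-escaped
    form ``&lt;script&gt;`` is what the response should contain.
    """
    request = self.factory.get('oauth2/oauth2callback', data={
        'error': '<script>bad</script>',
    })
    response = views.oauth2_callback(request)
    self.assertIsInstance(response, http.HttpResponseBadRequest)
    self.assertNotIn(b'<script>', response.content)
    # The two assertions were contradictory (both looked for b'<script>');
    # the positive check must look for the escaped entity form.
    self.assertIn(b'&lt;script&gt;', response.content)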
def test_no_saved_flow(self):
    """A matching CSRF token but no stored flow is rejected.

    The session holds the right token and a ``None`` entry under the
    flow's key; the view must return a 400 with the exact body
    ``Missing Oauth2 flow.``.
    """
    query = {"state": json.dumps(self.fake_state), "code": 123}
    req = self.factory.get("oauth2/oauth2callback", data=query)
    flow_key = "google_oauth2_flow_%s" % (self.CSRF_TOKEN,)
    self.session["google_oauth2_csrf_token"] = self.CSRF_TOKEN
    self.session[flow_key] = None
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    self.assertEqual(b"Missing Oauth2 flow.", resp.content)
def test_missing_state_returns_bad_request(self):
    """A callback carrying a code but no ``state`` parameter is rejected.

    A CSRF token is present in the session, so the missing state is the
    only defect; the view must answer with ``HttpResponseBadRequest``.
    """
    query = {'code': 123}
    req = self.factory.get('oauth2/oauth2callback', data=query)
    self.session['google_oauth2_csrf_token'] = "token"
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
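def test_missing_state_returns_bad_request(self):
    """A callback carrying a code but no ``state`` parameter is rejected.

    A CSRF token is present in the session, so the missing state is the
    only defect; the view must answer with ``HttpResponseBadRequest``.
    """
    request = self.factory.get('oauth2/oauth2callback', data={
        "code": 123
    })
    self.session['google_oauth2_csrf_token'] = "token"
    request.session = self.session
    response = views.oauth2_callback(request)
    # assertIsInstance reports the actual type on failure, which
    # assertTrue(isinstance(...)) does not.
    self.assertIsInstance(response, http.HttpResponseBadRequest)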
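def test_error_returns_bad_request(self):
    """An ``error`` query parameter alone produces a 400 naming the failure.

    No session or flow is set up: the view must reject the request before
    any state lookup, and the body must mention that authorization failed.
    """
    request = self.factory.get(
        'oauth2/oauth2callback',
        data={
            "error": "There was an error in your authorization.",
        })
    response = views.oauth2_callback(request)
    # assertIsInstance/assertIn give a useful message on failure, unlike
    # assertTrue(isinstance(...)) and assertTrue(x in y).
    self.assertIsInstance(response, http.HttpResponseBadRequest)
    self.assertIn(b"Authorization failed", response.content)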
def test_bad_state(self):
    """A ``state`` value that is not the expected structure is rejected.

    A CSRF token is present in the session, but the state JSON carries an
    unrelated key; the view must return a 400 whose body is exactly
    ``Invalid state parameter.``.
    """
    query = {'code': 123, 'state': json.dumps({'wrong': 'state'})}
    req = self.factory.get('oauth2/oauth2callback', data=query)
    self.session['google_oauth2_csrf_token'] = 'token'
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    self.assertEqual(b'Invalid state parameter.', resp.content)
def test_bad_csrf(self):
    """A session CSRF token that does not match the state is rejected.

    The request carries the fixture's ``fake_state`` but the session holds
    a different token; the view must return a 400 with the exact body
    ``Invalid CSRF token.`` rather than proceed to the code exchange.
    """
    query = {"state": json.dumps(self.fake_state), "code": 123}
    req = self.factory.get('oauth2/oauth2callback', data=query)
    self.session['google_oauth2_csrf_token'] = 'WRONG TOKEN'
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    self.assertEqual(b'Invalid CSRF token.', resp.content)
def test_no_session(self):
    """A callback with no CSRF token in the session is rejected.

    The request itself looks valid (code plus the fixture's state), but
    nothing was stored in the session beforehand; the view must return a
    400 with the body ``No existing session for this flow.``.
    """
    query = {'code': 123, 'state': json.dumps(self.fake_state)}
    req = self.factory.get('oauth2/oauth2callback', data=query)
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    self.assertEqual(b'No existing session for this flow.', resp.content)
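def test_bad_state(self):
    """A ``state`` value that is not the expected structure is rejected.

    A CSRF token is present in the session, but the state JSON carries an
    unrelated key; the view must return a 400 whose body is exactly
    ``Invalid state parameter.``.
    """
    request = self.factory.get('oauth2/oauth2callback', data={
        "code": 123,
        "state": json.dumps({"wrong": "state"})
    })
    self.session['google_oauth2_csrf_token'] = "token"
    request.session = self.session
    response = views.oauth2_callback(request)
    # assertIsInstance/assertEqual replace assertTrue(isinstance(...)) and
    # the deprecated assertEquals alias (removed in Python 3.12).
    self.assertIsInstance(response, http.HttpResponseBadRequest)
    self.assertEqual(response.content, b'Invalid state parameter.')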
def test_no_saved_flow(self):
    """A matching CSRF token but no stored flow is rejected.

    The session holds the right token and a ``None`` entry under the
    flow's key; the view must return a 400 with the exact body
    ``Missing Oauth2 flow.``.
    """
    query = {'state': json.dumps(self.fake_state), 'code': 123}
    req = self.factory.get('oauth2/oauth2callback', data=query)
    flow_key = 'google_oauth2_flow_%s' % (self.CSRF_TOKEN,)
    self.session['google_oauth2_csrf_token'] = self.CSRF_TOKEN
    self.session[flow_key] = None
    req.session = self.session
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseBadRequest)
    self.assertEqual(b'Missing Oauth2 flow.', resp.content)
def test_callback_works(self, pickle):
    """Happy path: matching CSRF token, state and flow yield a redirect.

    Args:
        pickle: mock standing in for the pickle module used by the view;
            its ``loads`` return value is pointed at the in-memory flow.

    ``step2_exchange`` is a ``mock.Mock`` so no network call is made; the
    response must be a redirect whose status matches Django's
    ``HttpResponseRedirect`` and whose ``Location`` is ``RETURN_URL``.
    """
    state_json = json.dumps(self.fake_state)
    req = self.factory.get("oauth2/oauth2callback",
                           data={"state": state_json, "code": 123})
    self.session["google_oauth2_csrf_token"] = self.CSRF_TOKEN
    flow = OAuth2WebServerFlow(
        client_id="clientid",
        client_secret="clientsecret",
        scope=["email"],
        state=state_json,
        redirect_uri=req.build_absolute_uri("oauth2/oauth2callback"),
    )
    flow_key = "google_oauth2_flow_%s" % (self.CSRF_TOKEN,)
    self.session[flow_key] = pickle.dumps(flow)
    flow.step2_exchange = mock.Mock()
    pickle.loads.return_value = flow
    req.session = self.session
    req.user = self.user
    resp = views.oauth2_callback(req)
    self.assertIsInstance(resp, http.HttpResponseRedirect)
    self.assertEqual(django.http.HttpResponseRedirect.status_code,
                     resp.status_code)
    self.assertEqual(self.RETURN_URL, resp["Location"])