def test_create_authorization_grant(self):
bearer = BearerToken(self.mock_validator)
self.request.response_mode = 'query'
h, b, s = self.auth.create_authorization_response(self.request, bearer)
grant = dict(Request(h['Location']).uri_query_params)
self.assertIn('code', grant)
self.assertTrue(self.mock_validator.validate_redirect_uri.called)
self.assertTrue(self.mock_validator.validate_response_type.called)
self.assertTrue(self.mock_validator.validate_scopes.called)
def setUp(self):
self.request = Request('http://a.b/path')
request_validator = mock.MagicMock()
implicit_grant = OAuth2ImplicitGrant(request_validator)
openid_connect_implicit = ImplicitGrant(request_validator)
self.dispatcher = ImplicitTokenGrantDispatcher(
default_implicit_grant=implicit_grant,
oidc_implicit_grant=openid_connect_implicit)
def validate_authorization_request(self, uri, http_method='GET', body=None,
headers=None):
"""Extract response_type and route to the designated handler."""
request = Request(
uri, http_method=http_method, body=body, headers=headers)
request.scopes = None
response_type_handler = self.response_types.get(
request.response_type, self.default_response_type_handler)
return response_type_handler.validate_authorization_request(request)
def test_header_with_multispaces_is_validated(self):
request_validator = mock.MagicMock()
request_validator.validate_bearer_token = self._mocked_validate_bearer_token
request = Request("/", headers=self.valid_header_with_multiple_spaces)
result = BearerToken(
request_validator=request_validator).validate_request(request)
self.assertTrue(result)
def test_extract_params_with_urlencoded_json(self):
wsgi_environ = {
'QUERY_STRING': 'state=%7B%22t%22%3A%22a%22%2C%22i%22%3A%22l%22%7D'
}
with set_flask_request(wsgi_environ):
uri, http_method, body, headers = extract_params()
# Request constructor will try to urldecode the querystring, make
# sure this doesn't fail.
Request(uri, http_method, body, headers)
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'urn:ietf:params:oauth:grant-type:saml2-bearer'
self.request.assertion = 'assertion'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = SAML2BearerGrant(request_validator=self.mock_validator)
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.assertion = 'mocked assertion'
self.request.grant_type = JWT_BEARER
self.request.client = mock_client
self.request.scope = 'foo'
self.mock_validator = mock.MagicMock()
self.auth = JWTBearerGrant(request_validator=self.mock_validator)
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'refresh_token'
self.request.refresh_token = 'lsdkfhj230'
self.request.client = mock_client
self.request.scope = 'foo'
self.mock_validator = mock.MagicMock()
self.auth = RefreshTokenGrant(request_validator=self.mock_validator)
def test_fake_bearer_is_not_validated(self):
request_validator = mock.MagicMock()
request_validator.validate_bearer_token = self._mocked_validate_bearer_token
for fake_header in self.fake_bearer_headers:
request = Request("/", headers=fake_header)
result = BearerToken(
request_validator=request_validator).validate_request(request)
self.assertFalse(result)
def test_sanitizing_authorization_header(self):
r = Request(URI,
headers={
'Accept': 'application/json',
'Authorization': 'Basic Zm9vOmJhcg=='
})
self.assertNotIn('Zm9vOmJhcg==', repr(r))
self.assertIn('<SANITIZED>', repr(r))
# Double-check we didn't modify the underlying object:
self.assertEqual(r.headers['Authorization'], 'Basic Zm9vOmJhcg==')
def test_authenticate_client(self):
request = Request('http://localhost/authenticate_client', 'GET', None,
{
'client_id': '10',
'client_secret': 'secret'
})
self.assertTrue(self.validator.authenticate_client(request))
request = Request('http://localhost/authenticate_client', 'GET', None,
{
'client_id': '10',
'client_secret': 'secre'
})
self.assertFalse(self.validator.authenticate_client(request))
request = Request('http://localhost/authenticate_client', 'GET', None,
{
'client_id': '1',
'client_secret': 'secret'
})
self.assertFalse(self.validator.authenticate_client(request))
def setUp(self):
self.request = Request('http://a.b/path')
self.request.grant_type = 'password'
self.request.username = '******'
self.request.password = '******'
self.request.client = 'mock authenticated'
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'client_credentials'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ClientCredentialsGrant(
request_validator=self.mock_validator)
def setUp(self):
self.request = Request('http://a.b/path')
self.request.decoded_body = (
("client_id", "me"),
("code", "code"),
("redirect_url", "https://a.b/cb"),
)
self.request_validator = mock.MagicMock()
self.auth_grant = OAuth2AuthorizationCodeGrant(self.request_validator)
self.openid_connect_auth = AuthorizationCodeGrant(self.request_validator)
def test_request_invalid_client_id(self):
request = Request('https://a.b./path')
request.scope = 'openid profile'
request.response_type = 'code'
with pytest.raises(errors.MissingClientIdError):
self.auth.validate_authorization_request(request)
request.client_id = 'invalid_client'
self.validator.validate_client_id.return_value = False
with pytest.raises(errors.InvalidClientIdError):
self.auth.validate_authorization_request(request)
def test_validate_lti_old_timestamp(self):
request = Request(uri='https://example.com/lti',
http_method='POST',
body=self.read_data_file('lti_old_timestamp.txt'))
parameters = LTIAuthBackend._get_validated_lti_params_from_values( # pylint: disable=protected-access
request=request,
current_time=1436900000,
lti_consumer_valid=True,
lti_consumer_secret='secret',
lti_max_timestamp_age=10)
self.assertFalse(parameters)
def setUp(self):
self.request = Request('http://a.b/path')
self.request.scopes = ('hello', 'world')
self.request.client = 'batman'
self.request.client_id = 'abcdef'
self.request.response_type = 'token'
self.request.state = 'xyz'
self.request.redirect_uri = 'https://b.c/p'
self.mock_validator = mock.MagicMock()
self.auth = ImplicitGrant(request_validator=self.mock_validator)
def verify_request(self, uri, http_method='GET', body=None, headers=None,
scopes=None):
"""Validate client, code etc, return body + headers"""
request = Request(uri, http_method, body, headers)
request.token_type = self.find_token_type(request)
request.scopes = scopes
token_type_handler = self.tokens.get(request.token_type,
self.default_token_type_handler)
log.debug('Dispatching token_type %s request to %r.',
request.token_type, token_type_handler)
return token_type_handler.validate_request(request), request
def oauth_error(self, request, error, **kwargs):
# UGLY HACK
from oauthlib.common import Request
core = self.get_oauthlib_core()
uri, http_method, body, headers = core._extract_params(request)
orequest = Request(uri,
http_method=http_method,
body=body,
headers=headers)
raise OAuthToolkitError(
error=error(request=orequest, state=orequest.state, **kwargs))
def test_non_unicode_params(self):
r = Request(
bytes_type('http://a.b/path?query', 'utf-8'),
http_method=bytes_type('GET', 'utf-8'),
body=bytes_type('you=shall+pass', 'utf-8'),
headers={bytes_type('a', 'utf-8'): bytes_type('b', 'utf-8')})
self.assertEqual(r.uri, 'http://a.b/path?query')
self.assertEqual(r.http_method, 'GET')
self.assertEqual(r.body, 'you=shall+pass')
self.assertEqual(r.decoded_body, [('you', 'shall pass')])
self.assertEqual(r.headers, {'a': 'b'})
def test_extract_params_with_json(self):
data = {'test': 'foo', 'foo': 'bar'}
json_payload = json.dumps(data).encode('utf-8')
wsgi_environ = {
'CONTENT_TYPE': 'application/json',
'CONTENT_LENGHT': str(len(data))
}
with set_flask_request(wsgi_environ, data):
uri, http_method, body, headers = extract_params()
Request(uri, http_method, body, headers)
self.assertEqual(body, {'test': 'foo', 'foo': 'bar'})
def test_validate_lti_cannot_add_get_params(self):
request = Request(
uri='https://example.com/lti?custom_another=parameter',
http_method='POST',
body=self.read_data_file('lti_cannot_add_get_params.txt')
)
parameters = LTIAuthBackend._get_validated_lti_params_from_values( # pylint: disable=protected-access
request=request, current_time=1436823554,
lti_consumer_valid=True, lti_consumer_secret='secret',
lti_max_timestamp_age=10
)
assert not parameters
def test_non_unicode_params(self):
r = Request(b'http://a.b/path?query',
http_method=b'GET',
body=b'you=shall+pass',
headers={
b'a': b'b',
})
self.assertEqual(r.uri, 'http://a.b/path?query')
self.assertEqual(r.http_method, 'GET')
self.assertEqual(r.body, 'you=shall+pass')
self.assertEqual(r.decoded_body, [('you', 'shall pass')])
self.assertEqual(r.headers, {'a': 'b'})
def create_token_response(self, uri, http_method='GET', body=None,
headers=None, credentials=None):
"""Extract grant_type and route to the designated handler."""
request = Request(uri, http_method=http_method, body=body, headers=headers)
request.scopes = None
request.extra_credentials = credentials
grant_type_handler = self.grant_types.get(request.grant_type,
self.default_grant_type_handler)
log.debug('Dispatching grant_type %s request to %r.',
request.grant_type, grant_type_handler)
return grant_type_handler.create_token_response(
request, self.default_token_type)
def _create_request(self, uri, http_method, body, headers):
# Only include body data from x-www-form-urlencoded requests
headers = CaseInsensitiveDict(headers or {})
if (
"Content-Type" in headers
and CONTENT_TYPE_FORM_URLENCODED in headers["Content-Type"]
):
request = Request(uri, http_method, body, headers)
else:
request = Request(uri, http_method, "", headers)
signature_type, params, oauth_params = self._get_signature_type_and_params(
request
)
# The server SHOULD return a 400 (Bad Request) status code when
# receiving a request with duplicated protocol parameters.
if len(dict(oauth_params)) != len(oauth_params):
raise errors.InvalidRequestError(description="Duplicate OAuth1 entries.")
oauth_params = dict(oauth_params)
request.signature = oauth_params.get("oauth_signature")
request.client_key = oauth_params.get("oauth_consumer_key")
request.resource_owner_key = oauth_params.get("oauth_token")
request.nonce = oauth_params.get("oauth_nonce")
request.timestamp = oauth_params.get("oauth_timestamp")
request.redirect_uri = oauth_params.get("oauth_callback")
request.verifier = oauth_params.get("oauth_verifier")
request.signature_method = oauth_params.get("oauth_signature_method")
request.realm = dict(params).get("realm")
request.oauth_params = oauth_params
# Parameters to Client depend on signature method which may vary
# for each request. Note that HMAC-SHA1 and PLAINTEXT share parameters
request.params = [(k, v) for k, v in params if k != "oauth_signature"]
if "realm" in request.headers.get("Authorization", ""):
request.params = [(k, v) for k, v in request.params if k != "realm"]
return request
async def create_revocation_response(self,
uri,
http_method='POST',
body=None,
headers=None):
"""Revoke supplied access or refresh token.
The authorization server responds with HTTP status code 200 if the
token has been revoked sucessfully or if the client submitted an
invalid token.
Note: invalid tokens do not cause an error response since the client
cannot handle such an error in a reasonable way. Moreover, the purpose
of the revocation request, invalidating the particular token, is
already achieved.
The content of the response body is ignored by the client as all
necessary information is conveyed in the response code.
An invalid token type hint value is ignored by the authorization server
and does not influence the revocation response.
"""
resp_headers = {
'Content-Type': 'application/json',
'Cache-Control': 'no-store',
'Pragma': 'no-cache',
}
request = Request(uri,
http_method=http_method,
body=body,
headers=headers)
try:
await self.validate_revocation_request(request)
log.debug('Token revocation valid for %r.', request)
except OAuth2Error as e:
log.debug('Client error during validation of %r. %r.', request, e)
response_body = e.json
if self.enable_jsonp and request.callback:
response_body = '{}({});'.format(request.callback,
response_body)
resp_headers.update(e.headers)
return resp_headers, response_body, e.status_code
await self.request_validator.revoke_token(request.token,
request.token_type_hint,
request)
response_body = ''
if self.enable_jsonp and request.callback:
response_body = request.callback + '();'
return {}, response_body, 200
def _create_request(self, uri, http_method, body, headers):
# Only include body data from x-www-form-urlencoded requests
headers = headers or {}
if ('Content-Type' in headers
and CONTENT_TYPE_FORM_URLENCODED in headers['Content-Type']):
request = Request(uri, http_method, body, headers)
else:
request = Request(uri, http_method, '', headers)
signature_type, params, oauth_params = (
self._get_signature_type_and_params(request))
# The server SHOULD return a 400 (Bad Request) status code when
# receiving a request with duplicated protocol parameters.
if len(dict(oauth_params)) != len(oauth_params):
raise errors.InvalidRequestError(
description='Duplicate OAuth1 entries.')
oauth_params = dict(oauth_params)
request.signature = oauth_params.get('oauth_signature')
request.client_key = oauth_params.get('oauth_consumer_key')
request.resource_owner_key = oauth_params.get('oauth_token')
request.nonce = oauth_params.get('oauth_nonce')
request.timestamp = oauth_params.get('oauth_timestamp')
request.redirect_uri = oauth_params.get('oauth_callback')
request.verifier = oauth_params.get('oauth_verifier')
request.signature_method = oauth_params.get('oauth_signature_method')
request.realm = dict(params).get('realm')
request.oauth_params = oauth_params
# Parameters to Client depend on signature method which may vary
# for each request. Note that HMAC-SHA1 and PLAINTEXT share parameters
request.params = [(k, v) for k, v in params if k != 'oauth_signature']
if 'realm' in request.headers.get('Authorization', ''):
request.params = [(k, v) for k, v in request.params
if k != 'realm']
return request
def setUp(self):
"""Set up tests."""
self.token = 'f34mfSADsf45sada31mF'
self.scopes = []
self.headers = {
'Authorization': 'Bearer %s' % self.token,
'UWUM': True,
}
self.request = Request(
'https://geokey.org.uk/api/projects/',
http_method='GET',
body=None,
headers=self.headers)
def __create_django_request(
self, uri, http_method='GET', body=None, headers=None, credentials=None
):
"""
Assembles a request and assigns django_request to Request object.
"""
request = Request(uri, http_method=http_method, body=body, headers=headers)
request.scopes = ['read', 'write']
request.extra_credentials = credentials
# Make sure we consume the django request object
request.django_request = self.pop_request_object()
return request
def test_create_authorization_grant_state(self):
self.request.state = 'abc'
self.request.redirect_uri = None
self.mock_validator.get_default_redirect_uri.return_value = 'https://a.b/cb'
bearer = BearerToken(self.mock_validator)
h, b, s = self.auth.create_authorization_response(self.request, bearer)
grant = dict(Request(h['Location']).uri_query_params)
self.assertIn('code', grant)
self.assertIn('state', grant)
self.assertFalse(self.mock_validator.validate_redirect_uri.called)
self.assertTrue(self.mock_validator.get_default_redirect_uri.called)
self.assertTrue(self.mock_validator.validate_response_type.called)
self.assertTrue(self.mock_validator.validate_scopes.called)
