示例#1
 def testRequestOverInsecureTransport(self):
     """
     Reject a valid bearer token when the request did not arrive over a
     secure channel.

     A bearer token sent in clear text can be read and replayed by anyone on
     the network path, so only the explicit ``allowInsecureRequestDebug``
     opt-in may accept such a request; the default must refuse it and answer
     with HTTP 400.
     """
     expected_code = 400
     insecure_request = MockRequest('GET', 'protectedResource', isSecure=False)
     insecure_request.setRequestHeader(b'Authorization',
                                       'Bearer ' + self.VALID_TOKEN)
     # Debug escape hatch: opting in explicitly accepts the plaintext request.
     accepted_in_debug = isAuthorized(insecure_request,
                                      self.VALID_TOKEN_SCOPE,
                                      allowInsecureRequestDebug=True)
     self.assertTrue(
         accepted_in_debug,
         msg='Expected isAuthorized to accept a request over an insecure protocol '
             'if "allowInsecureRequestDebug" is set to True.')
     # Default behaviour: the very same request must be rejected ...
     accepted_by_default = isAuthorized(insecure_request, self.VALID_TOKEN_SCOPE)
     self.assertFalse(
         accepted_by_default,
         msg='Expected isAuthorized to reject a request over an insecure protocol.')
     # ... and the rejection must have been recorded on the response itself.
     self.assertEqual(
         expected_code,
         insecure_request.responseCode,
         msg='The HTTP response code should be {code}, if a protected resource receives a '
             'request over an insecure channel.'.format(code=expected_code))
示例#2
 def testNoAccessToken(self):
     """
     Reject a request that carries no access token at all.

     The failure must be reported through the standard protected-resource
     error path as a ``MissingTokenError`` for the requested scope.
     """
     requested_scope = 'scope'
     bare_request = MockRequest('GET', 'protectedResource')
     authorized = isAuthorized(bare_request, requested_scope)
     self.assertFalse(
         authorized,
         msg='Expected isAuthorized to reject a request without a token.')
     self.assertFailedProtectedResourceRequest(
         bare_request, MissingTokenError([requested_scope]))
示例#3
文件: main.py 项目: svpcom/TxOauth2
 def render_GET(self, request):
     # Deliberately redundant: the @oauth decorator already guards this method.
     # The explicit isAuthorized() call only demonstrates the second way of
     # protecting a resource.
     # SECURITY: allowInsecureRequestDebug=True makes isAuthorized accept bearer
     # tokens that arrived over plain HTTP, exposing them to anyone on the path.
     # This is acceptable for a local demo only; drop the flag (or gate it on a
     # debug setting) before real tokens are served.
     if not isAuthorized(request, 'VIEW_CLOCK', allowInsecureRequestDebug=True):
         # isAuthorized responds to a rejected request itself; tell Twisted
         # that the response is handled elsewhere.
         return NOT_DONE_YET
     clock_page = '<html><body>{time}</body></html>'.format(time=time.ctime())
     return clock_page.encode('utf-8')
示例#4
 def testWrongAccessToken(self):
     """
     Reject a request whose Bearer header carries an invalid token value.

     The rejection must surface as ``InvalidTokenRequestError`` for the
     requested scope, not as a missing-token error.
     """
     requested_scope = 'scope'
     request = MockRequest('GET', 'protectedResource')
     # A well-formed Bearer header whose token value is garbage.
     request.setRequestHeader(b'Authorization', b'Bearer an invalid token')
     authorized = isAuthorized(request, requested_scope)
     self.assertFalse(
         authorized,
         msg='Expected isAuthorized to reject a request with an invalid token.')
     self.assertFailedProtectedResourceRequest(
         request, InvalidTokenRequestError([requested_scope]))
示例#5
 def testMultipleAccessTokens(self):
     """
     Reject a request that presents more than one access token.

     Covers both ways of doubling up: two ``access_token`` query parameters,
     and a query parameter combined with an Authorization header. Accepting
     either would leave it ambiguous which credential was actually checked,
     so both must fail with ``MultipleTokensError``.
     """
     def assert_rejected_as_ambiguous(request):
         # Shared expectation for every multi-token variant.
         self.assertFalse(
             isAuthorized(request, self.VALID_TOKEN_SCOPE),
             msg='Expected isAuthorized to reject a request with two tokens.')
         self.assertFailedProtectedResourceRequest(
             request, MultipleTokensError(self.VALID_TOKEN_SCOPE))

     query_token = 'access_token=' + self.VALID_TOKEN
     # Variant 1: the same token twice in the query string.
     doubled_query = MockRequest(
         'GET', 'protectedResource?' + query_token + '&' + query_token)
     assert_rejected_as_ambiguous(doubled_query)

     # Variant 2: one token in the query string, another one in the header.
     query_plus_header = MockRequest('GET', 'protectedResource?' + query_token)
     query_plus_header.setRequestHeader(b'Authorization',
                                        'Bearer ' + self.VALID_TOKEN)
     assert_rejected_as_ambiguous(query_plus_header)
示例#6
 def render_GET(self, request):  # pylint: disable=invalid-name,no-self-use
     """
     Serve the clock page. This resource is OAuth-protected.

     :param request: The incoming Twisted request.
     :return: The rendered page as UTF-8 bytes, or ``NOT_DONE_YET`` when the
         request was rejected and isAuthorized has already answered it.
     """
     # Deliberately redundant: the @oauth decorator already guards this method.
     # The explicit isAuthorized() call only demonstrates the second way of
     # protecting a resource.
     # SECURITY: allowInsecureRequestDebug=True makes isAuthorized accept bearer
     # tokens that arrived over plain HTTP, exposing them to anyone on the path.
     # This is acceptable for a local demo only; drop the flag (or gate it on a
     # debug setting) before real tokens are served.
     if not isAuthorized(request, 'VIEW_CLOCK', allowInsecureRequestDebug=True):
         # isAuthorized responds to a rejected request itself; tell Twisted
         # that the response is handled elsewhere.
         return NOT_DONE_YET
     clock_page = '<html><body>{time}</body></html>'.format(time=time.ctime())
     return clock_page.encode('utf-8')
示例#7
 def testInvalidScope(self):
     """
     Reject a valid token that was not granted the scope the resource needs.

     A genuine token is not enough on its own: the scope check must fail with
     ``InsufficientScopeRequestError`` naming the missing scope.
     """
     required_scope = 'someOtherScope'
     request = MockRequest('GET', 'protectedResource')
     request.setRequestHeader(b'Authorization',
                              'Bearer ' + self.VALID_TOKEN)
     # VALID_TOKEN is only valid for VALID_TOKEN_SCOPE, not for required_scope.
     authorized = isAuthorized(request, required_scope)
     self.assertFalse(
         authorized,
         msg='Expected isAuthorized to reject a request with token '
             'that does not allow access to the given scope.')
     self.assertFailedProtectedResourceRequest(
         request, InsufficientScopeRequestError([required_scope]))
示例#8
 def testWithAccessTokenInHeader(self):
     """
     Accept a valid token sent in the Authorization header.

     On success ``isAuthorized`` must leave the request open so that the
     resource can render its own response.
     See https://tools.ietf.org/html/rfc6750#section-2.1
     """
     request = MockRequest('GET', 'protectedResource')
     request.setRequestHeader(b'Authorization',
                              'Bearer ' + self.VALID_TOKEN)
     required_scope = self.VALID_TOKEN_SCOPE[0]
     authorized = isAuthorized(request, required_scope)
     self.assertTrue(
         authorized,
         msg='Expected isAuthorized to accept a request with a valid token.')
     # A successful check must not write a response or finish the request.
     self.assertFalse(
         request.finished,
         msg='isAuthorized should not finish the request if it\'s valid.')
示例#9
 def testAccessTokenInBodyWrongContentType(self):
     """
     Ignore a body token when the request is not form-encoded.

     The body transport is only defined for
     ``application/x-www-form-urlencoded``; with any other content type the
     token must be treated as absent (``MissingTokenError``) rather than
     evaluated.
     """
     body_request = MockRequest('POST',
                                'protectedResource',
                                arguments={'access_token': self.VALID_TOKEN})
     body_request.setRequestHeader('Content-Type', 'application/other')
     authorized = isAuthorized(body_request, self.VALID_TOKEN_SCOPE)
     self.assertFalse(
         authorized,
         msg='Expected isAuthorized to reject a request '
             'with a valid token in the request body with a content type '
             'that is not "application/x-www-form-urlencoded".')
     self.assertFailedProtectedResourceRequest(
         body_request, MissingTokenError(self.VALID_TOKEN_SCOPE))
示例#10
 def testAccessTokenInBodyWrongMethod(self):
     """
     Ignore a form-encoded body token on a request that is not a POST.

     Even with the right content type, a body token on a GET request must be
     treated as absent (``MissingTokenError``) rather than evaluated.
     """
     get_with_body = MockRequest('GET',
                                 'protectedResource',
                                 arguments={'access_token': self.VALID_TOKEN})
     get_with_body.setRequestHeader('Content-Type',
                                    'application/x-www-form-urlencoded')
     authorized = isAuthorized(get_with_body, self.VALID_TOKEN_SCOPE)
     self.assertFalse(
         authorized,
         msg='Expected isAuthorized to reject a request with a valid token '
             'in the request body that was not send with the POST method.')
     self.assertFailedProtectedResourceRequest(
         get_with_body, MissingTokenError(self.VALID_TOKEN_SCOPE))
示例#11
 def testWithAccessTokenInBody(self):
     """
     Accept a valid token sent as a form-encoded POST body parameter.

     On success ``isAuthorized`` must leave the request open so that the
     resource can render its own response.
     See https://tools.ietf.org/html/rfc6750#section-2.2
     """
     form_post = MockRequest('POST',
                             'protectedResource',
                             arguments={'access_token': self.VALID_TOKEN})
     form_post.setRequestHeader('Content-Type',
                                'application/x-www-form-urlencoded')
     required_scope = self.VALID_TOKEN_SCOPE[0]
     self.assertTrue(
         isAuthorized(form_post, required_scope),
         msg='Expected isAuthorized to accept a request '
             'with a valid token in the request body.')
     # A successful check must not write a response or finish the request.
     self.assertFalse(
         form_post.finished,
         msg='isAuthorized should not finish the request if it\'s valid.')
示例#12
 def testWithAccessTokenInQuery(self):
     """
     Accept a valid token passed as the ``access_token`` query parameter.

     Tokens in the URL end up in server logs, browser history and shared
     caches, so the response must carry ``Cache-Control: private``; a
     successful check must also leave the request unfinished.
     See https://tools.ietf.org/html/rfc6750#section-2.3
     """
     query_request = MockRequest(
         'GET', 'protectedResource?access_token=' + self.VALID_TOKEN)
     required_scope = self.VALID_TOKEN_SCOPE[0]
     self.assertTrue(
         isAuthorized(query_request, required_scope),
         msg='Expected isAuthorized to accept a request '
             'with a valid token as a query parameter.')
     self.assertFalse(
         query_request.finished,
         msg='isAuthorized should not finish the request if it\'s valid.')
     # Keeps a response to a token-bearing URL out of shared caches.
     cache_control = query_request.getResponseHeader('Cache-Control')
     self.assertIn(
         'private',
         cache_control,
         msg='The response to a request with the access token as a query parameter '
             'should contain a Cache-Control header with the "private" option.')