Add proper and tested OIDC support on the server
Note that this will still not work on the client side; the followup CL for the client side is right after this one.
This commit is contained in:
Joseph Schorr
parent
19f7acf575
commit
fda203e4d7
15 changed files with 756 additions and 180 deletions
|
|
@ -8,7 +8,6 @@ import base64
|
|||
from urllib import urlencode
|
||||
from urlparse import urlparse, urlunparse, parse_qs
|
||||
from datetime import datetime, timedelta
|
||||
from httmock import urlmatch, HTTMock
|
||||
|
||||
import jwt
|
||||
|
||||
|
|
@ -16,7 +15,7 @@ from Crypto.PublicKey import RSA
|
|||
from flask import url_for
|
||||
from jwkest.jwk import RSAKey
|
||||
|
||||
from app import app, oauth_login
|
||||
from app import app
|
||||
from data import model
|
||||
from data.database import ServiceKeyApprovalType
|
||||
from endpoints import keyserver
|
||||
|
|
@ -25,16 +24,9 @@ from endpoints.api.user import Signin
|
|||
from endpoints.keyserver import jwk_with_kid
|
||||
from endpoints.csrf import OAUTH_CSRF_TOKEN_NAME
|
||||
from endpoints.web import web as web_bp
|
||||
from endpoints.oauthlogin import oauthlogin as oauthlogin_bp
|
||||
from initdb import setup_database_for_testing, finished_database_for_testing
|
||||
from test.helpers import assert_action_logged
|
||||
|
||||
try:
|
||||
app.register_blueprint(oauthlogin_bp, url_prefix='/oauth2')
|
||||
except ValueError:
|
||||
# This blueprint was already registered
|
||||
pass
|
||||
|
||||
try:
|
||||
app.register_blueprint(web_bp, url_prefix='')
|
||||
except ValueError:
|
||||
|
|
@ -129,96 +121,6 @@ class EndpointTestCase(unittest.TestCase):
|
|||
self.assertEquals(rv.status_code, 200)
|
||||
|
||||
|
||||
class OAuthLoginTestCase(EndpointTestCase):
|
||||
def invoke_oauth_tests(self, callback_endpoint, attach_endpoint, service_name, service_ident,
|
||||
new_username):
|
||||
# Test callback.
|
||||
created = self.invoke_oauth_test(callback_endpoint, service_name, service_ident, new_username)
|
||||
|
||||
# Delete the created user.
|
||||
model.user.delete_user(created, [])
|
||||
|
||||
# Test attach.
|
||||
self.login('devtable', 'password')
|
||||
self.invoke_oauth_test(attach_endpoint, service_name, service_ident, 'devtable')
|
||||
|
||||
def invoke_oauth_test(self, endpoint_name, service_name, service_ident, username):
|
||||
# No CSRF.
|
||||
self.getResponse('oauthlogin.' + endpoint_name, expected_code=403)
|
||||
|
||||
# Invalid CSRF.
|
||||
self.getResponse('oauthlogin.' + endpoint_name, state='somestate', expected_code=403)
|
||||
|
||||
# Valid CSRF, invalid code.
|
||||
self.getResponse('oauthlogin.' + endpoint_name, state='someoauthtoken',
|
||||
code='invalidcode', expected_code=400)
|
||||
|
||||
# Valid CSRF, valid code.
|
||||
self.getResponse('oauthlogin.' + endpoint_name, state='someoauthtoken',
|
||||
code='somecode', expected_code=302)
|
||||
|
||||
# Ensure the user was added/modified.
|
||||
found_user = model.user.get_user(username)
|
||||
self.assertIsNotNone(found_user)
|
||||
|
||||
federated_login = model.user.lookup_federated_login(found_user, service_name)
|
||||
self.assertIsNotNone(federated_login)
|
||||
self.assertEquals(federated_login.service_ident, service_ident)
|
||||
return found_user
|
||||
|
||||
def test_google_oauth(self):
|
||||
@urlmatch(netloc=r'accounts.google.com', path='/o/oauth2/token')
|
||||
def account_handler(_, request):
|
||||
if request.body.find("code=somecode") > 0:
|
||||
content = {'access_token': 'someaccesstoken'}
|
||||
return py_json.dumps(content)
|
||||
else:
|
||||
return {'status_code': 400, 'content': '{"message": "Invalid code"}'}
|
||||
|
||||
@urlmatch(netloc=r'www.googleapis.com', path='/oauth2/v1/userinfo')
|
||||
def user_handler(_, __):
|
||||
content = {
|
||||
'id': 'someid',
|
||||
'email': 'someemail@example.com',
|
||||
'verified_email': True,
|
||||
}
|
||||
return py_json.dumps(content)
|
||||
|
||||
with HTTMock(account_handler, user_handler):
|
||||
self.invoke_oauth_tests('google_oauth_callback', 'google_oauth_attach', 'google',
|
||||
'someid', 'someemail')
|
||||
|
||||
def test_github_oauth(self):
|
||||
@urlmatch(netloc=r'github.com', path='/login/oauth/access_token')
|
||||
def account_handler(url, _):
|
||||
if url.query.find("code=somecode") > 0:
|
||||
content = {'access_token': 'someaccesstoken'}
|
||||
return py_json.dumps(content)
|
||||
else:
|
||||
return {'status_code': 400, 'content': '{"message": "Invalid code"}'}
|
||||
|
||||
@urlmatch(netloc=r'github.com', path='/api/v3/user')
|
||||
def user_handler(_, __):
|
||||
content = {
|
||||
'id': 'someid',
|
||||
'login': 'someusername'
|
||||
}
|
||||
return py_json.dumps(content)
|
||||
|
||||
@urlmatch(netloc=r'github.com', path='/api/v3/user/emails')
|
||||
def email_handler(_, __):
|
||||
content = [{
|
||||
'email': 'someemail@example.com',
|
||||
'verified': True,
|
||||
'primary': True,
|
||||
}]
|
||||
return py_json.dumps(content)
|
||||
|
||||
with HTTMock(account_handler, email_handler, user_handler):
|
||||
self.invoke_oauth_tests('github_oauth_callback', 'github_oauth_attach', 'github',
|
||||
'someid', 'someusername')
|
||||
|
||||
|
||||
class WebEndpointTestCase(EndpointTestCase):
|
||||
def test_index(self):
|
||||
self.getResponse('web.index')
|
||||
|
|
|
|||
Reference in a new issue