OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1752 Commits
13 Branches
0 Tags
45 MiB
Tree: 0a434a4736
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0a434a4736'
${ noResults }
server-tools/oauth_provider/tests/common_test_oauth_provider_...

419 lines
17 KiB
Raw Normal View History

[ADD] Add oauth_provider module
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016 SYLEAM
  3. # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
  5. import hashlib
  6. import json
  7. import mock
  8. import logging
  9. from datetime import datetime
  10. from openerp import fields
  12. _logger = logging.getLogger(__name__)
  15. class TestOAuthProviderAurhorizeController(object):
  16. def test_authorize_error_missing_arguments(self):
  17. """ Call /oauth2/authorize without any argument
  19. Must return an unknown client identifier error
  20. """
  21. self.login('demo', 'demo')
  22. response = self.get_request('/oauth2/authorize')
  23. self.assertEqual(response.status_code, 200)
  24. self.assertTrue('Unknown Client Identifier!' in response.data)
  25. self.assertTrue('This client identifier is invalid.' in response.data)
  27. def test_authorize_error_invalid_request(self):
  28. """ Call /oauth2/authorize with only the client_id argument
  30. Must return an invalid_request error
  31. """
  32. self.login('demo', 'demo')
  33. response = self.get_request('/oauth2/authorize', data={
  34. 'client_id': self.client.identifier,
  35. })
  36. self.assertEqual(response.status_code, 200)
  37. self.assertTrue('Error: invalid_request' in response.data)
  38. self.assertTrue('An unknown error occured! Please contact your '
  39. 'administrator' in response.data)
  41. def test_authorize_error_unsupported_response_type(self):
  42. """ Call /oauth2/authorize with an unsupported response type
  44. Must return an unsupported_response_type error
  45. """
  46. self.login('demo', 'demo')
  47. response = self.get_request('/oauth2/authorize', data={
  48. 'client_id': self.client.identifier,
  49. 'response_type': 'wrong response type',
  50. })
  51. self.assertEqual(response.status_code, 200)
  52. self.assertTrue('Error: unsupported_response_type' in response.data)
  53. self.assertTrue('An unknown error occured! Please contact your '
  54. 'administrator' in response.data)
  56. def test_authorize_error_wrong_scopes(self):
  57. """ Call /oauth2/authorize with wrong scopes
  59. Must return an invalid_scope error
  60. """
  61. self.login('demo', 'demo')
  62. response = self.get_request('/oauth2/authorize', data={
  63. 'client_id': self.client.identifier,
  64. 'response_type': self.client.response_type,
  65. 'scope': 'wrong scope',
  66. })
  67. self.assertEqual(response.status_code, 200)
  68. self.assertTrue('Error: invalid_scope' in response.data)
  69. self.assertTrue('An unknown error occured! Please contact your '
  70. 'administrator' in response.data)
  72. def test_authorize_error_wrong_uri(self):
  73. """ Call the authorize method with a wrong redirect_uri
  75. Must return an invalid_request error
  76. """
  77. self.login('demo', 'demo')
  78. response = self.get_request('/oauth2/authorize', data={
  79. 'client_id': self.client.identifier,
  80. 'response_type': self.client.response_type,
  81. 'redirect_uri': 'http://wrong.redirect.uri',
  82. })
  83. self.assertEqual(response.status_code, 200)
  84. self.assertTrue('Error: invalid_request' in response.data)
  85. self.assertTrue('Mismatching redirect URI' in response.data)
  87. def test_authorize_error_missing_uri(self):
  88. """ Call /oauth2/authorize without any configured redirect URI
  90. Must return an invalid_request error
  91. """
  92. self.client.redirect_uri_ids.unlink()
  93. self.login('demo', 'demo')
  94. response = self.get_request('/oauth2/authorize', data={
  95. 'client_id': self.client.identifier,
  96. 'response_type': self.client.response_type,
  97. 'scope': self.client.scope_ids[0].code,
  98. })
  99. self.assertEqual(response.status_code, 200)
  100. self.assertTrue('Error: invalid_request' in response.data)
  101. self.assertTrue('Missing redirect URI.' in response.data)
  103. def test_authorize_post_errors(self):
  104. """ Call /oauth2/authorize in POST without any session
  106. Must return an unknown client identifier error
  107. """
  108. self.login('demo', 'demo')
  109. response = self.post_request('/oauth2/authorize')
  110. self.assertEqual(response.status_code, 200)
  111. self.assertTrue('Unknown Client Identifier!' in response.data)
  112. self.assertTrue('This client identifier is invalid.' in response.data)
  114. @mock.patch('openerp.http.WebRequest.env', new_callable=mock.PropertyMock)
  115. def test_authorize_unsafe_chars(self, request_env):
  116. """ Call /oauth2/authorize with unsafe chars in the query string """
  117. # Mock the http request's environ to allow it to see test records
  118. request_env.return_value = self.env(user=self.user)
  120. query_string = 'client_id=%s&response_type=%s&state={}' % (
  121. self.client.identifier,
  122. self.client.response_type,
  123. )
  124. self.login('demo', 'demo')
  125. response = self.test_client.get(
  126. '/oauth2/authorize', query_string=query_string,
  127. environ_base=self.werkzeug_environ)
  128. self.assertEqual(response.status_code, 200)
  129. self.assertTrue(self.client.name in response.data)
  132. class TestOAuthProviderRefreshTokenController(object):
  133. def test_refresh_token_error_too_much_scopes(self):
  134. """ Call /oauth2/token using a refresh token, with too much scopes """
  135. token = self.new_token()
  136. response = self.post_request('/oauth2/token', data={
  137. 'client_id': self.client.identifier,
  138. 'scope': self.client.scope_ids.mapped('code'),
  139. 'grant_type': 'refresh_token',
  140. 'refresh_token': token.refresh_token,
  141. })
  142. self.assertEqual(response.status_code, 401)
  143. self.assertEqual(json.loads(response.data), {'error': 'invalid_scope'})
  145. def test_refresh_token(self):
  146. """ Get a new token using the refresh token """
  147. token = self.new_token()
  148. token.scope_ids = self.client.scope_ids[0]
  149. response = self.post_request('/oauth2/token', data={
  150. 'client_id': self.client.identifier,
  151. 'scope': ' '.join(token.scope_ids.mapped('code')),
  152. 'grant_type': 'refresh_token',
  153. 'refresh_token': token.refresh_token,
  154. })
  155. response_data = json.loads(response.data)
  156. # A new token should have been generated
  157. # We can safely pick the latest generated token here, because no other
  158. # token could have been generated during the test
  159. new_token = self.env['oauth.provider.token'].search([
  160. ('client_id', '=', self.client.id)
  161. ], order='id DESC', limit=1)
  162. self.assertEqual(response.status_code, 200)
  163. self.assertEqual(new_token.token, response_data['access_token'])
  164. self.assertEqual(new_token.token_type, response_data['token_type'])
  165. self.assertEqual(
  166. new_token.refresh_token, response_data['refresh_token'])
  167. self.assertEqual(new_token.scope_ids, token.scope_ids)
  168. self.assertEqual(new_token.user_id, self.user)
  171. class TestOAuthProviderTokeninfoController(object):
  172. def test_tokeninfo_error_missing_arguments(self):
  173. """ Call /oauth2/tokeninfo without any argument
  175. Must retun an invalid_or_expired_token error
  176. """
  177. response = self.get_request('/oauth2/tokeninfo')
  178. self.assertEqual(response.status_code, 401)
  179. self.assertEqual(
  180. json.loads(response.data), {'error': 'invalid_or_expired_token'})
  182. def test_tokeninfo(self):
  183. """ Retrieve token information """
  184. token = self.new_token()
  185. token.scope_ids = self.client.scope_ids[0]
  186. response = self.get_request('/oauth2/tokeninfo', data={
  187. 'access_token': token.token,
  188. })
  189. token_lifetime = (fields.Datetime.from_string(token.expires_at) -
  190. datetime.now()).seconds
  191. response_data = json.loads(response.data)
  192. self.assertEqual(response.status_code, 200)
  193. self.assertEqual(
  194. response_data['audience'], token.client_id.identifier)
  195. self.assertEqual(
  196. response_data['scopes'], ' '.join(token.scope_ids.mapped('code')))
  197. # Test a range because the test might not be accurate, depending on the
  198. # test system load
  199. self.assertTrue(
  200. token_lifetime - 5 < response_data['expires_in'] <
  201. token_lifetime + 5)
  202. self.assertEqual(
  203. response_data['user_id'],
  204. hashlib.sha256(token.client_id.identifier +
  205. token.user_id.oauth_identifier).hexdigest())
  207. def test_tokeninfo_without_scopes(self):
  208. """ Call /oauth2/tokeninfo without any scope
  210. Retrieve token information without any scopes on the token
  211. The user_id field should not be included
  212. """
  213. token = self.new_token()
  214. token.scope_ids = self.env['oauth.provider.scope']
  215. response = self.get_request('/oauth2/tokeninfo', data={
  216. 'access_token': token.token,
  217. })
  218. token_lifetime = (fields.Datetime.from_string(token.expires_at) -
  219. datetime.now()).seconds
  220. response_data = json.loads(response.data)
  221. self.assertEqual(response.status_code, 200)
  222. self.assertEqual(
  223. response_data['audience'], token.client_id.identifier)
  224. self.assertEqual(
  225. response_data['scopes'], ' '.join(token.scope_ids.mapped('code')))
  226. # Test a range because the test might not be accurate, depending on the
  227. # test system load
  228. self.assertTrue(
  229. token_lifetime - 5 < response_data['expires_in'] <
  230. token_lifetime + 5)
  233. class TestOAuthProviderUserinfoController(object):
  234. def test_userinfo_error_missing_arguments(self):
  235. """ Call /oauth2/userinfo without any argument
  237. Must return an invalid_or_expired_token error
  238. """
  239. response = self.get_request('/oauth2/userinfo')
  240. self.assertEqual(response.status_code, 401)
  241. self.assertEqual(
  242. json.loads(response.data), {'error': 'invalid_or_expired_token'})
  244. def test_userinfo_single_scope(self):
  245. """ Retrieve user information with only a single scope """
  246. token = self.new_token()
  247. token.scope_ids = self.client.scope_ids[0]
  249. # Retrieve user information
  250. response = self.get_request('/oauth2/userinfo', data={
  251. 'access_token': token.token,
  252. })
  253. self.assertEqual(response.status_code, 200)
  254. self.assertEqual(json.loads(response.data), {
  255. 'id': self.user.id,
  256. 'email': self.user.email,
  257. })
  259. def test_userinfo_multiple_scope(self):
  260. """ Retrieve user information with only a all test scopes """
  261. token = self.new_token()
  262. token.scope_ids = self.client.scope_ids
  264. # Retrieve user information
  265. response = self.get_request('/oauth2/userinfo', data={
  266. 'access_token': token.token,
  267. })
  268. # The Email scope allows to read the email
  269. # The Profile scope allows to read the name and city
  270. # The id of the recod is always added (standard Odoo behaviour)
  271. self.assertEqual(response.status_code, 200)
  272. self.assertEqual(json.loads(response.data), {
  273. 'id': self.user.id,
  274. 'name': self.user.name,
  275. 'email': self.user.email,
  276. 'city': self.user.city,
  277. })
  280. class TestOAuthProviderOtherinfoController(object):
  281. def test_otherinfo_error_missing_arguments(self):
  282. """ Call /oauth2/otherinfo method without any argument
  284. Must return an invalid_or_expired_token error
  285. """
  286. response = self.get_request('/oauth2/otherinfo')
  287. self.assertEqual(response.status_code, 401)
  288. self.assertEqual(
  289. json.loads(response.data), {'error': 'invalid_or_expired_token'})
  291. def test_otherinfo_error_missing_model(self):
  292. """ Call /oauth2/otherinfo method without the model argument
  294. Must return an invalid_model error
  295. """
  296. token = self.new_token()
  297. response = self.get_request(
  298. '/oauth2/otherinfo', data={'access_token': token.token})
  299. self.assertEqual(response.status_code, 400)
  300. self.assertEqual(json.loads(response.data), {'error': 'invalid_model'})
  302. def test_otherinfo_error_invalid_model(self):
  303. """ Call /oauth2/otherinfo method withan invalid model
  305. Must return an invalid_model error
  306. """
  307. token = self.new_token()
  308. response = self.get_request(
  309. '/oauth2/otherinfo',
  310. data={'access_token': token.token, 'model': 'invalid.model'})
  311. self.assertEqual(response.status_code, 400)
  312. self.assertEqual(json.loads(response.data), {'error': 'invalid_model'})
  314. def test_otherinfo_user_information(self):
  315. """ Call /oauth2/otherinfo to retrieve information using the token """
  316. token = self.new_token()
  317. token.scope_ids = self.client.scope_ids
  319. # Add a new scope to test informations retrieval
  320. token.scope_ids += self.env['oauth.provider.scope'].create({
  321. 'name': 'Groups',
  322. 'code': 'groups',
  323. 'description': 'List of accessible groups',
  324. 'model_id': self.env.ref('base.model_res_groups').id,
  325. 'filter_id': False,
  326. 'field_ids': [
  327. (6, 0, [self.env.ref('base.field_res_groups_name').id]),
  328. ],
  329. })
  330. # Retrieve user information
  331. response = self.get_request('/oauth2/otherinfo', data={
  332. 'access_token': token.token,
  333. 'model': 'res.users',
  334. })
  335. # The Email scope allows to read the email
  336. # The Profile scope allows to read the name and city
  337. # The id of the recod is always added (standard Odoo behaviour)
  338. self.assertEqual(response.status_code, 200)
  339. self.assertEqual(json.loads(response.data), {str(self.user.id): {
  340. 'id': self.user.id,
  341. 'name': self.user.name,
  342. 'email': self.user.email,
  343. 'city': self.user.city,
  344. }})
  346. def test_otherinfo_group_information(self):
  347. """ Call /oauth2/otherinfo to retrieve information using the token """
  348. token = self.new_token()
  349. token.scope_ids = self.client.scope_ids
  351. # Add a new scope to test informations retrieval
  352. token.scope_ids += self.env['oauth.provider.scope'].create({
  353. 'name': 'Groups',
  354. 'code': 'groups',
  355. 'description': 'List of accessible groups',
  356. 'model_id': self.env.ref('base.model_res_groups').id,
  357. 'filter_id': False,
  358. 'field_ids': [
  359. (6, 0, [self.env.ref('base.field_res_groups_name').id]),
  360. ],
  361. })
  363. # Retrieve groups information
  364. all_groups = self.env['res.groups'].search([])
  365. response = self.get_request('/oauth2/otherinfo', data={
  366. 'access_token': token.token,
  367. 'model': 'res.groups',
  368. })
  369. self.assertEqual(response.status_code, 200)
  370. self.assertEqual(
  371. sorted(json.loads(response.data).keys()),
  372. sorted(map(str, all_groups.ids)))
  375. class TestOAuthProviderRevokeTokenController(object):
  376. def test_revoke_token_error_missing_arguments(self):
  377. """ Call /oauth2/revoke_token method without any argument """
  378. response = self.post_request('/oauth2/revoke_token')
  379. self.assertEqual(response.status_code, 401)
  380. self.assertEqual(
  381. json.loads(response.data), {'error': 'invalid_or_expired_token'})
  383. def test_revoke_token_error_missing_client_id(self):
  384. """ Call /oauth2/revoke_token method without client identifier """
  385. token = self.new_token()
  386. response = self.post_request('/oauth2/revoke_token', data={
  387. 'token': token.token,
  388. })
  389. self.assertEqual(response.status_code, 401)
  390. self.assertEqual(
  391. json.loads(response.data), {'error': 'invalid_client'})
  393. def test_revoke_token_error_missing_token(self):
  394. """ Call /oauth2/revoke_token method without token """
  395. response = self.post_request('/oauth2/revoke_token', data={
  396. 'client_id': self.client.identifier,
  397. })
  398. self.assertEqual(response.status_code, 401)
  399. self.assertEqual(
  400. json.loads(response.data), {'error': 'invalid_or_expired_token'})
  402. def test_revoke_access_token(self):
  403. """ Revoke an access token """
  404. token = self.new_token()
  405. self.post_request('/oauth2/revoke_token', data={
  406. 'client_id': self.client.identifier,
  407. 'token': token.token,
  408. })
  409. self.assertFalse(token.exists())
  411. def test_revoke_refresh_token(self):
  412. """ Revoke a refresh token """
  413. token = self.new_token()
  414. self.post_request('/oauth2/revoke_token', data={
  415. 'client_id': self.client.identifier,
  416. 'token': token.refresh_token,
  417. })
  418. self.assertTrue(token.exists())
  419. self.assertFalse(token.refresh_token)