django-oidc-provider/oidc_provider/tests/app/utils.py

import random
import string

import django
from django.contrib.auth.backends import ModelBackend

try:
    from urlparse import parse_qs, urlsplit
except ImportError:
    from urllib.parse import parse_qs, urlsplit

from django.utils import timezone
from django.contrib.auth.models import User

from oidc_provider.models import (
    Client,
    Code,
    Token,
    ResponseType)


FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
FAKE_RANDOM_STRING = ''.join(
    random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
FAKE_CODE_CHALLENGE = 'YlYXEqXuRm-Xgi2BOUiK50JW1KsGTX6F1TDnZSC8VTg'
FAKE_CODE_VERIFIER = 'SmxGa0XueyNh5bDgTcSrqzAh2_FmXEqU8kDT6CuXicw'


def create_fake_user():
    """
    Create a test user.

    Return a User object.
    """
    user = User()
    user.username = 'johndoe'
    user.email = 'johndoe@example.com'
    user.first_name = 'John'
    user.last_name = 'Doe'
    user.set_password('1234')

    user.save()

    return user


def create_fake_client(response_type, is_public=False, require_consent=True):
    """
    Create a test client, response_type argument MUST be:
    'code', 'id_token' or 'id_token token'.

    Return a Client object.
    """
    client = Client()
    client.name = 'Some Client'
    client.client_id = str(random.randint(1, 999999)).zfill(6)
    if is_public:
        client.client_type = 'public'
        client.client_secret = ''
    else:
        client.client_secret = str(random.randint(1, 999999)).zfill(6)
    client.redirect_uris = ['http://example.com/']
    client.require_consent = require_consent

    client.save()

    # check if response_type is a string in a python 2 and 3 compatible way
    if isinstance(response_type, ("".__class__, u"".__class__)):
        response_type = (response_type,)
    for value in response_type:
        client.response_types.add(ResponseType.objects.get(value=value))

    return client


def create_fake_token(user, scopes, client):
    expires_at = timezone.now() + timezone.timedelta(seconds=60)
    token = Token(user=user, client=client, expires_at=expires_at)
    token.scope = scopes

    token.save()

    return token


def is_code_valid(url, user, client):
    """
    Check if the code inside the url is valid. Supporting both query string and fragment.
    """
    try:
        parsed = urlsplit(url)
        params = parse_qs(parsed.query or parsed.fragment)
        code = params['code'][0]
        code = Code.objects.get(code=code)
        is_code_ok = (code.client == client) and (code.user == user)
    except Exception:
        is_code_ok = False

    return is_code_ok


def userinfo(claims, user):
    """
    Fake function for setting OIDC_USERINFO.
    """
    claims['given_name'] = 'John'
    claims['family_name'] = 'Doe'
    claims['name'] = '{0} {1}'.format(claims['given_name'], claims['family_name'])
    claims['email'] = user.email
    claims['email_verified'] = True
    claims['address']['country'] = 'Argentina'
    return claims


def fake_sub_generator(user):
    """
    Fake function for setting OIDC_IDTOKEN_SUB_GENERATOR.
    """
    return user.email


def fake_idtoken_processing_hook(id_token, user, **kwargs):
    """
    Fake function for inserting some keys into token. Testing OIDC_IDTOKEN_PROCESSING_HOOK.
    """
    id_token['test_idtoken_processing_hook'] = FAKE_RANDOM_STRING
    id_token['test_idtoken_processing_hook_user_email'] = user.email
    return id_token


def fake_idtoken_processing_hook2(id_token, user, **kwargs):
    """
    Fake function for inserting some keys into token.
    Testing OIDC_IDTOKEN_PROCESSING_HOOK - tuple or list as param
    """
    id_token['test_idtoken_processing_hook2'] = FAKE_RANDOM_STRING
    id_token['test_idtoken_processing_hook_user_email2'] = user.email
    return id_token


def fake_idtoken_processing_hook3(id_token, user, token, **kwargs):
    """
    Fake function for checking scope is passed to processing hook.
    """
    id_token['scope_of_token_passed_to_processing_hook'] = token.scope
    return id_token


def fake_idtoken_processing_hook4(id_token, user, **kwargs):
    """
    Fake function for checking kwargs passed to processing hook.
    """
    id_token['kwargs_passed_to_processing_hook'] = {
        key: repr(value)
        for (key, value) in kwargs.items()
    }
    return id_token


def fake_introspection_processing_hook(response_dict, client, id_token):
    response_dict['test_introspection_processing_hook'] = FAKE_RANDOM_STRING
    return response_dict


class TestAuthBackend:
    def authenticate(self, *args, **kwargs):
        if django.VERSION[0] >= 2 or (django.VERSION[0] == 1 and django.VERSION[1] >= 11):
            assert len(args) > 0 and args[0]
        return ModelBackend().authenticate(*args, **kwargs)
Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00			`import random`
			`import string`
include request in password grant authenticate call An an example this can be used to help implement measures against brute force attacks and to alert on or mitigate other untrusted authentication attempts. 2017-11-22 17:40:58 +00:00
			`import django`
			`from django.contrib.auth.backends import ModelBackend`

Add support for redirect_uris with query params Some clients might add extra parameters to the redirect_uri, for instance as extra verification if proper state parameter handling is not supported. This patch adds proper handling of redirect_uris with query parameters. 2015-07-10 10:22:25 +00:00			`try:`
			`from urlparse import parse_qs, urlsplit`
			`except ImportError:`
			`from urllib.parse import parse_qs, urlsplit`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00
Make Client available when using OIDC_EXTRA_SCOPE_CLAIMS Now it's passed the Token to the ScopeClaims constructor so that it can make Client avaialble to implementors 2016-10-12 19:23:57 +00:00			`from django.utils import timezone`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`from django.contrib.auth.models import User`

Fix global imports Global imports ("from X import *") are discouraged in Python. 2016-08-11 22:05:13 +00:00			`from oidc_provider.models import (`
			`Client,`
			`Code,`
support multiple response types per client The Dynamic Client Registration spec specifies multiple response_types and grant_types per client (https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata). Since grant_types can be inferred from response_types we should be able to support both without needing to store grant_types. This also helps with oidc-client-js which expects a client that supports both "id_token" and "id_token token". 2018-08-15 20:43:48 +00:00			`Token,`
			`ResponseType)`
Add some tests. 2015-02-11 18:37:51 +00:00

Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00			`FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'`
Fix PEP8. 2018-03-23 18:46:12 +00:00			`FAKE_RANDOM_STRING = ''.join(`
			`random.choice(string.ascii_uppercase + string.digits) for _ in range(32))`
Remplace AES encryption with database. For saving PKCE parameters. 2016-04-07 19:18:47 +00:00			`FAKE_CODE_CHALLENGE = 'YlYXEqXuRm-Xgi2BOUiK50JW1KsGTX6F1TDnZSC8VTg'`
			`FAKE_CODE_VERIFIER = 'SmxGa0XueyNh5bDgTcSrqzAh2_FmXEqU8kDT6CuXicw'`
Fix tests for using nonce parameter. 2015-07-16 18:04:33 +00:00
Add tests for userinfo claims. 2015-08-11 18:59:57 +00:00
Add some tests. 2015-02-11 18:37:51 +00:00			`def create_fake_user():`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`"""`
			`Create a test user.`
Add some tests. 2015-02-11 18:37:51 +00:00
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`Return a User object.`
			`"""`
			`user = User()`
			`user.username = 'johndoe'`
			`user.email = 'johndoe@example.com'`
Fix scope handling of token endpoint The token endpoint handled the scope parameter incorrectly for all of the three handled grant types: 1. For "authorization_code" grant type the scope parameter in the token request should not be respected but the scope should be taken from the authorization code. It was not totally ignored, but rather the scope parameter of the token request was used for the generated ID token. This had two consequences: * Spec conforming implementations of authorization code flow didn't get correct ID tokens, since they usually don't pass scope parameter with the token request. * It's possible to get a broader scope for the ID token than what is authorized by the user in the original authorization code request. 2. For "refresh_token" grant type the scope parameter in the token request should only allow narrowing down the scope. It wasn't narrowed, but rather the original auth code scope was used for the access token and the passed in scope parameter was used for the ID token (again allowing unauthorized scopes in the ID token). 3. For "password" grant type the scope parameter in the token request should be respected. The problem with this was that it wasn't properly splitted when passed to ID token creation. Fixes #186 2017-07-07 18:58:05 +00:00			`user.first_name = 'John'`
			`user.last_name = 'Doe'`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`user.set_password('1234')`
Add some tests. 2015-02-11 18:37:51 +00:00
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`user.save()`
Add some tests. 2015-02-11 18:37:51 +00:00
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`return user`
Add some tests. 2015-02-11 18:37:51 +00:00
Add tests for userinfo claims. 2015-08-11 18:59:57 +00:00
Adds per-client consent customization 2017-03-31 16:34:03 +00:00			`def create_fake_client(response_type, is_public=False, require_consent=True):`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`"""`
			`Create a test client, response_type argument MUST be:`
			`'code', 'id_token' or 'id_token token'.`

			`Return a Client object.`
			`"""`
			`client = Client()`
			`client.name = 'Some Client'`
Refactoring tests. 2016-04-14 19:22:38 +00:00			`client.client_id = str(random.randint(1, 999999)).zfill(6)`
Not auto-approve requests for non-confidential clients. 2016-04-08 21:09:24 +00:00			`if is_public:`
			`client.client_type = 'public'`
			`client.client_secret = ''`
			`else:`
Refactoring tests. 2016-04-14 19:22:38 +00:00			`client.client_secret = str(random.randint(1, 999999)).zfill(6)`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`client.redirect_uris = ['http://example.com/']`
Adds per-client consent customization 2017-03-31 16:34:03 +00:00			`client.require_consent = require_consent`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00
			`client.save()`

document non-obvious string check 2018-08-16 20:46:50 +00:00			`# check if response_type is a string in a python 2 and 3 compatible way`
support multiple response types per client The Dynamic Client Registration spec specifies multiple response_types and grant_types per client (https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata). Since grant_types can be inferred from response_types we should be able to support both without needing to store grant_types. This also helps with oidc-client-js which expects a client that supports both "id_token" and "id_token token". 2018-08-15 20:43:48 +00:00			`if isinstance(response_type, ("".__class__, u"".__class__)):`
			`response_type = (response_type,)`
			`for value in response_type:`
			`client.response_types.add(ResponseType.objects.get(value=value))`

Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`return client`

Add tests for userinfo claims. 2015-08-11 18:59:57 +00:00
Make Client available when using OIDC_EXTRA_SCOPE_CLAIMS Now it's passed the Token to the ScopeClaims constructor so that it can make Client avaialble to implementors 2016-10-12 19:23:57 +00:00			`def create_fake_token(user, scopes, client):`
			`expires_at = timezone.now() + timezone.timedelta(seconds=60)`
			`token = Token(user=user, client=client, expires_at=expires_at)`
			`token.scope = scopes`

			`token.save()`

			`return token`


Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`def is_code_valid(url, user, client):`
			`"""`
Add test for Hybrid flow. Plus refactoring. 2016-09-08 20:15:25 +00:00			`Check if the code inside the url is valid. Supporting both query string and fragment.`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`"""`
			`try:`
Add support for redirect_uris with query params Some clients might add extra parameters to the redirect_uri, for instance as extra verification if proper state parameter handling is not supported. This patch adds proper handling of redirect_uris with query parameters. 2015-07-10 10:22:25 +00:00			`parsed = urlsplit(url)`
Add test for Hybrid flow. Plus refactoring. 2016-09-08 20:15:25 +00:00			`params = parse_qs(parsed.query or parsed.fragment)`
Add support for redirect_uris with query params Some clients might add extra parameters to the redirect_uri, for instance as extra verification if proper state parameter handling is not supported. This patch adds proper handling of redirect_uris with query parameters. 2015-07-10 10:22:25 +00:00			`code = params['code'][0]`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`code = Code.objects.get(code=code)`
Add test for Hybrid flow. Plus refactoring. 2016-09-08 20:15:25 +00:00			`is_code_ok = (code.client == client) and (code.user == user)`
Fix PEP8. 2018-03-23 18:46:12 +00:00			`except Exception:`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`is_code_ok = False`

			`return is_code_ok`
Add tests for userinfo claims. 2015-08-11 18:59:57 +00:00

Change setting OIDC_USERINFO. 2016-07-07 15:50:27 +00:00			`def userinfo(claims, user):`
Make OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function. 2016-01-12 18:17:22 +00:00			`"""`
Change setting OIDC_USERINFO. 2016-07-07 15:50:27 +00:00			`Fake function for setting OIDC_USERINFO.`
Make OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function. 2016-01-12 18:17:22 +00:00			`"""`
Change setting OIDC_USERINFO. 2016-07-07 15:50:27 +00:00			`claims['given_name'] = 'John'`
			`claims['family_name'] = 'Doe'`
			`claims['name'] = '{0} {1}'.format(claims['given_name'], claims['family_name'])`
			`claims['email'] = user.email`
Made token and token_refresh endpoint return requested claims. 2017-12-14 17:03:15 +00:00			`claims['email_verified'] = True`
Change setting OIDC_USERINFO. 2016-07-07 15:50:27 +00:00			`claims['address']['country'] = 'Argentina'`
			`return claims`
Make OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function. 2016-01-12 18:17:22 +00:00

			`def fake_sub_generator(user):`
			`"""`
			`Fake function for setting OIDC_IDTOKEN_SUB_GENERATOR.`
			`"""`
			`return user.email`
Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00

Pass token and request to OIDC_ID_TOKEN_PROCESSING_HOOK The ID token processing hook might need the token or request too, so make them available. 2018-05-23 21:24:52 +00:00			`def fake_idtoken_processing_hook(id_token, user, **kwargs):`
Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00			`"""`
Rename setting. 2016-02-12 17:51:43 +00:00			`Fake function for inserting some keys into token. Testing OIDC_IDTOKEN_PROCESSING_HOOK.`
Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00			`"""`
Rename setting. 2016-02-12 17:51:43 +00:00			`id_token['test_idtoken_processing_hook'] = FAKE_RANDOM_STRING`
added 'user' into default_idtoken_processing_hook 2016-02-17 22:28:08 +00:00			`id_token['test_idtoken_processing_hook_user_email'] = user.email`
Rename setting. 2016-02-12 17:51:43 +00:00			`return id_token`
str or list or tuple for OIDC_ID_TOKEN_PROCESSING_HOOK 2016-03-01 17:54:57 +00:00

Pass token and request to OIDC_ID_TOKEN_PROCESSING_HOOK The ID token processing hook might need the token or request too, so make them available. 2018-05-23 21:24:52 +00:00			`def fake_idtoken_processing_hook2(id_token, user, **kwargs):`
str or list or tuple for OIDC_ID_TOKEN_PROCESSING_HOOK 2016-03-01 17:54:57 +00:00			`"""`
Fix PEP8. 2018-03-23 18:46:12 +00:00			`Fake function for inserting some keys into token.`
			`Testing OIDC_IDTOKEN_PROCESSING_HOOK - tuple or list as param`
str or list or tuple for OIDC_ID_TOKEN_PROCESSING_HOOK 2016-03-01 17:54:57 +00:00			`"""`
			`id_token['test_idtoken_processing_hook2'] = FAKE_RANDOM_STRING`
			`id_token['test_idtoken_processing_hook_user_email2'] = user.email`
			`return id_token`
Pass scope to OIDC_IDTOKEN_PROCESSING_HOOK The ID token processing hook might want to add claims to the ID token conditionally based on the scope parameter. Therefore it would be very useful to provide the scope parameter to the processing hook. 2017-07-07 19:55:18 +00:00

Remove scope param from OIDC_IDTOKEN_PROCESSING_HOOK There is no need to pass in the scope parameter separately, since the scope is available via the token parameter already. 2018-05-31 07:23:58 +00:00			`def fake_idtoken_processing_hook3(id_token, user, token, **kwargs):`
Pass scope to OIDC_IDTOKEN_PROCESSING_HOOK The ID token processing hook might want to add claims to the ID token conditionally based on the scope parameter. Therefore it would be very useful to provide the scope parameter to the processing hook. 2017-07-07 19:55:18 +00:00			`"""`
			`Fake function for checking scope is passed to processing hook.`
			`"""`
Remove scope param from OIDC_IDTOKEN_PROCESSING_HOOK There is no need to pass in the scope parameter separately, since the scope is available via the token parameter already. 2018-05-31 07:23:58 +00:00			`id_token['scope_of_token_passed_to_processing_hook'] = token.scope`
Pass scope to OIDC_IDTOKEN_PROCESSING_HOOK The ID token processing hook might want to add claims to the ID token conditionally based on the scope parameter. Therefore it would be very useful to provide the scope parameter to the processing hook. 2017-07-07 19:55:18 +00:00			`return id_token`
Merge branch 'develop' of github.com:juanifioren/django-oidc-provider * 'develop' of github.com:juanifioren/django-oidc-provider: Update changelog.rst include request in password grant authenticate call Update setup.py Update changelog.rst Update changelog.rst Adjust import order and method order in introspection tests Replace resource with client in docs. Update settings docs to add extra introspection setting Update README.md Update README.md Remove the Resource model Skip csrf protection on introspection endpoint Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662 Test docs with tox. Remove Django 1.7 for travis. Drop support for Django 1.7. Move extract_client_auth to oauth2 utils. Remove duplicate link in docs. Bump version v0.6.0. Fix BaseCodeTokenModel and user attr. Update README.md Edit README and contribute doc. Edit changelog. Update changelog.rst Add protected_resource_view test using client_credentials. Fix docs. Improve docs. Client credentials implementation. Move changelog into docs. Update README.md Update CHANGELOG.md Fixed infinite callback loop in check-session iframe Fix PEP8. New migration. Update example project. Fix PEP8. Fix PEP8. PEP8 errors and urls. PEP8 models. Fix contribute docs. Fix tox for checking PEP8 all files. Update README.md Update README.md Simplify test suit. Update CHANGELOG.md Bump version 0.5.3. Update installation.rst Update CHANGELOG.md Fixed wrong Object in Template Update project to support Django 2.0 Now passing along the token to create_id_token function. Made token and token_refresh endpoint return requested claims. Sphinx documentation fixes (#219) Use request.user.is_authenticated as a bool with recent Django (#216) Fixed client id retrieval when aud is a list of str. (#210) Add owner field to Client (#211) Update CHANGELOG removed tab char Add pep8 compliance and checker Bump version Update CHANGELOG.md Preparing v0.5.2 (#201) Fix Django 2.0 deprecation warnings (#185) Fix infinite login loop if "prompt=login" (#198) fixed typos Bump version Fix scope handling of token endpoint (#193) Fixes #192 Use stored user consent for public clients too (#189) Redirect URIs must match exactly. (#191) Bug #187 prompt handling (#188) Don't pin exact versions in install_requires. 2018-05-23 21:16:26 +00:00

Pass token and request to OIDC_ID_TOKEN_PROCESSING_HOOK The ID token processing hook might need the token or request too, so make them available. 2018-05-23 21:24:52 +00:00			`def fake_idtoken_processing_hook4(id_token, user, **kwargs):`
			`"""`
			`Fake function for checking kwargs passed to processing hook.`
			`"""`
			`id_token['kwargs_passed_to_processing_hook'] = {`
			`key: repr(value)`
			`for (key, value) in kwargs.items()`
			`}`
			`return id_token`


Remove the Resource model 2018-04-23 13:59:56 +00:00			`def fake_introspection_processing_hook(response_dict, client, id_token):`
Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662 2018-02-05 15:29:08 +00:00			`response_dict['test_introspection_processing_hook'] = FAKE_RANDOM_STRING`
			`return response_dict`
include request in password grant authenticate call An an example this can be used to help implement measures against brute force attacks and to alert on or mitigate other untrusted authentication attempts. 2017-11-22 17:40:58 +00:00

			`class TestAuthBackend:`
			`def authenticate(self, args, *kwargs):`
			`if django.VERSION[0] >= 2 or (django.VERSION[0] == 1 and django.VERSION[1] >= 11):`
			`assert len(args) > 0 and args[0]`
			`return ModelBackend().authenticate(args, *kwargs)`