django-oidc-provider/oidc_provider/tests/test_token_endpoint.py

import json
try:
    from urllib.parse import urlencode
except ImportError:
    from urllib import urlencode
import uuid

from Crypto.PublicKey import RSA
from django.core.urlresolvers import reverse
from django.test import RequestFactory
from django.test import TestCase
from jwkest import base64_to_long
import jwt

from oidc_provider.lib.utils.token import *
from oidc_provider.tests.app.utils import *
from oidc_provider.views import *


class TokenTestCase(TestCase):
    """
    To obtain an Access Token and an ID Token, the RP Client sends a
    Token Request to the Token Endpoint to obtain a Token Response
    when using the Authorization Code Flow.
    """

    def setUp(self):
        self.factory = RequestFactory()
        self.user = create_fake_user()
        self.client = create_fake_client(response_type='code')

    def _post_data(self, code):
        """
        All the data that will be POSTed to the Token Endpoint.
        """
        post_data = {
            'client_id': self.client.client_id,
            'client_secret': self.client.client_secret,
            'redirect_uri': self.client.default_redirect_uri,
            'grant_type': 'authorization_code',
            'code': code,
            'state': uuid.uuid4().hex,
        }

        return post_data

    def _post_request(self, post_data):
        """
        Makes a request to the token endpoint by sending the
        `post_data` parameters using the 'application/x-www-form-urlencoded'
        format.
        """
        url = reverse('oidc_provider:token')

        request = self.factory.post(url,
            data=urlencode(post_data),
            content_type='application/x-www-form-urlencoded')

        response = TokenView.as_view()(request)

        return response

    def _create_code(self):
        """
        Generate a valid grant code.
        """
        code = create_code(
            user=self.user,
            client=self.client,
            scope=['openid', 'email'],
            nonce=FAKE_NONCE)
        code.save()

        return code

    def test_request_methods(self):
        """
        Client sends an HTTP POST request to the Token Endpoint. Other request
        methods MUST NOT be allowed.
        """
        url = reverse('oidc_provider:token')

        requests = [
            self.factory.get(url),
            self.factory.put(url),
            self.factory.delete(url),
        ]

        for request in requests:
            response = TokenView.as_view()(request)

            self.assertEqual(response.status_code == 405, True,
                msg=request.method+' request does not return a 405 status.')

        request = self.factory.post(url)

        response = TokenView.as_view()(request)

        self.assertEqual(response.status_code == 400, True,
                msg=request.method+' request does not return a 400 status.')

    def test_client_authentication(self):
        """
        The authorization server support including the
        client credentials in the request-body using the `client_id` and
        `client_secret`parameters.

        See: http://tools.ietf.org/html/rfc6749#section-2.3.1
        """
        code = self._create_code()

        # Test a valid request to the token endpoint.
        post_data = self._post_data(code=code.code)

        response = self._post_request(post_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        self.assertEqual('access_token' in response_dic, True,
                msg='"access_token" key is missing in response.')
        self.assertEqual('error' in response_dic, False,
                msg='"error" key should not exists in response.')

        # Now, test with an invalid client_id.
        invalid_data = post_data.copy()
        invalid_data['client_id'] = self.client.client_id * 2 # Fake id.

        # Create another grant code.
        code = self._create_code()
        invalid_data['code'] = code.code

        response = self._post_request(invalid_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        self.assertEqual('error' in response_dic, True,
                msg='"error" key should exists in response.')
        self.assertEqual(response_dic.get('error') == 'invalid_client', True,
                msg='"error" key value should be "invalid_client".')

    def test_access_token_contains_nonce(self):
        """
        If present in the Authentication Request, Authorization Servers MUST
        include a nonce Claim in the ID Token with the Claim Value being the
        nonce value sent in the Authentication Request.
        If the client does not supply a nonce parameter, it SHOULD not be
        included in the `id_token`.

        See http://openid.net/specs/openid-connect-core-1_0.html#IDToken
        """
        code = self._create_code()

        post_data = self._post_data(code=code.code)

        response = self._post_request(post_data)

        response_dic = json.loads(response.content.decode('utf-8'))
        id_token = jwt.decode(response_dic['id_token'],
                              options={'verify_signature': False, 'verify_aud': False})

        self.assertEqual(id_token['nonce'], FAKE_NONCE)

        # Client does not supply a nonce parameter.
        code.nonce = ''
        code.save()

        response = self._post_request(post_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        id_token = jwt.decode(response_dic['id_token'],
                              options={'verify_signature': False, 'verify_aud': False})

        self.assertEqual(id_token.get('nonce'), None)

    def test_idtoken_sign_validation(self):
        """
        We MUST validate the signature of the ID Token according to JWS
        using the algorithm specified in the alg Header Parameter of
        the JOSE Header.
        """
        # Get public key from discovery.
        request = self.factory.get(reverse('oidc_provider:jwks'))
        response = JwksView.as_view()(request)
        response_dic = json.loads(response.content.decode('utf-8'))
        # Construct PEM key from exponent and modulus.
        try:
            key_e = base64_to_long(response_dic['keys'][0]['e'].encode('utf-8'))
            key_e = long(key_e)
        except NameError:
            key_e = int(key_e) # Python 3 support.
        key_n = base64_to_long(response_dic['keys'][0]['n'].encode('utf-8'))
        KEY = RSA.construct((key_n, key_e)).exportKey('PEM')

        self.assertEqual(response_dic['keys'][0]['alg'] == 'RS256', True,
            msg='Key from jwks_uri MUST have alg "RS256".')

        code = self._create_code()

        post_data = self._post_data(code=code.code)

        response = self._post_request(post_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        id_token = jwt.decode(response_dic['id_token'], KEY,
            algorithm='RS256', audience=str(self.client.client_id))
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`import json`
Add urllib compatibility. 2015-07-01 15:53:41 +00:00			`try:`
			`from urllib.parse import urlencode`
Add urllib and change iteritems() with items(). 2015-07-01 19:43:35 +00:00			`except ImportError:`
			`from urllib import urlencode`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`import uuid`

Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00			`from Crypto.PublicKey import RSA`
Add import for reverse function in tests. 2015-05-07 18:47:00 +00:00			`from django.core.urlresolvers import reverse`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`from django.test import RequestFactory`
			`from django.test import TestCase`
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00			`from jwkest import base64_to_long`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`import jwt`

Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`from oidc_provider.lib.utils.token import *`
Fix imports in tests. 2015-07-14 17:52:48 +00:00			`from oidc_provider.tests.app.utils import *`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`from oidc_provider.views import *`


			`class TokenTestCase(TestCase):`
			`"""`
			`To obtain an Access Token and an ID Token, the RP Client sends a`
			`Token Request to the Token Endpoint to obtain a Token Response`
			`when using the Authorization Code Flow.`
			`"""`

			`def setUp(self):`
			`self.factory = RequestFactory()`
			`self.user = create_fake_user()`
			`self.client = create_fake_client(response_type='code')`
Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00
			`def _post_data(self, code):`
			`"""`
			`All the data that will be POSTed to the Token Endpoint.`
			`"""`
			`post_data = {`
			`'client_id': self.client.client_id,`
			`'client_secret': self.client.client_secret,`
			`'redirect_uri': self.client.default_redirect_uri,`
			`'grant_type': 'authorization_code',`
			`'code': code,`
			`'state': uuid.uuid4().hex,`
			`}`

			`return post_data`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00
			`def _post_request(self, post_data):`
			`"""`
			`Makes a request to the token endpoint by sending the`
			`post_data` parameters using the 'application/x-www-form-urlencoded'
			`format.`
			`"""`
			`url = reverse('oidc_provider:token')`

			`request = self.factory.post(url,`
			`data=urlencode(post_data),`
			`content_type='application/x-www-form-urlencoded')`

			`response = TokenView.as_view()(request)`

			`return response`

			`def _create_code(self):`
			`"""`
			`Generate a valid grant code.`
			`"""`
			`code = create_code(`
			`user=self.user,`
			`client=self.client,`
Fix tests for using nonce parameter. 2015-07-16 18:04:33 +00:00			`scope=['openid', 'email'],`
			`nonce=FAKE_NONCE)`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`code.save()`

			`return code`

			`def test_request_methods(self):`
			`"""`
			`Client sends an HTTP POST request to the Token Endpoint. Other request`
			`methods MUST NOT be allowed.`
			`"""`
			`url = reverse('oidc_provider:token')`

			`requests = [`
			`self.factory.get(url),`
			`self.factory.put(url),`
			`self.factory.delete(url),`
			`]`

			`for request in requests:`
			`response = TokenView.as_view()(request)`

			`self.assertEqual(response.status_code == 405, True,`
			`msg=request.method+' request does not return a 405 status.')`

			`request = self.factory.post(url)`

			`response = TokenView.as_view()(request)`

			`self.assertEqual(response.status_code == 400, True,`
			`msg=request.method+' request does not return a 400 status.')`

			`def test_client_authentication(self):`
			`"""`
			`The authorization server support including the`
			client credentials in the request-body using the `client_id` and
			`client_secret`parameters.

			`See: http://tools.ietf.org/html/rfc6749#section-2.3.1`
			`"""`
			`code = self._create_code()`

			`# Test a valid request to the token endpoint.`
Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00			`post_data = self._post_data(code=code.code)`

Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`response = self._post_request(post_data)`
Use decode with utf-8 encoding. 2015-07-01 20:20:16 +00:00			`response_dic = json.loads(response.content.decode('utf-8'))`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00
			`self.assertEqual('access_token' in response_dic, True,`
			`msg='"access_token" key is missing in response.')`
			`self.assertEqual('error' in response_dic, False,`
			`msg='"error" key should not exists in response.')`

			`# Now, test with an invalid client_id.`
			`invalid_data = post_data.copy()`
			`invalid_data['client_id'] = self.client.client_id * 2 # Fake id.`

			`# Create another grant code.`
			`code = self._create_code()`
			`invalid_data['code'] = code.code`

			`response = self._post_request(invalid_data)`
Use decode with utf-8 encoding. 2015-07-01 20:20:16 +00:00			`response_dic = json.loads(response.content.decode('utf-8'))`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00
			`self.assertEqual('error' in response_dic, True,`
			`msg='"error" key should exists in response.')`
			`self.assertEqual(response_dic.get('error') == 'invalid_client', True,`
			`msg='"error" key value should be "invalid_client".')`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
Fix tests for using nonce parameter. 2015-07-16 18:04:33 +00:00			`def test_access_token_contains_nonce(self):`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`"""`
			`If present in the Authentication Request, Authorization Servers MUST`
			`include a nonce Claim in the ID Token with the Claim Value being the`
			`nonce value sent in the Authentication Request.`
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00			`If the client does not supply a nonce parameter, it SHOULD not be`
			included in the `id_token`.
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
			`See http://openid.net/specs/openid-connect-core-1_0.html#IDToken`
			`"""`
			`code = self._create_code()`

Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00			`post_data = self._post_data(code=code.code)`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
			`response = self._post_request(post_data)`

			`response_dic = json.loads(response.content.decode('utf-8'))`
			`id_token = jwt.decode(response_dic['id_token'],`
			`options={'verify_signature': False, 'verify_aud': False})`

Fix tests for using nonce parameter. 2015-07-16 18:04:33 +00:00			`self.assertEqual(id_token['nonce'], FAKE_NONCE)`
Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00			`# Client does not supply a nonce parameter.`
Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00			`code.nonce = ''`
			`code.save()`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
			`response = self._post_request(post_data)`
			`response_dic = json.loads(response.content.decode('utf-8'))`
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`id_token = jwt.decode(response_dic['id_token'],`
			`options={'verify_signature': False, 'verify_aud': False})`

Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00			`self.assertEqual(id_token.get('nonce'), None)`
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00
			`def test_idtoken_sign_validation(self):`
			`"""`
			`We MUST validate the signature of the ID Token according to JWS`
			`using the algorithm specified in the alg Header Parameter of`
			`the JOSE Header.`
			`"""`
			`# Get public key from discovery.`
			`request = self.factory.get(reverse('oidc_provider:jwks'))`
			`response = JwksView.as_view()(request)`
			`response_dic = json.loads(response.content.decode('utf-8'))`
			`# Construct PEM key from exponent and modulus.`
In python 3 use "int" instead of "long". 2015-07-23 19:22:42 +00:00			`try:`
Add missing encode in test. 2015-07-23 19:28:20 +00:00			`key_e = base64_to_long(response_dic['keys'][0]['e'].encode('utf-8'))`
In python 3 use "int" instead of "long". 2015-07-23 19:22:42 +00:00			`key_e = long(key_e)`
			`except NameError:`
			`key_e = int(key_e) # Python 3 support.`
Add missing encode in test. 2015-07-23 19:28:20 +00:00			`key_n = base64_to_long(response_dic['keys'][0]['n'].encode('utf-8'))`
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00			`KEY = RSA.construct((key_n, key_e)).exportKey('PEM')`

			`self.assertEqual(response_dic['keys'][0]['alg'] == 'RS256', True,`
			`msg='Key from jwks_uri MUST have alg "RS256".')`

			`code = self._create_code()`

			`post_data = self._post_data(code=code.code)`

			`response = self._post_request(post_data)`
			`response_dic = json.loads(response.content.decode('utf-8'))`

			`id_token = jwt.decode(response_dic['id_token'], KEY,`
			`algorithm='RS256', audience=str(self.client.client_id))`