Google Git
Sign in
android / platform / external / python / google-auth-library-python / f3568df232f8d2ae67c64397228034edd308922e / . / tests / oauth2 / test_sts.py
blob: e8e008df5da893591adf79ea41a5ec316742d94a [file] [log] [blame]
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import json
import mock
import pytest
from six.moves import http_client
from six.moves import urllib
from google.auth import exceptions
from google.auth import transport
from google.oauth2 import sts
from google.oauth2 import utils
CLIENT_ID = "username"
CLIENT_SECRET = "password"
# Base64 encoding of "username:password"
BASIC_AUTH_ENCODING = "dXNlcm5hbWU6cGFzc3dvcmQ="
class TestStsClient(object):
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
RESOURCE = "https://api.example.com/"
AUDIENCE = "urn:example:cooperation-context"
SCOPES = ["scope1", "scope2"]
REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
SUBJECT_TOKEN = "HEADER.SUBJECT_TOKEN_PAYLOAD.SIGNATURE"
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACTOR_TOKEN = "HEADER.ACTOR_TOKEN_PAYLOAD.SIGNATURE"
ACTOR_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
TOKEN_EXCHANGE_ENDPOINT = "https://example.com/token.oauth2"
ADDON_HEADERS = {"x-client-version": "0.1.2"}
ADDON_OPTIONS = {"additional": {"non-standard": ["options"], "other": "some-value"}}
SUCCESS_RESPONSE = {
"access_token": "ACCESS_TOKEN",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "scope1 scope2",
}
ERROR_RESPONSE = {
"error": "invalid_request",
"error_description": "Invalid subject token",
"error_uri": "https://tools.ietf.org/html/rfc6749",
}
CLIENT_AUTH_BASIC = utils.ClientAuthentication(
utils.ClientAuthType.basic, CLIENT_ID, CLIENT_SECRET
)
CLIENT_AUTH_REQUEST_BODY = utils.ClientAuthentication(
utils.ClientAuthType.request_body, CLIENT_ID, CLIENT_SECRET
)
@classmethod
def make_client(cls, client_auth=None):
return sts.Client(cls.TOKEN_EXCHANGE_ENDPOINT, client_auth)
@classmethod
def make_mock_request(cls, data, status=http_client.OK):
response = mock.create_autospec(transport.Response, instance=True)
response.status = status
response.data = json.dumps(data).encode("utf-8")
request = mock.create_autospec(transport.Request)
request.return_value = response
return request
@classmethod
def assert_request_kwargs(cls, request_kwargs, headers, request_data):
"""Asserts the request was called with the expected parameters.
"""
assert request_kwargs["url"] == cls.TOKEN_EXCHANGE_ENDPOINT
assert request_kwargs["method"] == "POST"
assert request_kwargs["headers"] == headers
assert request_kwargs["body"] is not None
body_tuples = urllib.parse.parse_qsl(request_kwargs["body"])
for (k, v) in body_tuples:
assert v.decode("utf-8") == request_data[k.decode("utf-8")]
assert len(body_tuples) == len(request_data.keys())
def test_exchange_token_full_success_without_auth(self):
"""Test token exchange success without client authentication using full
parameters.
"""
client = self.make_client()
headers = self.ADDON_HEADERS.copy()
headers["Content-Type"] = "application/x-www-form-urlencoded"
request_data = {
"grant_type": self.GRANT_TYPE,
"resource": self.RESOURCE,
"audience": self.AUDIENCE,
"scope": " ".join(self.SCOPES),
"requested_token_type": self.REQUESTED_TOKEN_TYPE,
"subject_token": self.SUBJECT_TOKEN,
"subject_token_type": self.SUBJECT_TOKEN_TYPE,
"actor_token": self.ACTOR_TOKEN,
"actor_token_type": self.ACTOR_TOKEN_TYPE,
"options": urllib.parse.quote(json.dumps(self.ADDON_OPTIONS)),
}
request = self.make_mock_request(
status=http_client.OK, data=self.SUCCESS_RESPONSE
)
response = client.exchange_token(
request,
self.GRANT_TYPE,
self.SUBJECT_TOKEN,
self.SUBJECT_TOKEN_TYPE,
self.RESOURCE,
self.AUDIENCE,
self.SCOPES,
self.REQUESTED_TOKEN_TYPE,
self.ACTOR_TOKEN,
self.ACTOR_TOKEN_TYPE,
self.ADDON_OPTIONS,
self.ADDON_HEADERS,
)
self.assert_request_kwargs(request.call_args[1], headers, request_data)
assert response == self.SUCCESS_RESPONSE
def test_exchange_token_partial_success_without_auth(self):
"""Test token exchange success without client authentication using
partial (required only) parameters.
"""
client = self.make_client()
headers = {"Content-Type": "application/x-www-form-urlencoded"}
request_data = {
"grant_type": self.GRANT_TYPE,
"audience": self.AUDIENCE,
"requested_token_type": self.REQUESTED_TOKEN_TYPE,
"subject_token": self.SUBJECT_TOKEN,
"subject_token_type": self.SUBJECT_TOKEN_TYPE,
}
request = self.make_mock_request(
status=http_client.OK, data=self.SUCCESS_RESPONSE
)
response = client.exchange_token(
request,
grant_type=self.GRANT_TYPE,
subject_token=self.SUBJECT_TOKEN,
subject_token_type=self.SUBJECT_TOKEN_TYPE,
audience=self.AUDIENCE,
requested_token_type=self.REQUESTED_TOKEN_TYPE,
)
self.assert_request_kwargs(request.call_args[1], headers, request_data)
assert response == self.SUCCESS_RESPONSE
def test_exchange_token_non200_without_auth(self):
"""Test token exchange without client auth responding with non-200 status.
"""
client = self.make_client()
request = self.make_mock_request(
status=http_client.BAD_REQUEST, data=self.ERROR_RESPONSE
)
with pytest.raises(exceptions.OAuthError) as excinfo:
client.exchange_token(
request,
self.GRANT_TYPE,
self.SUBJECT_TOKEN,
self.SUBJECT_TOKEN_TYPE,
self.RESOURCE,
self.AUDIENCE,
self.SCOPES,
self.REQUESTED_TOKEN_TYPE,
self.ACTOR_TOKEN,
self.ACTOR_TOKEN_TYPE,
self.ADDON_OPTIONS,
self.ADDON_HEADERS,
)
assert excinfo.match(
r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749"
)
def test_exchange_token_full_success_with_basic_auth(self):
"""Test token exchange success with basic client authentication using full
parameters.
"""
client = self.make_client(self.CLIENT_AUTH_BASIC)
headers = self.ADDON_HEADERS.copy()
headers["Content-Type"] = "application/x-www-form-urlencoded"
headers["Authorization"] = "Basic {}".format(BASIC_AUTH_ENCODING)
request_data = {
"grant_type": self.GRANT_TYPE,
"resource": self.RESOURCE,
"audience": self.AUDIENCE,
"scope": " ".join(self.SCOPES),
"requested_token_type": self.REQUESTED_TOKEN_TYPE,
"subject_token": self.SUBJECT_TOKEN,
"subject_token_type": self.SUBJECT_TOKEN_TYPE,
"actor_token": self.ACTOR_TOKEN,
"actor_token_type": self.ACTOR_TOKEN_TYPE,
"options": urllib.parse.quote(json.dumps(self.ADDON_OPTIONS)),
}
request = self.make_mock_request(
status=http_client.OK, data=self.SUCCESS_RESPONSE
)
response = client.exchange_token(
request,
self.GRANT_TYPE,
self.SUBJECT_TOKEN,
self.SUBJECT_TOKEN_TYPE,
self.RESOURCE,
self.AUDIENCE,
self.SCOPES,
self.REQUESTED_TOKEN_TYPE,
self.ACTOR_TOKEN,
self.ACTOR_TOKEN_TYPE,
self.ADDON_OPTIONS,
self.ADDON_HEADERS,
)
self.assert_request_kwargs(request.call_args[1], headers, request_data)
assert response == self.SUCCESS_RESPONSE
def test_exchange_token_partial_success_with_basic_auth(self):
"""Test token exchange success with basic client authentication using
partial (required only) parameters.
"""
client = self.make_client(self.CLIENT_AUTH_BASIC)
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Basic {}".format(BASIC_AUTH_ENCODING),
}
request_data = {
"grant_type": self.GRANT_TYPE,
"audience": self.AUDIENCE,
"requested_token_type": self.REQUESTED_TOKEN_TYPE,
"subject_token": self.SUBJECT_TOKEN,
"subject_token_type": self.SUBJECT_TOKEN_TYPE,
}
request = self.make_mock_request(
status=http_client.OK, data=self.SUCCESS_RESPONSE
)
response = client.exchange_token(
request,
grant_type=self.GRANT_TYPE,
subject_token=self.SUBJECT_TOKEN,
subject_token_type=self.SUBJECT_TOKEN_TYPE,
audience=self.AUDIENCE,
requested_token_type=self.REQUESTED_TOKEN_TYPE,
)
self.assert_request_kwargs(request.call_args[1], headers, request_data)
assert response == self.SUCCESS_RESPONSE
def test_exchange_token_non200_with_basic_auth(self):
"""Test token exchange with basic client auth responding with non-200
status.
"""
client = self.make_client(self.CLIENT_AUTH_BASIC)
request = self.make_mock_request(
status=http_client.BAD_REQUEST, data=self.ERROR_RESPONSE
)
with pytest.raises(exceptions.OAuthError) as excinfo:
client.exchange_token(
request,
self.GRANT_TYPE,
self.SUBJECT_TOKEN,
self.SUBJECT_TOKEN_TYPE,
self.RESOURCE,
self.AUDIENCE,
self.SCOPES,
self.REQUESTED_TOKEN_TYPE,
self.ACTOR_TOKEN,
self.ACTOR_TOKEN_TYPE,
self.ADDON_OPTIONS,
self.ADDON_HEADERS,
)
assert excinfo.match(
r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749"
)
def test_exchange_token_full_success_with_reqbody_auth(self):
"""Test token exchange success with request body client authenticaiton
using full parameters.
"""
client = self.make_client(self.CLIENT_AUTH_REQUEST_BODY)
headers = self.ADDON_HEADERS.copy()
headers["Content-Type"] = "application/x-www-form-urlencoded"
request_data = {
"grant_type": self.GRANT_TYPE,
"resource": self.RESOURCE,
"audience": self.AUDIENCE,
"scope": " ".join(self.SCOPES),
"requested_token_type": self.REQUESTED_TOKEN_TYPE,
"subject_token": self.SUBJECT_TOKEN,
"subject_token_type": self.SUBJECT_TOKEN_TYPE,
"actor_token": self.ACTOR_TOKEN,
"actor_token_type": self.ACTOR_TOKEN_TYPE,
"options": urllib.parse.quote(json.dumps(self.ADDON_OPTIONS)),
"client_id": CLIENT_ID,
"client_secret": CLIENT_SECRET,
}
request = self.make_mock_request(
status=http_client.OK, data=self.SUCCESS_RESPONSE
)
response = client.exchange_token(
request,
self.GRANT_TYPE,
self.SUBJECT_TOKEN,
self.SUBJECT_TOKEN_TYPE,
self.RESOURCE,
self.AUDIENCE,
self.SCOPES,
self.REQUESTED_TOKEN_TYPE,
self.ACTOR_TOKEN,
self.ACTOR_TOKEN_TYPE,
self.ADDON_OPTIONS,
self.ADDON_HEADERS,
)
self.assert_request_kwargs(request.call_args[1], headers, request_data)
assert response == self.SUCCESS_RESPONSE
def test_exchange_token_partial_success_with_reqbody_auth(self):
"""Test token exchange success with request body client authentication
using partial (required only) parameters.
"""
client = self.make_client(self.CLIENT_AUTH_REQUEST_BODY)
headers = {"Content-Type": "application/x-www-form-urlencoded"}
request_data = {
"grant_type": self.GRANT_TYPE,
"audience": self.AUDIENCE,
"requested_token_type": self.REQUESTED_TOKEN_TYPE,
"subject_token": self.SUBJECT_TOKEN,
"subject_token_type": self.SUBJECT_TOKEN_TYPE,
"client_id": CLIENT_ID,
"client_secret": CLIENT_SECRET,
}
request = self.make_mock_request(
status=http_client.OK, data=self.SUCCESS_RESPONSE
)
response = client.exchange_token(
request,
grant_type=self.GRANT_TYPE,
subject_token=self.SUBJECT_TOKEN,
subject_token_type=self.SUBJECT_TOKEN_TYPE,
audience=self.AUDIENCE,
requested_token_type=self.REQUESTED_TOKEN_TYPE,
)
self.assert_request_kwargs(request.call_args[1], headers, request_data)
assert response == self.SUCCESS_RESPONSE
def test_exchange_token_non200_with_reqbody_auth(self):
"""Test token exchange with POST request body client auth responding
with non-200 status.
"""
client = self.make_client(self.CLIENT_AUTH_REQUEST_BODY)
request = self.make_mock_request(
status=http_client.BAD_REQUEST, data=self.ERROR_RESPONSE
)
with pytest.raises(exceptions.OAuthError) as excinfo:
client.exchange_token(
request,
self.GRANT_TYPE,
self.SUBJECT_TOKEN,
self.SUBJECT_TOKEN_TYPE,
self.RESOURCE,
self.AUDIENCE,
self.SCOPES,
self.REQUESTED_TOKEN_TYPE,
self.ACTOR_TOKEN,
self.ACTOR_TOKEN_TYPE,
self.ADDON_OPTIONS,
self.ADDON_HEADERS,
)
assert excinfo.match(
r"Error code invalid_request: Invalid subject token - https://tools.ietf.org/html/rfc6749"
)