"""Test the OAuth2 authorisation"""

import pytest

from gn_auth.auth.db import sqlite3 as db

# Expected response for a successful password grant. The access_token is the
# fixed value gen_token() returns, and the granted scope is "profile" only.
SUCCESS_RESULT = {
    "status_code": 200,
    "result": {
        "access_token": "123456ABCDE",
        "expires_in": 864000,
        "scope": "profile",
        "token_type": "Bearer",
    },
}

# Expected response when the credentials are rejected. The description does
# not disclose which of the two credentials was wrong.
USERNAME_PASSWORD_FAIL_RESULT = {
    "status_code": 400,
    "result": {
        "error": "invalid_request",
        "error_description": 'Invalid "username" or "password" in request.',
    },
}

def gen_token(client, grant_type, user, scope):
    """Return the fixed access-token string these tests expect.

    The parameters presumably mirror the application's token generator so
    this stub can stand in for it (confirm against the app's generator);
    none of them affect the returned value.
    """
    del client, grant_type, user, scope  # accepted only for signature parity
    return "123456ABCDE"


@pytest.mark.skip(
    "Use of JWTs means the password grant is broken. We should probably drop "
    "support for the password grant in the code, since it is actually a "
    "deprecated type of grant anyway.")
@pytest.mark.unit_test
@pytest.mark.parametrize(
    "test_data,expected",
    ((("group@lead.er", "password_for_user_001", 0), SUCCESS_RESULT),
     (("group@mem.ber01", "password_for_user_002", 1), SUCCESS_RESULT),
     (("group@mem.ber02", "password_for_user_003", 2), SUCCESS_RESULT),
     (("unaff@iliated.user", "password_for_user_004", 3), SUCCESS_RESULT),
     (("group@lead.er", "brrr", 0), USERNAME_PASSWORD_FAIL_RESULT),
     (("group@mem.ber010", "password_for_user_002", 1), USERNAME_PASSWORD_FAIL_RESULT),
     (("papa", "yada", 2), USERNAME_PASSWORD_FAIL_RESULT),
     # (("unaff@iliated.user", "password_for_user_004", 1), USERNAME_PASSWORD_FAIL_RESULT)
     ))
def test_token(fxtr_app, fxtr_oauth2_clients, test_data, expected):
    """
    GIVEN: a registered oauth2 client and a user
    WHEN: a token is requested via the 'password' grant
    THEN: check that:
      a) with a valid email and password the response carries a token, and
         the granted scope is exactly "profile" even though the request also
         asked for an unknown scope
      b) with an invalid email, password, or both, an error message comes back
      c) TODO: a user trying to use the wrong client gets an error message back
    """
    conn, oa2clients = fxtr_oauth2_clients
    email, password, client_idx = test_data
    oa2client = oa2clients[client_idx]
    # The request deliberately includes a scope the server does not define.
    # SUCCESS_RESULT lists only "profile", so the assertions below require
    # that the unknown scope is not granted.
    form = {
        "grant_type": "password",
        "scope": "profile nonexistent-scope",
        "client_id": oa2client.client_id,
        "client_secret": oa2client.client_secret,
        "username": email,
        "password": password,
    }

    with fxtr_app.test_client() as client, db.cursor(conn) as cursor:
        res = client.post("/auth/token", data=form)
        # Remove whatever token the request stored so the next parametrized
        # case starts from a clean table. The key is the stub value returned
        # by gen_token(), which is also the access_token SUCCESS_RESULT
        # expects; this assumes the app issues that same stub token under
        # test -- confirm against the fixtures.
        cursor.execute("DELETE FROM oauth2_tokens WHERE access_token=?",
                       (gen_token(None, None, None, None),))

    assert res.status_code == expected["status_code"]
    for key, value in expected["result"].items():
        assert res.json[key] == value