| Joe Gregorio | 8b4c173 | 2011-12-06 11:28:29 -0500 | [diff] [blame] | 1 | #!/usr/bin/python2.4 |
| 2 | # |
| 3 | # Copyright 2010 Google Inc. |
| 4 | # |
| 5 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | # you may not use this file except in compliance with the License. |
| 7 | # You may obtain a copy of the License at |
| 8 | # |
| 9 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | # |
| 11 | # Unless required by applicable law or agreed to in writing, software |
| 12 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | # See the License for the specific language governing permissions and |
| 15 | # limitations under the License. |
| 16 | |
| 17 | |
| 18 | """Oauth2client tests |
| 19 | |
| 20 | Unit tests for oauth2client. |
| 21 | """ |
| 22 | |
| 23 | __author__ = 'jcgregorio@google.com (Joe Gregorio)' |
| 24 | |
| 25 | import httplib2 |
| 26 | import os |
| 27 | import sys |
| 28 | import time |
| 29 | import unittest |
| 30 | import urlparse |
| 31 | |
| 32 | try: |
| 33 | from urlparse import parse_qs |
| 34 | except ImportError: |
| 35 | from cgi import parse_qs |
| 36 | |
| 37 | try: # pragma: no cover |
| 38 | import simplejson |
| 39 | except ImportError: # pragma: no cover |
| 40 | try: |
| 41 | # Try to import from django, should work on App Engine |
| 42 | from django.utils import simplejson |
| 43 | except ImportError: |
| 44 | # Should work for Python2.6 and higher. |
| 45 | import json as simplejson |
| 46 | |
| 47 | from apiclient.http import HttpMockSequence |
| 48 | from oauth2client import crypt |
| 49 | from oauth2client.client import SignedJwtAssertionCredentials |
| 50 | from oauth2client.client import verify_id_token |
| 51 | from oauth2client.client import VerifyJwtTokenError |
| 52 | |
| 53 | |
| 54 | def datafile(filename): |
| 55 | f = open(os.path.join(os.path.dirname(__file__), 'data', filename), 'r') |
| 56 | data = f.read() |
| 57 | f.close() |
| 58 | return data |
| 59 | |
| 60 | |
| 61 | class CryptTests(unittest.TestCase): |
| 62 | |
| 63 | def test_sign_and_verify(self): |
| 64 | private_key = datafile('privatekey.p12') |
| 65 | public_key = datafile('publickey.pem') |
| 66 | |
| 67 | signer = crypt.Signer.from_string(private_key) |
| 68 | signature = signer.sign('foo') |
| 69 | |
| 70 | verifier = crypt.Verifier.from_string(public_key, True) |
| 71 | |
| 72 | self.assertTrue(verifier.verify('foo', signature)) |
| 73 | |
| 74 | self.assertFalse(verifier.verify('bar', signature)) |
| 75 | self.assertFalse(verifier.verify('foo', 'bad signagure')) |
| 76 | |
| 77 | def _check_jwt_failure(self, jwt, expected_error): |
| 78 | try: |
| 79 | public_key = datafile('publickey.pem') |
| 80 | certs = {'foo': public_key} |
| 81 | audience = 'https://www.googleapis.com/auth/id?client_id=' + \ |
| 82 | 'external_public_key@testing.gserviceaccount.com' |
| 83 | contents = crypt.verify_signed_jwt_with_certs(jwt, certs, audience) |
| 84 | self.fail('Should have thrown for %s' % jwt) |
| 85 | except: |
| 86 | e = sys.exc_info()[1] |
| 87 | msg = e.args[0] |
| 88 | self.assertTrue(expected_error in msg) |
| 89 | |
| 90 | def _create_signed_jwt(self): |
| 91 | private_key = datafile('privatekey.p12') |
| 92 | signer = crypt.Signer.from_string(private_key) |
| 93 | audience = 'some_audience_address@testing.gserviceaccount.com' |
| 94 | now = long(time.time()) |
| 95 | |
| 96 | return crypt.make_signed_jwt( |
| 97 | signer, |
| 98 | { |
| 99 | 'aud': audience, |
| 100 | 'iat': now, |
| 101 | 'exp': now + 300, |
| 102 | 'user': 'billy bob', |
| 103 | 'metadata': {'meta': 'data'}, |
| 104 | }) |
| 105 | |
| 106 | def test_verify_id_token(self): |
| 107 | jwt = self._create_signed_jwt() |
| 108 | public_key = datafile('publickey.pem') |
| 109 | certs = {'foo': public_key } |
| 110 | audience = 'some_audience_address@testing.gserviceaccount.com' |
| 111 | contents = crypt.verify_signed_jwt_with_certs(jwt, certs, audience) |
| 112 | self.assertEquals('billy bob', contents['user']) |
| 113 | self.assertEquals('data', contents['metadata']['meta']) |
| 114 | |
| 115 | def test_verify_id_token_with_certs_uri(self): |
| 116 | jwt = self._create_signed_jwt() |
| 117 | |
| 118 | http = HttpMockSequence([ |
| 119 | ({'status': '200'}, datafile('certs.json')), |
| 120 | ]) |
| 121 | |
| 122 | contents = verify_id_token(jwt, |
| 123 | 'some_audience_address@testing.gserviceaccount.com', http) |
| 124 | self.assertEquals('billy bob', contents['user']) |
| 125 | self.assertEquals('data', contents['metadata']['meta']) |
| 126 | |
| 127 | |
| 128 | def test_verify_id_token_with_certs_uri_fails(self): |
| 129 | jwt = self._create_signed_jwt() |
| 130 | |
| 131 | http = HttpMockSequence([ |
| 132 | ({'status': '404'}, datafile('certs.json')), |
| 133 | ]) |
| 134 | |
| 135 | self.assertRaises(VerifyJwtTokenError, verify_id_token, jwt, |
| 136 | 'some_audience_address@testing.gserviceaccount.com', http) |
| 137 | |
| 138 | def test_verify_id_token_bad_tokens(self): |
| 139 | private_key = datafile('privatekey.p12') |
| 140 | |
| 141 | # Wrong number of segments |
| 142 | self._check_jwt_failure('foo', 'Wrong number of segments') |
| 143 | |
| 144 | # Not json |
| 145 | self._check_jwt_failure('foo.bar.baz', |
| 146 | 'Can\'t parse token') |
| 147 | |
| 148 | # Bad signature |
| 149 | jwt = 'foo.%s.baz' % crypt._urlsafe_b64encode('{"a":"b"}') |
| 150 | self._check_jwt_failure(jwt, 'Invalid token signature') |
| 151 | |
| 152 | # No expiration |
| 153 | signer = crypt.Signer.from_string(private_key) |
| 154 | audience = 'https:#www.googleapis.com/auth/id?client_id=' + \ |
| 155 | 'external_public_key@testing.gserviceaccount.com' |
| 156 | jwt = crypt.make_signed_jwt(signer, { |
| 157 | 'aud': 'audience', |
| 158 | 'iat': time.time(), |
| 159 | } |
| 160 | ) |
| 161 | self._check_jwt_failure(jwt, 'No exp field in token') |
| 162 | |
| 163 | # No issued at |
| 164 | jwt = crypt.make_signed_jwt(signer, { |
| 165 | 'aud': 'audience', |
| 166 | 'exp': time.time() + 400, |
| 167 | } |
| 168 | ) |
| 169 | self._check_jwt_failure(jwt, 'No iat field in token') |
| 170 | |
| 171 | # Too early |
| 172 | jwt = crypt.make_signed_jwt(signer, { |
| 173 | 'aud': 'audience', |
| 174 | 'iat': time.time() + 301, |
| 175 | 'exp': time.time() + 400, |
| 176 | }) |
| 177 | self._check_jwt_failure(jwt, 'Token used too early') |
| 178 | |
| 179 | # Too late |
| 180 | jwt = crypt.make_signed_jwt(signer, { |
| 181 | 'aud': 'audience', |
| 182 | 'iat': time.time() - 500, |
| 183 | 'exp': time.time() - 301, |
| 184 | }) |
| 185 | self._check_jwt_failure(jwt, 'Token used too late') |
| 186 | |
| 187 | # Wrong target |
| 188 | jwt = crypt.make_signed_jwt(signer, { |
| 189 | 'aud': 'somebody else', |
| 190 | 'iat': time.time(), |
| 191 | 'exp': time.time() + 300, |
| 192 | }) |
| 193 | self._check_jwt_failure(jwt, 'Wrong recipient') |
| 194 | |
| 195 | def test_signed_jwt_assertion_credentials(self): |
| 196 | private_key = datafile('privatekey.p12') |
| 197 | credentials = SignedJwtAssertionCredentials( |
| 198 | 'some_account@example.com', |
| 199 | private_key, |
| 200 | scope='read+write', |
| 201 | prn='joe@example.org') |
| 202 | http = HttpMockSequence([ |
| 203 | ({'status': '200'}, '{"access_token":"1/3w","expires_in":3600}'), |
| 204 | ({'status': '200'}, 'echo_request_headers'), |
| 205 | ]) |
| 206 | http = credentials.authorize(http) |
| 207 | resp, content = http.request('http://example.org') |
| 208 | self.assertEquals(content['authorization'], 'OAuth 1/3w') |
| 209 | |
| 210 | if __name__ == '__main__': |
| 211 | unittest.main() |