authorJonathan Huot <jonathan.huot@thomsonreuters.com>2019-01-09 17:26:57 +0100
committerJonathan Huot <jonathan.huot@thomsonreuters.com>2019-01-09 17:26:57 +0100
commite297041f9d75e79fa6692a0ff5063af8fc752c2d (patch)
tree165979136d965e21b59ff8920387847543f68606
parent20d116c0db616285ca48ef1591a8a79796a76f5d (diff)
Fix 644, Add tests for BasicAuth credentials for all endpoints644-intro-revocation-basicauth
Test Introspect, Revoke, Token (web, legacy, backend) endpoints with authenticate_client and HTTP Basic Auth.
-rw-r--r--oauthlib/oauth2/rfc6749/endpoints/introspect.py10
-rw-r--r--oauthlib/oauth2/rfc6749/endpoints/revocation.py6
-rw-r--r--tests/oauth2/rfc6749/endpoints/test_client_authentication.py58
-rw-r--r--tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py1
4 files changed, 65 insertions, 10 deletions
diff --git a/oauthlib/oauth2/rfc6749/endpoints/introspect.py b/oauthlib/oauth2/rfc6749/endpoints/introspect.py
index ff7a32d..47022fd 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/introspect.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/introspect.py
@@ -56,7 +56,7 @@ class IntrospectEndpoint(BaseEndpoint):
an introspection response indicating the token is not active
as described in Section 2.2.
"""
- headers = {
+ resp_headers = {
'Content-Type': 'application/json',
'Cache-Control': 'no-store',
'Pragma': 'no-cache',
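Review bot: The rename on the `resp_headers = {` line carries no comment saying why it matters, so a later cleanup could rename the local back and silently reintroduce the defect this commit fixes. The method signature lies outside the hunk, but the new tests expect the caller's `Authorization` header to reach `authenticate_client`, which suggests the old local `headers` shadowed a `headers` parameter so the request was built from the response headers instead of the client's. I would add `# not 'headers': that argument holds the client's request headers (e.g. Authorization) and must reach the Request` above the dict. The same observation covers the two following hunks in this file and both hunks in revocation.py, which only propagate the rename.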
@@ -67,8 +67,8 @@ class IntrospectEndpoint(BaseEndpoint):
log.debug('Token introspect valid for %r.', request)
except OAuth2Error as e:
log.debug('Client error during validation of %r. %r.', request, e)
- headers.update(e.headers)
- return headers, e.json, e.status_code
+ resp_headers.update(e.headers)
+ return resp_headers, e.json, e.status_code
claims = self.request_validator.introspect_token(
request.token,
@@ -76,10 +76,10 @@ class IntrospectEndpoint(BaseEndpoint):
request
)
if claims is None:
- return headers, json.dumps(dict(active=False)), 200
+ return resp_headers, json.dumps(dict(active=False)), 200
if "active" in claims:
claims.pop("active")
- return headers, json.dumps(dict(active=True, **claims)), 200
+ return resp_headers, json.dumps(dict(active=True, **claims)), 200
def validate_introspect_request(self, request):
"""Ensure the request is valid.
diff --git a/oauthlib/oauth2/rfc6749/endpoints/revocation.py b/oauthlib/oauth2/rfc6749/endpoints/revocation.py
index 4cd96a7..fda3f30 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/revocation.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/revocation.py
@@ -58,7 +58,7 @@ class RevocationEndpoint(BaseEndpoint):
An invalid token type hint value is ignored by the authorization server
and does not influence the revocation response.
"""
- headers = {
+ resp_headers = {
'Content-Type': 'application/json',
'Cache-Control': 'no-store',
'Pragma': 'no-cache',
@@ -73,8 +73,8 @@ class RevocationEndpoint(BaseEndpoint):
response_body = e.json
if self.enable_jsonp and request.callback:
response_body = '%s(%s);' % (request.callback, response_body)
- headers.update(e.headers)
- return headers, response_body, e.status_code
+ resp_headers.update(e.headers)
+ return resp_headers, response_body, e.status_code
self.request_validator.revoke_token(request.token,
request.token_type_hint, request)
diff --git a/tests/oauth2/rfc6749/endpoints/test_client_authentication.py b/tests/oauth2/rfc6749/endpoints/test_client_authentication.py
index 48c5f5a..133da59 100644
--- a/tests/oauth2/rfc6749/endpoints/test_client_authentication.py
+++ b/tests/oauth2/rfc6749/endpoints/test_client_authentication.py
@@ -43,6 +43,11 @@ class ClientAuthenticationTest(TestCase):
token_generator=self.inspect_client)
self.backend = BackendApplicationServer(self.validator,
token_generator=self.inspect_client)
+ self.token_uri = 'http://example.com/path'
+ self.auth_uri = 'http://example.com/path?client_id=abc&response_type=token'
+ # should be base64 but no added value in this unittest
+ self.basicauth_client_creds = {"Authorization": "john:doe"}
+ self.basicauth_client_id = {"Authorization": "john:"}
def set_client(self, request):
request.client = mock.MagicMock()
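Review bot: `self.basicauth_client_id` on the last added line is not referenced by any test in this diff, and neither is `self.auth_uri`; unless code outside these hunks uses them they are dead fixtures and should be dropped. The comment `# should be base64 but no added value in this unittest` would be more useful as `# not a real 'Basic <base64>' value: these tests only check that the header reaches authenticate_client unchanged; decoding is the validator's job`, since that forwarding is the only property the new tests establish. The hunk ends inside `set_client`, whose body continues outside it.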
@@ -54,7 +59,9 @@ class ClientAuthenticationTest(TestCase):
request.client.client_id = 'mocked'
return True
- def set_username(self, username, password, client, request):
+ def basicauth_authenticate_client(self, request):
+ assert "Authorization" in request.headers
+ assert "john:doe" in request.headers["Authorization"]
request.client = mock.MagicMock()
request.client.client_id = 'mocked'
return True
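Review bot: The two bare `assert` statements in the new `basicauth_authenticate_client` are stripped under `python -O`, in which case the side effect accepts any request and every `test_basicauth_*` test passes without checking the header at all. Because this is a `TestCase` method, `self.assertIn("Authorization", request.headers)` and `self.assertIn("john:doe", request.headers["Authorization"])` keep the check intact and give a readable failure. `set_username` also disappears from the class here; if any test outside this hunk still assigns it as a side effect, that test now breaks, which is worth a grep before merging. The enclosing class continues outside the hunk.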
@@ -86,6 +93,55 @@ class ClientAuthenticationTest(TestCase):
self.assertIn('Location', h)
self.assertIn('access_token', get_fragment_credentials(h['Location']))
+ def test_basicauth_web(self):
+ self.validator.authenticate_client.side_effect = self.basicauth_authenticate_client
+ _, body, _ = self.web.create_token_response(
+ self.token_uri,
+ body='grant_type=authorization_code&code=mock',
+ headers=self.basicauth_client_creds
+ )
+ self.assertIn('access_token', json.loads(body))
+
+ def test_basicauth_legacy(self):
+ self.validator.authenticate_client.side_effect = self.basicauth_authenticate_client
+ _, body, _ = self.legacy.create_token_response(
+ self.token_uri,
+ body='grant_type=password&username=abc&password=secret',
+ headers=self.basicauth_client_creds
+ )
+ self.assertIn('access_token', json.loads(body))
+
+ def test_basicauth_backend(self):
+ self.validator.authenticate_client.side_effect = self.basicauth_authenticate_client
+ _, body, _ = self.backend.create_token_response(
+ self.token_uri,
+ body='grant_type=client_credentials',
+ headers=self.basicauth_client_creds
+ )
+ self.assertIn('access_token', json.loads(body))
+
+ def test_basicauth_revoke(self):
+ self.validator.authenticate_client.side_effect = self.basicauth_authenticate_client
+
+ # legacy or any other uses the same RevocationEndpoint
+ _, body, status = self.legacy.create_revocation_response(
+ self.token_uri,
+ body='token=foobar',
+ headers=self.basicauth_client_creds
+ )
+ self.assertEqual(status, 200, body)
+
+ def test_basicauth_introspect(self):
+ self.validator.authenticate_client.side_effect = self.basicauth_authenticate_client
+
+ # legacy or any other uses the same IntrospectEndpoint
+ _, body, status = self.legacy.create_introspect_response(
+ self.token_uri,
+ body='token=foobar',
+ headers=self.basicauth_client_creds
+ )
+ self.assertEqual(status, 200, body)
+
def test_custom_authentication(self):
token_uri = 'http://example.com/path'
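Review bot: None of the five new tests asserts that `authenticate_client` was actually invoked, so they would still pass if an endpoint skipped client authentication entirely: `test_basicauth_revoke` and `test_basicauth_introspect` only check `status == 200`, and the three token tests only look for `access_token`, which a MagicMock validator would likely yield regardless. Adding `self.validator.authenticate_client.assert_called_once()` after each endpoint call turns them into a guard against a client-authentication bypass regression, which is the property the 644 fix is meant to secure. `test_custom_authentication` at the end of the hunk continues outside it.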
diff --git a/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py b/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
index f92652b..b9bf76a 100644
--- a/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
+++ b/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
@@ -123,7 +123,6 @@ class IntrospectEndpointTest(TestCase):
self.assertEqual(loads(b)['error'], 'invalid_client')
self.assertEqual(s, 401)
-
def test_introspect_unsupported_token(self):
endpoint = IntrospectEndpoint(self.validator,
supported_token_types=['access_token'])