Merge branch 'master' into 672-fix-null-expires-in

7 files changed, 201 insertions, 9 deletions

diff --git a/tests/oauth2/rfc6749/endpoints/test_base_endpoint.py b/tests/oauth2/rfc6749/endpoints/test_base_endpoint.py
index 4f78d9b..bf04a42 100644
--- a/tests/oauth2/rfc6749/endpoints/test_base_endpoint.py
+++ b/tests/oauth2/rfc6749/endpoints/test_base_endpoint.py
@@ -25,7 +25,7 @@ class BaseEndpointTest(TestCase):
         server = Server(validator)
         server.catch_errors = True
         h, b, s = server.create_token_response(
-            'https://example.com?grant_type=authorization_code&code=abc'
+            'https://example.com', body='grant_type=authorization_code&code=abc'
         )
         self.assertIn("server_error", b)
         self.assertEqual(s, 500)
diff --git a/tests/oauth2/rfc6749/endpoints/test_error_responses.py b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
index a249cb1..2479836 100644
--- a/tests/oauth2/rfc6749/endpoints/test_error_responses.py
+++ b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
@@ -6,11 +6,11 @@ import json
 
 import mock
 
+from oauthlib.common import urlencode
 from oauthlib.oauth2 import (BackendApplicationServer, LegacyApplicationServer,
                              MobileApplicationServer, RequestValidator,
                              WebApplicationServer)
 from oauthlib.oauth2.rfc6749 import errors
-
 from ....unittest import TestCase
 
 
@@ -437,3 +437,56 @@ class ErrorResponseTest(TestCase):
         _, body, _ = self.backend.create_token_response('https://i.b/token',
                 body='grant_type=bar')
         self.assertEqual('unsupported_grant_type', json.loads(body)['error'])
+
+    def test_invalid_request_method(self):
+        test_methods = ['GET', 'pUt', 'dEleTe', 'paTcH']
+        test_methods = test_methods + [x.lower() for x in test_methods] + [x.upper() for x in test_methods]
+        for method in test_methods:
+            self.validator.authenticate_client.side_effect = self.set_client
+
+            uri = "http://i/b/token/"
+            try:
+                _, body, s = self.web.create_token_response(uri,
+                        body='grant_type=access_token&code=123', http_method=method)
+                self.fail('This should have failed with InvalidRequestError')
+            except errors.InvalidRequestError as ire:
+                self.assertIn('Unsupported request method', ire.description)
+
+            try:
+                _, body, s = self.legacy.create_token_response(uri,
+                        body='grant_type=access_token&code=123', http_method=method)
+                self.fail('This should have failed with InvalidRequestError')
+            except errors.InvalidRequestError as ire:
+                self.assertIn('Unsupported request method', ire.description)
+
+            try:
+                _, body, s = self.backend.create_token_response(uri,
+                        body='grant_type=access_token&code=123', http_method=method)
+                self.fail('This should have failed with InvalidRequestError')
+            except errors.InvalidRequestError as ire:
+                self.assertIn('Unsupported request method', ire.description)
+
+    def test_invalid_post_request(self):
+        self.validator.authenticate_client.side_effect = self.set_client
+        for param in ['token', 'secret', 'code', 'foo']:
+            uri = 'https://i/b/token?' + urlencode([(param, 'secret')])
+            try:
+                _, body, s = self.web.create_token_response(uri,
+                        body='grant_type=access_token&code=123')
+                self.fail('This should have failed with InvalidRequestError')
+            except errors.InvalidRequestError as ire:
+                self.assertIn('URL query parameters are not allowed', ire.description)
+
+            try:
+                _, body, s = self.legacy.create_token_response(uri,
+                        body='grant_type=access_token&code=123')
+                self.fail('This should have failed with InvalidRequestError')
+            except errors.InvalidRequestError as ire:
+                self.assertIn('URL query parameters are not allowed', ire.description)
+
+            try:
+                _, body, s = self.backend.create_token_response(uri,
+                        body='grant_type=access_token&code=123')
+                self.fail('This should have failed with InvalidRequestError')
+            except errors.InvalidRequestError as ire:
+                self.assertIn('URL query parameters are not allowed', ire.description)
diff --git a/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py b/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
index b9bf76a..ae3deae 100644
--- a/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
+++ b/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
@@ -139,3 +139,33 @@ class IntrospectEndpointTest(TestCase):
         self.assertEqual(h, self.resp_h)
         self.assertEqual(loads(b)['error'], 'invalid_request')
         self.assertEqual(s, 400)
+
+    def test_introspect_invalid_request_method(self):
+        endpoint = IntrospectEndpoint(self.validator,
+                                      supported_token_types=['access_token'])
+        test_methods = ['GET', 'pUt', 'dEleTe', 'paTcH']
+        test_methods = test_methods + [x.lower() for x in test_methods] + [x.upper() for x in test_methods]
+        for method in test_methods:
+            body = urlencode([('token', 'foo'),
+                              ('token_type_hint', 'refresh_token')])
+            h, b, s = endpoint.create_introspect_response(self.uri,
+                    http_method = method, headers=self.headers, body=body)
+            self.assertEqual(h, self.resp_h)
+            self.assertEqual(loads(b)['error'], 'invalid_request')
+            self.assertIn('Unsupported request method', loads(b)['error_description'])
+            self.assertEqual(s, 400)
+
+    def test_introspect_bad_post_request(self):
+        endpoint = IntrospectEndpoint(self.validator,
+                                      supported_token_types=['access_token'])
+        for param in ['token', 'secret', 'code', 'foo']:
+            uri = 'http://some.endpoint?' + urlencode([(param, 'secret')])
+            body = urlencode([('token', 'foo'),
+                              ('token_type_hint', 'access_token')])
+            h, b, s = endpoint.create_introspect_response(
+                uri,
+                headers=self.headers, body=body)
+            self.assertEqual(h, self.resp_h)
+            self.assertEqual(loads(b)['error'], 'invalid_request')
+            self.assertIn('query parameters are not allowed', loads(b)['error_description'])
+            self.assertEqual(s, 400)
diff --git a/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py b/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py
index 2a24177..17be3a5 100644
--- a/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py
+++ b/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py
@@ -120,3 +120,32 @@ class RevocationEndpointTest(TestCase):
         self.assertEqual(h, self.resp_h)
         self.assertEqual(loads(b)['error'], 'invalid_request')
         self.assertEqual(s, 400)
+
+    def test_revoke_invalid_request_method(self):
+        endpoint = RevocationEndpoint(self.validator,
+                                      supported_token_types=['access_token'])
+        test_methods = ['GET', 'pUt', 'dEleTe', 'paTcH']
+        test_methods = test_methods + [x.lower() for x in test_methods] + [x.upper() for x in test_methods]
+        for method in test_methods:
+            body = urlencode([('token', 'foo'),
+                              ('token_type_hint', 'refresh_token')])
+            h, b, s = endpoint.create_revocation_response(self.uri,
+                    http_method = method, headers=self.headers, body=body)
+            self.assertEqual(h, self.resp_h)
+            self.assertEqual(loads(b)['error'], 'invalid_request')
+            self.assertIn('Unsupported request method', loads(b)['error_description'])
+            self.assertEqual(s, 400)
+
+    def test_revoke_bad_post_request(self):
+        endpoint = RevocationEndpoint(self.validator,
+                                      supported_token_types=['access_token'])
+        for param in ['token', 'secret', 'code', 'foo']:
+            uri = 'http://some.endpoint?' + urlencode([(param, 'secret')])
+            body = urlencode([('token', 'foo'),
+                              ('token_type_hint', 'access_token')])
+            h, b, s = endpoint.create_revocation_response(uri,
+                    headers=self.headers, body=body)
+            self.assertEqual(h, self.resp_h)
+            self.assertEqual(loads(b)['error'], 'invalid_request')
+            self.assertIn('query parameters are not allowed', loads(b)['error_description'])
+            self.assertEqual(s, 400)
diff --git a/tests/oauth2/rfc6749/grant_types/test_authorization_code.py b/tests/oauth2/rfc6749/grant_types/test_authorization_code.py
index 00e2b6d..2c9db3c 100644
--- a/tests/oauth2/rfc6749/grant_types/test_authorization_code.py
+++ b/tests/oauth2/rfc6749/grant_types/test_authorization_code.py
@@ -215,8 +215,10 @@ class AuthorizationCodeGrantTest(TestCase):
             self.mock_validator.is_pkce_required.return_value = required
             self.request.code_challenge = "present"
             _, ri = self.auth.validate_authorization_request(self.request)
-            self.assertIsNotNone(ri["request"].code_challenge_method)
-            self.assertEqual(ri["request"].code_challenge_method, "plain")
+            self.assertIn("code_challenge", ri)
+            self.assertIn("code_challenge_method", ri)
+            self.assertEqual(ri["code_challenge"], "present")
+            self.assertEqual(ri["code_challenge_method"], "plain")
 
     def test_pkce_wrong_method(self):
         for required in [True, False]:
diff --git a/tests/oauth2/rfc6749/test_parameters.py b/tests/oauth2/rfc6749/test_parameters.py
index b9fda9c..48b7eac 100644
--- a/tests/oauth2/rfc6749/test_parameters.py
+++ b/tests/oauth2/rfc6749/test_parameters.py
@@ -73,7 +73,8 @@ class ParameterTests(TestCase):
     error_nocode = 'https://client.example.com/cb?state=xyz'
     error_nostate = 'https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA'
     error_wrongstate = 'https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=abc'
-    error_response = 'https://client.example.com/cb?error=access_denied&state=xyz'
+    error_denied = 'https://client.example.com/cb?error=access_denied&state=xyz'
+    error_invalid = 'https://client.example.com/cb?error=invalid_request&state=xyz'
 
     implicit_base = 'https://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&scope=abc&'
     implicit_response = implicit_base + 'state={0}&token_type=example&expires_in=3600'.format(state)
@@ -196,8 +197,10 @@ class ParameterTests(TestCase):
 
         self.assertRaises(MissingCodeError, parse_authorization_code_response,
                 self.error_nocode)
-        self.assertRaises(MissingCodeError, parse_authorization_code_response,
-                self.error_response)
+        self.assertRaises(AccessDeniedError, parse_authorization_code_response,
+                self.error_denied)
+        self.assertRaises(InvalidRequestFatalError, parse_authorization_code_response,
+                self.error_invalid)
         self.assertRaises(MismatchingStateError, parse_authorization_code_response,
                 self.error_nostate, state=self.state)
         self.assertRaises(MismatchingStateError, parse_authorization_code_response,
diff --git a/tests/oauth2/rfc6749/test_tokens.py b/tests/oauth2/rfc6749/test_tokens.py
index 061754f..e6f49b1 100644
--- a/tests/oauth2/rfc6749/test_tokens.py
+++ b/tests/oauth2/rfc6749/test_tokens.py
@@ -1,10 +1,14 @@
 from __future__ import absolute_import, unicode_literals
 
+import mock
+
+from oauthlib.common import Request
 from oauthlib.oauth2.rfc6749.tokens import (
-    prepare_mac_header,
-    prepare_bearer_headers,
+    BearerToken,
     prepare_bearer_body,
+    prepare_bearer_headers,
     prepare_bearer_uri,
+    prepare_mac_header,
 )
 
 from ...unittest import TestCase
@@ -64,6 +68,7 @@ class TokenTest(TestCase):
     bearer_headers = {
         'Authorization': 'Bearer vF9dft4qmT'
     }
+    valid_bearer_header_lowercase = {"Authorization": "bearer vF9dft4qmT"}
     fake_bearer_headers = [
         {'Authorization': 'Beaver vF9dft4qmT'},
         {'Authorization': 'BeavervF9dft4qmT'},
@@ -98,3 +103,73 @@ class TokenTest(TestCase):
         self.assertEqual(prepare_bearer_headers(self.token), self.bearer_headers)
         self.assertEqual(prepare_bearer_body(self.token), self.bearer_body)
         self.assertEqual(prepare_bearer_uri(self.token, uri=self.uri), self.bearer_uri)
+
+    def test_valid_bearer_is_validated(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        request = Request("/", headers=self.bearer_headers)
+        result = BearerToken(request_validator=request_validator).validate_request(
+            request
+        )
+        self.assertTrue(result)
+
+    def test_lowercase_bearer_is_validated(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        request = Request("/", headers=self.valid_bearer_header_lowercase)
+        result = BearerToken(request_validator=request_validator).validate_request(
+            request
+        )
+        self.assertTrue(result)
+
+    def test_fake_bearer_is_not_validated(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        for fake_header in self.fake_bearer_headers:
+            request = Request("/", headers=fake_header)
+            result = BearerToken(request_validator=request_validator).validate_request(
+                request
+            )
+
+            self.assertFalse(result)
+
+    def test_header_with_multispaces_is_validated(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        request = Request("/", headers=self.valid_header_with_multiple_spaces)
+        result = BearerToken(request_validator=request_validator).validate_request(
+            request
+        )
+
+        self.assertTrue(result)
+
+    def test_estimate_type(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+        request = Request("/", headers=self.bearer_headers)
+        result = BearerToken(request_validator=request_validator).estimate_type(request)
+        self.assertEqual(result, 9)
+
+    def test_estimate_type_with_fake_header_returns_type_0(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        for fake_header in self.fake_bearer_headers:
+            request = Request("/", headers=fake_header)
+            result = BearerToken(request_validator=request_validator).estimate_type(
+                request
+            )
+
+            if (
+                fake_header["Authorization"].count(" ") == 2
+                and fake_header["Authorization"].split()[0] == "Bearer"
+            ):
+                # If we're dealing with the header containing 2 spaces, it will be recognized
+                # as a Bearer valid header, the token itself will be invalid by the way.
+                self.assertEqual(result, 9)
+            else:
+                self.assertEqual(result, 0)