Merge branch 'master' into 670-pkce-requestinfo

4 files changed, 195 insertions, 5 deletions

diff --git a/tests/oauth1/rfc5849/endpoints/test_base.py b/tests/oauth1/rfc5849/endpoints/test_base.py
index 60f7860..795ddee 100644
--- a/tests/oauth1/rfc5849/endpoints/test_base.py
+++ b/tests/oauth1/rfc5849/endpoints/test_base.py
@@ -4,7 +4,7 @@ from re import sub
 
 from mock import MagicMock
 
-from oauthlib.common import safe_string_equals
+from oauthlib.common import CaseInsensitiveDict, safe_string_equals
 from oauthlib.oauth1 import Client, RequestValidator
 from oauthlib.oauth1.rfc5849 import (SIGNATURE_HMAC, SIGNATURE_PLAINTEXT,
                                      SIGNATURE_RSA, errors)
@@ -179,6 +179,17 @@ class BaseEndpointTest(TestCase):
         self.assertRaises(errors.InvalidRequestError,
                 e._check_mandatory_parameters, r)
 
+    def test_case_insensitive_headers(self):
+        """Ensure headers are case-insensitive"""
+        v = RequestValidator()
+        e = BaseEndpoint(v)
+        r = e._create_request('https://a.b', 'POST',
+                ('oauth_signature=a&oauth_consumer_key=b&oauth_nonce=c&'
+                 'oauth_version=1.0&oauth_signature_method=RSA-SHA1&'
+                 'oauth_timestamp=123456789a'),
+                URLENCODED)
+        self.assertIsInstance(r.headers, CaseInsensitiveDict)
+
     def test_signature_method_validation(self):
         """Ensure valid signature method is used."""
 
diff --git a/tests/oauth2/rfc6749/test_tokens.py b/tests/oauth2/rfc6749/test_tokens.py
index 061754f..e6f49b1 100644
--- a/tests/oauth2/rfc6749/test_tokens.py
+++ b/tests/oauth2/rfc6749/test_tokens.py
@@ -1,10 +1,14 @@
 from __future__ import absolute_import, unicode_literals
 
+import mock
+
+from oauthlib.common import Request
 from oauthlib.oauth2.rfc6749.tokens import (
-    prepare_mac_header,
-    prepare_bearer_headers,
+    BearerToken,
     prepare_bearer_body,
+    prepare_bearer_headers,
     prepare_bearer_uri,
+    prepare_mac_header,
 )
 
 from ...unittest import TestCase
@@ -64,6 +68,7 @@ class TokenTest(TestCase):
     bearer_headers = {
         'Authorization': 'Bearer vF9dft4qmT'
     }
+    valid_bearer_header_lowercase = {"Authorization": "bearer vF9dft4qmT"}
     fake_bearer_headers = [
         {'Authorization': 'Beaver vF9dft4qmT'},
         {'Authorization': 'BeavervF9dft4qmT'},
@@ -98,3 +103,73 @@ class TokenTest(TestCase):
         self.assertEqual(prepare_bearer_headers(self.token), self.bearer_headers)
         self.assertEqual(prepare_bearer_body(self.token), self.bearer_body)
         self.assertEqual(prepare_bearer_uri(self.token, uri=self.uri), self.bearer_uri)
+
+    def test_valid_bearer_is_validated(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        request = Request("/", headers=self.bearer_headers)
+        result = BearerToken(request_validator=request_validator).validate_request(
+            request
+        )
+        self.assertTrue(result)
+
+    def test_lowercase_bearer_is_validated(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        request = Request("/", headers=self.valid_bearer_header_lowercase)
+        result = BearerToken(request_validator=request_validator).validate_request(
+            request
+        )
+        self.assertTrue(result)
+
+    def test_fake_bearer_is_not_validated(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        for fake_header in self.fake_bearer_headers:
+            request = Request("/", headers=fake_header)
+            result = BearerToken(request_validator=request_validator).validate_request(
+                request
+            )
+
+            self.assertFalse(result)
+
+    def test_header_with_multispaces_is_validated(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        request = Request("/", headers=self.valid_header_with_multiple_spaces)
+        result = BearerToken(request_validator=request_validator).validate_request(
+            request
+        )
+
+        self.assertTrue(result)
+
+    def test_estimate_type(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+        request = Request("/", headers=self.bearer_headers)
+        result = BearerToken(request_validator=request_validator).estimate_type(request)
+        self.assertEqual(result, 9)
+
+    def test_estimate_type_with_fake_header_returns_type_0(self):
+        request_validator = mock.MagicMock()
+        request_validator.validate_bearer_token = self._mocked_validate_bearer_token
+
+        for fake_header in self.fake_bearer_headers:
+            request = Request("/", headers=fake_header)
+            result = BearerToken(request_validator=request_validator).estimate_type(
+                request
+            )
+
+            if (
+                fake_header["Authorization"].count(" ") == 2
+                and fake_header["Authorization"].split()[0] == "Bearer"
+            ):
+                # If we're dealing with the header containing 2 spaces, it will be recognized
+                # as a Bearer valid header, the token itself will be invalid by the way.
+                self.assertEqual(result, 9)
+            else:
+                self.assertEqual(result, 0)
diff --git a/tests/openid/connect/core/grant_types/test_base.py b/tests/openid/connect/core/grant_types/test_base.py
new file mode 100644
index 0000000..76e017f
--- /dev/null
+++ b/tests/openid/connect/core/grant_types/test_base.py
@@ -0,0 +1,104 @@
+# -*- coding: utf-8 -*-
+import mock
+import time
+
+from oauthlib.common import Request
+from oauthlib.openid.connect.core.grant_types.base import GrantTypeBase
+
+from tests.unittest import TestCase
+
+
+class GrantBase(GrantTypeBase):
+    """Class to test GrantTypeBase"""
+    def __init__(self, request_validator=None, **kwargs):
+        self.request_validator = request_validator
+
+
+class IDTokenTest(TestCase):
+
+    def setUp(self):
+        self.request = Request('http://a.b/path')
+        self.request.scopes = ('hello', 'openid')
+        self.request.expires_in = 1800
+        self.request.client_id = 'abcdef'
+        self.request.code = '1234'
+        self.request.response_type = 'id_token'
+        self.request.grant_type = 'authorization_code'
+        self.request.redirect_uri = 'https://a.b/cb'
+        self.request.state = 'abc'
+        self.request.nonce = None
+
+        self.mock_validator = mock.MagicMock()
+        self.mock_validator.get_id_token.return_value = None
+        self.mock_validator.finalize_id_token.return_value = "eyJ.body.signature"
+        self.token = {}
+
+        self.grant = GrantBase(request_validator=self.mock_validator)
+
+        self.url_query = 'https://a.b/cb?code=abc&state=abc'
+        self.url_fragment = 'https://a.b/cb#code=abc&state=abc'
+
+    def test_id_token_hash(self):
+        self.assertEqual(self.grant.id_token_hash(
+            "Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk",
+        ), "LDktKdoQak3Pk0cnXxCltA", "hash differs from RFC")
+
+    def test_get_id_token_no_openid(self):
+        self.request.scopes = ('hello')
+        token = self.grant.add_id_token(self.token, "token_handler_mock", self.request)
+        self.assertNotIn("id_token", token)
+
+        self.request.scopes = None
+        token = self.grant.add_id_token(self.token, "token_handler_mock", self.request)
+        self.assertNotIn("id_token", token)
+
+        self.request.scopes = ()
+        token = self.grant.add_id_token(self.token, "token_handler_mock", self.request)
+        self.assertNotIn("id_token", token)
+
+    def test_get_id_token(self):
+        self.mock_validator.get_id_token.return_value = "toto"
+        token = self.grant.add_id_token(self.token, "token_handler_mock", self.request)
+        self.assertIn("id_token", token)
+        self.assertEqual(token["id_token"], "toto")
+
+    def test_finalize_id_token(self):
+        token = self.grant.add_id_token(self.token, "token_handler_mock", self.request)
+        self.assertIn("id_token", token)
+        self.assertEqual(token["id_token"], "eyJ.body.signature")
+        id_token = self.mock_validator.finalize_id_token.call_args[0][0]
+        self.assertEqual(id_token['aud'], 'abcdef')
+        self.assertGreaterEqual(id_token['iat'], int(time.time()))
+
+    def test_finalize_id_token_with_nonce(self):
+        token = self.grant.add_id_token(self.token, "token_handler_mock", self.request, "my_nonce")
+        self.assertIn("id_token", token)
+        self.assertEqual(token["id_token"], "eyJ.body.signature")
+        id_token = self.mock_validator.finalize_id_token.call_args[0][0]
+        self.assertEqual(id_token['nonce'], 'my_nonce')
+
+    def test_finalize_id_token_with_at_hash(self):
+        self.token["access_token"] = "Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk"
+        token = self.grant.add_id_token(self.token, "token_handler_mock", self.request)
+        self.assertIn("id_token", token)
+        self.assertEqual(token["id_token"], "eyJ.body.signature")
+        id_token = self.mock_validator.finalize_id_token.call_args[0][0]
+        self.assertEqual(id_token['at_hash'], 'LDktKdoQak3Pk0cnXxCltA')
+
+    def test_finalize_id_token_with_c_hash(self):
+        self.token["code"] = "Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk"
+        token = self.grant.add_id_token(self.token, "token_handler_mock", self.request)
+        self.assertIn("id_token", token)
+        self.assertEqual(token["id_token"], "eyJ.body.signature")
+        id_token = self.mock_validator.finalize_id_token.call_args[0][0]
+        self.assertEqual(id_token['c_hash'], 'LDktKdoQak3Pk0cnXxCltA')
+
+    def test_finalize_id_token_with_c_and_at_hash(self):
+        self.token["code"] = "Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk"
+        self.token["access_token"] = "Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk"
+        token = self.grant.add_id_token(self.token, "token_handler_mock", self.request)
+        self.assertIn("id_token", token)
+        self.assertEqual(token["id_token"], "eyJ.body.signature")
+        id_token = self.mock_validator.finalize_id_token.call_args[0][0]
+        self.assertEqual(id_token['at_hash'], 'LDktKdoQak3Pk0cnXxCltA')
+        self.assertEqual(id_token['c_hash'], 'LDktKdoQak3Pk0cnXxCltA')
diff --git a/tests/openid/connect/core/test_request_validator.py b/tests/openid/connect/core/test_request_validator.py
index e20e88f..ebe0aeb 100644
--- a/tests/openid/connect/core/test_request_validator.py
+++ b/tests/openid/connect/core/test_request_validator.py
@@ -22,8 +22,8 @@ class RequestValidatorTest(TestCase):
         )
         self.assertRaises(
             NotImplementedError,
-            v.get_id_token,
-            'token', 'token_handler', 'request'
+            v.finalize_id_token,
+            'id_token', 'token', 'token_handler', 'request'
         )
         self.assertRaises(
             NotImplementedError,