
Commit 243e7a4

committed
Update tests to handle difference between cleartext and hashed application.client_secret.
1 parent d92c45c commit 243e7a4

10 files changed

+100
-82
lines changed

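--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -16,6 +16,8 @@
 Application = get_application_model()
 UserModel = get_user_model()
 
+CLEARTEXT_SECRET = "1234567890abcdefghijklmnopqrstuvwxyz"
+
 
 class OAuthSettingsWrapper:
     """
@@ -101,12 +103,14 @@ def application():
         client_type=Application.CLIENT_CONFIDENTIAL,
         authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
         algorithm=Application.RS256_ALGORITHM,
+        client_secret=CLEARTEXT_SECRET,
     )
 
 
 @pytest.fixture
 def hybrid_application(application):
     application.authorization_grant_type = application.GRANT_OPENID_HYBRID
+    application.client_secret = CLEARTEXT_SECRET
     application.save()
     return application
 
@@ -141,7 +145,7 @@ def oidc_tokens(oauth2_settings, application, test_user, client):
             "code": code,
             "redirect_uri": "http://example.org",
             "client_id": application.client_id,
-            "client_secret": application.client_secret,
+            "client_secret": CLEARTEXT_SECRET,
             "scope": "openid",
         },
     )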
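Review bot: The new `application.client_secret = CLEARTEXT_SECRET` line in `hybrid_application` reads as redundant, because the `application` fixture already creates the object with that secret; presumably it is needed because `save()` hashes whatever is in the field, so the cleartext must be restored before the second save or the hash itself would be hashed. A one-line comment would stop a later cleanup from deleting it: `# save() hashes client_secret; restore the cleartext so the second save does not hash the hash`. The same constant value is re-declared in tests/test_authorization_code.py instead of being shared from here, so the two can drift apart.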

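--- a/tests/test_authorization_code.py
+++ b/tests/test_authorization_code.py
@@ -34,6 +34,7 @@
 
 URI_OOB = "urn:ietf:wg:oauth:2.0:oob"
 URI_OOB_AUTO = "urn:ietf:wg:oauth:2.0:oob:auto"
+CLEARTEXT_SECRET = "1234567890abcdefghijklmnopqrstuvwxyz"
 
 
 # mocking a protected resource view
@@ -60,6 +61,7 @@ def setUp(self):
             user=self.dev_user,
             client_type=Application.CLIENT_CONFIDENTIAL,
             authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            client_secret=CLEARTEXT_SECRET,
         )
 
     def tearDown(self):
@@ -677,7 +679,7 @@ def test_basic_auth(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 200)
@@ -699,7 +701,7 @@ def test_refresh(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))
@@ -744,7 +746,7 @@ def test_refresh_with_grace_period(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))
@@ -795,7 +797,7 @@ def test_refresh_invalidates_old_tokens(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))
@@ -827,7 +829,7 @@ def test_refresh_no_scopes(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))
@@ -855,7 +857,7 @@ def test_refresh_bad_scopes(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))
@@ -881,7 +883,7 @@ def test_refresh_fail_repeating_requests(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))
@@ -911,7 +913,7 @@ def test_refresh_repeating_requests(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))
@@ -948,7 +950,7 @@ def test_refresh_repeating_requests_non_rotating_tokens(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))
@@ -977,7 +979,7 @@ def test_basic_auth_bad_authcode(self):
             "code": "BLAH",
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 400)
@@ -989,7 +991,7 @@ def test_basic_auth_bad_granttype(self):
         self.client.login(username="test_user", password="123456")
 
         token_request_data = {"grant_type": "UNKNOWN", "code": "BLAH", "redirect_uri": "http://example.org"}
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 400)
@@ -1014,7 +1016,7 @@ def test_basic_auth_grant_expired(self):
             "code": "BLAH",
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 400)
@@ -1049,7 +1051,7 @@ def test_basic_auth_wrong_auth_type(self):
             "redirect_uri": "http://example.org",
         }
 
-        user_pass = "{0}:{1}".format(self.application.client_id, self.application.client_secret)
+        user_pass = "{0}:{1}".format(self.application.client_id, CLEARTEXT_SECRET)
         auth_string = base64.b64encode(user_pass.encode("utf-8"))
         auth_headers = {
             "HTTP_AUTHORIZATION": "Wrong " + auth_string.decode("utf-8"),
@@ -1070,7 +1072,7 @@ def test_request_body_params(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
             "client_id": self.application.client_id,
-            "client_secret": self.application.client_secret,
+            "client_secret": CLEARTEXT_SECRET,
         }
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data)
@@ -1445,7 +1447,7 @@ def test_code_exchange_succeed_when_redirect_uri_match(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org?foo=bar",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 200)
@@ -1480,7 +1482,7 @@ def test_code_exchange_fails_when_redirect_uri_does_not_match(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org?foo=baraa",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 400)
@@ -1520,7 +1522,7 @@ def test_code_exchange_succeed_when_redirect_uri_match_with_multiple_query_param
             "code": authorization_code,
             "redirect_uri": "http://example.com?bar=baz&foo=bar",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 200)
@@ -1565,7 +1567,7 @@ def test_oob_as_html(self):
             "code": authorization_code,
             "redirect_uri": URI_OOB,
             "client_id": self.application.client_id,
-            "client_secret": self.application.client_secret,
+            "client_secret": CLEARTEXT_SECRET,
         }
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data)
@@ -1605,7 +1607,7 @@ def test_oob_as_json(self):
             "code": authorization_code,
             "redirect_uri": URI_OOB_AUTO,
             "client_id": self.application.client_id,
-            "client_secret": self.application.client_secret,
+            "client_secret": CLEARTEXT_SECRET,
         }
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data)
@@ -1681,7 +1683,7 @@ def test_id_token_code_exchange_succeed_when_redirect_uri_match_with_multiple_qu
             "code": authorization_code,
             "redirect_uri": "http://example.com?bar=baz&foo=bar",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 200)
@@ -1715,7 +1717,7 @@ def test_id_token(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
             "client_id": self.application.client_id,
-            "client_secret": self.application.client_secret,
+            "client_secret": CLEARTEXT_SECRET,
             "scope": "openid",
         }
 
@@ -1761,7 +1763,7 @@ def test_resource_access_allowed(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))
@@ -1819,7 +1821,7 @@ def test_id_token_resource_access_allowed(self):
             "code": authorization_code,
             "redirect_uri": "http://example.org",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, self.application.client_secret)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         content = json.loads(response.content.decode("utf-8"))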
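Review bot: `CLEARTEXT_SECRET` at line 37 duplicates the constant of the same name and value this commit adds to tests/conftest.py, and tests/test_client_credential.py carries a third copy with a different value; one shared definition (imported from conftest or a small test-constants module) would keep them from drifting apart. Unlike tests/test_client_credential.py, nothing in this file checks that the stored `self.application.client_secret` actually differs from the cleartext, so every hunk here would still pass if a regression stored the secret unhashed; a single `self.assertNotEqual(self.application.client_secret, CLEARTEXT_SECRET)` after the create in `setUp` would pin the hashing contract. The test methods touched by the remaining hunks all start and end outside their hunks.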

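--- a/tests/test_client_credential.py
+++ b/tests/test_client_credential.py
@@ -23,7 +23,7 @@
 AccessToken = get_access_token_model()
 UserModel = get_user_model()
 
-CLIENT_SECRET = "abcdefghijklmnopqrstuvwxyz1234567890"
+CLEARTEXT_SECRET = "abcdefghijklmnopqrstuvwxyz1234567890"
 
 
 # mocking a protected resource view
@@ -45,7 +45,7 @@ def setUp(self):
             user=self.dev_user,
             client_type=Application.CLIENT_PUBLIC,
             authorization_grant_type=Application.GRANT_CLIENT_CREDENTIALS,
-            client_secret=CLIENT_SECRET,
+            client_secret=CLEARTEXT_SECRET,
         )
 
     def tearDown(self):
@@ -59,12 +59,12 @@ def test_client_credential_access_allowed(self):
         """
         Request an access token using Client Credential Flow with hashed secrets
         """
-        self.assertNotEqual(self.application.client_secret, CLIENT_SECRET)
+        self.assertNotEqual(self.application.client_secret, CLEARTEXT_SECRET)
 
         token_request_data = {
             "grant_type": "client_credentials",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, CLIENT_SECRET)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 200)
@@ -78,7 +78,7 @@ def test_client_credential_does_not_issue_refresh_token(self):
         token_request_data = {
             "grant_type": "client_credentials",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, CLIENT_SECRET)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 200)
@@ -88,7 +88,7 @@ def test_client_credential_does_not_issue_refresh_token(self):
 
     def test_client_credential_user_is_none_on_access_token(self):
         token_request_data = {"grant_type": "client_credentials"}
-        auth_headers = get_basic_auth_header(self.application.client_id, CLIENT_SECRET)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 200)
@@ -117,7 +117,7 @@ def test_extended_request(self):
         token_request_data = {
             "grant_type": "client_credentials",
         }
-        auth_headers = get_basic_auth_header(self.application.client_id, CLIENT_SECRET)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 200)
 
@@ -169,11 +169,11 @@ def test_client_resource_password_based(self):
             user=self.dev_user,
             client_type=Application.CLIENT_CONFIDENTIAL,
             authorization_grant_type=Application.GRANT_PASSWORD,
-            client_secret=CLIENT_SECRET,
+            client_secret=CLEARTEXT_SECRET,
         )
 
         token_request_data = {"grant_type": "password", "username": "test_user", "password": "123456"}
-        auth_headers = get_basic_auth_header(self.application.client_id, CLIENT_SECRET)
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
 
         response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 200)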

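--- a/tests/test_commands.py
+++ b/tests/test_commands.py
@@ -1,6 +1,7 @@
 from io import StringIO
 
 from django.contrib.auth import get_user_model
+from django.contrib.auth.hashers import check_password
 from django.core.management import call_command
 from django.core.management.base import CommandError
 from django.test import TestCase
@@ -83,7 +84,7 @@ def test_application_created_with_client_secret(self):
         )
         app = Application.objects.get()
 
-        self.assertEqual(app.client_secret, "SECRET")
+        self.assertTrue(check_password("SECRET", app.client_secret))
 
     def test_application_created_with_client_id(self):
         call_command(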
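Review bot: The replaced assertion at new line 87 is the only place in these tests that documents the changed storage contract — that the management command now persists `client_secret` as a Django password hash rather than the value passed on the command line — and it does so implicitly. A short comment above it would make the intent survive the next refactor: `# the command stores a hash of the secret, so verify with check_password rather than equality`. Note that `check_password` also returns False when the stored value is not in a recognised hash format, so this single call does cover the "stored in cleartext" regression. The enclosing `test_application_created_with_client_secret` starts outside the hunk.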
