forked from kubernetes/test-infra
-
Notifications
You must be signed in to change notification settings - Fork 41
/
github_auth_test.py
145 lines (120 loc) · 4.78 KB
/
github_auth_test.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
#!/usr/bin/env python
# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import unittest
import urlparse
import webtest
import gcs_async_test
import main
CLIENT_ID = '12345'
CLIENT_SECRET = 'swordfish'
GH_LOGIN_CODE = 'somerandomcode'
main.app.config['github_client'] = {
'id': CLIENT_ID,
'secret': CLIENT_SECRET,
}
main.app.config['webapp2_extras.sessions']['secret_key'] = 'abcd'
app = webtest.TestApp(main.app)
VEND_URL = 'https://github.com/login/oauth/access_token'
USER_URL = 'https://api.github.com/user'
class TestGithubAuth(unittest.TestCase):
def setUp(self):
app.reset()
self.testbed.init_app_identity_stub()
self.testbed.init_urlfetch_stub()
self.calls = []
self.results = {
VEND_URL: ('{"access_token": "token"}', 200),
USER_URL: ('{"login": "foo"}', 200),
}
gcs_async_test.install_handler_dispatcher(
self.testbed.get_stub('urlfetch'),
(lambda url: url in self.results),
self.dispatcher)
def dispatcher(self, method, url, payload, headers):
self.calls.append([method, url, payload, headers])
return self.results[url]
@staticmethod
def do_phase1(arg=''):
return app.get('/github_auth' + arg)
@staticmethod
def parse_phase1(phase1):
parsed = urlparse.urlparse(phase1.location)
query = urlparse.parse_qs(parsed.query)
state = query.pop('state')[0]
return state, query
def do_phase2(self, phase1=None, status=None):
if not phase1:
phase1 = self.do_phase1()
state, query = self.parse_phase1(phase1)
code = GH_LOGIN_CODE
return app.get(
query['redirect_uri'][0],
{'code': code, 'state': state},
status=status)
def test_login_works(self):
"oauth login works"
# 1) Redirect to github
resp = self.do_phase1()
self.assertEqual(resp.status_code, 302)
loc = resp.location
assert loc.startswith('https://github.com/login/oauth/authorize'), loc
state, query = self.parse_phase1(resp)
self.assertEqual(query, {
'redirect_uri': ['http://localhost/github_auth/done'],
'client_id': [CLIENT_ID]})
# 2) Github redirects back
resp = self.do_phase2(resp)
self.assertIn('Welcome, foo', resp)
# Test that we received the right calls to our fake API.
self.assertEqual(len(self.calls), 2)
vend_call = self.calls[0]
user_call = self.calls[1]
self.assertEqual(vend_call[:2], ['POST', VEND_URL])
self.assertEqual(user_call[:3], ['GET', USER_URL, None])
self.assertEqual(
urlparse.parse_qs(vend_call[2]),
dict(client_secret=[CLIENT_SECRET], state=[state],
code=[GH_LOGIN_CODE], client_id=[CLIENT_ID]))
vend_headers = {h.key(): h.value() for h in vend_call[3]}
self.assertEqual(vend_headers, {'Accept': 'application/json'})
def test_redirect_pr(self):
"login can redirect to another page at the end"
phase1 = self.do_phase1('/pr')
phase2 = self.do_phase2(phase1)
self.assertEqual(phase2.status_code, 302)
self.assertEqual(phase2.location, 'http://localhost/pr')
def test_redirect_ignored(self):
"login only redirects to whitelisted URLs"
phase1 = self.do_phase1('/bad/redirect')
phase2 = self.do_phase2(phase1)
self.assertEqual(phase2.status_code, 200)
def test_phase2_missing_cookie(self):
"missing cookie for phase2 fails (CSRF)"
phase1 = self.do_phase1()
app.reset() # clears cookies
self.do_phase2(phase1, status=400)
def test_phase2_mismatched_state(self):
"wrong state for phase2 fails (CSRF)"
phase1 = self.do_phase1()
phase1.location = phase1.location.replace('state=', 'state=NOPE')
self.do_phase2(phase1, status=400)
def test_phase2_vend_failure(self):
"GitHub API error vending tokens raises 500"
self.results[VEND_URL] = ('', 403)
self.do_phase2(status=500)
def test_phase2_user_failure(self):
"GitHub API error getting user information raises 500"
self.results[USER_URL] = ('', 403)
self.do_phase2(status=500)