summaryrefslogtreecommitdiff
path: root/tests/oauth2/rfc6749/endpoints
diff options
context:
space:
mode:
authorAbhishek Patel <5524161+Abhishek8394@users.noreply.github.com>2019-05-06 23:26:29 -0700
committerAbhishek Patel <5524161+Abhishek8394@users.noreply.github.com>2019-05-14 00:37:59 -0700
commit047ceccf48ea7ccd4ecc6b48a8ddb6dd4a14abd6 (patch)
treeb4a8b62f205d5e41dc245273e34669319b1734f1 /tests/oauth2/rfc6749/endpoints
parentbbbcca731d5db16d7b1765070880aa54288788e9 (diff)
downloadoauthlib-047ceccf48ea7ccd4ecc6b48a8ddb6dd4a14abd6.tar.gz
Add tests + create a global variable for blacklisted query parameters
Diffstat (limited to 'tests/oauth2/rfc6749/endpoints')
-rw-r--r--tests/oauth2/rfc6749/endpoints/test_error_responses.py27
-rw-r--r--tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py16
-rw-r--r--tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py16
3 files changed, 59 insertions, 0 deletions
diff --git a/tests/oauth2/rfc6749/endpoints/test_error_responses.py b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
index a249cb1..4a288ad 100644
--- a/tests/oauth2/rfc6749/endpoints/test_error_responses.py
+++ b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
@@ -6,10 +6,12 @@ import json
import mock
+from oauthlib.common import urlencode
from oauthlib.oauth2 import (BackendApplicationServer, LegacyApplicationServer,
MobileApplicationServer, RequestValidator,
WebApplicationServer)
from oauthlib.oauth2.rfc6749 import errors
+from oauthlib.oauth2.rfc6749.endpoints.base import BLACKLIST_QUERY_PARAMS
from ....unittest import TestCase
@@ -437,3 +439,28 @@ class ErrorResponseTest(TestCase):
_, body, _ = self.backend.create_token_response('https://i.b/token',
body='grant_type=bar')
self.assertEqual('unsupported_grant_type', json.loads(body)['error'])
+
+ def test_invalid_post_request(self):
+ self.validator.authenticate_client.side_effect = self.set_client
+ for param in BLACKLIST_QUERY_PARAMS:
+ uri = 'https://i/b/token?' + urlencode([(param, 'secret')])
+ _, body, s = self.web.create_introspect_response(uri,
+ body='grant_type=access_token&code=123')
+ self.assertEqual(json.loads(body)['error'], 'invalid_request')
+ self.assertIn(param, json.loads(body)['error_description'])
+ self.assertIn('not allowed', json.loads(body)['error_description'])
+ self.assertEqual(s, 400)
+
+ _, body, s = self.legacy.create_introspect_response(uri,
+ body='grant_type=access_token&code=123')
+ self.assertEqual(json.loads(body)['error'], 'invalid_request')
+ self.assertIn(param, json.loads(body)['error_description'])
+ self.assertIn('not allowed', json.loads(body)['error_description'])
+ self.assertEqual(s, 400)
+
+ _, body, s = self.backend.create_introspect_response(uri,
+ body='grant_type=access_token&code=123')
+ self.assertEqual(json.loads(body)['error'], 'invalid_request')
+ self.assertIn(param, json.loads(body)['error_description'])
+ self.assertIn('not allowed', json.loads(body)['error_description'])
+ self.assertEqual(s, 400)
diff --git a/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py b/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
index b9bf76a..234a4ef 100644
--- a/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
+++ b/tests/oauth2/rfc6749/endpoints/test_introspect_endpoint.py
@@ -7,6 +7,7 @@ from mock import MagicMock
from oauthlib.common import urlencode
from oauthlib.oauth2 import RequestValidator, IntrospectEndpoint
+from oauthlib.oauth2.rfc6749.endpoints.base import BLACKLIST_QUERY_PARAMS
from ....unittest import TestCase
@@ -139,3 +140,18 @@ class IntrospectEndpointTest(TestCase):
self.assertEqual(h, self.resp_h)
self.assertEqual(loads(b)['error'], 'invalid_request')
self.assertEqual(s, 400)
+
+ def test_introspect_bad_post_request(self):
+ endpoint = IntrospectEndpoint(self.validator,
+ supported_token_types=['access_token'])
+ for param in BLACKLIST_QUERY_PARAMS:
+ uri = 'http://some.endpoint?' + urlencode([(param, 'secret')])
+ body = urlencode([('token', 'foo'),
+ ('token_type_hint', 'access_token')])
+ h, b, s = endpoint.create_introspect_response(uri,
+ headers=self.headers, body=body)
+ self.assertEqual(h, self.resp_h)
+ self.assertEqual(loads(b)['error'], 'invalid_request')
+ self.assertIn(param, loads(b)['error_description'])
+ self.assertIn('not allowed', loads(b)['error_description'])
+ self.assertEqual(s, 400)
diff --git a/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py b/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py
index 2a24177..e89c3bd 100644
--- a/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py
+++ b/tests/oauth2/rfc6749/endpoints/test_revocation_endpoint.py
@@ -7,6 +7,7 @@ from mock import MagicMock
from oauthlib.common import urlencode
from oauthlib.oauth2 import RequestValidator, RevocationEndpoint
+from oauthlib.oauth2.rfc6749.endpoints.base import BLACKLIST_QUERY_PARAMS
from ....unittest import TestCase
@@ -120,3 +121,18 @@ class RevocationEndpointTest(TestCase):
self.assertEqual(h, self.resp_h)
self.assertEqual(loads(b)['error'], 'invalid_request')
self.assertEqual(s, 400)
+
+ def test_revoke_bad_post_request(self):
+ endpoint = RevocationEndpoint(self.validator,
+ supported_token_types=['access_token'])
+ for param in BLACKLIST_QUERY_PARAMS:
+ uri = 'http://some.endpoint?' + urlencode([(param, 'secret')])
+ body = urlencode([('token', 'foo'),
+ ('token_type_hint', 'access_token')])
+ h, b, s = endpoint.create_revocation_response(uri,
+ headers=self.headers, body=body)
+ self.assertEqual(h, self.resp_h)
+ self.assertEqual(loads(b)['error'], 'invalid_request')
+ self.assertIn(param, loads(b)['error_description'])
+ self.assertIn('not allowed', loads(b)['error_description'])
+ self.assertEqual(s, 400)