1168 |
1168 |
assert len(response.json['results']) == count
|
1169 |
1169 |
|
1170 |
1170 |
|
1171 |
|
def test_resource_owner_password_credential_grant(app, oidc_client, admin, simple_user):
|
|
1171 |
def test_credentials_grant(app, oidc_client, admin, simple_user):
|
1172 |
1172 |
cache.clear()
|
1173 |
1173 |
oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
|
1174 |
1174 |
oidc_client.scope = 'openid'
|
... | ... | |
1214 |
1214 |
assert all(claims.values())
|
1215 |
1215 |
|
1216 |
1216 |
|
1217 |
|
def test_resource_owner_password_credential_grant_ratelimitation_invalid_client(
|
1218 |
|
app, oidc_client, admin, simple_user, oidc_settings):
|
|
1217 |
def test_credentials_grant_ratelimitation_invalid_client(
|
|
1218 |
app, oidc_client, admin, simple_user, oidc_settings, freezer):
|
|
1219 |
freezer.move_to('2020-01-01')
|
|
1220 |
|
1219 |
1221 |
cache.clear()
|
1220 |
1222 |
oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
|
1221 |
1223 |
oidc_client.save()
|
... | ... | |
1227 |
1229 |
'username': simple_user.username,
|
1228 |
1230 |
'password': simple_user.username,
|
1229 |
1231 |
}
|
1230 |
|
attempts = 0
|
1231 |
|
dummy_post = RequestFactory().post('/dummy')
|
1232 |
|
while attempts < 1000:
|
1233 |
|
attempts += 1
|
1234 |
|
ratelimited = is_ratelimited(
|
1235 |
|
request=dummy_post, group='test-ro-cred-grant', increment=True,
|
1236 |
|
key=lambda x, y: '127.0.0.1',
|
1237 |
|
rate=oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT)
|
|
1232 |
for i in range(int(oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT.split('/')[0])):
|
1238 |
1233 |
response = app.post(token_url, params=params, status=400)
|
1239 |
|
if not ratelimited:
|
1240 |
|
assert response.json['error'] == 'invalid_client'
|
1241 |
|
assert 'client authentication failed' in response.json['error_description']
|
1242 |
|
continue
|
1243 |
|
else:
|
1244 |
|
assert response.json['error'] == 'invalid_request'
|
1245 |
|
assert 'reached rate limitation' in response.json['error_description']
|
1246 |
|
break
|
1247 |
|
if not ratelimited:
|
1248 |
|
assert 0
|
|
1234 |
assert response.json['error'] == 'invalid_client'
|
|
1235 |
assert 'client authentication failed' in response.json['error_description']
|
|
1236 |
response = app.post(token_url, params=params, status=400)
|
|
1237 |
assert response.json['error'] == 'invalid_request'
|
|
1238 |
assert 'reached rate limitation' in response.json['error_description']
|
1249 |
1239 |
|
1250 |
1240 |
|
1251 |
1241 |
def test_credentials_grant_ratelimitation_valid_client(
|
1252 |
|
app, oidc_client, admin, simple_user, oidc_settings):
|
|
1242 |
app, oidc_client, admin, simple_user, oidc_settings, freezer):
|
|
1243 |
freezer.move_to('2020-01-01')
|
|
1244 |
|
1253 |
1245 |
cache.clear()
|
1254 |
1246 |
oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
|
1255 |
1247 |
oidc_client.save()
|
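Review bot: The loop variable `i` on new line 1232 is unused, and the allowed-attempt count is derived inline with `int(oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT.split('/')[0])`, a construction repeated verbatim on new line 1256 in `test_credentials_grant_ratelimitation_valid_client`. Naming it once makes the intent visible and keeps the two tests in step if the setting's format ever changes: `limit = int(oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT.split('/')[0])` followed by `for _ in range(limit):`, with a comment such as `# exhaust the window; the next call must be refused` on the extra post that follows the loop. The count-based approach presumably depends on the clock being pinned by `freezer.move_to('2020-01-01')` earlier in the function so the rate window cannot roll over between the last accepted attempt and the rejected one; a one-line comment next to that call would spare the next reader from rediscovering why the `freezer` fixture was added. The enclosing `test_credentials_grant_ratelimitation_invalid_client` starts outside this hunk.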
... | ... | |
1261 |
1253 |
'username': simple_user.username,
|
1262 |
1254 |
'password': simple_user.username,
|
1263 |
1255 |
}
|
1264 |
|
attempts = 0
|
1265 |
|
dummy_post = RequestFactory().post('/dummy')
|
1266 |
|
while attempts < 1000:
|
1267 |
|
before = now()
|
1268 |
|
attempts += 1
|
1269 |
|
ratelimited = is_ratelimited(
|
1270 |
|
request=dummy_post, group='test-ro-cred-grant', increment=True,
|
1271 |
|
key=lambda x, y: oidc_client.client_id,
|
1272 |
|
rate=oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT)
|
1273 |
|
if ratelimited:
|
1274 |
|
response = app.post(token_url, params=params, status=400)
|
1275 |
|
assert response.json['error'] == 'invalid_request'
|
1276 |
|
assert 'reached rate limitation' in response.json['error_description']
|
1277 |
|
break
|
1278 |
|
else:
|
1279 |
|
response = app.post(token_url, params=params)
|
1280 |
|
if not ratelimited:
|
1281 |
|
assert 0
|
|
1256 |
for i in range(int(oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT.split('/')[0])):
|
|
1257 |
app.post(token_url, params=params)
|
|
1258 |
response = app.post(token_url, params=params, status=400)
|
|
1259 |
assert response.json['error'] == 'invalid_request'
|
|
1260 |
assert 'reached rate limitation' in response.json['error_description']
|
1282 |
1261 |
|
1283 |
1262 |
|
1284 |
1263 |
def test_credentials_grant_retrytimout(
|
1285 |
1264 |
app, oidc_client, admin, simple_user, settings, freezer):
|
|
1265 |
freezer.move_to('2020-01-01')
|
|
1266 |
|
1286 |
1267 |
cache.clear()
|
1287 |
1268 |
settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION = 2
|
1288 |
1269 |
oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
|
... | ... | |
1304 |
1285 |
assert 'too many attempts with erroneous RO password' in response.json['error_description']
|
1305 |
1286 |
|
1306 |
1287 |
# freeze some time after backoff delay expiration
|
1307 |
|
today = datetime.date.today()
|
1308 |
|
dayafter = today + datetime.timedelta(days=2)
|
1309 |
|
freezer.move_to(dayafter.strftime('%Y-%m-%d'))
|
|
1288 |
freezer.move_to(datetime.timedelta(days=2))
|
1310 |
1289 |
|
1311 |
1290 |
# obtain a successful login
|
1312 |
1291 |
params['password'] = simple_user.username
|
1313 |
|
-
|