Merge remote-tracking branch 'upstream/develop' into stormpath-285

Author: dinkom

CHANGES.md

@@ -6,6 +6,8 @@ Version 2.5.2
 - Adding support for Stormpath Client API configuration.
 - Adding a pytest cleanup hook to ensure all Stormpath test resources are
   destroyed even if the user performs a keyboard interrupt during testing.
+- Adding tests for token revocation.
+- Adding support for OAuth2 Client Credentials flow.
 
 
 Version 2.5.1

stormpath/api_auth.py

@@ -693,6 +693,46 @@ def authenticate(self, username, password, account_store=None, url=None):
                                             )
 
 
+class ClientCredentialsGrantAuthenticator(Authenticator):
+    """
+    This class should authenticate using user's API ID and secret.
+    It gets authentication tokens for valid credentials.
+    """
+    def authenticate(self, client_id, client_secret, account_store=None, url=None):
+        if not url:
+            url = self.app.href + '/oauth/token'
+
+        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+
+        data = {
+            'grant_type': 'client_credentials',
+            'client_id': client_id,
+            'client_secret': client_secret
+        }
+
+        if account_store:
+            if isinstance(account_store, string_types):
+                data['accountStore'] = account_store
+            elif hasattr(account_store, 'href'):
+                data['accountStore'] = account_store.href
+            else:
+                raise TypeError('Unsupported type for account_store.')
+
+        try:
+            res = self.app._store.executor.request('POST', url, headers=headers, data=data)
+        except StormpathError:
+            return None
+
+        refresh_token = res['refresh_token'] if 'refresh_token' in res else None
+
+        return PasswordAuthenticationResult(
+            self.app,
+            res['stormpath_access_token_href'],
+            res['access_token'], res['expires_in'],
+            res['token_type'], refresh_token
+        )
+
+
 class JwtAuthenticator(Authenticator):
     """This class should authenticate using access token. It can
     validate token using Stormpath or local validation.

tests/live/test_api_auth.py

@@ -1316,6 +1316,78 @@ def test_authenticate_with_account_store_org_href_succeeds(self):
         self.assertEqual(claims.get('org'), self.org.href)
 
 
+class TestClientCredentialsGrantAuthenticator(ApiKeyBase):
+
+    def setUp(self):
+        super(TestClientCredentialsGrantAuthenticator, self).setUp()
+
+        self.username = self.get_random_name()
+        self.password = 'W00t123!' + self.username
+        _, self.acc = self.create_account(self.app.accounts,
+                                          username=self.username,
+                                          password=self.password)
+
+        self.user_api_key = self.acc.api_keys.create()
+
+        org_name = self.get_random_name()
+        org_name_key = org_name[:63]
+
+        self.org = self.client.tenant.organizations.create({
+            'name': org_name,
+            'name_key': org_name_key,
+        })
+        self.client.organization_account_store_mappings.create({
+            'account_store': self.dir,
+            'organization': self.org,
+        })
+        self.client.account_store_mappings.create({
+            'account_store': self.org,
+            'application': self.app,
+        })
+
+    def test_authenticate_succeeds(self):
+        authenticator = ClientCredentialsGrantAuthenticator(self.app)
+        result = authenticator.authenticate(self.user_api_key.id,
+                                            self.user_api_key.secret)
+
+        self.assertTrue(result.access_token)
+        self.assertFalse(result.refresh_token.token)
+        self.assertTrue(result.stormpath_access_token)
+        self.assertEqual(result.token_type, 'Bearer')
+        self.assertEqual(result.expires_in, 3600)
+        self.assertEqual(result.account.href, self.acc.href)
+
+    def test_authenticate_fails(self):
+        authenticator = ClientCredentialsGrantAuthenticator(self.app)
+        result = authenticator.authenticate('wrong id', 'wrong secret')
+
+        self.assertIsNone(result)
+
+    def test_authenticate_with_account_store_succeeds(self):
+        authenticator = ClientCredentialsGrantAuthenticator(self.app)
+        result = authenticator.authenticate(self.user_api_key.id,
+                                            self.user_api_key.secret,
+                                            account_store=self.dir)
+
+        self.assertTrue(result.access_token)
+        self.assertEqual(result.account.href, self.acc.href)
+        self.assertTrue('access_token' in result.access_token.to_json())
+        self.assertTrue(hasattr(result.stormpath_access_token, 'href'))
+        self.assertEqual(result.stormpath_access_token.account.href,
+                         self.acc.href)
+        self.assertEqual(result.token_type, 'Bearer')
+        self.assertEqual(result.expires_in, 3600)
+        self.assertEqual(result.account.href, self.acc.href)
+
+    def test_authenticate_with_account_store_fails(self):
+        authenticator = ClientCredentialsGrantAuthenticator(self.app)
+        result = authenticator.authenticate('wrong id',
+                                            'wrong secret',
+                                            account_store=self.dir)
+
+        self.assertIsNone(result)
+
+
 class TestJwtAuthenticator(ApiKeyBase):
     def setUp(self):
         super(TestJwtAuthenticator, self).setUp()
@@ -1602,3 +1674,29 @@ def test_authenticate_with_invalid_token_fails(self):
         result = authenticator.authenticate('invalid_token')
 
         self.assertIsNone(result)
+
+
+class TestTokenRevocation(ApiKeyBase):
+
+    def setUp(self):
+        super(TestTokenRevocation, self).setUp()
+
+        self.username = self.get_random_name()
+        self.password = 'W00t123!' + self.username
+        _, self.acc = self.create_account(self.app.accounts,
+                                          username=self.username,
+                                          password=self.password)
+
+    def test_revoke_token_succeeds(self):
+        authenticator = PasswordGrantAuthenticator(self.app)
+        result = authenticator.authenticate(self.username, self.password)
+
+        self.assertTrue(result.access_token)
+        self.assertEqual(result.account.href, self.acc.href)
+
+        acc_tokens = self.acc.access_tokens
+        self.assertEqual(len(acc_tokens.items), 1)
+
+        acc_tokens.items[0].delete()
+        acc_tokens.refresh()
+        self.assertEqual(len(acc_tokens.items), 0)

tests/live/test_custom_data.py

@@ -343,11 +343,16 @@ def test_custom_data_modification(self):
     def test_custom_data_search(self):
         self.dir.groups.create({'name': self.get_random_name() + 'group1', 'custom_data': CUSTOM_DATA})
         self.dir.groups.create({'name': self.get_random_name() + 'group2', 'custom_data': {'omg': 'noway'}})
+        self.dir.groups.create({'name': self.get_random_name() + 'group3', 'custom_data': {'omg': ['wow', 'cool']}})
 
         for group in self.dir.groups.search('customData.omg=noway'):
             self.assertTrue('group2' in group.name)
             self.assertEqual(group.custom_data['omg'], 'noway')
 
+        for gorup in self.dir.groups.earch('customData.omg=wow'):
+            self.assertTrue('group3' in group.name)
+            self.assertTrue(group.custom_data['omg'], ['wow', 'cool'])
+
 
 class TestTenantCustomData(SingleApplicationBase):