Add more tests for origin validators

Author: akanstantsinau

oauth2_provider/validators.py

@@ -34,11 +34,11 @@ def __call__(self, value):
 class AllowedURIValidator(URIValidator):
     def __init__(self, schemes, name, allow_path=False, allow_query=False, allow_fragments=False):
         """
-        :params schemes: List of allowed schemes. E.g.: ["https"]
-        :params name: Name of the validater URI required for validation message. E.g.: "Origin"
-        :params allow_path: If URI can contain path part
-        :params allow_query: If URI can contain query part
-        :params allow_fragments: If URI can contain fragments part
+        :param schemes: List of allowed schemes. E.g.: ["https"]
+        :param name: Name of the validated URI. It is required for validation message. E.g.: "Origin"
+        :param allow_path: If URI can contain path part
+        :param allow_query: If URI can contain query part
+        :param allow_fragments: If URI can contain fragments part
         """
         super().__init__(schemes=schemes)
         self.name = name
@@ -50,12 +50,12 @@ def __call__(self, value):
         super().__call__(value)
         value = force_str(value)
         scheme, netloc, path, query, fragment = urlsplit(value)
-        if path and not self.allow_path:
-            raise ValidationError("{} URIs must not contain path".format(self.name))
         if query and not self.allow_query:
             raise ValidationError("{} URIs must not contain query".format(self.name))
         if fragment and not self.allow_fragments:
             raise ValidationError("{} URIs must not contain fragments".format(self.name))
+        if path and not self.allow_path:
+            raise ValidationError("{} URIs must not contain path".format(self.name))
 
 
 ##

tests/conftest.py

@@ -124,6 +124,18 @@ def public_application():
     )
 
 
+@pytest.fixture
+def cors_application():
+    return Application.objects.create(
+        name="Test CORS Application",
+        client_type=Application.CLIENT_CONFIDENTIAL,
+        authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+        algorithm=Application.RS256_ALGORITHM,
+        client_secret=CLEARTEXT_SECRET,
+        allowed_origins="https://example.com http://example.com",
+    )
+
+
 @pytest.fixture
 def logged_in_client(test_user):
     from django.test.client import Client

tests/presets.py

@@ -57,3 +57,11 @@
     "READ_SCOPE": "read",
     "WRITE_SCOPE": "write",
 }
+
+ALLOWED_SCHEMES_DEFAULT = {
+    "ALLOWED_SCHEMES": ["https"],
+}
+
+ALLOWED_SCHEMES_HTTP = {
+    "ALLOWED_SCHEMES": ["https", "http"],
+}

tests/test_models.py

@@ -594,3 +594,19 @@ def test_application_clean(oauth2_settings, application):
     assert "Enter a valid URL" in str(exc.value)
     application.allowed_origins = "https://example.com"
     application.clean()
+
+
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.ALLOWED_SCHEMES_DEFAULT)
+def test_application_origin_allowed_default_https(oauth2_settings, cors_application):
+    """Test that http schemes are not allowed because ALLOWED_SCHEMES allows only https"""
+    assert cors_application.origin_allowed("https://example.com")
+    assert not cors_application.origin_allowed("http://example.com")
+
+
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.ALLOWED_SCHEMES_HTTP)
+def test_application_origin_allowed_http(oauth2_settings, cors_application):
+    """Test that http schemes are allowed because http was added to ALLOWED_SCHEMES"""
+    assert cors_application.origin_allowed("https://example.com")
+    assert cors_application.origin_allowed("http://example.com")