Merge branch 'release/0.5.8'

README.rst

@@ -4,7 +4,7 @@
  xl_auth
 =========
 
-OAuth2 authorization for LibrisXL, replacing BibDB counterpart.
+Authorization and OAuth2 provider for LibrisXL.
 
 .. image:: http://jenkins.smithmicro.io:8080/job/xl_auth-multibranch/job/master/lastBuild/badge/icon
     :target: http://jenkins.smithmicro.io:8080/job/xl_auth-multibranch/job/master/lastBuild/
@@ -175,14 +175,21 @@ Technology choices:
 DB Models
 ---------
 
-.. image:: https://user-images.githubusercontent.com/18367829/30987221-8a1834d2-a496-11e7-8a54-27f00a24da7d.png
-    :target: https://github.com/libris/xl_auth/pull/33
-    :alt: screen shot 2017-09-28 at 9 42 42 pm
+.. image:: https://user-images.githubusercontent.com/786326/32597885-5339ba5e-c538-11e7-8462-f365c8f9cbe1.png
+   :alt: screen shot 2017-11-09 at 10 23 47 am
 
 
 Changelog
 =========
 
+v. 0.5.8
+--------
+
+* Update internal links to reference users by ID instead of email
+  (`#25 <https://github.com/libris/xl_auth/issues/25>`_)
+* Refactored OAuth2 (internal) paths
+
+
 v. 0.5.7
 --------
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "xl_auth",
-  "version": "0.5.7",
+  "version": "0.5.8",
   "author": "National Library of Sweden",
   "license": "Apache-2.0",
   "description": "OAuth2 authorization for LibrisXL, replacing BibDB counterpart",

tests/end2end/test_oauth.py → tests/end2end/test_oauth_client_flow.py

@@ -9,8 +9,8 @@
 from flask import url_for
 
 from xl_auth import __version__
-from xl_auth.grant.models import Grant
-from xl_auth.token.models import Token
+from xl_auth.oauth.grant.models import Grant
+from xl_auth.oauth.token.models import Token
 
 from ..factories import PermissionFactory
 

tests/end2end/test_deleting_client.py → tests/end2end/test_oauth_deleting_client.py

@@ -6,7 +6,7 @@
 from flask import url_for
 from flask_babel import gettext as _
 
-from xl_auth.client.models import Client
+from xl_auth.oauth.client.models import Client
 
 
 def test_superuser_can_delete_existing_client(superuser, client, testapp):
@@ -22,13 +22,13 @@ def test_superuser_can_delete_existing_client(superuser, client, testapp):
     # Submits
     res = form.submit().follow()
     # Clicks Clients button
-    # res = res.click(href=url_for('client.home'))
+    # res = res.click(href=url_for('oauth.client.home'))
     # FIXME: No nav link yet
-    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('client.home'))) == []
+    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('oauth.client.home'))) == []
 
-    res = testapp.get('/clients/')
+    res = testapp.get('/oauth/clients/')
     # Clicks Delete button on a client
-    res = res.click(href=url_for('client.delete', client_id=client.client_id)).follow()
+    res = res.click(href=url_for('oauth.client.delete', client_id=client.client_id)).follow()
     assert res.status_code == 200
     # Client was deleted, so number of clients are 1 less than initial state
     assert _('Successfully deleted OAuth2 Client "%(name)s".', name=name) in res
@@ -51,10 +51,10 @@ def test_user_cannot_delete_client(user, client, testapp):
     assert res.lxml.xpath("//a[contains(@text,'{0}')]".format(_('Clients'))) == []
 
     # Try to go there directly
-    testapp.get('/clients/', status=403)
+    testapp.get('/oauth/clients/', status=403)
 
     # Try to delete
-    testapp.delete(url_for('client.delete', client_id=client.client_id), status=403)
+    testapp.delete(url_for('oauth.client.delete', client_id=client.client_id), status=403)
 
     # Nothing was deleted
     assert len(Client.query.all()) == old_count

tests/end2end/test_editing_client.py → tests/end2end/test_oauth_editing_client.py

@@ -5,7 +5,7 @@
 
 from flask import url_for
 
-from xl_auth.client.models import Client
+from xl_auth.oauth.client.models import Client
 
 
 def test_superuser_can_edit_existing_client(superuser, client, testapp):
@@ -21,13 +21,13 @@ def test_superuser_can_edit_existing_client(superuser, client, testapp):
     res = form.submit().follow()
 
     # Clicks Clients button
-    # res = res.click(href=url_for('client.home'))
+    # res = res.click(href=url_for('oauth.client.home'))
     # FIXME: No nav link yet
-    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('client.home'))) == []
+    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('oauth.client.home'))) == []
 
-    res = testapp.get('/clients/')
+    res = testapp.get('/oauth/clients/')
     # Clicks Edit Client button
-    res = res.click(href=url_for('client.edit', client_id=client.client_id))
+    res = res.click(href=url_for('oauth.client.edit', client_id=client.client_id))
 
     # Fills out the form
     form = res.forms['editForm']
@@ -60,10 +60,10 @@ def test_user_cannot_edit_existing_client(user, client, testapp):
     res = form.submit().follow()
 
     # No Client home button for regular users
-    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('client.home'))) == []
+    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('oauth.client.home'))) == []
 
     # Try to go there directly
-    testapp.get('/clients/', status=403)
+    testapp.get('/oauth/clients/', status=403)
 
     # Try to go directly to edit
-    testapp.get(url_for('client.edit', client_id=client.client_id), status=403)
+    testapp.get(url_for('oauth.client.edit', client_id=client.client_id), status=403)

tests/end2end/test_listing_grant.py → tests/end2end/test_oauth_listing_grant.py

@@ -18,15 +18,13 @@ def test_superuser_can_list_existing_grant(superuser, grant, testapp):
     res = form.submit().follow()
 
     # Clicks Grant button
-    # res = res.click(href=url_for('grant.home'))
+    # res = res.click(href=url_for('oauth.grant.home'))
     # FIXME: No nav link yet
-    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('grant.home'))) == []
+    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('oauth.grant.home'))) == []
 
-    res = testapp.get('/grants/')
+    res = testapp.get('/oauth/grants/')
 
     # The grant is listed under existing grants
-    # grant.id shows up twice, once alone in a cell, once in a delete link
-    assert len(res.lxml.xpath("//td[contains(., '{0}')]".format(grant.id))) == 2
     assert len(res.lxml.xpath("//td[contains(., '{0}')]".format(grant.user.email))) == 1
     assert len(res.lxml.xpath("//td[contains(., '{0}')]".format(grant.client.name))) == 1
 
@@ -43,7 +41,7 @@ def test_user_cannot_list_existing_grant(user, testapp):
     res = form.submit().follow()
 
     # No Grant home link for regular users
-    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('grant.home'))) == []
+    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('oauth.grant.home'))) == []
 
     # Try to go there directly
-    testapp.get(url_for('grant.home'), status=403)
+    testapp.get(url_for('oauth.grant.home'), status=403)

tests/end2end/test_listing_token.py → tests/end2end/test_oauth_listing_token.py

@@ -18,15 +18,13 @@ def test_superuser_can_list_existing_token(superuser, token, testapp):
     res = form.submit().follow()
 
     # Clicks Token button
-    # res = res.click(href=url_for('token.home'))
+    # res = res.click(href=url_for('oauth.token.home'))
     # FIXME: No nav link yet
-    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('token.home'))) == []
+    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('oauth.token.home'))) == []
 
-    res = testapp.get('/tokens/')
+    res = testapp.get('/oauth/tokens/')
 
     # The token is listed under existing tokens
-    # token.id shows up twice, once alone in a cell, once in a delete link
-    assert len(res.lxml.xpath("//td[contains(., '{0}')]".format(token.id))) == 2
     assert len(res.lxml.xpath("//td[contains(., '{0}')]".format(token.user.email))) == 1
     assert len(res.lxml.xpath("//td[contains(., '{0}')]".format(token.client.name))) == 1
 
@@ -43,7 +41,7 @@ def test_user_cannot_list_existing_token(user, testapp):
     res = form.submit().follow()
 
     # No Token home link for regular users
-    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('token.home'))) == []
+    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('oauth.token.home'))) == []
 
     # Try to go there directly
-    testapp.get(url_for('token.home'), status=403)
+    testapp.get(url_for('oauth.token.home'), status=403)

tests/end2end/test_registering_client.py → tests/end2end/test_oauth_registering_client.py

@@ -6,7 +6,7 @@
 from flask import url_for
 from flask_babel import gettext as _
 
-from xl_auth.client.models import Client
+from xl_auth.oauth.client.models import Client
 
 
 def test_superuser_can_register_new_client(superuser, testapp):
@@ -22,11 +22,11 @@ def test_superuser_can_register_new_client(superuser, testapp):
     res = form.submit().follow()
 
     # Clicks Clients button
-    # res = res.click(href=url_for('client.home'))
+    # res = res.click(href=url_for('oauth.client.home'))
     # FIXME: No nav link yet
-    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('client.home'))) == []
+    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('oauth.client.home'))) == []
 
-    res = testapp.get('/clients/')
+    res = testapp.get('/oauth/clients/')
     # Clicks Register New Client button
     res = res.click(_('New Client'))
 
@@ -61,10 +61,10 @@ def test_user_cannot_register_client(user, collection, testapp):
     res = form.submit().follow()
 
     # No Client home button for regular users
-    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('client.home'))) == []
+    assert res.lxml.xpath("//a[contains(@href,'{0}')]".format(url_for('oauth.client.home'))) == []
 
     # Try to go there directly
-    testapp.get('/clients/', status=403)
+    testapp.get('/oauth/clients/', status=403)
 
     # Try to go directly to register
-    testapp.get('/clients/register/', status=403)
+    testapp.get('/oauth/clients/register/', status=403)

tests/end2end/test_editing_user.py → tests/end2end/test_user_editing.py

@@ -22,7 +22,7 @@ def test_superuser_can_administer_existing_user(superuser, testapp):
     # Clicks Users button.
     res = res.click(_('Users'))
     # Clicks Edit Details button.
-    res = res.click(href='/users/administer/' + superuser.email.replace('@', '%40'))
+    res = res.click(href='/users/administer/{0}'.format(superuser.id))
     # Fills out the form.
     form = res.forms['administerForm']
     form['username'] = superuser.email
@@ -61,7 +61,7 @@ def test_superuser_can_change_password_for_existing_user(superuser, testapp):
     # Clicks Users button.
     res = res.click(_('Users'))
     # Clicks Change Password button.
-    res = res.click(href='/users/change_password/' + superuser.email.replace('@', '%40'))
+    res = res.click(href='/users/change_password/{0}'.format(superuser.id))
     # Fills out the form.
     form = res.forms['changePasswordForm']
     form['username'] = superuser.email
@@ -88,7 +88,7 @@ def test_superuser_sees_error_message_if_username_is_changed_from_administer(sup
     # Submits.
     form.submit()
     # Goes to Edit Details page for current user.
-    res = testapp.get(url_for('user.administer', username=superuser.email))
+    res = testapp.get(url_for('user.administer', user_id=superuser.id))
     # Fills out form, and changes username/email.
     form = res.forms['administerForm']
     form['username'] = '[email protected]'
@@ -113,7 +113,7 @@ def test_superuser_sees_error_message_if_username_is_changed_from_change_passwor
     # Submits.
     form.submit()
     # Goes to Change Password page for current user.
-    res = testapp.get(url_for('user.change_password', username=superuser.email))
+    res = testapp.get(url_for('user.change_password', user_id=superuser.id))
     # Fills out form, and changes username/email.
     form = res.forms['changePasswordForm']
     form['username'] = '[email protected]'
@@ -136,7 +136,7 @@ def test_superuser_sees_error_message_if_full_name_is_missing_in_administer(supe
     # Submits.
     form.submit()
     # Goes to Edit Details page for current user.
-    res = testapp.get(url_for('user.administer', username=superuser.email))
+    res = testapp.get(url_for('user.administer', user_id=superuser.id))
     # Fills out form, but omits friendly_name.
     form = res.forms['administerForm']
     form['full_name'] = ''
@@ -146,7 +146,7 @@ def test_superuser_sees_error_message_if_full_name_is_missing_in_administer(supe
     assert '{} - {}'.format(_('Full name'), _('This field is required.')) in res
 
 
-def test_superuser_sees_error_message_if_username_does_not_exist(superuser, testapp):
+def test_superuser_sees_error_message_if_user_id_does_not_exist(superuser, testapp):
     """Show error when attempting Edit Details / Change Password on user that does not exist."""
     # Goes to homepage.
     res = testapp.get('/')
@@ -157,18 +157,18 @@ def test_superuser_sees_error_message_if_username_does_not_exist(superuser, test
     # Submits.
     form.submit()
     # Goes to Edit Details page for a made-up user.
-    res = testapp.get(url_for('user.administer', username='[email protected]')).follow()
+    last_user = User.query.all()[-1]
+    made_up_id = last_user.id + 1
+    res = testapp.get(url_for('user.administer', user_id=made_up_id)).follow()
     # Sees error message.
-    assert _('User "%(username)s" does not exist',
-             username='[email protected]') in res
+    assert _('User ID "%(user_id)s" does not exist', user_id=made_up_id) in res
     # Tries to open Change Password page for another made-up user.
-    res = testapp.get(url_for('user.administer', username='[email protected]')).follow()
+    res = testapp.get(url_for('user.change_password', user_id=made_up_id)).follow()
     # Sees error message.
-    assert _('User "%(username)s" does not exist',
-             username='[email protected]') in res
+    assert _('User ID "%(user_id)s" does not exist', user_id=made_up_id) in res
 
 
-def test_user_cannot_administer_existing_user(superuser, user, testapp):
+def test_user_cannot_administer_other_user(superuser, user, testapp):
     """Attempt to administer user details for an existing user."""
     # Goes to homepage.
     res = testapp.get('/')
@@ -190,8 +190,9 @@ def test_user_cannot_administer_existing_user(superuser, user, testapp):
     assert res.lxml.xpath("//a[contains(@text,'{0}')]".format(_('Change Password'))) == []
 
     # Try to go directly to edit
-    testapp.get('/users/administer/{0}'.format(superuser.email), status=403)
-    testapp.get('/users/edit_details/{0}'.format(superuser.email), status=403)
+    testapp.get('/users/administer/{0}'.format(superuser.id), status=403)
+    testapp.get('/users/edit_details/{0}'.format(superuser.id), status=403)
+    testapp.get('/users/change_password/{0}'.format(superuser.id), status=403)
 
 
 def test_user_can_edit_own_details(user, testapp):
@@ -208,8 +209,7 @@ def test_user_can_edit_own_details(user, testapp):
     old_name = user.full_name
 
     # Make sure we're on the profile page
-    assert len(res.lxml.xpath("//h1[contains(., '{0} {1}')]".format(_('Welcome'),
-                                                                    old_name))) == 1
+    assert len(res.lxml.xpath("//h1[contains(., '{0} {1}')]".format(_('Welcome'), old_name))) == 1
 
     # Click on 'Edit' button
     res = res.click(_('Edit'))
@@ -220,6 +220,5 @@ def test_user_can_edit_own_details(user, testapp):
     res = form.submit().follow()
 
     # Make sure name has been updated
-    assert len(res.lxml.xpath("//h1[contains(., '{0} {1}')]".format(_('Welcome'),
-                                                                    old_name))) == 0
+    assert len(res.lxml.xpath("//h1[contains(., '{0} {1}')]".format(_('Welcome'), old_name))) == 0
     assert len(res.lxml.xpath("//h1[contains(., '{0} New Name')]".format(_('Welcome')))) == 1

tests/factories.py

@@ -8,12 +8,12 @@
 from factory import LazyFunction, PostGenerationMethodCall, Sequence
 from factory.alchemy import SQLAlchemyModelFactory
 
-from xl_auth.client.models import Client
 from xl_auth.collection.models import Collection
 from xl_auth.database import db
-from xl_auth.grant.models import Grant
+from xl_auth.oauth.client.models import Client
+from xl_auth.oauth.grant.models import Grant
+from xl_auth.oauth.token.models import Token
 from xl_auth.permission.models import Permission
-from xl_auth.token.models import Token
 from xl_auth.user.models import User
 
 

tests/forms/test_client.py

@@ -9,7 +9,7 @@
 from flask_babel import gettext as _
 from wtforms.validators import ValidationError
 
-from xl_auth.client.forms import EditForm, RegisterForm
+from xl_auth.oauth.client.forms import EditForm, RegisterForm
 
 
 def test_user_cannot_register_client(user):

tests/models/test_client.py

@@ -5,7 +5,7 @@
 
 import pytest
 
-from xl_auth.client.models import Client
+from xl_auth.oauth.client.models import Client
 
 from ..factories import ClientFactory
 

tests/models/test_grant.py

@@ -5,7 +5,7 @@
 
 import pytest
 
-from xl_auth.grant.models import Grant
+from xl_auth.oauth.grant.models import Grant
 
 from ..factories import GrantFactory
 

tests/models/test_token.py

@@ -5,7 +5,7 @@
 
 import pytest
 
-from xl_auth.token.models import Token
+from xl_auth.oauth.token.models import Token
 
 from ..factories import TokenFactory