[oauth2] Added test for resource owner password grant flow

elpaso · dakcarto · commit d259279d67ae · 2017-10-27T04:25:48.000-06:00
diff --git a/.ci/travis/linux/before_install.sh b/.ci/travis/linux/before_install.sh
@@ -15,3 +15,4 @@
 
 
 #pip3 install termcolor
+pip install psycopg2 numpy nose2 pyyaml mock future termcolor oauthlib
diff --git a/.ci/travis/macos/before_install.sh b/.ci/travis/macos/before_install.sh
@@ -27,7 +27,8 @@ pip3 install \
     pyyaml \
     mock \
     future \
-    termcolor
+    termcolor \
+    oauthlib
 
 brew install \
     qscintilla2 \
diff --git a/tests/src/python/CMakeLists.txt b/tests/src/python/CMakeLists.txt
@@ -229,6 +229,9 @@ IF (WITH_SERVER)
   ADD_PYTHON_TEST(PyQgsAuthManagerPasswordOWSTest test_authmanager_password_ows.py)
   ADD_PYTHON_TEST(PyQgsAuthManagerPKIOWSTest test_authmanager_pki_ows.py)
   ADD_PYTHON_TEST(PyQgsAuthManagerPKIPostgresTest test_authmanager_pki_postgres.py)
+  IF(WITH_OAUTH2_PLUGIN)
+    ADD_PYTHON_TEST(PyQgsAuthManagerOAuth2OWSTest test_authmanager_oauth2_ows.py)
+  ENDIF()
   ADD_PYTHON_TEST(PyQgsServerServices test_qgsserver_services.py)
   ADD_PYTHON_TEST(PyQgsServerModules test_qgsserver_modules.py)
   ADD_PYTHON_TEST(PyQgsServerRequest test_qgsserver_request.py)
diff --git a/tests/src/python/qgis_wrapped_server.py b/tests/src/python/qgis_wrapped_server.py
@@ -1,10 +1,39 @@
+#!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 """
-QGIS Server HTTP wrapper
+QGIS Server HTTP wrapper for testing purposes
+================================================================================
 
 This script launches a QGIS Server listening on port 8081 or on the port
 specified on the environment variable QGIS_SERVER_PORT.
-QGIS_SERVER_HOST (defaults to 127.0.0.1)
+Hostname is set by environment variable QGIS_SERVER_HOST (defaults to 127.0.0.1)
+
+The server can be configured to support any of the following auth systems
+(mutually exclusive):
+
+  * PKI
+  * HTTP Basic
+  * OAuth2 (requires python package oauthlib, installable with:
+            with "pip install oauthlib")
+
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+SECURITY WARNING:
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+This script was developed for testing purposes and was not meant to be secure,
+please do not use in a production server any of the authentication systems
+implemented here.
+
+
+HTTPS
+--------------------------------------------------------------------------------
+
+HTTPS is automatically enabled for PKI and OAuth2
+
+
+HTTP Basic
+--------------------------------------------------------------------------------
 
 For testing purposes, HTTP Basic can be enabled by setting the following
 environment variables:
@@ -13,21 +42,61 @@
   * QGIS_SERVER_USERNAME (default ="username")
   * QGIS_SERVER_PASSWORD (default ="password")
 
+
+PKI
+--------------------------------------------------------------------------------
+
 PKI authentication with HTTPS can be enabled with:
 
   * QGIS_SERVER_PKI_CERTIFICATE (server certificate)
   * QGIS_SERVER_PKI_KEY (server private key)
   * QGIS_SERVER_PKI_AUTHORITY (root CA)
   * QGIS_SERVER_PKI_USERNAME (valid username)
 
- Sample run:
+
+OAuth2 Resource Owner Grant Flow
+--------------------------------------------------------------------------------
+
+OAuth2 Resource Owner Grant Flow with HTTPS can be enabled with:
+
+  * QGIS_SERVER_OAUTH2_AUTHORITY (no default)
+  * QGIS_SERVER_OAUTH2_KEY (server private key)
+  * QGIS_SERVER_OAUTH2_CERTIFICATE (server certificate)
+  * QGIS_SERVER_OAUTH2_USERNAME (default ="username")
+  * QGIS_SERVER_OAUTH2_PASSWORD (default ="password")
+  * QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN (default = 3600)
+
+Available endpoints:
+
+  - /token (returns a new access_token),
+            optionally specify an expiration time in seconds with ?ttl=<int>
+  - /refresh (returns a new access_token from a refresh token),
+             optionally specify an expiration time in seconds with ?ttl=<int>
+  - /result (check the Bearer token and returns a short sentence if it validates)
+
+
+Sample runs
+--------------------------------------------------------------------------------
+
+PKI:
 
 QGIS_SERVER_PKI_USERNAME=Gerardus QGIS_SERVER_PORT=47547 QGIS_SERVER_HOST=localhost \
     QGIS_SERVER_PKI_KEY=/home/$USER/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_key.pem \
     QGIS_SERVER_PKI_CERTIFICATE=/home/$USER/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_cert.pem \
     QGIS_SERVER_PKI_AUTHORITY=/home/$USER/dev/QGIS/tests/testdata/auth_system/certs_keys/chains_subissuer-issuer-root_issuer2-root2.pem \
     python3 /home/$USER/dev/QGIS/tests/src/python/qgis_wrapped_server.py
 
+
+OAuth2:
+
+QGIS_SERVER_PORT=8443 \
+    QGIS_SERVER_HOST=localhost \
+    QGIS_SERVER_OAUTH2_AUTHORITY=/home/$USER/dev/QGIS/tests/testdata/auth_system/certs_keys/chain_subissuer-issuer-root.pem  \
+    QGIS_SERVER_OAUTH2_CERTIFICATE=/home/$USER/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_cert.pem \
+    QGIS_SERVER_OAUTH2_KEY=/home/$USER/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_key.pem \
+    python3 /home/$USER/dev/QGIS/tests/src/python/qgis_wrapped_server.py
+
+
 .. note:: This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
@@ -49,42 +118,70 @@
 import sys
 import signal
 import ssl
+import copy
 import urllib.parse
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from qgis.core import QgsApplication
 from qgis.server import QgsServer, QgsServerRequest, QgsBufferServerRequest, QgsBufferServerResponse
 
 QGIS_SERVER_PORT = int(os.environ.get('QGIS_SERVER_PORT', '8081'))
 QGIS_SERVER_HOST = os.environ.get('QGIS_SERVER_HOST', '127.0.0.1')
+
+# HTTP Basic
+QGIS_SERVER_HTTP_BASIC_AUTH = os.environ.get('QGIS_SERVER_HTTP_BASIC_AUTH', False)
+QGIS_SERVER_USERNAME = os.environ.get('QGIS_SERVER_USERNAME', 'username')
+QGIS_SERVER_PASSWORD = os.environ.get('QGIS_SERVER_PASSWORD', 'password')
+
 # PKI authentication
 QGIS_SERVER_PKI_CERTIFICATE = os.environ.get('QGIS_SERVER_PKI_CERTIFICATE')
 QGIS_SERVER_PKI_KEY = os.environ.get('QGIS_SERVER_PKI_KEY')
 QGIS_SERVER_PKI_AUTHORITY = os.environ.get('QGIS_SERVER_PKI_AUTHORITY')
 QGIS_SERVER_PKI_USERNAME = os.environ.get('QGIS_SERVER_PKI_USERNAME')
 
-# Check if PKI - https is enabled
-https = (QGIS_SERVER_PKI_CERTIFICATE is not None and
-         os.path.isfile(QGIS_SERVER_PKI_CERTIFICATE) and
-         QGIS_SERVER_PKI_KEY is not None and
-         os.path.isfile(QGIS_SERVER_PKI_KEY) and
-         QGIS_SERVER_PKI_AUTHORITY is not None and
-         os.path.isfile(QGIS_SERVER_PKI_AUTHORITY) and
-         QGIS_SERVER_PKI_USERNAME)
+# OAuth2 authentication
+QGIS_SERVER_OAUTH2_CERTIFICATE = os.environ.get('QGIS_SERVER_OAUTH2_CERTIFICATE')
+QGIS_SERVER_OAUTH2_KEY = os.environ.get('QGIS_SERVER_OAUTH2_KEY')
+QGIS_SERVER_OAUTH2_AUTHORITY = os.environ.get('QGIS_SERVER_OAUTH2_AUTHORITY')
+QGIS_SERVER_OAUTH2_USERNAME = os.environ.get('QGIS_SERVER_OAUTH2_USERNAME', 'username')
+QGIS_SERVER_OAUTH2_PASSWORD = os.environ.get('QGIS_SERVER_OAUTH2_PASSWORD', 'password')
+QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN = os.environ.get('QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN', 3600)
+
+# Check if PKI is enabled
+QGIS_SERVER_PKI_AUTH = (
+    QGIS_SERVER_PKI_CERTIFICATE is not None and
+    os.path.isfile(QGIS_SERVER_PKI_CERTIFICATE) and
+    QGIS_SERVER_PKI_KEY is not None and
+    os.path.isfile(QGIS_SERVER_PKI_KEY) and
+    QGIS_SERVER_PKI_AUTHORITY is not None and
+    os.path.isfile(QGIS_SERVER_PKI_AUTHORITY) and
+    QGIS_SERVER_PKI_USERNAME)
+
+# Check if OAuth2 is enabled
+QGIS_SERVER_OAUTH2_AUTH = (
+    QGIS_SERVER_OAUTH2_CERTIFICATE is not None and
+    os.path.isfile(QGIS_SERVER_OAUTH2_CERTIFICATE) and
+    QGIS_SERVER_OAUTH2_KEY is not None and
+    os.path.isfile(QGIS_SERVER_OAUTH2_KEY) and
+    QGIS_SERVER_OAUTH2_AUTHORITY is not None and
+    os.path.isfile(QGIS_SERVER_OAUTH2_AUTHORITY) and
+    QGIS_SERVER_OAUTH2_USERNAME and QGIS_SERVER_OAUTH2_PASSWORD)
+
+HTTPS_ENABLED = QGIS_SERVER_PKI_AUTH or QGIS_SERVER_OAUTH2_AUTH
 
 
 qgs_app = QgsApplication([], False)
 qgs_server = QgsServer()
 
 
-if os.environ.get('QGIS_SERVER_HTTP_BASIC_AUTH') is not None:
+if QGIS_SERVER_HTTP_BASIC_AUTH:
     from qgis.server import QgsServerFilter
     import base64
 
     class HTTPBasicFilter(QgsServerFilter):
 
         def responseComplete(self):
             handler = self.serverInterface().requestHandler()
-            auth = self.serverInterface().requestHandler().requestHeader('HTTP_AUTHORIZATION')
+            auth = handler.requestHeader('HTTP_AUTHORIZATION')
             if auth:
                 username, password = base64.b64decode(auth[6:]).split(b':')
                 if (username.decode('utf-8') == os.environ.get('QGIS_SERVER_USERNAME', 'username') and
@@ -100,6 +197,139 @@ def responseComplete(self):
     qgs_server.serverInterface().registerFilter(filter)
 
 
+if QGIS_SERVER_OAUTH2_AUTH:
+    from qgis.server import QgsServerFilter
+    from oauthlib.oauth2 import RequestValidator, LegacyApplicationServer
+    import base64
+    from datetime import datetime
+
+    # Naive token storage implementation
+    _tokens = {}
+
+    class SimpleValidator(RequestValidator):
+        """Validate username and password
+        Note: does not support scopes or client_id"""
+
+        def validate_client_id(self, client_id, request):
+            return True
+
+        def authenticate_client(self, request, *args, **kwargs):
+            """Wide open"""
+            request.client = type("Client", (), {'client_id': 'my_id'})
+            return True
+
+        def validate_user(self, username, password, client, request, *args, **kwargs):
+            if username == QGIS_SERVER_OAUTH2_USERNAME and password == QGIS_SERVER_OAUTH2_PASSWORD:
+                return True
+            return False
+
+        def validate_grant_type(self, client_id, grant_type, client, request, *args, **kwargs):
+            # Clients should only be allowed to use one type of grant.
+            return grant_type in ('password', 'refresh_token')
+
+        def get_default_scopes(self, client_id, request, *args, **kwargs):
+            # Scopes a client will authorize for if none are supplied in the
+            # authorization request.
+            return ('my_scope', )
+
+        def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+            """Wide open"""
+            return True
+
+        def save_bearer_token(self, token, request, *args, **kwargs):
+            # Remember to associate it with request.scopes, request.user and
+            # request.client. The two former will be set when you validate
+            # the authorization code. Don't forget to save both the
+            # access_token and the refresh_token and set expiration for the
+            # access_token to now + expires_in seconds.
+            _tokens[token['access_token']] = copy.copy(token)
+            _tokens[token['access_token']]['expiration'] = datetime.now().timestamp() + int(token['expires_in'])
+
+        def validate_bearer_token(self, token, scopes, request):
+            """Check the token"""
+            return token in _tokens and _tokens[token]['expiration'] > datetime.now().timestamp()
+
+        def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs):
+            """Ensure the Bearer token is valid and authorized access to scopes."""
+            for t in _tokens.values():
+                if t['refresh_token'] == refresh_token:
+                    return True
+            return False
+
+        def get_original_scopes(self, refresh_token, request, *args, **kwargs):
+            """Get the list of scopes associated with the refresh token."""
+            return []
+
+    validator = SimpleValidator()
+    oauth_server = LegacyApplicationServer(validator, token_expires_in=QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN)
+
+    class OAuth2Filter(QgsServerFilter):
+        """This filter provides testing endpoint for OAuth2 Resource Owner Grant Flow
+
+        Available endpoints:
+        - /token (returns a new access_token),
+                 optionally specify an expiration time in seconds with ?ttl=<int>
+        - /refresh (returns a new access_token from a refresh token),
+                 optionally specify an expiration time in seconds with ?ttl=<int>
+        - /result (check the Bearer token and returns a short sentence if it validates)
+        """
+
+        def responseComplete(self):
+
+            handler = self.serverInterface().requestHandler()
+
+            def _token(ttl):
+                """Common code for new and refresh token"""
+                handler.clear()
+                body = bytes(handler.data()).decode('utf8')
+                old_expires_in = oauth_server.default_token_type.expires_in
+                # Hacky way to dynamically set token expiration time
+                oauth_server.default_token_type.expires_in = ttl
+                headers, payload, code = oauth_server.create_token_response('/token', 'post', body, {})
+                oauth_server.default_token_type.expires_in = old_expires_in
+                for k, v in headers.items():
+                    handler.setResponseHeader(k, v)
+                handler.setStatusCode(code)
+                handler.appendBody(payload.encode('utf-8'))
+
+            # Token expiration
+            ttl = handler.parameterMap().get('TTL', QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN)
+            # Issue a new token
+            if handler.url().find('/token') != -1:
+                _token(ttl)
+                return
+
+            # Refresh token
+            if handler.url().find('/refresh') != -1:
+                _token(ttl)
+                return
+
+            # Check for valid token
+            auth = handler.requestHeader('HTTP_AUTHORIZATION')
+            if auth:
+                result, response = oauth_server.verify_request(handler.url(), 'post', '', {'Authorization': auth})
+                if result:
+                    # This is a test endpoint for OAuth2, it requires a valid token
+                    if handler.url().find('/result') != -1:
+                        handler.clear()
+                        handler.appendBody(b'Valid Token: enjoy OAuth2')
+                    # Standard flow
+                    return
+                else:
+                    # Wrong token, default response 401
+                    pass
+
+            # No auth ...
+            handler.clear()
+            handler.setStatusCode(401)
+            handler.setResponseHeader('Status', '401 Unauthorized')
+            handler.setResponseHeader('WWW-Authenticate', 'Bearer realm="QGIS Server"')
+            handler.appendBody(b'Invalid Token: Authorization required.')
+
+    filter = OAuth2Filter(qgs_server.serverInterface())
+    qgs_server.serverInterface().registerFilter(filter)
+
+
 class Handler(BaseHTTPRequestHandler):
 
     def do_GET(self, post_body=None):
@@ -130,16 +360,29 @@ def do_POST(self):
 
 if __name__ == '__main__':
     server = HTTPServer((QGIS_SERVER_HOST, QGIS_SERVER_PORT), Handler)
-    if https:
-        server.socket = ssl.wrap_socket(server.socket,
-                                        certfile=QGIS_SERVER_PKI_CERTIFICATE,
-                                        keyfile=QGIS_SERVER_PKI_KEY,
-                                        ca_certs=QGIS_SERVER_PKI_AUTHORITY,
-                                        cert_reqs=ssl.CERT_REQUIRED,
-                                        server_side=True,
-                                        ssl_version=ssl.PROTOCOL_TLSv1)
+    # HTTPS is enabled if any of PKI or OAuth2 are enabled too
+    if HTTPS_ENABLED:
+        if QGIS_SERVER_OAUTH2_AUTH:
+            server.socket = ssl.wrap_socket(
+                server.socket,
+                certfile=QGIS_SERVER_OAUTH2_CERTIFICATE,
+                ca_certs=QGIS_SERVER_OAUTH2_AUTHORITY,
+                keyfile=QGIS_SERVER_OAUTH2_KEY,
+                server_side=True,
+                #cert_reqs=ssl.CERT_REQUIRED,  # No certs for OAuth2
+                ssl_version=ssl.PROTOCOL_TLSv1)
+        else:
+            server.socket = ssl.wrap_socket(
+                server.socket,
+                certfile=QGIS_SERVER_PKI_CERTIFICATE,
+                keyfile=QGIS_SERVER_PKI_KEY,
+                ca_certs=QGIS_SERVER_PKI_AUTHORITY,
+                cert_reqs=ssl.CERT_REQUIRED,
+                server_side=True,
+                ssl_version=ssl.PROTOCOL_TLSv1)
+
     print('Starting server on %s://%s:%s, use <Ctrl-C> to stop' %
-          ('https' if https else 'http', QGIS_SERVER_HOST, server.server_port), flush=True)
+          ('https' if HTTPS_ENABLED else 'http', QGIS_SERVER_HOST, server.server_port), flush=True)
 
     def signal_handler(signal, frame):
         global qgs_app
diff --git a/tests/src/python/test_authmanager_oauth2_ows.py b/tests/src/python/test_authmanager_oauth2_ows.py

Original file line number	Diff line number	Diff line change
`@@ -15,3 +15,4 @@`
`15`	`15`
`16`	`16`
`17`	`17`	`#pip3 install termcolor`
	`18`	`+pip install psycopg2 numpy nose2 pyyaml mock future termcolor oauthlib`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,273 @@ @@
 +# -*- coding: utf-8 -*-
 +"""
 +Tests for auth manager WMS/WFS using QGIS Server through OAuth2
 +enabled qgis_wrapped_server.py.
++
 +This is an integration test for QGIS Desktop Auth Manager WFS and WMS provider
 +and QGIS Server WFS/WMS that check if QGIS can use a stored auth manager auth
 +configuration to access an OAuth2 Resource Owner Grant Flow protected endpoint.
++
++
 +From build dir, run: ctest -R PyQgsAuthManagerOAuth2OWSTest -V
++
 +.. note:: This program is free software; you can redistribute it and/or modify
 +it under the terms of the GNU General Public License as published by
 +the Free Software Foundation; either version 2 of the License, or
 +(at your option) any later version.
 +"""
 +import os
 +import sys
 +import re
 +import subprocess
 +import tempfile
 +import urllib
 +import stat
 +import json
 +import time
 +import random
++
 +__author__ = 'Alessandro Pasotti'
 +__date__ = '20/04/2017'
 +__copyright__ = 'Copyright 2017, The QGIS Project'
 +# This will get replaced with a git SHA1 when you do a git archive
 +__revision__ = '$Format:%H$'
++
 +from shutil import rmtree
++
 +from utilities import unitTestDataPath, waitServer
 +from qgis.core import (
 +    QgsAuthManager,
 +    QgsAuthMethodConfig,
 +    QgsVectorLayer,
 +    QgsRasterLayer,
 +)
++
 +from qgis.PyQt.QtNetwork import QSslCertificate
++
 +from qgis.testing import (
 +    start_app,
 +    unittest,
 +)
++
 +try:
 +    QGIS_SERVER_ENDPOINT_PORT = os.environ['QGIS_SERVER_ENDPOINT_PORT']
 +except:
 +    QGIS_SERVER_ENDPOINT_PORT = '0'  # Auto
++
++
 +QGIS_AUTH_DB_DIR_PATH = tempfile.mkdtemp()
++
 +os.environ['QGIS_AUTH_DB_DIR_PATH'] = QGIS_AUTH_DB_DIR_PATH
++
 +qgis_app = start_app()
++
++
 +def setup_oauth(username, password, token_uri, refresh_token_uri='', authcfg_id='oauth-2', authcfg_name='OAuth2 test configuration'):
 +    """Setup oauth configuration to access OAuth API,
 +    return authcfg_id on success, None on failure
 +    """
 +    cfgjson = {
 +        "accessMethod": 0,
 +        "apiKey": "",
 +        "clientId": "",
 +        "clientSecret": "",
 +        "configType": 1,
 +        "grantFlow": 2,
 +        "password": password,
 +        "persistToken": False,
 +        "redirectPort": '7070',
 +        "redirectUrl": "",
 +        "refreshTokenUrl": refresh_token_uri,
 +        "requestTimeout": '30',
 +        "requestUrl": "",
 +        "scope": "",
 +        "state": "",
 +        "tokenUrl": token_uri,
 +        "username": username,
 +        "version": 1
 +    }
++
 +    if authcfg_id not in QgsAuthManager.instance().availableAuthMethodConfigs():
 +        authConfig = QgsAuthMethodConfig('OAuth2')
 +        authConfig.setId(authcfg_id)
 +        authConfig.setName(authcfg_name)
 +        authConfig.setConfig('oauth2config', json.dumps(cfgjson))
 +        if QgsAuthManager.instance().storeAuthenticationConfig(authConfig):
 +            return authcfg_id
 +    else:
 +        authConfig = QgsAuthMethodConfig()
 +        QgsAuthManager.instance().loadAuthenticationConfig(authcfg_id, authConfig, True)
 +        authConfig.setName(authcfg_name)
 +        authConfig.setConfig('oauth2config', json.dumps(cfgjson))
 +        if QgsAuthManager.instance().updateAuthenticationConfig(authConfig):
 +            return authcfg_id
 +    return None
++
++
 +class TestAuthManager(unittest.TestCase):
++
 +    @classmethod
 +    def setUpAuth(cls):
 +        """Run before all tests and set up authentication"""
 +        authm = QgsAuthManager.instance()
 +        assert (authm.setMasterPassword('masterpassword', True))
 +        cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem')
 +        assert os.path.isfile(cls.sslrootcert_path)
 +        os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
++
 +        cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
 +        assert cls.sslrootcert is not None
 +        authm.storeCertAuthorities(cls.sslrootcert)
 +        authm.rebuildCaCertsCache()
 +        authm.rebuildTrustedCaCertsCache()
++
 +        cls.server_cert = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_cert.pem')
 +        cls.server_key = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_key.pem')
 +        cls.server_rootcert = cls.sslrootcert_path
 +        os.chmod(cls.server_cert, stat.S_IRUSR)
 +        os.chmod(cls.server_key, stat.S_IRUSR)
 +        os.chmod(cls.server_rootcert, stat.S_IRUSR)
++
 +        os.environ['QGIS_SERVER_HOST'] = cls.hostname
 +        os.environ['QGIS_SERVER_PORT'] = str(cls.port)
 +        os.environ['QGIS_SERVER_OAUTH2_KEY'] = cls.server_key
 +        os.environ['QGIS_SERVER_OAUTH2_CERTIFICATE'] = cls.server_cert
 +        os.environ['QGIS_SERVER_OAUTH2_USERNAME'] = cls.username
 +        os.environ['QGIS_SERVER_OAUTH2_PASSWORD'] = cls.password
 +        os.environ['QGIS_SERVER_OAUTH2_AUTHORITY'] = cls.server_rootcert
 +        # Set default token expiration to 2 seconds, note that this can be
 +        # also controlled when issuing token requests by adding ttl=<int>
 +        # to the query string
 +        os.environ['QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN'] = '2'
++
 +    @classmethod
 +    def setUpClass(cls):
 +        """Run before all tests:
 +        Creates an auth configuration"""
 +        cls.port = QGIS_SERVER_ENDPOINT_PORT
 +        # Clean env just to be sure
 +        env_vars = ['QUERY_STRING', 'QGIS_PROJECT_FILE']
 +        for ev in env_vars:
 +            try:
 +                del os.environ[ev]
 +            except KeyError:
 +                pass
 +        cls.testdata_path = unitTestDataPath('qgis_server')
 +        cls.certsdata_path = os.path.join(unitTestDataPath('auth_system'), 'certs_keys')
 +        cls.project_path = os.path.join(cls.testdata_path, "test_project.qgs")
 +        # cls.hostname = 'localhost'
 +        cls.protocol = 'https'
 +        cls.hostname = '127.0.0.1'
 +        cls.username = 'username'
 +        cls.password = 'password'
 +        cls.setUpAuth()
++
 +        server_path = os.path.join(os.path.dirname(os.path.realpath(__file__)),
 +                                   'qgis_wrapped_server.py')
 +        cls.server = subprocess.Popen([sys.executable, server_path],
 +                                      env=os.environ, stdout=subprocess.PIPE)
 +        line = cls.server.stdout.readline()
 +        cls.port = int(re.findall(b':(\d+)', line)[0])
 +        assert cls.port != 0
++
 +        # We need a valid port before we setup the oauth configuration
 +        cls.token_uri = '%s://%s:%s/token' % (cls.protocol, cls.hostname, cls.port)
 +        cls.refresh_token_uri = '%s://%s:%s/refresh' % (cls.protocol, cls.hostname, cls.port)
 +        # Need a random authcfg or the cache will bites us back!
 +        cls.authcfg_id = setup_oauth(cls.username, cls.password, cls.token_uri, cls.refresh_token_uri, str(random.randint(0, 10000000)))
 +        # This is to test wrong credentials
 +        cls.wrong_authcfg_id = setup_oauth('wrong', 'wrong', cls.token_uri, cls.refresh_token_uri, str(random.randint(0, 10000000)))
 +        # Get the authentication configuration instance:
 +        cls.auth_config = QgsAuthManager.instance().availableAuthMethodConfigs()[cls.authcfg_id]
 +        assert cls.auth_config.isValid()
++
 +        # Wait for the server process to start
 +        assert waitServer('%s://%s:%s' % (cls.protocol, cls.hostname, cls.port)), "Server is not responding! %s://%s:%s" % (cls.protocol, cls.hostname, cls.port)
++
 +    @classmethod
 +    def tearDownClass(cls):
 +        """Run after all tests"""
 +        cls.server.kill()
 +        rmtree(QGIS_AUTH_DB_DIR_PATH)
 +        del cls.server
++
 +    def setUp(self):
 +        """Run before each test."""
 +        pass
++
 +    def tearDown(self):
 +        """Run after each test."""
 +        pass
++
 +    @classmethod
 +    def _getWFSLayer(cls, type_name, layer_name=None, authcfg=None):
 +        """
 +        WFS layer factory
 +        """
 +        if layer_name is None:
 +            layer_name = 'wfs_' + type_name
 +        parms = {
 +            'srsname': 'EPSG:4326',
 +            'typename': type_name,
 +            'url': '%s://%s:%s/?map=%s' % (cls.protocol, cls.hostname, cls.port, cls.project_path),
 +            'version': 'auto',
 +            'table': '',
 +        }
 +        if authcfg is not None:
 +            parms.update({'authcfg': authcfg})
 +        uri = ' '.join([("%s='%s'" % (k, v)) for k, v in list(parms.items())])
 +        wfs_layer = QgsVectorLayer(uri, layer_name, 'WFS')
 +        return wfs_layer
++
 +    @classmethod
 +    def _getWMSLayer(cls, layers, layer_name=None, authcfg=None):
 +        """
 +        WMS layer factory
 +        """
 +        if layer_name is None:
 +            layer_name = 'wms_' + layers.replace(',', '')
 +        parms = {
 +            'crs': 'EPSG:4326',
 +            'url': '%s://%s:%s/?map=%s' % (cls.protocol, cls.hostname, cls.port, cls.project_path),
 +            'format': 'image/png',
 +            # This is needed because of a really weird implementation in QGIS Server, that
 +            # replaces _ in the the real layer name with spaces
 +            'layers': urllib.parse.quote(layers.replace('_', ' ')),
 +            'styles': '',
 +            'version': 'auto',
 +            # 'sql': '',
 +        }
 +        if authcfg is not None:
 +            parms.update({'authcfg': authcfg})
 +        uri = '&'.join([("%s=%s" % (k, v.replace('=', '%3D'))) for k, v in list(parms.items())])
 +        wms_layer = QgsRasterLayer(uri, layer_name, 'wms')
 +        return wms_layer
++
 +    def testNoAuthAccess(self):
 +        """
 +        Access the protected layer with no credentials
 +        """
 +        wms_layer = self._getWMSLayer('testlayer_èé')
 +        self.assertFalse(wms_layer.isValid())
++
 +    def testInvalidAuthAccess(self):
 +        """
 +        Access the protected layer with wrong credentials
 +        """
 +        wms_layer = self._getWMSLayer('testlayer_èé', authcfg=self.wrong_authcfg_id)
 +        self.assertFalse(wms_layer.isValid())
++
 +    def testValidAuthAccess(self):
 +        """
 +        Access the protected layer with valid credentials
 +        Note: cannot test invalid access WFS in a separate test  because
 +              it would fail the subsequent (valid) calls due to cached connections
 +        """
 +        wfs_layer = self._getWFSLayer('testlayer_èé', authcfg=self.auth_config.id())
 +        self.assertTrue(wfs_layer.isValid())
 +        wms_layer = self._getWMSLayer('testlayer_èé', authcfg=self.auth_config.id())
 +        self.assertTrue(wms_layer.isValid())
++
++
 +if __name__ == '__main__':
 +    unittest.main()