Do not create refresh tokens for apps with implicit grant type.

Signed-off-by: Yunfan Zhang <yz322@duke.edu>

awx/api/serializers.py

@@ -1093,7 +1093,7 @@ class UserAuthorizedTokenSerializer(BaseOAuth2TokenSerializer):
         )
         obj = super(UserAuthorizedTokenSerializer, self).create(validated_data)
         obj.save()
-        if obj.application is not None:
+        if obj.application and obj.application.authorization_grant_type != 'implicit':
             RefreshToken.objects.create(
                 user=current_user,
                 token=generate_token(),
@@ -1116,7 +1116,7 @@ class OAuth2TokenSerializer(BaseOAuth2TokenSerializer):
         if obj.application and obj.application.user:
             obj.user = obj.application.user
         obj.save()
-        if obj.application is not None:
+        if obj.application and obj.application.authorization_grant_type != 'implicit':
             RefreshToken.objects.create(
                 user=current_user,
                 token=generate_token(),

awx/main/tests/functional/api/test_oauth.py

@@ -4,6 +4,7 @@ import json
 
 from django.db import connection
 from django.test.utils import override_settings
+from django.test import Client
 
 from awx.main.utils.encryption import decrypt_value, get_encryption_key
 from awx.api.versioning import reverse, drf_reverse
@@ -174,6 +175,27 @@ def test_oauth_token_create(oauth_application, get, post, admin):
     assert response.data['summary_fields']['tokens']['results'][0] == {
         'id': token.pk, 'scope': token.scope, 'token': '************'
     }
+    # If the application is implicit grant type, no new refresb tokens should be created.
+    # The following tests check for that.
+    oauth_application.authorization_grant_type = 'implicit'
+    oauth_application.save()
+    token_count = RefreshToken.objects.count()
+    response = post(
+        reverse('api:o_auth2_token_list'),
+        {'scope': 'read', 'application': oauth_application.pk}, admin, expect=201
+    )
+    assert response.data['refresh_token'] is None
+    response = post(
+        reverse('api:user_authorized_token_list', kwargs={'pk': admin.pk}),
+        {'scope': 'read', 'application': oauth_application.pk}, admin, expect=201
+    )
+    assert response.data['refresh_token'] is None
+    response = post(
+        reverse('api:application_o_auth2_token_list', kwargs={'pk': oauth_application.pk}),
+        {'scope': 'read'}, admin, expect=201
+    )
+    assert response.data['refresh_token'] is None
+    assert token_count == RefreshToken.objects.count()
 
 
 @pytest.mark.django_db
@@ -268,3 +290,27 @@ def test_refresh_accesstoken(oauth_application, post, get, delete, admin):
     assert RefreshToken.objects.get(token=new_refresh_token) != 0
     refresh_token = RefreshToken.objects.get(token=refresh_token)
     assert refresh_token.revoked
+
+
+@pytest.mark.django_db
+def test_implicit_authorization(oauth_application, admin):
+    oauth_application.client_type = 'confidential'
+    oauth_application.authorization_grant_type = 'implicit'
+    oauth_application.redirect_uris = 'http://test.com'
+    oauth_application.save()
+    data = {
+        'response_type': 'token',
+        'client_id': oauth_application.client_id,
+        'client_secret': oauth_application.client_secret,
+        'scope': 'read',
+        'redirect_uri': 'http://test.com', 
+        'allow': True
+    }
+
+    request_client = Client()
+    request_client.force_login(admin, 'django.contrib.auth.backends.ModelBackend')
+    refresh_token_count = RefreshToken.objects.count()
+    response = request_client.post(drf_reverse('api:authorize'), data)
+    assert 'http://test.com' in response.url and 'access_token' in response.url
+    # Make sure no refresh token is created for app with implicit grant type.
+    assert refresh_token_count == RefreshToken.objects.count()

awx/main/tests/functional/test_named_url.py

@@ -5,10 +5,10 @@ from django.core.exceptions import ImproperlyConfigured
 from awx.api.versioning import reverse
 from awx.main.middleware import URLModificationMiddleware
 from awx.main.models import * # noqa
+from awx.conf import settings_registry
 
 
-@pytest.fixture(scope='function', autouse=True)
+def setup_module(module):
-def init_url_modification_middleware():
     # In real-world scenario, named url graph structure is populated by __init__
     # of URLModificationMiddleware. The way Django bootstraps ensures the initialization
     # will happen *once and only once*, while the number of initialization is uncontrollable
@@ -20,6 +20,12 @@ def init_url_modification_middleware():
         pass
 
 
+def teardown_module(module):
+    # settings_registry will be persistent states unless we explicitly clean them up. 
+    settings_registry.unregister('NAMED_URL_FORMATS')
+    settings_registry.unregister('NAMED_URL_GRAPH_NODES')
+
+
 @pytest.mark.django_db
 def test_user(get, admin_user):
     test_user = User.objects.create(username='test_user', password='test_user', is_superuser=False)