CognitoIDP - allow respond_to_auth_challenge without Auth-header (#5133)

2022-05-13 19:45:05 +00:00 · 2022-05-13 19:45:05 +00:00 · 0e3ac26068
commit 0e3ac26068
parent 32b662c896
3 changed files with 96 additions and 2 deletions
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@ -1834,6 +1834,14 @@ class GlobalCognitoIdpBackend(CognitoIdpBackend):
        backend = self._find_backend_by_access_token(access_token)
        return backend.get_user(access_token)

+    def respond_to_auth_challenge(
+        self, session, client_id, challenge_name, challenge_responses
+    ):
+        backend = self._find_backend_for_clientid(client_id)
+        return backend.respond_to_auth_challenge(
+            session, client_id, challenge_name, challenge_responses
+        )
+

 cognitoidp_backends = BackendDict(CognitoIdpBackend, "cognito-idp")
 cognitoidp_backends["global"] = GlobalCognitoIdpBackend("global")
--- a/moto/cognitoidp/responses.py
+++ b/moto/cognitoidp/responses.py
@ -444,7 +444,7 @@ class CognitoIdpResponse(BaseResponse):
        client_id = self._get_param("ClientId")
        challenge_name = self._get_param("ChallengeName")
        challenge_responses = self._get_param("ChallengeResponses")
-        auth_result = cognitoidp_backends[self.region].respond_to_auth_challenge(
+        auth_result = cognitoidp_backends["global"].respond_to_auth_challenge(
            session, client_id, challenge_name, challenge_responses
        )

--- a/tests/test_cognitoidp/test_server.py
+++ b/tests/test_cognitoidp/test_server.py
@ -2,7 +2,7 @@ import json
 import moto.server as server


-def test_sign_up_method_without_authentication():
+def test_sign_up_user_without_authentication():
    backend = server.create_backend_app("cognito-idp")
    test_client = backend.test_client()

@ -94,3 +94,89 @@ def test_sign_up_method_without_authentication():
    data.should.have.key("UserPoolId").equals(user_pool_id)
    data.should.have.key("Username").equals("test@gmail.com")
    data.should.have.key("UserStatus").equals("CONFIRMED")
+
+
+def test_admin_create_user_without_authentication():
+    backend = server.create_backend_app("cognito-idp")
+    test_client = backend.test_client()
+
+    # Create User Pool
+    res = test_client.post(
+        "/",
+        data='{"PoolName": "test-pool"}',
+        headers={
+            "X-Amz-Target": "AWSCognitoIdentityProviderService.CreateUserPool",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=abcd/20010101/us-east-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=...",
+        },
+    )
+    user_pool_id = json.loads(res.data)["UserPool"]["Id"]
+
+    # Create User Pool Client
+    data = {
+        "UserPoolId": user_pool_id,
+        "ClientName": "some-client",
+        "GenerateSecret": False,
+        "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH"],
+    }
+    res = test_client.post(
+        "/",
+        data=json.dumps(data),
+        headers={
+            "X-Amz-Target": "AWSCognitoIdentityProviderService.CreateUserPoolClient",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=abcd/20010101/us-east-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=...",
+        },
+    )
+    client_id = json.loads(res.data)["UserPoolClient"]["ClientId"]
+
+    # Admin Create User
+    data = {
+        "UserPoolId": user_pool_id,
+        "Username": "test@gmail.com",
+        "TemporaryPassword": "12345678",
+    }
+    res = test_client.post(
+        "/",
+        data=json.dumps(data),
+        headers={
+            "X-Amz-Target": "AWSCognitoIdentityProviderService.AdminCreateUser",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=abcd/20010101/us-east-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=...",
+        },
+    )
+    res.status_code.should.equal(200)
+
+    # Initiate Auth
+    data = {
+        "ClientId": client_id,
+        "AuthFlow": "USER_PASSWORD_AUTH",
+        "AuthParameters": {"USERNAME": "test@gmail.com", "PASSWORD": "12345678"},
+    }
+    res = test_client.post(
+        "/",
+        data=json.dumps(data),
+        headers={"X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth"},
+    )
+    session = json.loads(res.data)["Session"]
+
+    # Respond to Auth Challenge
+    data = {
+        "ClientId": client_id,
+        "ChallengeName": "NEW_PASSWORD_REQUIRED",
+        "ChallengeResponses": {
+            "USERNAME": "test@gmail.com",
+            "NEW_PASSWORD": "abcdefgh",
+        },
+        "Session": session,
+    }
+    res = test_client.post(
+        "/",
+        data=json.dumps(data),
+        headers={
+            "X-Amz-Target": "AWSCognitoIdentityProviderService.RespondToAuthChallenge"
+        },
+    )
+    res.status_code.should.equal(200)
+    response = json.loads(res.data)
+
+    response.should.have.key("AuthenticationResult")
+    response["AuthenticationResult"].should.have.key("IdToken")
+    response["AuthenticationResult"].should.have.key("AccessToken")