Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
import time
import unittest
from flask import url_for
# These imports are required, because otherwise we get circular imports?!
from uffd import ldap, user
from uffd.session.views import get_current_user, login_required, is_valid_session
from uffd import create_app, db
from utils import dump, UffdTestCase
class TestSession(UffdTestCase):
def setUpApp(self):
self.app.config['SESSION_LIFETIME_SECONDS'] = 2
@self.app.route('/test_login_required')
@login_required()
def test_login_required():
return 'SUCCESS', 200
@self.app.route('/test_group_required1')
@login_required(group='users')
def test_group_required1():
return 'SUCCESS', 200
@self.app.route('/test_group_required2')
@login_required(group='notagroup')
def test_group_required2():
return 'SUCCESS', 200
def setUp(self):
super().setUp()
self.assertFalse(is_valid_session())
def login(self):
self.client.post(path=url_for('session.login'),
data={'loginname': 'testuser', 'password': 'userpassword'}, follow_redirects=True)
self.assertTrue(is_valid_session())
def assertLogin(self):
self.assertTrue(is_valid_session())
self.assertEqual(self.client.get(path=url_for('test_login_required'),
follow_redirects=True).data, b'SUCCESS')
self.assertEqual(get_current_user().loginname, 'testuser')
def assertLogout(self):
self.assertFalse(is_valid_session())
self.assertNotEqual(self.client.get(path=url_for('test_login_required'),
follow_redirects=True).data, b'SUCCESS')
self.assertEqual(get_current_user(), None)
def test_login(self):
self.assertLogout()
r = self.client.get(path=url_for('session.login'), follow_redirects=True)
dump('login', r)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('session.login'),
data={'loginname': 'testuser', 'password': 'userpassword'}, follow_redirects=True)
dump('login_post', r)
self.assertEqual(r.status_code, 200)
self.assertLogin()
def test_redirect(self):
r = self.client.post(path=url_for('session.login', ref=url_for('test_login_required')),
data={'loginname': 'testuser', 'password': 'userpassword'}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.data, b'SUCCESS')
def test_wrong_password(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': 'testuser', 'password': 'wrongpassword'}, follow_redirects=True)
dump('login_wrong_password', r)
self.assertEqual(r.status_code, 200)
self.assertLogout()
def test_empty_password(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': 'testuser', 'password': ''}, follow_redirects=True)
dump('login_empty_password', r)
self.assertEqual(r.status_code, 200)
self.assertLogout()
def test_wrong_user(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': 'nouser', 'password': 'userpassword'}, follow_redirects=True)
dump('login_wrong_user', r)
self.assertEqual(r.status_code, 200)
self.assertLogout()
def test_empty_user(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': '', 'password': 'userpassword'}, follow_redirects=True)
dump('login_empty_user', r)
self.assertEqual(r.status_code, 200)
self.assertLogout()
def test_no_access(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': 'testservice', 'password': 'servicepassword'}, follow_redirects=True)
dump('login_no_access', r)
self.assertEqual(r.status_code, 200)
self.assertLogout()
def test_group_required(self):
self.login()
self.assertEqual(self.client.get(path=url_for('test_group_required1'),
follow_redirects=True).data, b'SUCCESS')
self.assertNotEqual(self.client.get(path=url_for('test_group_required2'),
follow_redirects=True).data, b'SUCCESS')
def test_logout(self):
self.login()
r = self.client.get(path=url_for('session.logout'), follow_redirects=True)
dump('logout', r)
self.assertEqual(r.status_code, 200)
self.assertLogout()
@unittest.skip('See #29')
def test_timeout(self):
self.login()
time.sleep(3)
self.assertLogout()
def test_ratelimit(self):
for i in range(20):
self.client.post(path=url_for('session.login'),
data={'loginname': 'testuser', 'password': 'wrongpassword_%i'%i}, follow_redirects=True)
r = self.client.post(path=url_for('session.login'),
data={'loginname': 'testuser', 'password': 'userpassword'}, follow_redirects=True)
dump('login_ratelimit', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(is_valid_session())
class TestSessionOL(TestSession):
use_openldap = True