tests/openldap_mock/ldap_server_info.json

-{
-    "raw": {
-        "altServer": [],
-        "configContext": [
-            "cn=config"
-        ],
-        "entryDN": [
-            ""
-        ],
-        "namingContexts": [
-            "dc=example,dc=com"
-        ],
-        "objectClass": [
-            "top",
-            "OpenLDAProotDSE"
-        ],
-        "structuralObjectClass": [
-            "OpenLDAProotDSE"
-        ],
-        "subschemaSubentry": [
-            "cn=Subschema"
-        ],
-        "supportedCapabilities": [],
-        "supportedControl": [
-            "2.16.840.1.113730.3.4.18",
-            "2.16.840.1.113730.3.4.2",
-            "1.3.6.1.4.1.4203.1.10.1",
-            "1.3.6.1.1.22",
-            "1.2.840.113556.1.4.319",
-            "1.2.826.0.1.3344810.2.3",
-            "1.3.6.1.1.13.2",
-            "1.3.6.1.1.13.1",
-            "1.3.6.1.1.12"
-        ],
-        "supportedExtension": [
-            "1.3.6.1.4.1.1466.20037",
-            "1.3.6.1.4.1.4203.1.11.1",
-            "1.3.6.1.4.1.4203.1.11.3",
-            "1.3.6.1.1.8"
-        ],
-        "supportedFeatures": [
-            "1.3.6.1.1.14",
-            "1.3.6.1.4.1.4203.1.5.1",
-            "1.3.6.1.4.1.4203.1.5.2",
-            "1.3.6.1.4.1.4203.1.5.3",
-            "1.3.6.1.4.1.4203.1.5.4",
-            "1.3.6.1.4.1.4203.1.5.5"
-        ],
-        "supportedLDAPVersion": [
-            "3"
-        ],
-        "supportedSASLMechanisms": [
-            "DIGEST-MD5",
-            "CRAM-MD5",
-            "NTLM"
-        ],
-        "vendorName": [],
-        "vendorVersion": []
-    },
-    "type": "DsaInfo"
-}

tests/test_csrf.py

@@ -2,7 +2,7 @@ import unittest
 
 from flask import Flask, Blueprint, session, url_for
 
-from uffd.csrf import csrf_bp, csrf_protect
+from uffd.csrf import bp as csrf_bp, csrf_protect
 
 uid_counter = 0
 

tests/test_mfa.py

-import unittest
-import datetime
-import time
-
-from flask import url_for, session, request
-
-# These imports are required, because otherwise we get circular imports?!
-from uffd import ldap, user
-
-from uffd.user.models import User
-from uffd.role.models import Role, RoleGroup
-from uffd.mfa.models import MFAMethod, MFAType, RecoveryCodeMethod, TOTPMethod, WebauthnMethod, _hotp
-from uffd import create_app, db
-
-from utils import dump, UffdTestCase
-
-class TestMfaPrimitives(unittest.TestCase):
-	def test_hotp(self):
-		self.assertEqual(_hotp(5555555, b'\xae\xa3T\x05\x89\xd6\xb76\xf61r\x92\xcc\xb5WZ\xe6)\x05q'), '458290')
-		self.assertEqual(_hotp(5555555, b'\xae\xa3T\x05\x89\xd6\xb76\xf61r\x92\xcc\xb5WZ\xe6)\x05q', digits=8), '20458290')
-		for digits in range(1, 10):
-			self.assertEqual(len(_hotp(1, b'abcd', digits=digits)), digits)
-		self.assertEqual(_hotp(1234, b''), '161024')
-		self.assertEqual(_hotp(0, b'\x04\x8fM\xcc\x7f\x82\x9c$a\x1b\xb3'), '279354')
-		self.assertEqual(_hotp(2**64-1, b'abcde'), '899292')
-
-def get_fido2_test_cred(self):
-	try:
-		from fido2.ctap2 import AttestedCredentialData
-	except ImportError:
-		self.skipTest('fido2 could not be imported')
-	# Example public key from webauthn spec 6.5.1.1
-	return AttestedCredentialData(bytes.fromhex('00000000000000000000000000000000'+'0040'+'053cbcc9d37a61d3bac87cdcc77ee326256def08ab15775d3a720332e4101d14fae95aeee3bc9698781812e143c0597dc6e180595683d501891e9dd030454c0a'+'A501020326200121582065eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d2258201e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c'))
-
-class TestMfaMethodModels(UffdTestCase):
-	def test_common_attributes(self):
-		method = MFAMethod(user=self.get_user(), name='testname')
-		self.assertTrue(method.created <= datetime.datetime.now())
-		self.assertEqual(method.name, 'testname')
-		self.assertEqual(method.user.loginname, 'testuser')
-		method.user = self.get_admin()
-		self.assertEqual(method.user.loginname, 'testadmin')
-
-	def test_recovery_code_method(self):
-		method = RecoveryCodeMethod(user=self.get_user())
-		db.session.add(method)
-		db.session.commit()
-		db.session = db.create_scoped_session() # Ensure the next query does not return the cached method object
-		_method = RecoveryCodeMethod.query.get(method.id)
-		self.assertFalse(hasattr(_method, 'code'))
-		self.assertFalse(_method.verify(''))
-		self.assertFalse(_method.verify('A'*8))
-		self.assertTrue(_method.verify(method.code))
-
-	def test_totp_method_attributes(self):
-		method = TOTPMethod(user=self.get_user(), name='testname')
-		self.assertEqual(method.name, 'testname')
-		# Restore method with key parameter
-		_method = TOTPMethod(user=self.get_user(), key=method.key, name='testname')
-		self.assertEqual(_method.name, 'testname')
-		self.assertEqual(method.raw_key, _method.raw_key)
-		self.assertEqual(method.issuer, _method.issuer)
-		self.assertEqual(method.accountname, _method.accountname)
-		self.assertEqual(method.key_uri, _method.key_uri)
-		db.session.add(method)
-		db.session.commit()
-		db.session = db.create_scoped_session() # Ensure the next query does not return the cached method object
-		# Restore method from db
-		_method = TOTPMethod.query.get(method.id)
-		self.assertEqual(_method.name, 'testname')
-		self.assertEqual(method.raw_key, _method.raw_key)
-		self.assertEqual(method.issuer, _method.issuer)
-		self.assertEqual(method.accountname, _method.accountname)
-		self.assertEqual(method.key_uri, _method.key_uri)
-
-	def test_totp_method_verify(self):
-		method = TOTPMethod(user=self.get_user())
-		counter = int(time.time()/30)
-		self.assertFalse(method.verify(''))
-		self.assertFalse(method.verify(_hotp(counter-2, method.raw_key)))
-		self.assertTrue(method.verify(_hotp(counter, method.raw_key)))
-		self.assertFalse(method.verify(_hotp(counter+2, method.raw_key)))
-
-	def test_webauthn_method(self):
-		data = get_fido2_test_cred(self)
-		method = WebauthnMethod(user=self.get_user(), cred=data, name='testname')
-		self.assertEqual(method.name, 'testname')
-		db.session.add(method)
-		db.session.commit()
-		db.session = db.create_scoped_session() # Ensure the next query does not return the cached method object
-		_method = WebauthnMethod.query.get(method.id)
-		self.assertEqual(_method.name, 'testname')
-		self.assertEqual(bytes(method.cred), bytes(_method.cred))
-		self.assertEqual(data.credential_id, _method.cred.credential_id)
-		self.assertEqual(data.public_key, _method.cred.public_key)
-		# We only test (de-)serialization here, as everything else is currently implemented in the views
-
-class TestMfaViews(UffdTestCase):
-	def setUp(self):
-		super().setUp()
-		db.session.add(RecoveryCodeMethod(user=self.get_admin()))
-		db.session.add(TOTPMethod(user=self.get_admin(), name='Admin Phone'))
-		# We don't want to skip all tests only because fido2 is not installed!
-		#db.session.add(WebauthnMethod(user=get_testadmin(), cred=get_fido2_test_cred(self), name='Admin FIDO2 dongle'))
-		db.session.commit()
-
-	def add_recovery_codes(self, count=10):
-		user = self.get_user()
-		for _ in range(count):
-			db.session.add(RecoveryCodeMethod(user=user))
-		db.session.commit()
-
-	def add_totp(self):
-		db.session.add(TOTPMethod(user=self.get_user(), name='My phone'))
-		db.session.commit()
-
-	def add_webauthn(self):
-		db.session.add(WebauthnMethod(user=self.get_user(), cred=get_fido2_test_cred(self), name='My FIDO2 dongle'))
-		db.session.commit()
-
-	def test_setup_disabled(self):
-		self.login_as('user')
-		r = self.client.get(path=url_for('mfa.setup'), follow_redirects=True)
-		dump('mfa_setup_disabled', r)
-		self.assertEqual(r.status_code, 200)
-
-	def test_setup_recovery_codes(self):
-		self.login_as('user')
-		self.add_recovery_codes()
-		r = self.client.get(path=url_for('mfa.setup'), follow_redirects=True)
-		dump('mfa_setup_only_recovery_codes', r)
-		self.assertEqual(r.status_code, 200)
-
-	def test_setup_enabled(self):
-		self.login_as('user')
-		self.add_recovery_codes()
-		self.add_totp()
-		self.add_webauthn()
-		r = self.client.get(path=url_for('mfa.setup'), follow_redirects=True)
-		dump('mfa_setup_enabled', r)
-		self.assertEqual(r.status_code, 200)
-
-	def test_setup_few_recovery_codes(self):
-		self.login_as('user')
-		self.add_totp()
-		self.add_recovery_codes(1)
-		r = self.client.get(path=url_for('mfa.setup'), follow_redirects=True)
-		dump('mfa_setup_few_recovery_codes', r)
-		self.assertEqual(r.status_code, 200)
-
-	def test_setup_no_recovery_codes(self):
-		self.login_as('user')
-		self.add_totp()
-		r = self.client.get(path=url_for('mfa.setup'), follow_redirects=True)
-		dump('mfa_setup_no_recovery_codes', r)
-		self.assertEqual(r.status_code, 200)
-
-	def test_disable(self):
-		baserole = Role(name='baserole', is_default=True)
-		db.session.add(baserole)
-		baserole.groups[self.get_access_group()] = RoleGroup()
-		db.session.commit()
-		self.login_as('user')
-		self.add_recovery_codes()
-		self.add_totp()
-		admin_methods = len(MFAMethod.query.filter_by(dn=self.get_admin().dn).all())
-		r = self.client.get(path=url_for('mfa.disable'), follow_redirects=True)
-		dump('mfa_disable', r)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.post(path=url_for('mfa.disable_confirm'), follow_redirects=True)
-		dump('mfa_disable_submit', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertEqual(len(MFAMethod.query.filter_by(dn=request.user.dn).all()), 0)
-		self.assertEqual(len(MFAMethod.query.filter_by(dn=self.get_admin().dn).all()), admin_methods)
-
-	def test_disable_recovery_only(self):
-		baserole = Role(name='baserole', is_default=True)
-		db.session.add(baserole)
-		baserole.groups[self.get_access_group()] = RoleGroup()
-		db.session.commit()
-		self.login_as('user')
-		self.add_recovery_codes()
-		admin_methods = len(MFAMethod.query.filter_by(dn=self.get_admin().dn).all())
-		self.assertNotEqual(len(MFAMethod.query.filter_by(dn=request.user.dn).all()), 0)
-		r = self.client.get(path=url_for('mfa.disable'), follow_redirects=True)
-		dump('mfa_disable_recovery_only', r)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.post(path=url_for('mfa.disable_confirm'), follow_redirects=True)
-		dump('mfa_disable_recovery_only_submit', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertEqual(len(MFAMethod.query.filter_by(dn=request.user.dn).all()), 0)
-		self.assertEqual(len(MFAMethod.query.filter_by(dn=self.get_admin().dn).all()), admin_methods)
-
-	def test_admin_disable(self):
-		for method in MFAMethod.query.filter_by(dn=self.get_admin().dn).all():
-			if not isinstance(method, RecoveryCodeMethod):
-				db.session.delete(method)
-		db.session.commit()
-		self.add_recovery_codes()
-		self.add_totp()
-		self.login_as('admin')
-		self.assertIsNotNone(request.user)
-		admin_methods = len(MFAMethod.query.filter_by(dn=self.get_admin().dn).all())
-		r = self.client.get(path=url_for('mfa.admin_disable', uid=self.get_user().uid), follow_redirects=True)
-		dump('mfa_admin_disable', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertEqual(len(MFAMethod.query.filter_by(dn=self.get_user().dn).all()), 0)
-		self.assertEqual(len(MFAMethod.query.filter_by(dn=self.get_admin().dn).all()), admin_methods)
-
-	def test_setup_recovery(self):
-		self.login_as('user')
-		self.assertEqual(len(RecoveryCodeMethod.query.filter_by(dn=request.user.dn).all()), 0)
-		r = self.client.post(path=url_for('mfa.setup_recovery'), follow_redirects=True)
-		dump('mfa_setup_recovery', r)
-		self.assertEqual(r.status_code, 200)
-		methods = RecoveryCodeMethod.query.filter_by(dn=request.user.dn).all()
-		self.assertNotEqual(len(methods), 0)
-		r = self.client.post(path=url_for('mfa.setup_recovery'), follow_redirects=True)
-		dump('mfa_setup_recovery_reset', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertEqual(len(RecoveryCodeMethod.query.filter_by(id=methods[0].id).all()), 0)
-		self.assertNotEqual(len(methods), 0)
-
-	def test_setup_totp(self):
-		self.login_as('user')
-		self.add_recovery_codes()
-		r = self.client.get(path=url_for('mfa.setup_totp', name='My TOTP Authenticator'), follow_redirects=True)
-		dump('mfa_setup_totp', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertNotEqual(len(session.get('mfa_totp_key', '')), 0)
-
-	def test_setup_totp_without_recovery(self):
-		self.login_as('user')
-		r = self.client.get(path=url_for('mfa.setup_totp', name='My TOTP Authenticator'), follow_redirects=True)
-		dump('mfa_setup_totp_without_recovery', r)
-		self.assertEqual(r.status_code, 200)
-
-	def test_setup_totp_finish(self):
-		baserole = Role(name='baserole', is_default=True)
-		db.session.add(baserole)
-		baserole.groups[self.get_access_group()] = RoleGroup()
-		db.session.commit()
-		self.login_as('user')
-		self.add_recovery_codes()
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 0)
-		r = self.client.get(path=url_for('mfa.setup_totp', name='My TOTP Authenticator'), follow_redirects=True)
-		method = TOTPMethod(request.user, key=session.get('mfa_totp_key', ''))
-		code = _hotp(int(time.time()/30), method.raw_key)
-		r = self.client.post(path=url_for('mfa.setup_totp_finish', name='My TOTP Authenticator'), data={'code': code}, follow_redirects=True)
-		dump('mfa_setup_totp_finish', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 1)
-
-	def test_setup_totp_finish_without_recovery(self):
-		self.login_as('user')
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 0)
-		r = self.client.get(path=url_for('mfa.setup_totp', name='My TOTP Authenticator'), follow_redirects=True)
-		method = TOTPMethod(request.user, key=session.get('mfa_totp_key', ''))
-		code = _hotp(int(time.time()/30), method.raw_key)
-		r = self.client.post(path=url_for('mfa.setup_totp_finish', name='My TOTP Authenticator'), data={'code': code}, follow_redirects=True)
-		dump('mfa_setup_totp_finish_without_recovery', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 0)
-
-	def test_setup_totp_finish_wrong_code(self):
-		self.login_as('user')
-		self.add_recovery_codes()
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 0)
-		r = self.client.get(path=url_for('mfa.setup_totp', name='My TOTP Authenticator'), follow_redirects=True)
-		method = TOTPMethod(request.user, key=session.get('mfa_totp_key', ''))
-		code = _hotp(int(time.time()/30), method.raw_key)
-		code = str(int(code[0])+1)[-1] + code[1:]
-		r = self.client.post(path=url_for('mfa.setup_totp_finish', name='My TOTP Authenticator'), data={'code': code}, follow_redirects=True)
-		dump('mfa_setup_totp_finish_wrong_code', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 0)
-
-	def test_setup_totp_finish_empty_code(self):
-		self.login_as('user')
-		self.add_recovery_codes()
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 0)
-		r = self.client.get(path=url_for('mfa.setup_totp', name='My TOTP Authenticator'), follow_redirects=True)
-		r = self.client.post(path=url_for('mfa.setup_totp_finish', name='My TOTP Authenticator'), data={'code': ''}, follow_redirects=True)
-		dump('mfa_setup_totp_finish_empty_code', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 0)
-
-	def test_delete_totp(self):
-		baserole = Role(name='baserole', is_default=True)
-		db.session.add(baserole)
-		baserole.groups[self.get_access_group()] = RoleGroup()
-		db.session.commit()
-		self.login_as('user')
-		self.add_recovery_codes()
-		self.add_totp()
-		method = TOTPMethod(request.user, name='test')
-		db.session.add(method)
-		db.session.commit()
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 2)
-		r = self.client.get(path=url_for('mfa.delete_totp', id=method.id), follow_redirects=True)
-		dump('mfa_delete_totp', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertEqual(len(TOTPMethod.query.filter_by(id=method.id).all()), 0)
-		self.assertEqual(len(TOTPMethod.query.filter_by(dn=request.user.dn).all()), 1)
-
-	# TODO: webauthn setup tests
-
-	def test_auth_integration(self):
-		self.add_recovery_codes()
-		self.add_totp()
-		db.session.commit()
-		self.assertIsNone(request.user)
-		r = self.login_as('user')
-		dump('mfa_auth_redirected', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIn(b'/mfa/auth', r.data)
-		self.assertIsNone(request.user)
-		r = self.client.get(path=url_for('mfa.auth'), follow_redirects=False)
-		dump('mfa_auth', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIsNone(request.user)
-
-	def test_auth_disabled(self):
-		self.assertIsNone(request.user)
-		self.login_as('user')
-		r = self.client.get(path=url_for('mfa.auth', ref='/redirecttarget'), follow_redirects=False)
-		self.assertEqual(r.status_code, 302)
-		self.assertTrue(r.location.endswith('/redirecttarget'))
-		self.assertIsNotNone(request.user)
-
-	def test_auth_recovery_only(self):
-		self.add_recovery_codes()
-		self.assertIsNone(request.user)
-		self.login_as('user')
-		r = self.client.get(path=url_for('mfa.auth', ref='/redirecttarget'), follow_redirects=False)
-		self.assertEqual(r.status_code, 302)
-		self.assertTrue(r.location.endswith('/redirecttarget'))
-		self.assertIsNotNone(request.user)
-
-	def test_auth_recovery_code(self):
-		self.add_recovery_codes()
-		self.add_totp()
-		method = RecoveryCodeMethod(user=self.get_user())
-		db.session.add(method)
-		db.session.commit()
-		method_id = method.id
-		self.login_as('user')
-		r = self.client.get(path=url_for('mfa.auth'), follow_redirects=False)
-		dump('mfa_auth_recovery_code', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIsNone(request.user)
-		r = self.client.post(path=url_for('mfa.auth_finish', ref='/redirecttarget'), data={'code': method.code})
-		self.assertEqual(r.status_code, 302)
-		self.assertTrue(r.location.endswith('/redirecttarget'))
-		self.assertIsNotNone(request.user)
-		self.assertEqual(len(RecoveryCodeMethod.query.filter_by(id=method_id).all()), 0)
-
-	def test_auth_totp_code(self):
-		self.add_recovery_codes()
-		self.add_totp()
-		method = TOTPMethod(user=self.get_user(), name='testname')
-		raw_key = method.raw_key
-		db.session.add(method)
-		db.session.commit()
-		self.login_as('user')
-		r = self.client.get(path=url_for('mfa.auth'), follow_redirects=False)
-		dump('mfa_auth_totp_code', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIsNone(request.user)
-		code = _hotp(int(time.time()/30), raw_key)
-		r = self.client.post(path=url_for('mfa.auth_finish'), data={'code': code}, follow_redirects=True)
-		dump('mfa_auth_totp_code_submit', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIsNotNone(request.user)
-
-	def test_auth_empty_code(self):
-		self.add_recovery_codes()
-		self.add_totp()
-		self.login_as('user')
-		r = self.client.get(path=url_for('mfa.auth'), follow_redirects=False)
-		self.assertEqual(r.status_code, 200)
-		self.assertIsNone(request.user)
-		r = self.client.post(path=url_for('mfa.auth_finish'), data={'code': ''}, follow_redirects=True)
-		dump('mfa_auth_empty_code', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIsNone(request.user)
-
-	def test_auth_invalid_code(self):
-		self.add_recovery_codes()
-		self.add_totp()
-		method = TOTPMethod(user=self.get_user(), name='testname')
-		raw_key = method.raw_key
-		db.session.add(method)
-		db.session.commit()
-		self.login_as('user')
-		r = self.client.get(path=url_for('mfa.auth'), follow_redirects=False)
-		self.assertEqual(r.status_code, 200)
-		self.assertIsNone(request.user)
-		code = _hotp(int(time.time()/30), raw_key)
-		code = str(int(code[0])+1)[-1] + code[1:]
-		r = self.client.post(path=url_for('mfa.auth_finish'), data={'code': code}, follow_redirects=True)
-		dump('mfa_auth_invalid_code', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIsNone(request.user)
-
-	def test_auth_ratelimit(self):
-		self.add_recovery_codes()
-		self.add_totp()
-		method = TOTPMethod(user=self.get_user(), name='testname')
-		raw_key = method.raw_key
-		db.session.add(method)
-		db.session.commit()
-		self.login_as('user')
-		self.assertIsNone(request.user)
-		code = _hotp(int(time.time()/30), raw_key)
-		inv_code = str(int(code[0])+1)[-1] + code[1:]
-		for i in range(20):
-			r = self.client.post(path=url_for('mfa.auth_finish'), data={'code': inv_code}, follow_redirects=True)
-			self.assertEqual(r.status_code, 200)
-			self.assertIsNone(request.user)
-		r = self.client.post(path=url_for('mfa.auth_finish'), data={'code': code}, follow_redirects=True)
-		dump('mfa_auth_ratelimit', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIsNone(request.user)
-
-	# TODO: webauthn auth tests
-
-class TestMfaViewsOL(TestMfaViews):
-	use_openldap = True

tests/test_ratelimit.py

-import time
+from uffd.models.ratelimit import get_addrkey, format_delay, Ratelimit
 
-from flask import Flask, Blueprint, session, url_for
-
-from uffd.ratelimit import get_addrkey, format_delay, Ratelimit, RatelimitEvent
-
-from utils import UffdTestCase
+from tests.utils import UffdTestCase
 
 class TestRatelimit(UffdTestCase):
 	def test_limiting(self):
@@ -48,19 +44,3 @@ class TestRatelimit(UffdTestCase):
 		self.assertIsInstance(format_delay(120), str)
 		self.assertIsInstance(format_delay(3600), str)
 		self.assertIsInstance(format_delay(4000), str)
-
-	def test_cleanup(self):
-		ratelimit = Ratelimit('test', 1, 1)
-		ratelimit.log('')
-		ratelimit.log('1')
-		ratelimit.log('2')
-		ratelimit.log('3')
-		ratelimit.log('4')
-		time.sleep(1)
-		ratelimit.log('5')
-		self.assertEqual(RatelimitEvent.query.filter(RatelimitEvent.name == 'test').count(), 6)
-		ratelimit.cleanup()
-		self.assertEqual(RatelimitEvent.query.filter(RatelimitEvent.name == 'test').count(), 1)
-		time.sleep(1)
-		ratelimit.cleanup()
-		self.assertEqual(RatelimitEvent.query.filter(RatelimitEvent.name == 'test').count(), 0)

tests/test_remailer.py

+from uffd.remailer import remailer
+
+from tests.utils import UffdTestCase
+
+USER_ID = 1234
+SERVICE1_ID = 4223
+SERVICE2_ID = 3242
+ADDR_V1_S1 = 'v1-WzQyMjMsMTIzNF0.MeO6bHGTgIyPvvq2r3xriokLMCU@remailer.example.com'
+ADDR_V1_S2 = 'v1-WzMyNDIsMTIzNF0.p2a_RkJc0oHBc9u4_S8G9METflA@remailer.example.com'
+ADDR_V2_S1 = 'v2-lm2demrtfqytemzulu-ghr3u3drsoaizd567k3k67dlrkeqwmbf@remailer.example.com'
+ADDR_V2_S2 = 'v2-lmztenbsfqytemzulu-u5tl6rscltjidqlt3o4p2lyg6targ7sq@remailer.example.com'
+
+class TestRemailer(UffdTestCase):
+	def test_is_remailer_domain(self):
+		self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
+		self.assertTrue(remailer.is_remailer_domain('remailer.example.com'))
+		self.assertTrue(remailer.is_remailer_domain('REMAILER.EXAMPLE.COM'))
+		self.assertTrue(remailer.is_remailer_domain(' remailer.example.com '))
+		self.assertFalse(remailer.is_remailer_domain('other.remailer.example.com'))
+		self.assertFalse(remailer.is_remailer_domain('example.com'))
+		self.app.config['REMAILER_OLD_DOMAINS'] = [' OTHER.remailer.example.com ']
+		self.assertTrue(remailer.is_remailer_domain(' OTHER.remailer.example.com '))
+		self.assertTrue(remailer.is_remailer_domain('remailer.example.com'))
+		self.assertTrue(remailer.is_remailer_domain('other.remailer.example.com'))
+		self.assertFalse(remailer.is_remailer_domain('example.com'))
+
+	def test_build_v1_address(self):
+		self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
+		self.assertEqual(remailer.build_v1_address(SERVICE1_ID, USER_ID), ADDR_V1_S1)
+		self.assertEqual(remailer.build_v1_address(SERVICE2_ID, USER_ID), ADDR_V1_S2)
+		long_addr = remailer.build_v1_address(1000, 1000000)
+		self.assertLessEqual(len(long_addr.split('@')[0]), 64)
+		self.assertLessEqual(len(long_addr), 256)
+		self.app.config['REMAILER_OLD_DOMAINS'] = ['old.remailer.example.com']
+		self.assertEqual(remailer.build_v1_address(SERVICE1_ID, USER_ID), ADDR_V1_S1)
+		self.app.config['REMAILER_SECRET_KEY'] = self.app.config['SECRET_KEY']
+		self.assertEqual(remailer.build_v1_address(SERVICE1_ID, USER_ID), ADDR_V1_S1)
+		self.app.config['REMAILER_SECRET_KEY'] = 'REMAILER-DEBUGKEY'
+		self.assertNotEqual(remailer.build_v1_address(SERVICE1_ID, USER_ID), ADDR_V1_S1)
+
+	def test_build_v2_address(self):
+		self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
+		self.assertEqual(remailer.build_v2_address(SERVICE1_ID, USER_ID), ADDR_V2_S1)
+		self.assertEqual(remailer.build_v2_address(SERVICE2_ID, USER_ID), ADDR_V2_S2)
+		long_addr = remailer.build_v2_address(1000, 1000000)
+		self.assertLessEqual(len(long_addr.split('@')[0]), 64)
+		self.assertLessEqual(len(long_addr), 256)
+		self.app.config['REMAILER_OLD_DOMAINS'] = ['old.remailer.example.com']
+		self.assertEqual(remailer.build_v2_address(SERVICE1_ID, USER_ID), ADDR_V2_S1)
+		self.app.config['REMAILER_SECRET_KEY'] = self.app.config['SECRET_KEY']
+		self.assertEqual(remailer.build_v2_address(SERVICE1_ID, USER_ID), ADDR_V2_S1)
+		self.app.config['REMAILER_SECRET_KEY'] = 'REMAILER-DEBUGKEY'
+		self.assertNotEqual(remailer.build_v2_address(SERVICE1_ID, USER_ID), ADDR_V2_S1)
+
+	def test_parse_address(self):
+		# REMAILER_DOMAIN behaviour
+		self.app.config['REMAILER_DOMAIN'] = None
+		self.assertIsNone(remailer.parse_address(ADDR_V1_S2))
+		self.assertIsNone(remailer.parse_address(ADDR_V2_S2))
+		self.assertIsNone(remailer.parse_address('foo@example.com'))
+		self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
+		self.assertEqual(remailer.parse_address(ADDR_V1_S2), (SERVICE2_ID, USER_ID))
+		self.assertEqual(remailer.parse_address(ADDR_V2_S2), (SERVICE2_ID, USER_ID))
+		self.assertIsNone(remailer.parse_address('foo@example.com'))
+		self.assertIsNone(remailer.parse_address('foo@remailer.example.com'))
+		self.assertIsNone(remailer.parse_address('v1-foo@remailer.example.com'))
+		self.assertIsNone(remailer.parse_address('v2-foo@remailer.example.com'))
+		self.assertIsNone(remailer.parse_address('v2-foo-bar@remailer.example.com'))
+		self.app.config['REMAILER_DOMAIN'] = 'new-remailer.example.com'
+		self.assertIsNone(remailer.parse_address(ADDR_V1_S2))
+		self.assertIsNone(remailer.parse_address(ADDR_V2_S2))
+		self.app.config['REMAILER_OLD_DOMAINS'] = ['remailer.example.com']
+		self.assertEqual(remailer.parse_address(ADDR_V1_S2), (SERVICE2_ID, USER_ID))
+		self.assertEqual(remailer.parse_address(ADDR_V2_S2), (SERVICE2_ID, USER_ID))
+		# REMAILER_SECRET_KEY behaviour
+		self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
+		self.app.config['REMAILER_OLD_DOMAINS'] = []
+		self.assertEqual(remailer.parse_address(ADDR_V1_S2), (SERVICE2_ID, USER_ID))
+		self.assertEqual(remailer.parse_address(ADDR_V2_S2), (SERVICE2_ID, USER_ID))
+		self.app.config['REMAILER_SECRET_KEY'] = self.app.config['SECRET_KEY']
+		self.assertEqual(remailer.parse_address(ADDR_V1_S2), (SERVICE2_ID, USER_ID))
+		self.assertEqual(remailer.parse_address(ADDR_V2_S2), (SERVICE2_ID, USER_ID))
+		self.app.config['REMAILER_SECRET_KEY'] = 'REMAILER-DEBUGKEY'
+		self.assertIsNone(remailer.parse_address(ADDR_V1_S2))
+		self.assertIsNone(remailer.parse_address(ADDR_V2_S2))

tests/test_services.py

-import datetime
-import unittest
-
-from flask import url_for
-
-# These imports are required, because otherwise we get circular imports?!
-from uffd import ldap, user
-
-from utils import dump, UffdTestCase
-
-class TestServices(UffdTestCase):
-	def setUpApp(self):
-		self.app.config['SERVICES'] = [
-			{
-				'title': 'Service Title',
-				'subtitle': 'Service Subtitle',
-				'description': 'Short description of the service as plain text',
-				'url': 'https://example.com/',
-				'logo_url': '/static/fairy-dust-color.png',
-				'required_group': 'users',
-				'permission_levels': [
-					{'name': 'Moderator', 'required_group': 'moderators'},
-					{'name': 'Admin', 'required_group': 'uffd_admin'},
-				],
-				'confidential': True,
-				'groups': [
-					{'name': 'Group "crew_crew"', 'required_group': 'users'},
-					{'name': 'Group "crew_logistik"', 'required_group': 'uffd_admin'},
-				],
-				'infos': [
-					{'title': 'Documentation', 'html': '<p>Some information about the service as html</p>', 'required_group': 'users'},
-				],
-				'links': [
-					{'title': 'Link to an external site', 'url': '#', 'required_group': 'users'},
-				],
-			},
-			{
-				'title': 'Minimal Service Title',
-			}
-		]
-		self.app.config['SERVICES_PUBLIC'] = True
-
-	def test_index(self):
-		r = self.client.get(path=url_for('services.index'))
-		dump('services_index_public', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertNotIn(b'https://example.com/', r.data)
-		self.login_as('user')
-		r = self.client.get(path=url_for('services.index'))
-		dump('services_index', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIn(b'https://example.com/', r.data)
-

tests/test_utils.py

+from uffd.utils import nopad_b32decode, nopad_b32encode, nopad_urlsafe_b64decode, nopad_urlsafe_b64encode
+
+from tests.utils import UffdTestCase
+
+class TestUtils(UffdTestCase):
+	def test_nopad_b32(self):
+		for n in range(0, 32):
+			self.assertEqual(b'X'*n, nopad_b32decode(nopad_b32encode(b'X'*n)))
+
+	def test_nopad_b64(self):
+		for n in range(0, 32):
+			self.assertEqual(b'X'*n, nopad_urlsafe_b64decode(nopad_urlsafe_b64encode(b'X'*n)))