Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • uffd/uffd
  • rixx/uffd
  • thies/uffd
  • leona/uffd
  • enbewe/uffd
  • strifel/uffd
  • thies/uffd-2
7 results
Show changes
Hide whitespace changes
Inline Side-by-side
Showing
with 4840 additions and 74 deletions
tests/test_utils.py 0 → 100644
View file @ 98fe5690
from uffd.utils import nopad_b32decode, nopad_b32encode, nopad_urlsafe_b64decode, nopad_urlsafe_b64encode
from tests.utils import UffdTestCase
class TestUtils(UffdTestCase):
def test_nopad_b32(self):
for n in range(0, 32):
self.assertEqual(b'X'*n, nopad_b32decode(nopad_b32encode(b'X'*n)))
def test_nopad_b64(self):
for n in range(0, 32):
self.assertEqual(b'X'*n, nopad_urlsafe_b64decode(nopad_urlsafe_b64encode(b'X'*n)))
tests/utils.py
View file @ 98fe5690
import os
import tempfile
import shutil
import unittest
from flask import url_for
import flask_migrate
from uffd import create_app, db
from uffd.models import User, Group, Mail
def dump(basename, resp):
basename = basename.replace('.', '_').replace('/', '_')
......@@ -13,31 +15,153 @@ def dump(basename, resp):
return
os.makedirs(root, exist_ok=True)
path = os.path.join(root, basename+suffix)
with open(path, 'xb') as f:
with open(path, 'wb') as f:
f.write(resp.data)
class UffdTestCase(unittest.TestCase):
def db_flush():
db.session.rollback()
db.session.expire_all()
class AppTestCase(unittest.TestCase):
DISABLE_SQLITE_MEMORY_DB = False
def setUp(self):
self.dir = tempfile.mkdtemp()
# It would be far better to create a minimal app here, but since the
# session module depends on almost everything else, that is not really feasable
self.app = create_app({
config = {
'TESTING': True,
'DEBUG': True,
'SQLALCHEMY_DATABASE_URI': 'sqlite:///%s/db.sqlite'%self.dir,
'SQLALCHEMY_DATABASE_URI': 'sqlite:///:memory:',
'SECRET_KEY': 'DEBUGKEY',
'LDAP_SERVICE_MOCK': True,
})
'MAIL_SKIP_SEND': True,
'SELF_SIGNUP': True,
}
if self.DISABLE_SQLITE_MEMORY_DB:
try:
os.remove('/tmp/uffd-migration-test-db.sqlite3')
except FileNotFoundError:
pass
config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:////tmp/uffd-migration-test-db.sqlite3'
if os.environ.get('TEST_WITH_MYSQL'):
import MySQLdb
conn = MySQLdb.connect(user='root', unix_socket='/var/run/mysqld/mysqld.sock')
cur = conn.cursor()
try:
cur.execute('DROP DATABASE uffd_tests')
except:
pass
cur.execute('CREATE DATABASE uffd_tests CHARACTER SET utf8mb4 COLLATE utf8mb4_nopad_bin')
conn.close()
config['SQLALCHEMY_DATABASE_URI'] = 'mysql+mysqldb:///uffd_tests?unix_socket=/var/run/mysqld/mysqld.sock&charset=utf8mb4'
self.app = create_app(config)
self.setUpApp()
def setUpApp(self):
pass
def tearDown(self):
if self.DISABLE_SQLITE_MEMORY_DB:
try:
os.remove('/tmp/uffd-migration-test-db.sqlite3')
except FileNotFoundError:
pass
class MigrationTestCase(AppTestCase):
DISABLE_SQLITE_MEMORY_DB = True
REVISION = None
def setUp(self):
super().setUp()
self.request_context = self.app.test_request_context()
self.request_context.__enter__()
if self.REVISION:
flask_migrate.upgrade(revision=self.REVISION + '-1')
def upgrade(self, revision='+1'):
db.session.commit()
flask_migrate.upgrade(revision=revision)
def downgrade(self, revision='-1'):
db.session.commit()
flask_migrate.downgrade(revision=revision)
def tearDown(self):
db.session.rollback()
self.request_context.__exit__(None, None, None)
super().tearDown()
class ModelTestCase(AppTestCase):
def setUp(self):
super().setUp()
self.request_context = self.app.test_request_context()
self.request_context.__enter__()
db.create_all()
db.session.commit()
def tearDown(self):
db.session.rollback()
self.request_context.__exit__(None, None, None)
super().tearDown()
class UffdTestCase(AppTestCase):
def setUp(self):
super().setUp()
self.client = self.app.test_client()
self.client.__enter__()
# Just do some request so that we can use url_for
self.client.get(path='/')
db.create_all()
# This reflects the old LDAP example data
users_group = Group(name='users', unix_gid=20001, description='Base group for all users')
db.session.add(users_group)
access_group = Group(name='uffd_access', unix_gid=20002, description='Access to Single-Sign-On and Selfservice')
db.session.add(access_group)
admin_group = Group(name='uffd_admin', unix_gid=20003, description='Admin access to uffd')
db.session.add(admin_group)
testuser = User(loginname='testuser', unix_uid=10000, password='userpassword', primary_email_address='test@example.com', displayname='Test User', groups=[users_group, access_group])
db.session.add(testuser)
testadmin = User(loginname='testadmin', unix_uid=10001, password='adminpassword', primary_email_address='admin@example.com', displayname='Test Admin', groups=[users_group, access_group, admin_group])
db.session.add(testadmin)
testmail = Mail(uid='test', receivers=['test1@example.com', 'test2@example.com'], destinations=['testuser@mail.example.com'])
db.session.add(testmail)
self.setUpDB()
db.session.commit()
def setUpApp(self):
def setUpDB(self):
pass
def tearDown(self):
self.client.__exit__(None, None, None)
shutil.rmtree(self.dir)
super().tearDown()
def get_user(self):
return User.query.filter_by(loginname='testuser').one_or_none()
def get_admin(self):
return User.query.filter_by(loginname='testadmin').one_or_none()
def get_admin_group(self):
return Group.query.filter_by(name='uffd_admin').one_or_none()
def get_access_group(self):
return Group.query.filter_by(name='uffd_access').one_or_none()
def get_users_group(self):
return Group.query.filter_by(name='users').one_or_none()
def get_mail(self):
return Mail.query.filter_by(uid='test').one_or_none()
def login_as(self, user, ref=None):
# It is currently not possible to login while already logged in as another
# user, so make sure that we are not logged in first
self.client.get(path=url_for('session.logout'), follow_redirects=True)
loginname = None
password = None
if user == 'user':
loginname = 'testuser'
password = 'userpassword'
elif user == 'admin':
loginname = 'testadmin'
password = 'adminpassword'
return self.client.post(path=url_for('session.login', ref=ref),
data={'loginname': loginname, 'password': password}, follow_redirects=True)
tests/views/__init__.py 0 → 100644
View file @ 98fe5690
tests/views/test_api.py 0 → 100644
View file @ 98fe5690
import base64
from flask import url_for
from uffd.password_hash import PlaintextPasswordHash
from uffd.remailer import remailer
from uffd.database import db
from uffd.models import APIClient, Service, User, RemailerMode
from uffd.views.api import apikey_required
from tests.utils import UffdTestCase, db_flush
def basic_auth(username, password):
return ('Authorization', 'Basic ' + base64.b64encode(f'{username}:{password}'.encode()).decode())
class TestAPIAuth(UffdTestCase):
def setUpApp(self):
@self.app.route('/test/endpoint1')
@apikey_required()
def testendpoint1():
return 'OK', 200
@self.app.route('/test/endpoint2')
@apikey_required('users')
def testendpoint2():
return 'OK', 200
def setUpDB(self):
db.session.add(APIClient(service=Service(name='test1'), auth_username='test1', auth_password='testsecret1', perm_users=True))
db.session.add(APIClient(service=Service(name='test2'), auth_username='test2', auth_password='testsecret2'))
def test_basic(self):
r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test1', 'testsecret1')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.get(path=url_for('testendpoint2'), headers=[basic_auth('test1', 'testsecret1')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test2', 'testsecret2')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
def test_basic_invalid_credentials(self):
r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test-none', 'testsecret-none')], follow_redirects=True)
self.assertEqual(r.status_code, 401)
r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test1', 'testsecret2')], follow_redirects=True)
self.assertEqual(r.status_code, 401)
def test_basic_missing_scope(self):
r = self.client.get(path=url_for('testendpoint2'), headers=[basic_auth('test2', 'testsecret2')], follow_redirects=True)
self.assertEqual(r.status_code, 403)
def test_no_auth(self):
r = self.client.get(path=url_for('testendpoint1'), follow_redirects=True)
self.assertEqual(r.status_code, 401)
def test_auth_password_rehash(self):
db.session.add(APIClient(service=Service(name='test3'), auth_username='test3', auth_password=PlaintextPasswordHash.from_password('testsecret3')))
db.session.commit()
self.assertIsInstance(APIClient.query.filter_by(auth_username='test3').one().auth_password, PlaintextPasswordHash)
r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test3', 'testsecret3')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
api_client = APIClient.query.filter_by(auth_username='test3').one()
self.assertIsInstance(api_client.auth_password, APIClient.auth_password.method_cls)
self.assertTrue(api_client.auth_password.verify('testsecret3'))
r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test3', 'testsecret3')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
class TestAPIGetmails(UffdTestCase):
def setUpDB(self):
db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_mail_aliases=True))
def test_lookup(self):
r = self.client.get(path=url_for('api.getmails', receive_address='test1@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [{'name': 'test', 'receive_addresses': ['test1@example.com', 'test2@example.com'], 'destination_addresses': ['testuser@mail.example.com']}])
r = self.client.get(path=url_for('api.getmails', receive_address='test2@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [{'name': 'test', 'receive_addresses': ['test1@example.com', 'test2@example.com'], 'destination_addresses': ['testuser@mail.example.com']}])
def test_lookup_notfound(self):
r = self.client.get(path=url_for('api.getmails', receive_address='test3@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [])
def test_lookup_case_folding(self):
r = self.client.get(path=url_for('api.getmails', receive_address='Test1@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [{'name': 'test', 'receive_addresses': ['test1@example.com', 'test2@example.com'], 'destination_addresses': ['testuser@mail.example.com']}])
class TestAPICheckPassword(UffdTestCase):
def setUpDB(self):
db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_checkpassword=True))
def test(self):
r = self.client.post(path=url_for('api.checkpassword'), data={'loginname': 'testuser', 'password': 'userpassword'}, headers=[basic_auth('test', 'test')])
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json['loginname'], 'testuser')
def test_password_rehash(self):
self.get_user().password = PlaintextPasswordHash.from_password('userpassword')
db.session.commit()
self.assertIsInstance(self.get_user().password, PlaintextPasswordHash)
db_flush()
r = self.client.post(path=url_for('api.checkpassword'), data={'loginname': 'testuser', 'password': 'userpassword'}, headers=[basic_auth('test', 'test')])
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json['loginname'], 'testuser')
self.assertIsInstance(self.get_user().password, User.password.method_cls)
self.assertTrue(self.get_user().password.verify('userpassword'))
def test_wrong_password(self):
r = self.client.post(path=url_for('api.checkpassword'), data={'loginname': 'testuser', 'password': 'wrongpassword'}, headers=[basic_auth('test', 'test')])
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, None)
def test_deactivated(self):
self.get_user().is_deactivated = True
db.session.commit()
r = self.client.post(path=url_for('api.checkpassword'), data={'loginname': 'testuser', 'password': 'userpassword'}, headers=[basic_auth('test', 'test')])
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, None)
class TestAPIGetusers(UffdTestCase):
def setUpDB(self):
db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_users=True))
def fix_result(self, result):
result.sort(key=lambda user: user['id'])
for user in result:
user['groups'].sort()
return result
def test_all(self):
r = self.client.get(path=url_for('api.getusers'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'displayname': 'Test User', 'email': 'test@example.com', 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
])
def test_id(self):
r = self.client.get(path=url_for('api.getusers', id=10000), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'displayname': 'Test User', 'email': 'test@example.com', 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
])
def test_id_empty(self):
r = self.client.get(path=url_for('api.getusers', id=0), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [])
def test_with_remailer(self):
service = Service.query.filter_by(name='test').one()
service.remailer_mode = RemailerMode.ENABLED_V1
db.session.commit()
user = self.get_user()
self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
r = self.client.get(path=url_for('api.getusers', id=10000), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
service = Service.query.filter_by(name='test').one()
self.assertEqual(self.fix_result(r.json), [
{'displayname': 'Test User', 'email': remailer.build_v1_address(service.id, user.id), 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
])
def test_loginname(self):
r = self.client.get(path=url_for('api.getusers', loginname='testuser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'displayname': 'Test User', 'email': 'test@example.com', 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
])
def test_loginname_empty(self):
r = self.client.get(path=url_for('api.getusers', loginname='notauser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [])
def test_email(self):
r = self.client.get(path=url_for('api.getusers', email='admin@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
])
def test_email_with_remailer(self):
service = Service.query.filter_by(name='test').one()
service.remailer_mode = RemailerMode.ENABLED_V1
db.session.commit()
user = self.get_admin()
self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
r = self.client.get(path=url_for('api.getusers', email=remailer.build_v1_address(service.id, user.id)), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
service = Service.query.filter_by(name='test').one()
self.assertEqual(self.fix_result(r.json), [
{'displayname': 'Test Admin', 'email': remailer.build_v1_address(service.id, user.id), 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
])
def test_email_empty(self):
r = self.client.get(path=url_for('api.getusers', email='foo@bar'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [])
def test_group(self):
r = self.client.get(path=url_for('api.getusers', group='uffd_admin'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
])
def test_group_empty(self):
r = self.client.get(path=url_for('api.getusers', group='notagroup'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [])
def test_deactivated(self):
self.get_user().is_deactivated = True
db.session.commit()
r = self.client.get(path=url_for('api.getusers'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'displayname': 'Test User', 'email': 'test@example.com', 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
])
Service.query.filter_by(name='test').first().hide_deactivated_users = True
db.session.commit()
r = self.client.get(path=url_for('api.getusers'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
])
class TestAPIGetgroups(UffdTestCase):
def setUpDB(self):
db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_users=True))
def fix_result(self, result):
result.sort(key=lambda group: group['id'])
for group in result:
group['members'].sort()
return result
def test_all(self):
r = self.client.get(path=url_for('api.getgroups'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'id': 20001, 'members': ['testadmin', 'testuser'], 'name': 'users'},
{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
{'id': 20003, 'members': ['testadmin'], 'name': 'uffd_admin'}
])
def test_all_deactivated_members(self):
self.get_user().is_deactivated = True
db.session.commit()
r = self.client.get(path=url_for('api.getgroups'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'id': 20001, 'members': ['testadmin', 'testuser'], 'name': 'users'},
{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
{'id': 20003, 'members': ['testadmin'], 'name': 'uffd_admin'}
])
Service.query.filter_by(name='test').first().hide_deactivated_users = True
db.session.commit()
r = self.client.get(path=url_for('api.getgroups'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'id': 20001, 'members': ['testadmin'], 'name': 'users'},
{'id': 20002, 'members': ['testadmin'], 'name': 'uffd_access'},
{'id': 20003, 'members': ['testadmin'], 'name': 'uffd_admin'}
])
def test_id(self):
r = self.client.get(path=url_for('api.getgroups', id=20002), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
])
def test_id_empty(self):
r = self.client.get(path=url_for('api.getgroups', id=0), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [])
def test_name(self):
r = self.client.get(path=url_for('api.getgroups', name='uffd_admin'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'id': 20003, 'members': ['testadmin'], 'name': 'uffd_admin'}
])
def test_name_empty(self):
r = self.client.get(path=url_for('api.getgroups', name='notagroup'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [])
def test_member(self):
r = self.client.get(path=url_for('api.getgroups', member='testuser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'id': 20001, 'members': ['testadmin', 'testuser'], 'name': 'users'},
{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
])
def test_member_empty(self):
r = self.client.get(path=url_for('api.getgroups', member='notauser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, [])
def test_member_deactivated(self):
self.get_user().is_deactivated = True
db.session.commit()
r = self.client.get(path=url_for('api.getgroups', member='testuser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [
{'id': 20001, 'members': ['testadmin', 'testuser'], 'name': 'users'},
{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
])
Service.query.filter_by(name='test').first().hide_deactivated_users = True
db.session.commit()
r = self.client.get(path=url_for('api.getgroups', member='testuser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.fix_result(r.json), [])
class TestAPIRemailerResolve(UffdTestCase):
def setUpDB(self):
db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_remailer=True))
db.session.add(Service(name='service1'))
db.session.add(Service(name='service2', remailer_mode=RemailerMode.ENABLED_V1))
def test(self):
self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
service = Service.query.filter_by(name='service2').one()
r = self.client.get(path=url_for('api.resolve_remailer', orig_address=remailer.build_v1_address(service.id, self.get_user().id)), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, {'address': self.get_user().primary_email.address})
r = self.client.get(path=url_for('api.resolve_remailer', orig_address='foo@bar'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.json, {'address': None})
def test_invalid(self):
r = self.client.get(path=url_for('api.resolve_remailer', orig_address=['foo', 'bar']), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 400)
r = self.client.get(path=url_for('api.resolve_remailer'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 400)
r = self.client.get(path=url_for('api.resolve_remailer', foo='bar'), headers=[basic_auth('test', 'test')], follow_redirects=True)
self.assertEqual(r.status_code, 400)
class TestAPIMetricsPrometheus(UffdTestCase):
def setUpDB(self):
db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_metrics=True))
def test(self):
r = self.client.get(path=url_for('api.prometheus_metrics'), headers=[basic_auth('test', 'test')])
self.assertEqual(r.status_code, 200)
self.assertTrue("uffd_version_info" in r.data.decode())
tests/views/test_invite.py 0 → 100644
View file @ 98fe5690
import datetime
from flask import url_for, current_app
from uffd.database import db
from uffd.models import Invite, InviteGrant, InviteSignup, Role, RoleGroup
from tests.utils import dump, UffdTestCase, db_flush
class TestInviteAdminViews(UffdTestCase):
def setUpApp(self):
self.app.config['SELF_SIGNUP'] = False
self.app.last_mail = None
def test_index(self):
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
valid_until_expired = datetime.datetime.utcnow() - datetime.timedelta(seconds=60)
user1 = self.get_user()
user2 = self.get_admin()
role1 = Role(name='testrole1')
db.session.add(role1)
role2 = Role(name='testrole2')
db.session.add(role2)
# All possible states
db.session.add(Invite(valid_until=valid_until, single_use=False, creator=self.get_admin()))
db.session.add(Invite(valid_until=valid_until, single_use=True, used=False, creator=self.get_admin()))
invite = Invite(valid_until=valid_until, single_use=True, used=True, creator=self.get_admin())
invite.signups = [InviteSignup(user=user1)]
db.session.add(invite)
db.session.add(Invite(valid_until=valid_until_expired, creator=self.get_admin()))
db.session.add(Invite(valid_until=valid_until, disabled=True, creator=self.get_admin()))
# Different permissions
db.session.add(Invite(valid_until=valid_until, allow_signup=True, creator=self.get_admin()))
db.session.add(Invite(valid_until=valid_until, allow_signup=False, creator=self.get_admin()))
db.session.add(Invite(valid_until=valid_until, allow_signup=True, roles=[role1], grants=[InviteGrant(user=user2)], creator=self.get_admin()))
db.session.add(Invite(valid_until=valid_until, allow_signup=False, roles=[role1, role2], creator=self.get_admin()))
db.session.commit()
self.login_as('admin')
r = self.client.get(path=url_for('invite.index'), follow_redirects=True)
dump('invite_index', r)
self.assertEqual(r.status_code, 200)
def test_index_empty(self):
self.login_as('admin')
r = self.client.get(path=url_for('invite.index'), follow_redirects=True)
dump('invite_index_empty', r)
self.assertEqual(r.status_code, 200)
def test_index_nologin(self):
r = self.client.get(path=url_for('invite.index'), follow_redirects=True)
dump('invite_index_nologin', r)
self.assertEqual(r.status_code, 200)
def test_index_noaccess(self):
self.login_as('user')
r = self.client.get(path=url_for('invite.index'), follow_redirects=True)
dump('invite_index_noaccess', r)
self.assertEqual(r.status_code, 403)
def test_index_signupperm(self):
current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
invite1 = Invite(valid_until=valid_until, allow_signup=True, creator=self.get_admin())
db.session.add(invite1)
invite2 = Invite(valid_until=valid_until, allow_signup=True, creator=self.get_user())
db.session.add(invite2)
invite3 = Invite(valid_until=valid_until, allow_signup=True)
db.session.add(invite3)
db.session.commit()
token1 = invite1.short_token
token2 = invite2.short_token
token3 = invite3.short_token
self.login_as('user')
r = self.client.get(path=url_for('invite.index'), follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertNotIn(token1.encode(), r.data)
self.assertIn(token2.encode(), r.data)
self.assertNotIn(token3.encode(), r.data)
def test_index_rolemod(self):
role1 = Role(name='testrole1')
db.session.add(role1)
role2 = Role(name='testrole2', moderator_group=self.get_access_group())
db.session.add(role2)
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
db.session.add(Invite(valid_until=valid_until, roles=[role1]))
db.session.add(Invite(valid_until=valid_until, roles=[role2]))
db.session.commit()
self.login_as('user')
r = self.client.get(path=url_for('invite.index'), follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertNotIn('testrole1'.encode(), r.data)
self.assertIn('testrole2'.encode(), r.data)
def test_new(self):
self.login_as('admin')
role = Role(name='testrole1')
db.session.add(role)
db.session.commit()
role_id = role.id
r = self.client.get(path=url_for('invite.new'), follow_redirects=True)
dump('invite_new', r)
self.assertEqual(r.status_code, 200)
valid_until_input = (datetime.datetime.now() + datetime.timedelta(seconds=60)).isoformat(timespec='minutes')
self.assertListEqual(Invite.query.all(), [])
r = self.client.post(path=url_for('invite.new_submit'),
data={'single-use': '1', 'valid-until': valid_until_input,
'allow-signup': '1', 'role-%d'%role_id: '1'}, follow_redirects=True)
dump('invite_new_submit', r)
invite = Invite.query.one()
role = Role.query.get(role_id)
self.assertTrue(invite.active)
self.assertTrue(invite.single_use)
self.assertTrue(invite.allow_signup)
self.assertListEqual(invite.roles, [role])
def test_new_noperm(self):
current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
self.login_as('user')
role = Role(name='testrole1')
db.session.add(role)
db.session.commit()
role_id = role.id
valid_until_input = (datetime.datetime.now() + datetime.timedelta(seconds=60)).isoformat(timespec='minutes')
r = self.client.post(path=url_for('invite.new_submit'),
data={'single-use': '1', 'valid-until': valid_until_input,
'allow-signup': '1', 'role-%d'%role_id: '1'}, follow_redirects=True)
dump('invite_new_noperm', r)
self.assertIsNone(Invite.query.first())
def test_new_empty(self):
current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
self.login_as('user')
valid_until_input = (datetime.datetime.now() + datetime.timedelta(seconds=60)).isoformat(timespec='minutes')
r = self.client.post(path=url_for('invite.new_submit'),
data={'single-use': '1', 'valid-until': valid_until_input,
'allow-signup': '0'}, follow_redirects=True)
dump('invite_new_empty', r)
self.assertIsNone(Invite.query.first())
def test_disable(self):
self.login_as('admin')
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
invite = Invite(valid_until=valid_until, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
id = invite.id
self.assertTrue(Invite.query.get(id).active)
r = self.client.post(path=url_for('invite.disable', invite_id=id), follow_redirects=True)
dump('invite_disable', r)
self.assertTrue(Invite.query.get(id).disabled)
def test_disable_own(self):
current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
self.login_as('user')
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
invite = Invite(valid_until=valid_until, creator=self.get_user())
db.session.add(invite)
db.session.commit()
id = invite.id
self.assertTrue(Invite.query.get(id).active)
r = self.client.post(path=url_for('invite.disable', invite_id=id), follow_redirects=True)
dump('invite_disable', r)
self.assertTrue(Invite.query.get(id).disabled)
def test_disable_rolemod(self):
self.login_as('user')
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
role = Role(name='testrole', moderator_group=self.get_access_group())
db.session.add(role)
invite = Invite(valid_until=valid_until, creator=self.get_admin(), roles=[role])
db.session.add(invite)
db.session.commit()
id = invite.id
self.assertTrue(Invite.query.get(id).active)
r = self.client.post(path=url_for('invite.disable', invite_id=id), follow_redirects=True)
self.assertTrue(Invite.query.get(id).disabled)
def test_disable_noperm(self):
self.login_as('user')
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
db.session.add(Role(name='testrole1', moderator_group=self.get_access_group()))
role = Role(name='testrole2', moderator_group=self.get_admin_group())
db.session.add(role)
invite = Invite(valid_until=valid_until, creator=self.get_admin(), roles=[role])
db.session.add(invite)
db.session.commit()
id = invite.id
r = self.client.post(path=url_for('invite.disable', invite_id=id), follow_redirects=True)
self.assertFalse(Invite.query.get(id).disabled)
self.assertTrue(Invite.query.get(id).active)
def test_reset_disabled(self):
self.login_as('admin')
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
invite = Invite(valid_until=valid_until, disabled=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
id = invite.id
self.assertFalse(Invite.query.get(id).active)
r = self.client.post(path=url_for('invite.reset', invite_id=id), follow_redirects=True)
dump('invite_reset_disabled', r)
self.assertTrue(Invite.query.get(id).active)
def test_reset_voided(self):
self.login_as('admin')
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
invite = Invite(valid_until=valid_until, single_use=True, used=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
id = invite.id
self.assertFalse(Invite.query.get(id).active)
r = self.client.post(path=url_for('invite.reset', invite_id=id), follow_redirects=True)
dump('invite_reset_voided', r)
self.assertTrue(Invite.query.get(id).active)
def test_reset_own(self):
current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
self.login_as('user')
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
invite = Invite(valid_until=valid_until, disabled=True, creator=self.get_user())
db.session.add(invite)
db.session.commit()
id = invite.id
self.assertFalse(Invite.query.get(id).active)
r = self.client.post(path=url_for('invite.reset', invite_id=id), follow_redirects=True)
dump('invite_reset_own', r)
self.assertTrue(Invite.query.get(id).active)
def test_reset_foreign(self):
self.login_as('user')
valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
role = Role(name='testrole', moderator_group=self.get_access_group())
db.session.add(role)
invite = Invite(valid_until=valid_until, disabled=True, creator=self.get_admin(), roles=[role])
db.session.add(invite)
db.session.commit()
id = invite.id
self.assertFalse(Invite.query.get(id).active)
r = self.client.post(path=url_for('invite.reset', invite_id=id), follow_redirects=True)
self.assertFalse(Invite.query.get(id).active)
class TestInviteUseViews(UffdTestCase):
def setUpApp(self):
self.app.config['SELF_SIGNUP'] = False
self.app.last_mail = None
def test_use(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, roles=[Role(name='testrole1'), Role(name='testrole2')])
db.session.add(invite)
db.session.commit()
token = invite.token
r = self.client.get(path=url_for('invite.use', invite_id=invite.id, token=token), follow_redirects=True)
dump('invite_use', r)
self.assertEqual(r.status_code, 200)
def test_use_loggedin(self):
self.login_as('user')
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, roles=[Role(name='testrole1'), Role(name='testrole2')])
db.session.add(invite)
db.session.commit()
token = invite.token
r = self.client.get(path=url_for('invite.use', invite_id=invite.id, token=token), follow_redirects=True)
dump('invite_use_loggedin', r)
self.assertEqual(r.status_code, 200)
def test_use_inactive(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), disabled=True)
db.session.add(invite)
db.session.commit()
token = invite.token
r = self.client.get(path=url_for('invite.use', invite_id=invite.id, token=token), follow_redirects=True)
dump('invite_use_inactive', r)
self.assertEqual(r.status_code, 200)
# TODO: test cases for {logged in, not logged in} x (signup-only, grant-only, both, none?}
def test_grant(self):
user = self.get_user()
group0 = self.get_access_group()
role0 = Role(name='baserole', groups={group0: RoleGroup(group=group0)})
db.session.add(role0)
user.roles.append(role0)
user.update_groups()
group1 = self.get_admin_group()
role1 = Role(name='testrole1', groups={group1: RoleGroup(group=group1)})
db.session.add(role1)
role2 = Role(name='testrole2')
db.session.add(role2)
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), roles=[role1, role2], creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
self.assertIn(role0, user.roles)
self.assertNotIn(role1, user.roles)
self.assertNotIn(role2, user.roles)
self.assertIn(group0, user.groups)
self.assertNotIn(group1, user.groups)
self.assertFalse(invite.used)
self.login_as('user')
r = self.client.post(path=url_for('invite.grant', invite_id=invite_id, token=token), follow_redirects=True)
dump('invite_grant', r)
self.assertEqual(r.status_code, 200)
db_flush()
invite = Invite.query.filter_by(token=token).first()
user = self.get_user()
self.assertTrue(invite.used)
self.assertIn('baserole', [role.name for role in user.roles])
self.assertIn('testrole1', [role.name for role in user.roles])
self.assertIn('testrole2', [role.name for role in user.roles])
self.assertIn(self.get_access_group(), user.groups)
self.assertIn(self.get_admin_group(), user.groups)
def test_grant_invalid_invite(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), disabled=True)
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
self.login_as('user')
r = self.client.post(path=url_for('invite.grant', invite_id=invite_id, token=token), follow_redirects=True)
dump('invite_grant_invalid_invite', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(Invite.query.filter_by(token=token).first().used)
def test_grant_no_roles(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60))
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
self.login_as('user')
r = self.client.post(path=url_for('invite.grant', invite_id=invite_id, token=token), follow_redirects=True)
dump('invite_grant_no_roles', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(Invite.query.filter_by(token=token).first().used)
def test_grant_no_new_roles(self):
user = self.get_user()
role = Role(name='testrole')
db.session.add(role)
user.roles.append(role)
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), roles=[role])
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
self.login_as('user')
r = self.client.post(path=url_for('invite.grant', invite_id=invite_id, token=token), follow_redirects=True)
dump('invite_grant_no_new_roles', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(Invite.query.filter_by(token=token).first().used)
def test_signup(self):
baserole = Role(name='base', is_default=True)
baserole.groups[self.get_access_group()] = RoleGroup()
baserole.groups[self.get_users_group()] = RoleGroup()
db.session.add(baserole)
group = self.get_admin_group()
role1 = Role(name='testrole1', groups={group: RoleGroup(group=group)})
db.session.add(role1)
role2 = Role(name='testrole2')
db.session.add(role2)
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), roles=[role1, role2], allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
r = self.client.get(path=url_for('invite.signup_start', invite_id=invite_id, token=token), follow_redirects=True)
dump('invite_signup_start', r)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('invite.signup_submit', token=token),
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
'password1': 'notsecret', 'password2': 'notsecret'}, follow_redirects=True)
dump('invite_signup_submit', r)
self.assertEqual(r.status_code, 200)
signup = InviteSignup.query.one()
self.assertEqual(signup.loginname, 'newuser')
self.assertEqual(signup.displayname, 'New User')
self.assertEqual(signup.mail, 'test@example.com')
self.assertIn(signup.token, str(self.app.last_mail.get_content()))
self.assertTrue(signup.password.verify('notsecret'))
self.assertTrue(signup.validate()[0])
def test_signup_invalid_invite(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, disabled=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
r = self.client.get(path=url_for('invite.signup_start', invite_id=invite.id, token=invite.token), follow_redirects=True)
dump('invite_signup_invalid_invite', r)
self.assertEqual(r.status_code, 200)
def test_signup_nosignup(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=False, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
r = self.client.get(path=url_for('invite.signup_start', invite_id=invite.id, token=invite.token), follow_redirects=True)
dump('invite_signup_nosignup', r)
self.assertEqual(r.status_code, 200)
def test_signup_wrongpassword(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite.id, token=invite.token),
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
'password1': 'notsecret', 'password2': 'notthesame'}, follow_redirects=True)
dump('invite_signup_wrongpassword', r)
self.assertEqual(r.status_code, 200)
def test_signup_invalid(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite.id, token=invite.token),
data={'loginname': '', 'displayname': 'New User', 'mail': 'test@example.com',
'password1': 'notsecret', 'password2': 'notsecret'}, follow_redirects=True)
dump('invite_signup_invalid', r)
self.assertEqual(r.status_code, 200)
def test_signup_mailerror(self):
self.app.config['MAIL_SKIP_SEND'] = 'fail'
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite.id, token=invite.token),
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
'password1': 'notsecret', 'password2': 'notsecret'}, follow_redirects=True)
dump('invite_signup_mailerror', r)
self.assertEqual(r.status_code, 200)
def test_signup_hostlimit(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
for i in range(20):
r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite_id, token=token),
data={'loginname': 'newuser%d'%i, 'displayname': 'New User', 'mail': 'test%d@example.com'%i,
'password1': 'notsecret', 'password2': 'notsecret'}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.app.last_mail = None
r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite_id, token=token),
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
'password1': 'notsecret', 'password2': 'notsecret'}, follow_redirects=True)
dump('invite_signup_hostlimit', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(InviteSignup.query.filter_by(loginname='newuser').all(), [])
self.assertIsNone(self.app.last_mail)
def test_signup_mailimit(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
for i in range(3):
r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite_id, token=token),
data={'loginname': 'newuser%d'%i, 'displayname': 'New User', 'mail': 'test@example.com',
'password1': 'notsecret', 'password2': 'notsecret'}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.app.last_mail = None
r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite_id, token=token),
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
'password1': 'notsecret', 'password2': 'notsecret'}, follow_redirects=True)
dump('invite_signup_maillimit', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(InviteSignup.query.filter_by(loginname='newuser').all(), [])
self.assertIsNone(self.app.last_mail)
def test_signup_check(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
r = self.client.post(path=url_for('invite.signup_check', invite_id=invite_id, token=token), follow_redirects=True,
data={'loginname': 'newuser'})
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'ok')
def test_signup_check_invalid(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
r = self.client.post(path=url_for('invite.signup_check', invite_id=invite_id, token=token), follow_redirects=True,
data={'loginname': ''})
print(r.data)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'invalid')
def test_signup_check_exists(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
r = self.client.post(path=url_for('invite.signup_check', invite_id=invite_id, token=token), follow_redirects=True,
data={'loginname': 'testuser'})
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'exists')
def test_signup_check_nosignup(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=False, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
r = self.client.post(path=url_for('invite.signup_check', invite_id=invite_id, token=token), follow_redirects=True,
data={'loginname': 'testuser'})
self.assertEqual(r.status_code, 403)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'error')
def test_signup_check_error(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, disabled=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
r = self.client.post(path=url_for('invite.signup_check', invite_id=invite_id, token=token), follow_redirects=True,
data={'loginname': 'testuser'})
self.assertEqual(r.status_code, 403)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'error')
def test_signup_check_ratelimited(self):
invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
db.session.add(invite)
db.session.commit()
invite_id = invite.id
token = invite.token
for i in range(20):
r = self.client.post(path=url_for('invite.signup_check', invite_id=invite_id, token=token), follow_redirects=True,
data={'loginname': 'testuser'})
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
r = self.client.post(path=url_for('invite.signup_check', invite_id=invite_id, token=token), follow_redirects=True,
data={'loginname': 'testuser'})
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'ratelimited')
tests/test_mail.py tests/views/test_mail.py
View file @ 98fe5690
import datetime
import time
import unittest
from flask import url_for, session
from flask import url_for
# These imports are required, because otherwise we get circular imports?!
from uffd import ldap, user
from uffd.database import db
from uffd.models import Mail
from uffd.ldap import get_conn
from uffd.mail.models import Mail
from uffd import create_app, db
from utils import dump, UffdTestCase
def get_mail():
return Mail.from_ldap_dn('uid=test,ou=postfix,dc=example,dc=com')
from tests.utils import dump, UffdTestCase
class TestMailViews(UffdTestCase):
def setUp(self):
super().setUp()
self.client.post(path=url_for('session.login'),
data={'loginname': 'testadmin', 'password': 'adminpassword'}, follow_redirects=True)
self.login_as('admin')
def test_index(self):
r = self.client.get(path=url_for('mail.index'), follow_redirects=True)
......@@ -27,15 +18,15 @@ class TestMailViews(UffdTestCase):
self.assertEqual(r.status_code, 200)
def test_index_empty(self):
conn = get_conn()
conn.delete(get_mail().dn)
self.assertIsNone(get_mail())
db.session.delete(self.get_mail())
db.session.commit()
self.assertIsNone(self.get_mail())
r = self.client.get(path=url_for('mail.index'), follow_redirects=True)
dump('mail_index_empty', r)
self.assertEqual(r.status_code, 200)
def test_show(self):
r = self.client.get(path=url_for('mail.show', uid=get_mail().uid), follow_redirects=True)
r = self.client.get(path=url_for('mail.show', mai_id=self.get_mail().id), follow_redirects=True)
dump('mail_show', r)
self.assertEqual(r.status_code, 200)
......@@ -45,17 +36,17 @@ class TestMailViews(UffdTestCase):
self.assertEqual(r.status_code, 200)
def test_update(self):
m = get_mail()
m = self.get_mail()
self.assertIsNotNone(m)
self.assertEqual(m.uid, 'test')
self.assertEqual(sorted(m.receivers), ['test1@example.com', 'test2@example.com'])
self.assertEqual(sorted(m.destinations), ['testuser@mail.example.com'])
r = self.client.post(path=url_for('mail.update', uid=m.uid),
r = self.client.post(path=url_for('mail.update', mail_id=m.id),
data={'mail-uid': 'test1', 'mail-receivers': 'foo@bar.com\ntest@bar.com',
'mail-destinations': 'testuser@mail.example.com\ntestadmin@mail.example.com'}, follow_redirects=True)
dump('mail_update', r)
self.assertEqual(r.status_code, 200)
m = get_mail()
m = self.get_mail()
self.assertIsNotNone(m)
self.assertEqual(m.uid, 'test')
self.assertEqual(sorted(m.receivers), ['foo@bar.com', 'test@bar.com'])
......@@ -67,26 +58,27 @@ class TestMailViews(UffdTestCase):
'mail-destinations': 'testuser@mail.example.com\ntestadmin@mail.example.com'}, follow_redirects=True)
dump('mail_create', r)
self.assertEqual(r.status_code, 200)
m = Mail.from_ldap_dn('uid=test1,ou=postfix,dc=example,dc=com')
m = Mail.query.filter_by(uid='test1').one()
self.assertEqual(m.uid, 'test1')
self.assertEqual(sorted(m.receivers), ['foo@bar.com', 'test@bar.com'])
self.assertEqual(sorted(m.destinations), ['testadmin@mail.example.com', 'testuser@mail.example.com'])
@unittest.skip('We do not catch DB errors at the moment!') # TODO
def test_create_error(self):
r = self.client.post(path=url_for('mail.update'),
data={'mail-uid': 'test', 'mail-receivers': 'foo@bar.com\ntest@bar.com',
'mail-destinations': 'testuser@mail.example.com\ntestadmin@mail.example.com'}, follow_redirects=True)
dump('mail_create_error', r)
self.assertEqual(r.status_code, 200)
m = get_mail()
m = self.get_mail()
self.assertIsNotNone(m)
self.assertEqual(m.uid, 'test')
self.assertEqual(sorted(m.receivers), ['test1@example.com', 'test2@example.com'])
self.assertEqual(sorted(m.destinations), ['testuser@mail.example.com'])
def test_delete(self):
self.assertIsNotNone(get_mail())
r = self.client.get(path=url_for('mail.delete', uid=get_mail().uid), follow_redirects=True)
self.assertIsNotNone(self.get_mail())
r = self.client.get(path=url_for('mail.delete', mail_id=self.get_mail().id), follow_redirects=True)
dump('mail_delete', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(get_mail())
self.assertIsNone(self.get_mail())
tests/views/test_oauth2.py 0 → 100644
View file @ 98fe5690
import unittest
from urllib.parse import urlparse, parse_qs
import jwt
from flask import url_for, session
from uffd.database import db
from uffd.password_hash import PlaintextPasswordHash
from uffd.remailer import remailer
from uffd.models import DeviceLoginConfirmation, Service, OAuth2Client, OAuth2DeviceLoginInitiation, RemailerMode, OAuth2Key, Session
from tests.utils import dump, UffdTestCase
from tests.models.test_oauth2 import TEST_JWK
class TestViews(UffdTestCase):
def setUpDB(self):
db.session.add(OAuth2Client(service=Service(name='test', limit_access=False), client_id='test', client_secret='testsecret', redirect_uris=['http://localhost:5009/callback', 'http://localhost:5009/callback2']))
db.session.add(OAuth2Client(service=Service(name='test1', access_group=self.get_admin_group()), client_id='test1', client_secret='testsecret1', redirect_uris=['http://localhost:5008/callback']))
def assert_authorization(self, r, mail=None):
while True:
if r.status_code != 302 or r.location.startswith('http://localhost:5009/callback'):
break
r = self.client.get(r.location, follow_redirects=False)
self.assertEqual(r.status_code, 302)
self.assertTrue(r.location.startswith('http://localhost:5009/callback'))
args = parse_qs(urlparse(r.location).query)
self.assertEqual(args['state'], ['teststate'])
code = args['code'][0]
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': code, 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['token_type'], 'Bearer')
self.assertEqual(r.json['scope'], 'profile')
token = r.json['access_token']
r = self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%token)], follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
user = self.get_user()
self.assertEqual(r.json['id'], user.unix_uid)
self.assertEqual(r.json['name'], user.displayname)
self.assertEqual(r.json['nickname'], user.loginname)
self.assertEqual(r.json['email'], mail or user.primary_email.address)
self.assertTrue(r.json.get('groups'))
def test_authorization(self):
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
self.assert_authorization(r)
def test_authorization_with_remailer(self):
self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
service = Service.query.filter_by(name='test').one()
service.remailer_mode = RemailerMode.ENABLED_V1
db.session.commit()
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
service = Service.query.filter_by(name='test').one()
self.assert_authorization(r, mail=remailer.build_v1_address(service.id, self.get_user().id))
def test_authorization_client_secret_rehash(self):
OAuth2Client.query.delete()
db.session.add(OAuth2Client(service=Service(name='rehash_test', limit_access=False), client_id='test', client_secret=PlaintextPasswordHash.from_password('testsecret'), redirect_uris=['http://localhost:5009/callback', 'http://localhost:5009/callback2']))
db.session.commit()
self.assertIsInstance(OAuth2Client.query.filter_by(client_id='test').one().client_secret, PlaintextPasswordHash)
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
self.assert_authorization(r)
oauth2_client = OAuth2Client.query.filter_by(client_id='test').one()
self.assertIsInstance(oauth2_client.client_secret, OAuth2Client.client_secret.method_cls)
self.assertTrue(oauth2_client.client_secret.verify('testsecret'))
def test_authorization_without_redirect_uri(self):
client = OAuth2Client.query.filter_by(client_id='test').one()
client.redirect_uris.remove('http://localhost:5009/callback2')
db.session.commit()
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', scope='profile'), follow_redirects=False)
self.assert_authorization(r)
def test_authorization_without_scope(self):
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback'), follow_redirects=False)
self.assert_authorization(r)
# Regression test for #115 (OAuth2 authorize endpoint rejects empty scope parameter)
def test_authorization_empty_scope(self):
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', scope='', redirect_uri='http://localhost:5009/callback'), follow_redirects=False)
self.assert_authorization(r)
def test_authorization_access_denied(self):
client = OAuth2Client.query.filter_by(client_id='test').one()
client.service.limit_access = True
db.session.commit()
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
self.assertEqual(r.status_code, 403)
dump('oauth2_authorization_access_denied', r)
def test_authorization_invalid_scope(self):
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='invalid'), follow_redirects=False)
self.assertEqual(r.status_code, 400)
dump('oauth2_authorization_invalid_scope', r)
def test_authorization_missing_client_id(self):
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
self.assertEqual(r.status_code, 400)
dump('oauth2_authorization_missing_client_id', r)
def test_authorization_invalid_client_id(self):
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='invalid_client_id', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
self.assertEqual(r.status_code, 400)
dump('oauth2_authorization_invalid_client_id', r)
def test_authorization_missing_response_type(self):
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
self.assertEqual(r.status_code, 400)
dump('oauth2_authorization_missing_response_type', r)
def test_authorization_invalid_response_type(self):
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='token', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
self.assertEqual(r.status_code, 400)
dump('oauth2_authorization_invalid_response_type', r)
def test_authorization_devicelogin_start(self):
ref = url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback')
r = self.client.get(path=url_for('session.devicelogin_start', ref=ref), follow_redirects=True)
# check response
initiation = OAuth2DeviceLoginInitiation.query.filter_by(id=session['devicelogin_id'], secret=session['devicelogin_secret']).one()
self.assertEqual(r.status_code, 200)
self.assertFalse(initiation.expired)
self.assertEqual(initiation.client.client_id, 'test')
self.assertIsNotNone(initiation.description)
def test_authorization_devicelogin_auth(self):
with self.client.session_transaction() as _session:
initiation = OAuth2DeviceLoginInitiation(client=OAuth2Client.query.filter_by(client_id='test').one())
db.session.add(initiation)
confirmation = DeviceLoginConfirmation(initiation=initiation, session=Session(user=self.get_user()))
db.session.add(confirmation)
db.session.commit()
_session['devicelogin_id'] = initiation.id
_session['devicelogin_secret'] = initiation.secret
code = confirmation.code
self.client.get(path='/')
ref = url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback')
r = self.client.post(path=url_for('session.devicelogin_submit', ref=ref), data={'confirmation-code': code}, follow_redirects=False)
self.assert_authorization(r)
def test_authorization_devicelogin_auth_deactivated(self):
with self.client.session_transaction() as _session:
initiation = OAuth2DeviceLoginInitiation(client=OAuth2Client.query.filter_by(client_id='test').one())
db.session.add(initiation)
confirmation = DeviceLoginConfirmation(initiation=initiation, session=Session(user=self.get_user()))
db.session.add(confirmation)
db.session.commit()
_session['devicelogin_id'] = initiation.id
_session['devicelogin_secret'] = initiation.secret
code = confirmation.code
self.client.get(path='/')
self.get_user().is_deactivated = True
db.session.commit()
ref = url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback')
r = self.client.post(path=url_for('session.devicelogin_submit', ref=ref), data={'confirmation-code': code}, follow_redirects=True)
self.assertIn(b'Device login failed', r.data)
def get_auth_code(self):
self.login_as('user')
r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
while True:
if r.status_code != 302 or r.location.startswith('http://localhost:5009/callback'):
break
r = self.client.get(r.location, follow_redirects=False)
self.assertEqual(r.status_code, 302)
self.assertTrue(r.location.startswith('http://localhost:5009/callback'))
args = parse_qs(urlparse(r.location).query)
self.assertEqual(args['state'], ['teststate'])
return args['code'][0]
def test_token_urlsecret(self):
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['token_type'], 'Bearer')
self.assertEqual(r.json['scope'], 'profile')
# Regression test for #114 (OAuth2 token endpoint does not support Basic-Auth)
def test_token_basicauth(self):
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback'},
headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['token_type'], 'Bearer')
self.assertEqual(r.json['scope'], 'profile')
def test_token_invalid_code(self):
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': 'abcdef', 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
self.assertEqual(r.status_code, 400)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['error'], 'invalid_grant')
def test_token_code_invalidation(self):
code = self.get_auth_code()
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': code, 'redirect_uri': 'http://localhost:5009/callback'},
headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': code, 'redirect_uri': 'http://localhost:5009/callback'},
headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'}, follow_redirects=True)
self.assertEqual(r.status_code, 400)
self.assertEqual(r.json['error'], 'invalid_grant')
def test_token_invalid_client(self):
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'invalid_client', 'client_secret': 'invalid_client_secret'}, follow_redirects=True)
self.assertEqual(r.status_code, 401)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['error'], 'invalid_client')
def test_token_unauthorized_client(self):
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test'}, follow_redirects=True)
self.assertEqual(r.status_code, 401)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['error'], 'invalid_client')
def test_token_unsupported_grant_type(self):
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'password', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
self.assertEqual(r.status_code, 400)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['error'], 'unsupported_grant_type')
def test_token_deactivated_user(self):
code = self.get_auth_code()
self.get_user().is_deactivated = True
db.session.commit()
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': code, 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
self.assertEqual(r.status_code, 400)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['error'], 'invalid_grant')
def test_userinfo_invalid_access_token(self):
token = 'invalidtoken'
r = self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%token)], follow_redirects=True)
self.assertEqual(r.status_code, 401)
def test_userinfo_deactivated_user(self):
r = self.client.post(path=url_for('oauth2.token'),
data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
token = r.json['access_token']
self.get_user().is_deactivated = True
db.session.commit()
r = self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%token)], follow_redirects=True)
self.assertEqual(r.status_code, 401)
class TestOIDCConfigurationProfile(UffdTestCase):
def setUpDB(self):
db.session.add(OAuth2Key(**TEST_JWK))
def test_discover_spec(self):
ISSUER = 'https://sso.example.com'
r = self.client.get(base_url=ISSUER, path='/.well-known/openid-configuration')
# OIDC Discovery 1.0 section 4.2:
# > A successful response MUST use the 200 OK HTTP status code and return a
# > JSON object using the application/json content type that contains a set
# > of Claims as its members that are a subset of the Metadata values defined
# > in Section 3.
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertIsInstance(r.json, dict) # also validates JSON syntax
# OIDC Discovery 1.0 section 4.2:
# > Claims that return multiple values are represented as JSON arrays.
# > Claims with zero elements MUST be omitted from the response.
for key, value in r.json.items():
if isinstance(value, list):
self.assertNotEqual(len(value), 0)
# OIDC Discovery 1.0 section 3 (REQUIRED metadata values)
required_fields = {'issuer', 'authorization_endpoint', 'jwks_uri', 'response_types_supported', 'subject_types_supported', 'id_token_signing_alg_values_supported'}
if 'code' in r.json.get('response_types_supported', []):
required_fields.add('token_endpoint')
if 'authorization_code' in r.json.get('grant_types_supported', ['authorization_code', 'implicit']):
required_fields.add('token_endpoint')
for field in required_fields:
self.assertIn(field, r.json)
# OIDC Discovery 1.0 section 3 (metadata value types)
bool_fields = ('claims_parameter_supported', 'request_parameter_supported', 'request_uri_parameter_supported', 'require_request_uri_registration')
list_fields = ('scopes_supported', 'response_types_supported', 'response_modes_supported', 'grant_types_supported', 'acr_values_supported', 'subject_types_supported', 'id_token_signing_alg_values_supported', 'id_token_encryption_alg_values_supported', 'id_token_encryption_enc_values_supported', 'userinfo_signing_alg_values_supported', 'userinfo_encryption_alg_values_supported', 'userinfo_encryption_enc_values_supported', 'request_object_signing_alg_values_supported', 'request_object_encryption_alg_values_supported', 'request_object_encryption_enc_values_supported', 'token_endpoint_auth_methods_supported', 'token_endpoint_auth_signing_alg_values_supported', 'display_values_supported', 'claim_types_supported', 'claims_supported', 'claims_locales_supported', 'ui_locales_supported')
https_url_fields = ('issuer', 'authorization_endpoint', 'token_endpoint', 'userinfo_endpoint', 'jwks_uri', 'registration_endpoint')
url_fields = ('service_documentation', 'op_policy_uri', 'op_tos_uri')
for field in bool_fields:
if field in r.json:
self.assertIsInstance(r.json[field], bool)
for field in list_fields:
if field in r.json:
self.assertIsInstance(r.json[field], list)
for field in https_url_fields:
if field in r.json:
self.assertIsInstance(r.json[field], str)
self.assertTrue(r.json[field].lower().startswith('https://'))
for field in url_fields:
if field in r.json:
self.assertIsInstance(r.json[field], str)
self.assertTrue(r.json[field].lower().startswith('http'))
# OIDC Discovery 1.0 section 3 (MUSTs on metadata values except https scheme and jwks_uri)
self.assertEqual(r.json['issuer'], ISSUER)
if 'scopes_supported' in r.json:
self.assertIsInstance(r.json['scopes_supported'], list)
for item in r.json['scopes_supported']:
self.assertIsInstance(item, str)
self.assertRegex(item, r'^[!#-\[\]-~]+$') # 1*( %x21 / %x23-5B / %x5D-7E )
self.assertIn('openid', r.json['scopes_supported'])
self.assertIn('RS256', r.json['id_token_signing_alg_values_supported'])
if 'token_endpoint_auth_signing_alg_values_supported' in r.json:
self.assertNotIn('none', r.json['token_endpoint_auth_signing_alg_values_supported'])
# OIDC Discovery 1.0 section 3 (jwks_uri) and RFC7517
self.assertTrue(r.json['jwks_uri'].startswith(ISSUER)) # Not a requirement by spec, but technically neccessary for this test
r_jwks = self.client.get(base_url=ISSUER, path=r.json['jwks_uri'][len(ISSUER):])
self.assertEqual(r_jwks.status_code, 200)
# The jwks_uri SHOULD include a Cache-Control header in the response that contains a max-age directive ...
self.assertIn('Cache-Control', r_jwks.headers)
self.assertIsInstance(r_jwks.json, dict) # also validates JSON syntax
self.assertIn('keys', r_jwks.json)
self.assertIsInstance(r_jwks.json['keys'], list)
has_sign_keys = False
has_encrypt_keys = False
kids = set()
for key in r_jwks.json['keys']:
self.assertIn('kty', key)
self.assertIsInstance(key['kty'], str)
if 'use' in key:
self.assertIsInstance(key['use'], str)
if key['use'] == 'sig':
has_sign_keys = True
if key['use'] == 'enc':
has_enc_keys = True
if 'key_ops' in key:
self.assertIsInstance(key['key_ops'], list)
self.assertNotIn('use', key) # SHOULD
for value in key['key_ops']:
self.assertIsInstance(value, str)
self.assertEqual(key['key_ops'].count(value), 1)
# OIDC: "The JWK Set MUST NOT contain private or symmetric key values."
self.assertNotIn('decrypt', key['key_ops'])
self.assertNotIn('sign', key['key_ops'])
if 'verify' in key['key_ops']:
has_sign_keys = True
if 'encrypt' in key['key_ops']:
has_enc_keys = True
if 'alg' in key:
self.assertIsInstance(key['alg'], str)
if 'kid' in key:
self.assertIsInstance(key['kid'], str)
self.assertNotIn(key['kid'], kids) # SHOULD
kids.add(key['kid'])
# ignoring everything X.509 related
# TODO: Validate algorithm-specific part of JWK
if has_sign_keys and has_encrypt_keys:
for key in r_jwks.json['keys']:
self.assertIn('use', key)
class TestOIDCBasicProfile(UffdTestCase):
def setUpDB(self):
db.session.add(OAuth2Key(**TEST_JWK))
db.session.add(OAuth2Client(service=Service(name='test', limit_access=False), client_id='test', client_secret='testsecret', redirect_uris=['https://service/callback']))
# Helper
def validate_claim_syntax(self, name, value):
# Strip language tag
if '#' in name:
name = name.split('#')[0]
str_claims = ('sub', 'name', 'given_name', 'family_name', 'middle_name', 'nickname', 'preferred_username', 'profile', 'picture', 'website', 'email', 'gender', 'birthdate', 'zoneinfo', 'locale', 'phone_number', 'acr')
if name in str_claims:
self.assertIsInstance(value, str)
if name in ('profile', 'picture', 'website'):
self.assertTrue(value.lower().startswith('http'))
if name in ('email_verified', 'phone_number_verified'):
self.assertIsInstance(value, bool)
if name in ('updated_at', 'auth_time'):
self.assertTrue(isinstance(value, int) or isinstance(value, float))
if name == 'address':
self.assertIsInstance(value, dict)
if name == 'amr':
self.assertIsInstance(value, list)
for item in value:
self.assertIsInstance(item, str)
def validate_id_token(self, id_token, nonce='testnonce', client_id='test'):
headers = jwt.get_unverified_header(id_token)
self.assertIn('kid', headers)
self.assertIsInstance(headers['kid'], str)
# This checks signature and exp
data = OAuth2Key.decode_jwt(id_token, options={'verify_aud': False})
self.assertIn('iss', data)
self.assertIsInstance(data['iss'], str)
self.assertIn('sub', data)
self.assertIn('aud', data)
self.assertIsInstance(data['aud'], str)
if client_id is not None:
self.assertEqual(data['aud'], client_id)
self.assertIn('iat', data)
self.assertTrue(isinstance(data['iat'], int) or isinstance(data['iat'], float))
if 'nonce' in data:
self.assertIsInstance(data['nonce'], str)
self.assertEqual(data.get('nonce'), nonce)
if 'azp' in data:
self.assertIsInstance(data['azp'], str)
for name, value in data.items():
self.validate_claim_syntax(name, value)
return data
def is_login_page(self, location):
url = urlparse(location)
return url.netloc in ('localhost', '') and url.path == url_for('session.login')
def is_callback(self, location):
return location.startswith('https://service/callback')
def do_auth_request(self, client_id='test', state='teststate', nonce='testnonce', redirect_uri='https://service/callback', scope='openid', follow_redirects=True, **kwargs):
r = self.client.get(path=url_for('oauth2.authorize', client_id=client_id, state=state, nonce=nonce, redirect_uri=redirect_uri, scope=scope, **kwargs), follow_redirects=False)
while follow_redirects and r.status_code == 302 and not self.is_login_page(r.location) and not self.is_callback(r.location):
r = self.client.get(path=r.location, follow_redirects=False)
return r
def do_login(self, r, loginname='testuser', password='userpassword'):
self.assertEqual(r.status_code, 302)
self.assertTrue(self.is_login_page(r.location))
self.client.get(path=url_for('session.logout'), follow_redirects=True)
args = parse_qs(urlparse(r.location).query)
r = self.client.post(path=url_for('session.login', ref=args['ref'][0]), data={'loginname': loginname, 'password': password}, follow_redirects=False)
while r.status_code == 302 and not self.is_login_page(r.location) and not self.is_callback(r.location):
r = self.client.get(path=r.location, follow_redirects=False)
return r
def validate_auth_response(self, r, state='teststate'):
self.assertEqual(r.status_code, 302)
self.assertTrue(self.is_callback(r.location))
args = parse_qs(urlparse(r.location).query)
for key in args:
self.assertNotIn(key, ('error', 'error_description', 'error_uri'))
self.assertEqual(len(args[key]), 1) # Not generally specified, but still a good check
if state is not None:
self.assertIn('state', args)
self.assertEqual(args['state'], [state])
else:
self.assertNotIn('state', args)
return {key: values[0] for key, values in args.items()}
def assert_auth_error(self, r, *errors, state='teststate'):
self.assertEqual(r.status_code, 302)
self.assertTrue(self.is_callback(r.location))
args = parse_qs(urlparse(r.location).query)
for key in args:
self.assertIn(key, ('error', 'error_description', 'error_uri', 'state'))
self.assertEqual(len(args[key]), 1)
self.assertIn('error', args)
if state is not None:
self.assertIn('state', args)
self.assertEqual(args['state'][0], state)
else:
self.assertNotIn('state', args)
if errors:
self.assertIn(args['error'][0], errors)
self.assertRegex(args['error'][0], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
if 'error_description' in args:
self.assertRegex(args['error_description'][0], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
if 'error_uri' in args:
self.assertRegex(args['error_uri'][0], r'^[!#-\[\]-~]+$') # 1*( %x21 / %x23-5B / %x5D-7E )
def do_token_request(self, client_id='test', client_secret='testsecret', redirect_uri='https://service/callback', **kwargs):
data = {'redirect_uri': redirect_uri, 'client_id': client_id, 'client_secret': client_secret}
data.update(kwargs)
return self.client.post(path=url_for('oauth2.token'), data=data, follow_redirects=True)
def validate_token_response(self, r, nonce='testnonce', client_id='test'):
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertIn('Cache-Control', r.headers)
self.assertEqual(r.headers['Cache-Control'].lower(), 'no-store')
for key in r.json:
self.assertNotIn(key, ('error', 'error_description', 'error_uri'))
self.assertIn('access_token', r.json)
self.assertIsInstance(r.json['access_token'], str)
self.assertIn('token_type', r.json)
self.assertIsInstance(r.json['token_type'], str)
# OIDC Core 1.0 section 3.1.3.3:
# > The OAuth 2.0 token_type response parameter value MUST be Bearer,
# > [...] unless another Token Type has been negotiated with the Client.
self.assertEqual(r.json['token_type'].lower(), 'bearer')
if 'expires_in' in r.json:
self.assertTrue(isinstance(r.json['expires_in'], int) or isinstance(data['expires_in'], float))
if 'refresh_token' in r.json:
self.assertIsInstance(r.json['refresh_token'], str)
if 'scope' in r.json:
self.assertIsInstance(r.json['scope'], str)
# scope = scope-token *( SP scope-token )
# scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
self.assertRegex(r.json['scope'], r'^[!#-\[\]-~]+( [!#-\[\]-~]+)*$')
# OIDC Core 1.0 section 3.1.3.3:
# > All Token Responses that contain tokens, secrets, or other sensitive
# > information MUST include the following HTTP response header fields and values:
# > Cache-Control: no-store
self.assertIn('id_token', r.json)
return self.validate_id_token(r.json['id_token'], nonce=nonce, client_id=client_id)
def assert_token_error(self, r, *errors):
self.assertEqual(r.content_type, 'application/json')
if r.json.get('error', '') == 'invalid_client':
self.assertEqual(r.status_code, 401)
else:
self.assertEqual(r.status_code, 400)
for key in r.json:
self.assertIn(key, ('error', 'error_description', 'error_uri'))
self.assertIn('error', r.json)
if errors:
self.assertIn(r.json['error'], errors)
self.assertRegex(r.json['error'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
if 'error_description' in r.json:
self.assertRegex(r.json['error_description'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
if 'error_uri' in r.json:
self.assertRegex(r.json['error_uri'], r'^[!#-\[\]-~]+$') # 1*( %x21 / %x23-5B / %x5D-7E )
def do_userinfo_request(self, access_token):
return self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%access_token)], follow_redirects=True)
def validate_userinfo_response(self, r):
self.assertEqual(r.status_code, 200)
# We ignore everything related to encrypted/signed JWT userinfo here
self.assertEqual(r.content_type, 'application/json')
self.assertIn('sub', r.json)
for name, value in r.json.items():
self.validate_claim_syntax(name, value)
def assert_userinfo_error(self, r):
self.assertEqual(r.status_code, 401)
self.assertEqual(len(r.headers.getlist('WWW-Authenticate')), 1)
method, args = (r.headers['WWW-Authenticate'].split(' ', 1) + [''])[:2]
args = {item.split('=', 1)[0]: item.split('=', 1)[1].strip(' \n"') for item in args.split(',') if item.strip()}
if 'scope' in args:
self.assertRegex(args['scope'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
if 'error' in args:
self.assertRegex(args['error'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
if 'error_description' in args:
self.assertRegex(args['error_description'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
def test(self):
self.login_as('user')
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'])
id_token = self.validate_token_response(r)
self.assertEqual(id_token['sub'], '10000')
r = self.do_userinfo_request(r.json['access_token'])
self.validate_userinfo_response(r)
self.assertEqual(r.json['sub'], '10000')
def test_notloggedin(self):
r = self.do_auth_request(response_type='code')
r = self.do_login(r)
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'])
id_token = self.validate_token_response(r)
self.assertEqual(id_token['sub'], '10000')
def test_no_state(self):
self.login_as('user')
r = self.do_auth_request(response_type='code', state=None)
args = self.validate_auth_response(r, state=None)
r = self.do_token_request(grant_type='authorization_code', code=args['code'])
id_token = self.validate_token_response(r)
self.assertEqual(id_token['sub'], '10000')
def test_no_nonce(self):
self.login_as('user')
r = self.do_auth_request(response_type='code', nonce=None)
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'])
id_token = self.validate_token_response(r, nonce=None)
self.assertEqual(id_token['sub'], '10000')
def test_redirect_uri(self):
self.login_as('user')
# No redirect_uri in auth request is fine if there is only one uri registered
r = self.do_auth_request(response_type='code', redirect_uri=None)
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], redirect_uri=None)
id_token = self.validate_token_response(r)
self.assertEqual(id_token['sub'], '10000')
# If auth request has redirect_uri, it is required in token request
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], redirect_uri=None)
self.assert_token_error(r)
# If auth request has redirect_uri, it the redirect_uri in the token request must be the same
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], redirect_uri='https://foobar/callback')
self.assert_token_error(r)
# Invalid redirect_uri
r = self.do_auth_request(response_type='code', redirect_uri='http://foobar/callback')
self.assertEqual(r.status_code, 400) # No redirect!
# redirect_uri is required in auth request if there is more than a single uri registered
client = OAuth2Client.query.one()
client.redirect_uris.append('https://service/callback2')
db.session.commit()
r = self.do_auth_request(response_type='code', redirect_uri=None)
self.assertEqual(r.status_code, 400) # No redirect!
def test_auth_errors(self):
# Missing response_type
r = self.do_auth_request()
self.assert_auth_error(r, 'invalid_request')
# Invalid response_type
r = self.do_auth_request(response_type='foobar')
self.assert_auth_error(r, 'unsupported_response_type')
# Missing client_id
r = self.do_auth_request(response_type='code', client_id=None)
self.assertEqual(r.status_code, 400) # No redirect!
# Invalid client_id
r = self.do_auth_request(response_type='code', client_id='foobar')
self.assertEqual(r.status_code, 400) # No redirect!
# Duplicate parameter
r = self.do_auth_request(response_type='code', client_id=['test', 'foobar'])
self.assertEqual(r.status_code, 400) # No redirect!
def test_access_denied(self):
Service.query.one().limit_access = True
db.session.commit()
self.login_as('user')
r = self.do_auth_request(response_type='code')
self.assert_auth_error(r, 'access_denied')
def test_auth_request_uri(self):
self.login_as('user')
r = self.do_auth_request(response_type='code', request_uri='https://localhost/myrequest_uri')
self.assert_auth_error(r, 'request_uri_not_supported')
def test_auth_request_unsigned(self):
self.login_as('user')
request_params = {
'response_type': 'code',
'client_id': 'test',
'redirect_uri': 'http://service/callback',
'scope': 'openid',
'state': 'teststate',
'nonce': 'testnonce',
'claims': {
'userinfo': {
'name': None,
'email': {'essential': True},
'email_verified': {'essential': True},
},
'id_token': {
'email': None,
}
}
}
r = self.do_auth_request(response_type='code', request=jwt.encode(request_params, algorithm='none', key=None))
self.assert_auth_error(r, 'request_not_supported')
def test_token_client_auth(self):
self.login_as('user')
# Auth via body -> ACCEPT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'])
self.validate_token_response(r)
# Auth via header -> ACCEPT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.client.post(
path=url_for('oauth2.token'),
data={'redirect_uri': 'https://service/callback', 'grant_type': 'authorization_code', 'code': args['code']},
headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'},
follow_redirects=True,
)
self.validate_token_response(r)
# Auth via header, but same client id also in body -> ACCEPT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.client.post(
path=url_for('oauth2.token'),
data={'redirect_uri': 'https://service/callback', 'grant_type': 'authorization_code', 'client_id': 'test', 'code': args['code']},
headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'},
follow_redirects=True,
)
self.validate_token_response(r)
# Different client id in body and header -> REJECT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.client.post(
path=url_for('oauth2.token'),
data={'redirect_uri': 'https://service/callback', 'grant_type': 'authorization_code', 'client_id': 'XXXX', 'code': args['code']},
headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'},
follow_redirects=True,
)
self.assert_token_error(r, 'invalid_request')
# Duplicate client id in body -> REJECT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id=['test', 'XXXX'])
self.assert_token_error(r, 'invalid_request')
# Duplicate client secret in body -> REJECT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_secret=['testsecret', 'XXXXX'])
self.assert_token_error(r, 'invalid_request')
# Client secret in body and header -> REJECT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.client.post(
path=url_for('oauth2.token'),
data={'redirect_uri': 'https://service/callback', 'grant_type': 'authorization_code', 'client_id': 'test', 'client_secret': 'testsecret', 'code': args['code']},
headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'},
follow_redirects=True,
)
self.assert_token_error(r, 'invalid_request')
# No secret -> REJECT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_secret=None)
self.assert_token_error(r, 'invalid_client')
# No client id but secret -> REJECT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id=None)
self.assert_token_error(r, 'invalid_client')
# No client id and no secret -> REJECT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id=None, client_secret=None)
self.assert_token_error(r, 'invalid_client')
# Unknown client id -> REJECT
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id='XXXX')
self.assert_token_error(r, 'invalid_client')
def test_token_errors(self):
self.login_as('user')
# Missing grant_type parameter
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(code=args['code'])
self.assert_token_error(r, 'invalid_request')
# Missing code parameter
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code')
self.assert_token_error(r, 'invalid_request')
# redirect_uri behaviour is already tested in test_redirect_uri
# Invalid grant type
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='foobar', code=args['code'])
self.assert_token_error(r, 'unsupported_grant_type')
# Duplicate code parameter
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=[args['code'], 'XXXXX'])
self.assert_token_error(r, 'invalid_request')
# Invalid code parameter
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code='XXXXX')
self.assert_token_error(r, 'invalid_grant')
# Invalid code parameter
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'].split('-')[0]+'-XXXXX')
self.assert_token_error(r, 'invalid_grant')
# Code was issued to different client
db.session.add(OAuth2Client(service=Service(name='test2', limit_access=False), client_id='test2', client_secret='testsecret2', redirect_uris=['https://service2/callback']))
db.session.commit()
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id='test2', client_secret='testsecret2')
self.assert_token_error(r, 'invalid_grant')
def test_userinfo_auth(self):
self.login_as('user')
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'])
self.validate_token_response(r)
access_token = r.json['access_token']
# GET + Bearer
r = self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%access_token)], follow_redirects=True)
self.validate_userinfo_response(r)
self.assertEqual(r.json['sub'], '10000')
# POST + Bearer
r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%access_token)], follow_redirects=True)
self.validate_userinfo_response(r)
self.assertEqual(r.json['sub'], '10000')
# "Bearer" is case-insensitive
r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('authorization', 'bearer %s'%access_token)], follow_redirects=True)
self.validate_userinfo_response(r)
self.assertEqual(r.json['sub'], '10000')
# Invalid auth scheme
r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Basic dGVzdDp0ZXN0c2VjcmV0')], follow_redirects=True)
self.assert_userinfo_error(r)
# Invalid bearer token
r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s-XXXXX'%access_token.split('-')[0])], follow_redirects=True)
self.assert_userinfo_error(r)
r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer XXXXX')], follow_redirects=True)
self.assert_userinfo_error(r)
# POST + body
r = self.client.post(path=url_for('oauth2.userinfo'), data={'access_token': access_token}, follow_redirects=True)
self.validate_userinfo_response(r)
self.assertEqual(r.json['sub'], '10000')
# GET + query
r = self.client.get(path=url_for('oauth2.userinfo', access_token=access_token), follow_redirects=True)
self.validate_userinfo_response(r)
self.assertEqual(r.json['sub'], '10000')
# POST + Bearer + body -> REJECT
r = self.client.post(path=url_for('oauth2.userinfo'), data={'access_token': access_token}, headers=[('Authorization', 'Bearer %s'%access_token)], follow_redirects=True)
self.assert_userinfo_error(r)
# No auth -> REJECT
r = self.client.post(path=url_for('oauth2.userinfo'), follow_redirects=True)
self.assert_userinfo_error(r)
def test_scope(self):
self.login_as('user')
# Scope values used that are not understood by an implementation SHOULD be ignored.
r = self.do_auth_request(response_type='code', scope='openid profile email address phone groups foobar')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'])
id_token = self.validate_token_response(r)
self.assertEqual(id_token['sub'], '10000')
r = self.do_userinfo_request(r.json['access_token'])
self.validate_userinfo_response(r)
self.assertEqual(r.json['sub'], '10000')
self.assertEqual(r.json['name'], 'Test User')
self.assertEqual(r.json['preferred_username'], 'testuser')
self.assertEqual(r.json['email'], 'test@example.com')
self.assertEqual(sorted(r.json['groups']), sorted(['users', 'uffd_access']))
def test_claims(self):
self.login_as('user')
# Scope values used that are not understood by an implementation SHOULD be ignored.
r = self.do_auth_request(response_type='code', claims='{"userinfo": {"name": {"essential": true}}, "id_token": {"preferred_username": {"essential": true}, "email": null}}')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'])
id_token = self.validate_token_response(r)
self.assertEqual(id_token['sub'], '10000')
self.assertEqual(id_token['preferred_username'], 'testuser')
self.assertEqual(id_token['email'], 'test@example.com')
self.assertNotIn('name', r.json)
r = self.do_userinfo_request(r.json['access_token'])
self.validate_userinfo_response(r)
self.assertEqual(r.json['sub'], '10000')
self.assertEqual(r.json['name'], 'Test User')
self.assertNotIn('email', r.json)
def test_prompt_none(self):
r = self.do_auth_request(response_type='code', prompt='none')
self.assert_auth_error(r, 'login_required')
self.login_as('user')
r = self.do_auth_request(response_type='code', prompt='none')
args = self.validate_auth_response(r)
self.assertIn('code', args)
# OIDC Core 1.0 section 3.1.2.1.:
# > If this parameter contains none with any other value, an error is returned.
r = self.do_auth_request(response_type='code', prompt='none login')
self.assert_auth_error(r)
@unittest.skip('prompt=login is not implemented') # MUST
def test_prompt_login(self):
self.login_as('user')
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
self.assertIn('code', args)
r = self.do_auth_request(response_type='code', prompt='login')
self.assertEqual(r.status_code, 302)
self.assertTrue(self.is_login_page(r.location))
# TODO: max_age
def test_sub_value(self):
# Via id_token_hint or claims.id_token.sub.value
self.login_as('user')
r = self.do_auth_request(response_type='code', prompt='none')
args = self.validate_auth_response(r)
r = self.do_token_request(grant_type='authorization_code', code=args['code'])
self.validate_token_response(r)
id_token = r.json['id_token']
r = self.do_auth_request(response_type='code', prompt='none', id_token_hint=id_token)
args = self.validate_auth_response(r)
self.assertIn('code', args)
r = self.do_auth_request(response_type='code', prompt='none', id_token_hint='XXXXX')
self.assert_auth_error(r, 'invalid_request')
r = self.do_auth_request(response_type='code', prompt='none', claims='{"id_token": {"sub": {"value": "10000"}}}')
args = self.validate_auth_response(r)
r = self.do_auth_request(response_type='code', prompt='none', claims='{"id_token": {"sub": {"value": "10001"}}}')
self.assert_auth_error(r, 'login_required')
# sub value in id_token_hint and claims is the same -> Not ambiguous
r = self.do_auth_request(response_type='code', prompt='none', id_token_hint=id_token, claims='{"id_token": {"sub": {"value": "10000"}}}')
args = self.validate_auth_response(r)
self.assertIn('code', args)
# sub value in id_token_hint and claims differs -> Ambiguous
r = self.do_auth_request(response_type='code', prompt='none', id_token_hint=id_token, claims='{"id_token": {"sub": {"value": "10001"}}}')
self.assert_auth_error(r, 'invalid_request')
self.login_as('admin')
r = self.do_auth_request(response_type='code', prompt='none', id_token_hint=id_token)
self.assert_auth_error(r, 'login_required')
def test_code_reuse(self):
self.login_as('user')
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r1 = self.do_token_request(grant_type='authorization_code', code=args['code'])
self.validate_token_response(r1)
r2 = self.do_token_request(grant_type='authorization_code', code=args['code'])
self.assert_token_error(r2, 'invalid_grant')
@unittest.skip('Token revoking on reuse is not implemented') # SHOULD
def test_code_reuse_revoke(self):
self.login_as('user')
r = self.do_auth_request(response_type='code')
args = self.validate_auth_response(r)
r1 = self.do_token_request(grant_type='authorization_code', code=args['code'])
self.validate_token_response(r1)
r2 = self.do_token_request(grant_type='authorization_code', code=args['code'])
self.assert_token_error(r2, 'invalid_grant')
r = self.do_userinfo_request(r1.json['access_token'])
self.assert_userinfo_error(r)
tests/test_role.py tests/views/test_role.py
View file @ 98fe5690
import datetime
import time
from flask import url_for
from flask import url_for, session
from uffd.database import db
from uffd.models import User, Role, RoleGroup
# These imports are required, because otherwise we get circular imports?!
from uffd import ldap, user
from uffd.user.models import Group
from uffd.role.models import Role
from uffd import create_app, db
from utils import dump, UffdTestCase
from tests.utils import dump, UffdTestCase
class TestRoleViews(UffdTestCase):
def setUp(self):
super().setUp()
self.client.post(path=url_for('session.login'),
data={'loginname': 'testadmin', 'password': 'adminpassword'}, follow_redirects=True)
self.login_as('admin')
def test_index(self):
db.session.add(Role('base', 'Base role description'))
db.session.add(Role('test1', 'Test1 role description'))
db.session.add(Role(name='base', description='Base role description'))
db.session.add(Role(name='test1', description='Test1 role description'))
db.session.commit()
r = self.client.get(path=url_for('role.index'), follow_redirects=True)
dump('role_index', r)
......@@ -32,7 +24,7 @@ class TestRoleViews(UffdTestCase):
self.assertEqual(r.status_code, 200)
def test_show(self):
role = Role('base', 'Base role description')
role = Role(name='base', description='Base role description')
db.session.add(role)
db.session.commit()
r = self.client.get(path=url_for('role.show', roleid=role.id), follow_redirects=True)
......@@ -40,35 +32,34 @@ class TestRoleViews(UffdTestCase):
self.assertEqual(r.status_code, 200)
def test_new(self):
r = self.client.get(path=url_for('role.show'), follow_redirects=True)
r = self.client.get(path=url_for('role.new'), follow_redirects=True)
dump('role_new', r)
self.assertEqual(r.status_code, 200)
def test_update(self):
role = Role('base', 'Base role description')
role = Role(name='base', description='Base role description')
db.session.add(role)
db.session.commit()
role.add_group(Group.from_ldap_dn('cn=uffd_admin,ou=groups,dc=example,dc=com'))
role.groups[self.get_admin_group()] = RoleGroup()
db.session.commit()
self.assertEqual(role.name, 'base')
self.assertEqual(role.description, 'Base role description')
self.assertEqual(role.group_dns(), ['cn=uffd_admin,ou=groups,dc=example,dc=com'])
self.assertSetEqual(set(role.groups), {self.get_admin_group()})
r = self.client.post(path=url_for('role.update', roleid=role.id),
data={'name': 'base1', 'description': 'Base role description1', 'group-20001': '1', 'group-20002': '1'},
data={'name': 'base1', 'description': 'Base role description1', 'moderator-group': '', 'group-%d'%self.get_users_group().id: '1', 'group-%d'%self.get_access_group().id: '1'},
follow_redirects=True)
dump('role_update', r)
self.assertEqual(r.status_code, 200)
role = Role.query.get(role.id)
self.assertEqual(role.name, 'base1')
self.assertEqual(role.description, 'Base role description1')
self.assertEqual(sorted(role.group_dns()), ['cn=uffd_access,ou=groups,dc=example,dc=com',
'cn=users,ou=groups,dc=example,dc=com'])
# TODO: verify that group memberships are updated (currently not possible with ldap mock!)
self.assertSetEqual(set(role.groups), {self.get_access_group(), self.get_users_group()})
# TODO: verify that group memberships are updated
def test_create(self):
self.assertIsNone(Role.query.filter_by(name='base').first())
r = self.client.post(path=url_for('role.update'),
data={'name': 'base', 'description': 'Base role description', 'group-20001': '1', 'group-20002': '1'},
data={'name': 'base', 'description': 'Base role description', 'moderator-group': '', 'group-%d'%self.get_users_group().id: '1', 'group-%d'%self.get_access_group().id: '1'},
follow_redirects=True)
dump('role_create', r)
self.assertEqual(r.status_code, 200)
......@@ -76,12 +67,25 @@ class TestRoleViews(UffdTestCase):
self.assertIsNotNone(role)
self.assertEqual(role.name, 'base')
self.assertEqual(role.description, 'Base role description')
self.assertEqual(sorted(role.group_dns()), ['cn=uffd_access,ou=groups,dc=example,dc=com',
'cn=users,ou=groups,dc=example,dc=com'])
self.assertSetEqual(set(role.groups), {self.get_access_group(), self.get_users_group()})
# TODO: verify that group memberships are updated (currently not possible with ldap mock!)
def test_create_with_moderator_group(self):
self.assertIsNone(Role.query.filter_by(name='base').first())
r = self.client.post(path=url_for('role.update'),
data={'name': 'base', 'description': 'Base role description', 'moderator-group': self.get_admin_group().id, 'group-%d'%self.get_users_group().id: '1', 'group-%d'%self.get_access_group().id: '1'},
follow_redirects=True)
self.assertEqual(r.status_code, 200)
role = Role.query.filter_by(name='base').first()
self.assertIsNotNone(role)
self.assertEqual(role.name, 'base')
self.assertEqual(role.description, 'Base role description')
self.assertEqual(role.moderator_group.name, 'uffd_admin')
self.assertSetEqual(set(role.groups), {self.get_access_group(), self.get_users_group()})
# TODO: verify that group memberships are updated (currently not possible with ldap mock!)
def test_delete(self):
role = Role('base', 'Base role description')
role = Role(name='base', description='Base role description')
db.session.add(role)
db.session.commit()
role_id = role.id
......@@ -91,3 +95,59 @@ class TestRoleViews(UffdTestCase):
self.assertEqual(r.status_code, 200)
self.assertIsNone(Role.query.get(role_id))
# TODO: verify that group memberships are updated (currently not possible with ldap mock!)
def test_set_default(self):
db.session.add(User(loginname='service', is_service_user=True, primary_email_address='service@example.com', displayname='Service'))
db.session.commit()
role = Role(name='test')
db.session.add(role)
role.groups[self.get_admin_group()] = RoleGroup()
user1 = self.get_user()
user2 = self.get_admin()
service_user = User.query.filter_by(loginname='service').one_or_none()
self.assertSetEqual(set(self.get_user().roles_effective), set())
self.assertSetEqual(set(self.get_admin().roles_effective), set())
self.assertSetEqual(set(service_user.roles_effective), set())
role.members.append(self.get_user())
role.members.append(service_user)
self.assertSetEqual(set(self.get_user().roles_effective), {role})
self.assertSetEqual(set(self.get_admin().roles_effective), set())
self.assertSetEqual(set(service_user.roles_effective), {role})
db.session.commit()
role_id = role.id
self.assertSetEqual(set(role.members), {self.get_user(), service_user})
r = self.client.get(path=url_for('role.set_default', roleid=role.id), follow_redirects=True)
dump('role_set_default', r)
self.assertEqual(r.status_code, 200)
role = Role.query.get(role_id)
service_user = User.query.filter_by(loginname='service').one_or_none()
self.assertSetEqual(set(role.members), {service_user})
self.assertSetEqual(set(self.get_user().roles_effective), {role})
self.assertSetEqual(set(self.get_admin().roles_effective), {role})
def test_unset_default(self):
admin_role = Role(name='admin', is_default=True)
db.session.add(admin_role)
admin_role.groups[self.get_admin_group()] = RoleGroup()
db.session.add(User(loginname='service', is_service_user=True, primary_email_address='service@example.com', displayname='Service'))
db.session.commit()
role = Role(name='test', is_default=True)
db.session.add(role)
service_user = User.query.filter_by(loginname='service').one_or_none()
role.members.append(service_user)
self.assertSetEqual(set(self.get_user().roles_effective), {role, admin_role})
self.assertSetEqual(set(self.get_admin().roles_effective), {role, admin_role})
self.assertSetEqual(set(service_user.roles_effective), {role})
db.session.commit()
role_id = role.id
admin_role_id = admin_role.id
self.assertSetEqual(set(role.members), {service_user})
r = self.client.get(path=url_for('role.unset_default', roleid=role.id), follow_redirects=True)
dump('role_unset_default', r)
self.assertEqual(r.status_code, 200)
role = Role.query.get(role_id)
admin_role = Role.query.get(admin_role_id)
service_user = User.query.filter_by(loginname='service').one_or_none()
self.assertSetEqual(set(role.members), {service_user})
self.assertSetEqual(set(self.get_user().roles_effective), {admin_role})
self.assertSetEqual(set(self.get_admin().roles_effective), {admin_role})
tests/views/test_rolemod.py 0 → 100644
View file @ 98fe5690
from flask import url_for
from uffd.database import db
from uffd.models import Role, RoleGroup
from tests.utils import dump, UffdTestCase
class TestRolemodViewsLoggedOut(UffdTestCase):
def test_acl_nologin(self):
r = self.client.get(path=url_for('rolemod.index'), follow_redirects=True)
dump('rolemod_acl_nologin', r)
self.assertEqual(r.status_code, 200)
def test_index(self):
db.session.add(Role(name='test_role_1', moderator_group=self.get_access_group()))
db.session.add(Role(name='test_role_2', moderator_group=self.get_admin_group()))
db.session.add(Role(name='test_role_3'))
db.session.commit()
self.login_as('user')
r = self.client.get(path=url_for('rolemod.index'), follow_redirects=True)
dump('rolemod_index', r)
self.assertEqual(r.status_code, 200)
self.assertIn('test_role_1'.encode(), r.data)
self.assertNotIn('test_role_2'.encode(), r.data)
self.assertNotIn('test_role_3'.encode(), r.data)
class TestRolemodViews(UffdTestCase):
def setUp(self):
super().setUp()
self.login_as('user')
def test_acl_notmod(self):
db.session.add(Role(name='test', moderator_group=self.get_admin_group()))
db.session.commit()
r = self.client.get(path=url_for('rolemod.index'), follow_redirects=True)
dump('rolemod_acl_notmod', r)
self.assertEqual(r.status_code, 403)
def test_show(self):
role = Role(name='test', moderator_group=self.get_access_group())
db.session.add(role)
role.members.append(self.get_admin())
db.session.commit()
r = self.client.get(path=url_for('rolemod.show', role_id=role.id), follow_redirects=True)
dump('rolemod_show', r)
self.assertEqual(r.status_code, 200)
def test_show_empty(self):
role = Role(name='test', moderator_group=self.get_access_group())
db.session.add(role)
db.session.commit()
r = self.client.get(path=url_for('rolemod.show', role_id=role.id), follow_redirects=True)
dump('rolemod_show_empty', r)
self.assertEqual(r.status_code, 200)
def test_show_noperm(self):
# Make sure we pass the blueprint-wide acl check
db.session.add(Role(name='other_role', moderator_group=self.get_access_group()))
role = Role(name='test', moderator_group=self.get_admin_group())
db.session.add(role)
db.session.commit()
r = self.client.get(path=url_for('rolemod.show', role_id=role.id), follow_redirects=True)
dump('rolemod_show_noperm', r)
self.assertEqual(r.status_code, 403)
def test_show_nomod(self):
# Make sure we pass the blueprint-wide acl check
db.session.add(Role(name='other_role', moderator_group=self.get_access_group()))
role = Role(name='test')
db.session.add(role)
db.session.commit()
r = self.client.get(path=url_for('rolemod.show', role_id=role.id), follow_redirects=True)
dump('rolemod_show_nomod', r)
self.assertEqual(r.status_code, 403)
def test_update(self):
role = Role(name='test', description='old_description', moderator_group=self.get_access_group())
db.session.add(role)
db.session.commit()
r = self.client.post(path=url_for('rolemod.update', role_id=role.id), data={'description': 'new_description'}, follow_redirects=True)
dump('rolemod_update', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(Role.query.get(role.id).description, 'new_description')
def test_update_descr_too_long(self):
role = Role(name='test', description='old_description', moderator_group=self.get_access_group())
db.session.add(role)
db.session.commit()
r = self.client.post(path=url_for('rolemod.update', role_id=role.id), data={'description': 'long_description'*300}, follow_redirects=True)
dump('rolemod_update_descr_too_long', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(Role.query.get(role.id).description, 'old_description')
def test_update_noperm(self):
# Make sure we pass the blueprint-wide acl check
db.session.add(Role(name='other_role', moderator_group=self.get_access_group()))
role = Role(name='test', description='old_description', moderator_group=self.get_admin_group())
db.session.add(role)
db.session.commit()
r = self.client.post(path=url_for('rolemod.update', role_id=role.id), data={'description': 'new_description'}, follow_redirects=True)
dump('rolemod_update_noperm', r)
self.assertEqual(r.status_code, 403)
self.assertEqual(Role.query.get(role.id).description, 'old_description')
def test_update_nomod(self):
# Make sure we pass the blueprint-wide acl check
db.session.add(Role(name='other_role', moderator_group=self.get_access_group()))
role = Role(name='test', description='old_description')
db.session.add(role)
db.session.commit()
r = self.client.post(path=url_for('rolemod.update', role_id=role.id), data={'description': 'new_description'}, follow_redirects=True)
dump('rolemod_update_nomod', r)
self.assertEqual(r.status_code, 403)
self.assertEqual(Role.query.get(role.id).description, 'old_description')
def test_delete_member(self):
role = Role(name='test', moderator_group=self.get_access_group())
role.groups[self.get_admin_group()] = RoleGroup()
db.session.add(role)
role.members.append(self.get_admin())
db.session.commit()
role.update_member_groups()
db.session.commit()
user = self.get_admin()
group = self.get_admin_group()
self.assertTrue(user in group.members)
role = Role.query.get(role.id)
self.assertTrue(user in role.members)
r = self.client.get(path=url_for('rolemod.delete_member', role_id=role.id, member_id=user.id), follow_redirects=True)
dump('rolemod_delete_member', r)
self.assertEqual(r.status_code, 200)
user_updated = self.get_admin()
group = self.get_admin_group()
self.assertFalse(user_updated in group.members)
role = Role.query.get(role.id)
self.assertFalse(user_updated in role.members)
def test_delete_member_nomember(self):
role = Role(name='test', moderator_group=self.get_access_group())
role.groups[self.get_admin_group()] = RoleGroup()
db.session.add(role)
db.session.commit()
user = self.get_admin()
r = self.client.get(path=url_for('rolemod.delete_member', role_id=role.id, member_id=user.id), follow_redirects=True)
dump('rolemod_delete_member_nomember', r)
self.assertEqual(r.status_code, 200)
def test_delete_member_noperm(self):
# Make sure we pass the blueprint-wide acl check
db.session.add(Role(name='other_role', moderator_group=self.get_access_group()))
role = Role(name='test', moderator_group=self.get_admin_group())
db.session.add(role)
role.members.append(self.get_admin())
db.session.commit()
user = self.get_admin()
role = Role.query.get(role.id)
self.assertTrue(user in role.members)
r = self.client.get(path=url_for('rolemod.delete_member', role_id=role.id, member_id=user.id), follow_redirects=True)
dump('rolemod_delete_member_noperm', r)
self.assertEqual(r.status_code, 403)
user_updated = self.get_admin()
role = Role.query.get(role.id)
self.assertTrue(user_updated in role.members)
def test_delete_member_nomod(self):
# Make sure we pass the blueprint-wide acl check
db.session.add(Role(name='other_role', moderator_group=self.get_access_group()))
role = Role(name='test')
db.session.add(role)
role.members.append(self.get_admin())
db.session.commit()
user = self.get_admin()
role = Role.query.get(role.id)
self.assertTrue(user in role.members)
r = self.client.get(path=url_for('rolemod.delete_member', role_id=role.id, member_id=user.id), follow_redirects=True)
dump('rolemod_delete_member_nomod', r)
self.assertEqual(r.status_code, 403)
user_updated = self.get_admin()
role = Role.query.get(role.id)
self.assertTrue(user_updated in role.members)
tests/views/test_selfservice.py 0 → 100644
View file @ 98fe5690
import datetime
import re
import time
from flask import url_for, request, session
from uffd.database import db
from uffd.models import PasswordToken, UserEmail, Role, RoleGroup, Service, ServiceUser, FeatureFlag, MFAMethod, RecoveryCodeMethod, TOTPMethod, WebauthnMethod
from uffd.models.mfa import _hotp
from tests.utils import dump, UffdTestCase, db_flush
class TestSelfservice(UffdTestCase):
def test_index(self):
self.login_as('user')
r = self.client.get(path=url_for('selfservice.index'))
dump('selfservice_index', r)
self.assertEqual(r.status_code, 200)
user = request.user
self.assertIn(user.displayname.encode(), r.data)
self.assertIn(user.loginname.encode(), r.data)
self.assertIn(user.primary_email.address.encode(), r.data)
def test_update_displayname(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.update_profile'),
data={'displayname': 'New Display Name'},
follow_redirects=True)
dump('update_displayname', r)
self.assertEqual(r.status_code, 200)
user = self.get_user()
self.assertEqual(user.displayname, 'New Display Name')
def test_update_displayname_invalid(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.update_profile'),
data={'displayname': ''},
follow_redirects=True)
dump('update_displayname_invalid', r)
self.assertEqual(r.status_code, 200)
user = self.get_user()
self.assertNotEqual(user.displayname, '')
def test_add_email(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.add_email'),
data={'address': 'new@example.com'},
follow_redirects=True)
dump('selfservice_add_email', r)
self.assertEqual(r.status_code, 200)
self.assertIn('new@example.com', self.app.last_mail['To'])
m = re.search(r'/email/([0-9]+)/verify/(.*)', str(self.app.last_mail.get_content()))
email_id, secret = m.groups()
email = UserEmail.query.get(email_id)
self.assertEqual(email.user.id, request.user.id)
self.assertEqual(email.address, 'new@example.com')
self.assertFalse(email.verified)
self.assertFalse(email.verification_expired)
self.assertTrue(email.verification_secret.verify(secret))
def test_add_email_duplicate(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.add_email'),
data={'address': 'test@example.com'},
follow_redirects=True)
dump('selfservice_add_email_duplicate', r)
self.assertFalse(hasattr(self.app, 'last_mail'))
self.assertEqual(len(self.get_user().all_emails), 1)
self.assertEqual(UserEmail.query.filter_by(user=None).all(), [])
def test_verify_email(self):
self.login_as('user')
email = UserEmail(user=self.get_user(), address='new@example.com')
secret = email.start_verification()
db.session.add(email)
db.session.commit()
email_id = email.id
r = self.client.get(path=url_for('selfservice.verify_email', email_id=email_id, secret=secret), follow_redirects=True)
dump('selfservice_verify_email', r)
self.assertEqual(r.status_code, 200)
email = UserEmail.query.get(email_id)
self.assertTrue(email.verified)
self.assertEqual(self.get_user().primary_email.address, 'test@example.com')
def test_verify_email_notfound(self):
self.login_as('user')
r = self.client.get(path=url_for('selfservice.verify_email', email_id=2342, secret='invalidsecret'), follow_redirects=True)
dump('selfservice_verify_email_notfound', r)
def test_verify_email_wrong_user(self):
self.login_as('user')
email = UserEmail(user=self.get_admin(), address='new@example.com')
secret = email.start_verification()
db.session.add(email)
db.session.commit()
r = self.client.get(path=url_for('selfservice.verify_email', email_id=email.id, secret=secret), follow_redirects=True)
dump('selfservice_verify_email_wrong_user', r)
self.assertFalse(email.verified)
def test_verify_email_wrong_secret(self):
self.login_as('user')
email = UserEmail(user=self.get_user(), address='new@example.com')
secret = email.start_verification()
db.session.add(email)
db.session.commit()
r = self.client.get(path=url_for('selfservice.verify_email', email_id=email.id, secret='invalidsecret'), follow_redirects=True)
dump('selfservice_verify_email_wrong_secret', r)
self.assertFalse(email.verified)
def test_verify_email_expired(self):
self.login_as('user')
email = UserEmail(user=self.get_user(), address='new@example.com')
secret = email.start_verification()
email.verification_expires = datetime.datetime.utcnow() - datetime.timedelta(days=1)
db.session.add(email)
db.session.commit()
r = self.client.get(path=url_for('selfservice.verify_email', email_id=email.id, secret=secret), follow_redirects=True)
dump('selfservice_verify_email_expired', r)
self.assertFalse(email.verified)
def test_verify_email_legacy(self):
self.login_as('user')
email = UserEmail(
user=self.get_user(),
address='new@example.com',
verification_legacy_id=1337,
_verification_secret='{PLAIN}ZgvsUs2bZjr9Whpy1la7Q0PHbhjmpXtNdH1mCmDbQP7',
verification_expires=datetime.datetime.utcnow()+datetime.timedelta(days=1)
)
db.session.add(email)
db.session.commit()
email_id = email.id
r = self.client.get(path=f'/self/token/mail_verification/1337/ZgvsUs2bZjr9Whpy1la7Q0PHbhjmpXtNdH1mCmDbQP7', follow_redirects=True)
dump('selfservice_verify_email_legacy', r)
self.assertEqual(r.status_code, 200)
email = UserEmail.query.get(email_id)
self.assertTrue(email.verified)
self.assertEqual(self.get_user().primary_email, email)
def test_verify_email_duplicate_strict_uniqueness(self):
FeatureFlag.unique_email_addresses.enable()
db.session.commit()
self.login_as('user')
email = UserEmail(user=self.get_user(), address='admin@example.com')
secret = email.start_verification()
db.session.add(email)
db.session.commit()
email_id = email.id
r = self.client.get(path=url_for('selfservice.verify_email', email_id=email.id, secret=secret), follow_redirects=True)
dump('selfservice_verify_email_duplicate_strict_uniqueness', r)
email = UserEmail.query.get(email_id)
self.assertFalse(email.verified)
def test_retry_email_verification(self):
self.login_as('user')
email = UserEmail(user=self.get_user(), address='new@example.com')
old_secret = email.start_verification()
db.session.add(email)
db.session.commit()
r = self.client.get(path=url_for('selfservice.retry_email_verification', email_id=email.id), follow_redirects=True)
dump('selfservice_retry_email_verification', r)
self.assertEqual(r.status_code, 200)
self.assertIn('new@example.com', self.app.last_mail['To'])
m = re.search(r'/email/([0-9]+)/verify/(.*)', str(self.app.last_mail.get_content()))
email_id, secret = m.groups()
email = UserEmail.query.get(email_id)
self.assertEqual(email.user.id, request.user.id)
self.assertEqual(email.address, 'new@example.com')
self.assertFalse(email.verified)
self.assertFalse(email.verification_expired)
self.assertTrue(email.verification_secret.verify(secret))
self.assertFalse(email.verification_secret.verify(old_secret))
def test_delete_email(self):
self.login_as('user')
email = UserEmail(user=self.get_user(), address='new@example.com', verified=True)
db.session.add(email)
self.get_user().recovery_email = email
db.session.commit()
r = self.client.post(path=url_for('selfservice.delete_email', email_id=email.id), follow_redirects=True)
dump('selfservice_delete_email', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(UserEmail.query.filter_by(address='new@example.com').first())
self.assertIsNone(self.get_user().recovery_email)
self.assertEqual(self.get_user().primary_email.address, 'test@example.com')
def test_delete_email_invalid(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.delete_email', email_id=2324), follow_redirects=True)
self.assertEqual(r.status_code, 404)
def test_delete_email_primary(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.delete_email', email_id=request.user.primary_email.id), follow_redirects=True)
dump('selfservice_delete_email_primary', r)
self.assertEqual(self.get_user().primary_email.address, 'test@example.com')
def test_update_email_preferences(self):
self.login_as('user')
user_id = self.get_user().id
email = UserEmail(user=self.get_user(), address='new@example.com', verified=True)
db.session.add(email)
service = Service(name='service', enable_email_preferences=True, limit_access=False)
db.session.add(service)
db.session.commit()
email_id = email.id
service_id = service.id
old_email_id = self.get_user().primary_email.id
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': str(email_id), 'recovery_email': 'primary'},
follow_redirects=True)
dump('selfservice_update_email_preferences', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.get_user().primary_email.id, email.id)
self.assertIsNone(self.get_user().recovery_email)
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': str(old_email_id), 'recovery_email': str(email_id)},
follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(self.get_user().primary_email.id, old_email_id)
self.assertEqual(self.get_user().recovery_email.id, email_id)
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': str(old_email_id), 'recovery_email': 'primary', f'service_{service_id}_email': 'primary'},
follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertIsNone(ServiceUser.query.get((service_id, user_id)).service_email)
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': str(old_email_id), 'recovery_email': 'primary', f'service_{service_id}_email': str(email_id)},
follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(ServiceUser.query.get((service_id, user_id)).service_email.id, email_id)
def test_update_email_preferences_unverified(self):
self.login_as('user')
user_id = self.get_user().id
email = UserEmail(user=self.get_user(), address='new@example.com')
db.session.add(email)
service = Service(name='service', enable_email_preferences=True, limit_access=False)
db.session.add(service)
db.session.commit()
email_id = email.id
service_id = service.id
old_email_id = self.get_user().primary_email.id
with self.assertRaises(Exception):
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': str(email_id), 'recovery_email': 'primary'},
follow_redirects=True)
with self.app.test_request_context():
self.assertEqual(self.get_user().primary_email.address, 'test@example.com')
with self.assertRaises(Exception):
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': str(old_email_id), 'recovery_email': str(email_id)},
follow_redirects=True)
with self.app.test_request_context():
self.assertIsNone(self.get_user().recovery_email)
with self.assertRaises(Exception):
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': str(old_email_id), 'recovery_email': 'primary', f'service_{service_id}_email': str(email_id)},
follow_redirects=True)
with self.app.test_request_context():
self.assertIsNone(ServiceUser.query.get((service_id, user_id)).service_email)
def test_update_email_preferences_invalid(self):
self.login_as('user')
user_id = self.get_user().id
email = UserEmail(user=self.get_user(), address='new@example.com', verified=True)
db.session.add(email)
service = Service(name='service', enable_email_preferences=True, limit_access=False)
db.session.add(service)
db.session.commit()
with self.assertRaises(Exception):
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': str(email.id), 'recovery_email': '2342'},
follow_redirects=True)
with self.assertRaises(Exception):
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': str(email.id), 'recovery_email': 'primary', f'service_{service_id}_email': '2342'},
follow_redirects=True)
with self.assertRaises(Exception):
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': 'primary', 'recovery_email': 'primary'},
follow_redirects=True)
with self.assertRaises(Exception):
r = self.client.post(path=url_for('selfservice.update_email_preferences'),
data={'primary_email': '2342', 'recovery_email': 'primary'},
follow_redirects=True)
def test_change_password(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.change_password'),
data={'password1': 'newpassword', 'password2': 'newpassword'},
follow_redirects=True)
dump('change_password', r)
self.assertEqual(r.status_code, 200)
self.assertTrue(self.get_user().password.verify('newpassword'))
def test_change_password_invalid(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.change_password'),
data={'password1': 'shortpw', 'password2': 'shortpw'},
follow_redirects=True)
dump('change_password_invalid', r)
self.assertEqual(r.status_code, 200)
user = self.get_user()
self.assertFalse(user.password.verify('shortpw'))
self.assertTrue(user.password.verify('userpassword'))
# Regression test for #100 (login not possible if password contains character disallowed by SASLprep)
def test_change_password_samlprep_invalid(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.change_password'),
data={'password1': 'shortpw\n', 'password2': 'shortpw\n'},
follow_redirects=True)
dump('change_password_samlprep_invalid', r)
self.assertEqual(r.status_code, 200)
user = self.get_user()
self.assertFalse(user.password.verify('shortpw\n'))
self.assertTrue(user.password.verify('userpassword'))
def test_change_password_mismatch(self):
self.login_as('user')
r = self.client.post(path=url_for('selfservice.change_password'),
data={'password1': 'newpassword1', 'password2': 'newpassword2'},
follow_redirects=True)
dump('change_password_mismatch', r)
self.assertEqual(r.status_code, 200)
user = self.get_user()
self.assertFalse(user.password.verify('newpassword1'))
self.assertFalse(user.password.verify('newpassword2'))
self.assertTrue(user.password.verify('userpassword'))
def test_leave_role(self):
baserole = Role(name='baserole', is_default=True)
db.session.add(baserole)
baserole.groups[self.get_access_group()] = RoleGroup()
role1 = Role(name='testrole1')
role2 = Role(name='testrole2')
db.session.add(role1)
db.session.add(role2)
self.get_user().roles = [role1, role2]
db.session.commit()
roleid = role1.id
self.login_as('user')
r = self.client.post(path=url_for('selfservice.leave_role', roleid=roleid), follow_redirects=True)
dump('leave_role', r)
self.assertEqual(r.status_code, 200)
_user = self.get_user()
self.assertEqual(len(_user.roles), 1)
self.assertEqual(list(_user.roles)[0].name, 'testrole2')
def test_forgot_password(self):
user = self.get_user()
r = self.client.get(path=url_for('selfservice.forgot_password'))
dump('forgot_password', r)
self.assertEqual(r.status_code, 200)
user = self.get_user()
r = self.client.post(path=url_for('selfservice.forgot_password'),
data={'loginname': user.loginname, 'mail': user.primary_email.address}, follow_redirects=True)
dump('forgot_password_submit', r)
self.assertEqual(r.status_code, 200)
token = PasswordToken.query.filter(PasswordToken.user == user).first()
self.assertIsNotNone(token)
self.assertIn(token.token, str(self.app.last_mail.get_content()))
def test_forgot_password_wrong_user(self):
user = self.get_user()
r = self.client.get(path=url_for('selfservice.forgot_password'))
self.assertEqual(r.status_code, 200)
user = self.get_user()
r = self.client.post(path=url_for('selfservice.forgot_password'),
data={'loginname': 'not_a_user', 'mail': user.primary_email.address}, follow_redirects=True)
dump('forgot_password_submit_wrong_user', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(hasattr(self.app, 'last_mail'))
self.assertEqual(len(PasswordToken.query.all()), 0)
def test_forgot_password_wrong_email(self):
user = self.get_user()
r = self.client.get(path=url_for('selfservice.forgot_password'), follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('selfservice.forgot_password'),
data={'loginname': user.loginname, 'mail': 'not_an_email@example.com'}, follow_redirects=True)
dump('forgot_password_submit_wrong_email', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(hasattr(self.app, 'last_mail'))
self.assertEqual(len(PasswordToken.query.all()), 0)
# Regression test for #31
def test_forgot_password_invalid_user(self):
r = self.client.post(path=url_for('selfservice.forgot_password'),
data={'loginname': '=', 'mail': 'test@example.com'}, follow_redirects=True)
dump('forgot_password_submit_invalid_user', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(hasattr(self.app, 'last_mail'))
self.assertEqual(len(PasswordToken.query.all()), 0)
def test_forgot_password_wrong_user(self):
user = self.get_user()
r = self.client.get(path=url_for('selfservice.forgot_password'))
self.assertEqual(r.status_code, 200)
user = self.get_user()
user.is_deactivated = True
db.session.commit()
r = self.client.post(path=url_for('selfservice.forgot_password'),
data={'loginname': user.loginname, 'mail': user.primary_email.address}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertFalse(hasattr(self.app, 'last_mail'))
self.assertEqual(len(PasswordToken.query.all()), 0)
def test_token_password(self):
user = self.get_user()
token = PasswordToken(user=user)
db.session.add(token)
db.session.commit()
self.assertFalse(token.expired)
r = self.client.get(path=url_for('selfservice.token_password', token_id=token.id, token=token.token), follow_redirects=True)
dump('token_password', r)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('selfservice.token_password', token_id=token.id, token=token.token),
data={'password1': 'newpassword', 'password2': 'newpassword'}, follow_redirects=True)
dump('token_password_submit', r)
self.assertEqual(r.status_code, 200)
self.assertTrue(self.get_user().password.verify('newpassword'))
def test_token_password_emptydb(self):
user = self.get_user()
r = self.client.get(path=url_for('selfservice.token_password', token_id=1, token='A'*128), follow_redirects=True)
dump('token_password_emptydb', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'Link invalid or expired', r.data)
r = self.client.post(path=url_for('selfservice.token_password', token_id=1, token='A'*128),
data={'password1': 'newpassword', 'password2': 'newpassword'}, follow_redirects=True)
dump('token_password_emptydb_submit', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'Link invalid or expired', r.data)
self.assertTrue(self.get_user().password.verify('userpassword'))
def test_token_password_invalid(self):
user = self.get_user()
token = PasswordToken(user=user)
db.session.add(token)
db.session.commit()
r = self.client.get(path=url_for('selfservice.token_password', token_id=token.id, token='A'*128), follow_redirects=True)
dump('token_password_invalid', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'Link invalid or expired', r.data)
r = self.client.post(path=url_for('selfservice.token_password', token_id=token.id, token='A'*128),
data={'password1': 'newpassword', 'password2': 'newpassword'}, follow_redirects=True)
dump('token_password_invalid_submit', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'Link invalid or expired', r.data)
self.assertTrue(self.get_user().password.verify('userpassword'))
def test_token_password_expired(self):
user = self.get_user()
token = PasswordToken(user=user, created=(datetime.datetime.utcnow() - datetime.timedelta(days=10)))
db.session.add(token)
db.session.commit()
self.assertTrue(token.expired)
r = self.client.get(path=url_for('selfservice.token_password', token_id=token.id, token=token.token), follow_redirects=True)
dump('token_password_invalid_expired', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'Link invalid or expired', r.data)
r = self.client.post(path=url_for('selfservice.token_password', token_id=token.id, token=token.token),
data={'password1': 'newpassword', 'password2': 'newpassword'}, follow_redirects=True)
dump('token_password_invalid_expired_submit', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'Link invalid or expired', r.data)
self.assertTrue(self.get_user().password.verify('userpassword'))
def test_token_password_different_passwords(self):
user = self.get_user()
token = PasswordToken(user=user)
db.session.add(token)
db.session.commit()
r = self.client.get(path=url_for('selfservice.token_password', token_id=token.id, token=token.token), follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('selfservice.token_password', token_id=token.id, token=token.token),
data={'password1': 'newpassword', 'password2': 'differentpassword'}, follow_redirects=True)
dump('token_password_different_passwords_submit', r)
self.assertEqual(r.status_code, 200)
self.assertTrue(self.get_user().password.verify('userpassword'))
def get_fido2_test_cred(self):
try:
from uffd.fido2_compat import AttestedCredentialData
except ImportError:
self.skipTest('fido2 could not be imported')
# Example public key from webauthn spec 6.5.1.1
return AttestedCredentialData(bytes.fromhex('00000000000000000000000000000000'+'0040'+'053cbcc9d37a61d3bac87cdcc77ee326256def08ab15775d3a720332e4101d14fae95aeee3bc9698781812e143c0597dc6e180595683d501891e9dd030454c0a'+'A501020326200121582065eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d2258201e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c'))
class TestMfaViews(UffdTestCase):
def setUp(self):
super().setUp()
db.session.add(RecoveryCodeMethod(user=self.get_admin()))
db.session.add(TOTPMethod(user=self.get_admin(), name='Admin Phone'))
# We don't want to skip all tests only because fido2 is not installed!
#db.session.add(WebauthnMethod(user=get_testadmin(), cred=get_fido2_test_cred(self), name='Admin FIDO2 dongle'))
db.session.commit()
def add_recovery_codes(self, count=10):
user = self.get_user()
for _ in range(count):
db.session.add(RecoveryCodeMethod(user=user))
db.session.commit()
def add_totp(self):
db.session.add(TOTPMethod(user=self.get_user(), name='My phone'))
db.session.commit()
def add_webauthn(self):
db.session.add(WebauthnMethod(user=self.get_user(), cred=get_fido2_test_cred(self), name='My FIDO2 dongle'))
db.session.commit()
def test_setup_disabled(self):
self.login_as('user')
r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
dump('mfa_setup_disabled', r)
self.assertEqual(r.status_code, 200)
def test_setup_recovery_codes(self):
self.login_as('user')
self.add_recovery_codes()
r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
dump('mfa_setup_only_recovery_codes', r)
self.assertEqual(r.status_code, 200)
def test_setup_enabled(self):
self.login_as('user')
self.add_recovery_codes()
self.add_totp()
self.add_webauthn()
r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
dump('mfa_setup_enabled', r)
self.assertEqual(r.status_code, 200)
def test_setup_few_recovery_codes(self):
self.login_as('user')
self.add_totp()
self.add_recovery_codes(1)
r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
dump('mfa_setup_few_recovery_codes', r)
self.assertEqual(r.status_code, 200)
def test_setup_no_recovery_codes(self):
self.login_as('user')
self.add_totp()
r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
dump('mfa_setup_no_recovery_codes', r)
self.assertEqual(r.status_code, 200)
def test_disable(self):
baserole = Role(name='baserole', is_default=True)
db.session.add(baserole)
baserole.groups[self.get_access_group()] = RoleGroup()
db.session.commit()
self.login_as('user')
self.add_recovery_codes()
self.add_totp()
admin_methods = len(MFAMethod.query.filter_by(user=self.get_admin()).all())
r = self.client.get(path=url_for('selfservice.disable_mfa'), follow_redirects=True)
dump('mfa_disable', r)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('selfservice.disable_mfa_confirm'), follow_redirects=True)
dump('mfa_disable_submit', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(len(MFAMethod.query.filter_by(user=request.user).all()), 0)
self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_admin()).all()), admin_methods)
def test_disable_recovery_only(self):
baserole = Role(name='baserole', is_default=True)
db.session.add(baserole)
baserole.groups[self.get_access_group()] = RoleGroup()
db.session.commit()
self.login_as('user')
self.add_recovery_codes()
admin_methods = len(MFAMethod.query.filter_by(user=self.get_admin()).all())
self.assertNotEqual(len(MFAMethod.query.filter_by(user=request.user).all()), 0)
r = self.client.get(path=url_for('selfservice.disable_mfa'), follow_redirects=True)
dump('mfa_disable_recovery_only', r)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('selfservice.disable_mfa_confirm'), follow_redirects=True)
dump('mfa_disable_recovery_only_submit', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(len(MFAMethod.query.filter_by(user=request.user).all()), 0)
self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_admin()).all()), admin_methods)
def test_setup_recovery(self):
self.login_as('user')
self.assertEqual(len(RecoveryCodeMethod.query.filter_by(user=request.user).all()), 0)
r = self.client.post(path=url_for('selfservice.setup_mfa_recovery'), follow_redirects=True)
dump('mfa_setup_recovery', r)
self.assertEqual(r.status_code, 200)
methods = RecoveryCodeMethod.query.filter_by(user=request.user).all()
self.assertNotEqual(len(methods), 0)
r = self.client.post(path=url_for('selfservice.setup_mfa_recovery'), follow_redirects=True)
dump('mfa_setup_recovery_reset', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(len(RecoveryCodeMethod.query.filter_by(id=methods[0].id).all()), 0)
self.assertNotEqual(len(methods), 0)
def test_setup_totp(self):
self.login_as('user')
self.add_recovery_codes()
r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
dump('mfa_setup_totp', r)
self.assertEqual(r.status_code, 200)
self.assertNotEqual(len(session.get('mfa_totp_key', '')), 0)
def test_setup_totp_without_recovery(self):
self.login_as('user')
r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
dump('mfa_setup_totp_without_recovery', r)
self.assertEqual(r.status_code, 200)
def test_setup_totp_finish(self):
baserole = Role(name='baserole', is_default=True)
db.session.add(baserole)
baserole.groups[self.get_access_group()] = RoleGroup()
db.session.commit()
self.login_as('user')
self.add_recovery_codes()
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
method = TOTPMethod(request.user, key=session.get('mfa_totp_key', ''))
code = _hotp(int(time.time()/30), method.raw_key)
r = self.client.post(path=url_for('selfservice.setup_mfa_totp_finish', name='My TOTP Authenticator'), data={'code': code}, follow_redirects=True)
dump('mfa_setup_totp_finish', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 1)
def test_setup_totp_finish_without_recovery(self):
self.login_as('user')
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
method = TOTPMethod(request.user, key=session.get('mfa_totp_key', ''))
code = _hotp(int(time.time()/30), method.raw_key)
r = self.client.post(path=url_for('selfservice.setup_mfa_totp_finish', name='My TOTP Authenticator'), data={'code': code}, follow_redirects=True)
dump('mfa_setup_totp_finish_without_recovery', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
def test_setup_totp_finish_wrong_code(self):
self.login_as('user')
self.add_recovery_codes()
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
method = TOTPMethod(request.user, key=session.get('mfa_totp_key', ''))
code = _hotp(int(time.time()/30), method.raw_key)
code = str(int(code[0])+1)[-1] + code[1:]
r = self.client.post(path=url_for('selfservice.setup_mfa_totp_finish', name='My TOTP Authenticator'), data={'code': code}, follow_redirects=True)
dump('mfa_setup_totp_finish_wrong_code', r)
self.assertEqual(r.status_code, 200)
db_flush()
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
def test_setup_totp_finish_empty_code(self):
self.login_as('user')
self.add_recovery_codes()
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
r = self.client.post(path=url_for('selfservice.setup_mfa_totp_finish', name='My TOTP Authenticator'), data={'code': ''}, follow_redirects=True)
dump('mfa_setup_totp_finish_empty_code', r)
self.assertEqual(r.status_code, 200)
db_flush()
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
def test_delete_totp(self):
baserole = Role(name='baserole', is_default=True)
db.session.add(baserole)
baserole.groups[self.get_access_group()] = RoleGroup()
db.session.commit()
self.login_as('user')
self.add_recovery_codes()
self.add_totp()
method = TOTPMethod(request.user, name='test')
db.session.add(method)
db.session.commit()
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 2)
r = self.client.get(path=url_for('selfservice.delete_mfa_totp', id=method.id), follow_redirects=True)
dump('mfa_delete_totp', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(len(TOTPMethod.query.filter_by(id=method.id).all()), 0)
self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 1)
# TODO: webauthn setup tests
tests/views/test_services.py 0 → 100644
View file @ 98fe5690
from flask import url_for
from uffd.database import db
from uffd.models import Service, ServiceUser, OAuth2Client, APIClient, RemailerMode
from tests.utils import dump, UffdTestCase
class TestServices(UffdTestCase):
def setUpApp(self):
self.app.config['SERVICES'] = [
{
'title': 'Service Title',
'subtitle': 'Service Subtitle',
'description': 'Short description of the service as plain text',
'url': 'https://example.com/',
'logo_url': '/static/fairy-dust-color.png',
'required_group': 'users',
'permission_levels': [
{'name': 'Moderator', 'required_group': 'moderators'},
{'name': 'Admin', 'required_group': 'uffd_admin'},
],
'confidential': True,
'groups': [
{'name': 'Group "crew_crew"', 'required_group': 'users'},
{'name': 'Group "crew_logistik"', 'required_group': 'uffd_admin'},
],
'infos': [
{'title': 'Documentation', 'html': '<p>Some information about the service as html</p>', 'required_group': 'users'},
],
'links': [
{'title': 'Link to an external site', 'url': '#', 'required_group': 'users'},
],
},
{
'title': 'Minimal Service Title',
}
]
self.app.config['SERVICES_PUBLIC'] = True
def test_overview(self):
r = self.client.get(path=url_for('service.overview'))
dump('service_overview_guest', r)
self.assertEqual(r.status_code, 200)
self.assertNotIn(b'https://example.com/', r.data)
self.login_as('user')
r = self.client.get(path=url_for('service.overview'))
dump('service_overview_user', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'https://example.com/', r.data)
def test_overview_disabled(self):
self.app.config['SERVICES'] = []
# Should return login page
r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
dump('service_overview_disabled_guest', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'name="password"', r.data)
self.login_as('user')
# Should return access denied page
r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
dump('service_overview_disabled_user', r)
self.assertEqual(r.status_code, 403)
self.login_as('admin')
# Should return (empty) overview page
r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
dump('service_overview_disabled_admin', r)
self.assertEqual(r.status_code, 200)
def test_overview_nonpublic(self):
self.app.config['SERVICES_PUBLIC'] = False
# Should return login page
r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
dump('service_overview_nonpublic_guest', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'name="password"', r.data)
self.login_as('user')
# Should return overview page
r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
dump('service_overview_nonpublic_user', r)
self.assertEqual(r.status_code, 200)
self.login_as('admin')
# Should return overview page
r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
dump('service_overview_nonpublic_admin', r)
self.assertEqual(r.status_code, 200)
def test_overview_public(self):
# Should return overview page
r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
dump('service_overview_public_guest', r)
self.assertEqual(r.status_code, 200)
self.login_as('user')
# Should return overview page
r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
dump('service_overview_public_user', r)
self.assertEqual(r.status_code, 200)
self.login_as('admin')
# Should return overview page
r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
dump('service_overview_public_admin', r)
self.assertEqual(r.status_code, 200)
class TestServiceAdminViews(UffdTestCase):
def setUpDB(self):
db.session.add(Service(
name='test1',
oauth2_clients=[OAuth2Client(client_id='test1_oauth2_client1', client_secret='test'), OAuth2Client(client_id='test1_oauth2_client2', client_secret='test')],
api_clients=[APIClient(auth_username='test1_api_client1', auth_password='test'), APIClient(auth_username='test1_api_client2', auth_password='test')],
))
db.session.add(Service(name='test2'))
db.session.add(Service(name='test3'))
db.session.commit()
self.service_id = Service.query.filter_by(name='test1').one().id
def test_index(self):
self.login_as('admin')
r = self.client.get(path=url_for('service.index'), follow_redirects=True)
dump('service_index', r)
self.assertEqual(r.status_code, 200)
def test_show(self):
self.login_as('admin')
r = self.client.get(path=url_for('service.show', id=self.service_id), follow_redirects=True)
dump('service_show', r)
self.assertEqual(r.status_code, 200)
def test_new(self):
self.login_as('admin')
r = self.client.get(path=url_for('service.show'), follow_redirects=True)
dump('service_new', r)
self.assertEqual(r.status_code, 200)
def test_new_submit(self):
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit'),
follow_redirects=True,
data={
'name': 'new-service',
'access-group': '',
'remailer-mode': 'DISABLED',
'remailer-overwrite-mode': 'ENABLED_V2',
'remailer-overwrite-users': '',
},
)
dump('service_new_submit', r)
self.assertEqual(r.status_code, 200)
service = Service.query.filter_by(name='new-service').one_or_none()
self.assertIsNotNone(service)
self.assertEqual(service.limit_access, True)
self.assertEqual(service.access_group, None)
self.assertEqual(service.remailer_mode, RemailerMode.DISABLED)
self.assertEqual(service.enable_email_preferences, False)
def test_edit(self):
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit', id=self.service_id),
follow_redirects=True,
data={
'name': 'new-name',
'access-group': '',
'remailer-mode': 'DISABLED',
'remailer-overwrite-mode': 'ENABLED_V2',
'remailer-overwrite-users': '',
},
)
dump('service_edit_submit', r)
self.assertEqual(r.status_code, 200)
service = Service.query.get(self.service_id)
self.assertEqual(service.name, 'new-name')
self.assertEqual(service.limit_access, True)
self.assertEqual(service.access_group, None)
self.assertEqual(service.remailer_mode, RemailerMode.DISABLED)
self.assertEqual(service.enable_email_preferences, False)
self.assertEqual(service.hide_deactivated_users, False)
def test_edit_access_all(self):
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit', id=self.service_id),
follow_redirects=True,
data={
'name': 'test1',
'access-group': 'all',
'remailer-mode': 'DISABLED',
'remailer-overwrite-mode': 'ENABLED_V2',
'remailer-overwrite-users': '',
},
)
self.assertEqual(r.status_code, 200)
service = Service.query.get(self.service_id)
self.assertEqual(service.limit_access, False)
self.assertEqual(service.access_group, None)
def test_edit_access_group(self):
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit', id=self.service_id),
follow_redirects=True,
data={
'name': 'test1',
'access-group': str(self.get_users_group().id),
'remailer-mode': 'DISABLED',
'remailer-overwrite-mode': 'ENABLED_V2',
'remailer-overwrite-users': '',
},
)
self.assertEqual(r.status_code, 200)
service = Service.query.get(self.service_id)
self.assertEqual(service.limit_access, True)
self.assertEqual(service.access_group, self.get_users_group())
def test_edit_hide_deactivated_users(self):
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit', id=self.service_id),
follow_redirects=True,
data={
'name': 'test1',
'access-group': '',
'remailer-mode': 'DISABLED',
'remailer-overwrite-mode': 'ENABLED_V2',
'remailer-overwrite-users': '',
'hide_deactivated_users': '1',
},
)
self.assertEqual(r.status_code, 200)
service = Service.query.get(self.service_id)
self.assertEqual(service.hide_deactivated_users, True)
def test_edit_email_preferences(self):
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit', id=self.service_id),
follow_redirects=True,
data={
'name': 'test1',
'access-group': '',
'remailer-mode': 'DISABLED',
'remailer-overwrite-mode': 'ENABLED_V2',
'remailer-overwrite-users': '',
'enable_email_preferences': '1',
},
)
self.assertEqual(r.status_code, 200)
service = Service.query.get(self.service_id)
self.assertEqual(service.enable_email_preferences, True)
def test_edit_remailer_mode(self):
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit', id=self.service_id),
follow_redirects=True,
data={
'name': 'test1',
'access-group': '',
'remailer-mode': 'ENABLED_V2',
'remailer-overwrite-mode': 'ENABLED_V2',
'remailer-overwrite-users': '',
},
)
self.assertEqual(r.status_code, 200)
service = Service.query.get(self.service_id)
self.assertEqual(service.remailer_mode, RemailerMode.ENABLED_V2)
def test_edit_remailer_overwrite_enable(self):
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit', id=self.service_id),
follow_redirects=True,
data={
'name': 'test1',
'access-group': '',
'remailer-mode': 'DISABLED',
'remailer-overwrite-mode': 'ENABLED_V2',
'remailer-overwrite-users': 'testuser, testadmin',
},
)
self.assertEqual(r.status_code, 200)
service_user1 = ServiceUser.query.get((self.service_id, self.get_user().id))
service_user2 = ServiceUser.query.get((self.service_id, self.get_admin().id))
self.assertEqual(service_user1.remailer_overwrite_mode, RemailerMode.ENABLED_V2)
self.assertEqual(service_user2.remailer_overwrite_mode, RemailerMode.ENABLED_V2)
self.assertEqual(
set(ServiceUser.query.filter(
ServiceUser.service_id == self.service_id,
ServiceUser.remailer_overwrite_mode != None
).all()),
{service_user1, service_user2}
)
def test_edit_remailer_overwrite_change(self):
service_user = ServiceUser.query.get((self.service_id, self.get_user().id))
service_user.remailer_overwrite_mode = RemailerMode.ENABLED_V2
db.session.commit()
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit', id=self.service_id),
follow_redirects=True,
data={
'name': 'test1',
'access-group': '',
'remailer-mode': 'DISABLED',
'remailer-overwrite-mode': 'ENABLED_V1',
'remailer-overwrite-users': ', testadmin',
},
)
self.assertEqual(r.status_code, 200)
service_user = ServiceUser.query.get((self.service_id, self.get_admin().id))
self.assertEqual(service_user.remailer_overwrite_mode, RemailerMode.ENABLED_V1)
self.assertEqual(
ServiceUser.query.filter(
ServiceUser.service_id == self.service_id,
ServiceUser.remailer_overwrite_mode != None
).all(),
[service_user]
)
def test_edit_remailer_overwrite_disable(self):
service_user = ServiceUser.query.get((self.service_id, self.get_user().id))
service_user.remailer_overwrite_mode = RemailerMode.ENABLED_V2
db.session.commit()
self.login_as('admin')
r = self.client.post(
path=url_for('service.edit_submit', id=self.service_id),
follow_redirects=True,
data={
'name': 'test1',
'access-group': '',
'remailer-mode': 'DISABLED',
'remailer-overwrite-mode': 'ENABLED_V2',
'remailer-overwrite-users': '',
},
)
self.assertEqual(r.status_code, 200)
self.assertEqual(
ServiceUser.query.filter(
ServiceUser.service_id == self.service_id,
ServiceUser.remailer_overwrite_mode != None
).all(),
[]
)
def test_delete(self):
self.login_as('admin')
r = self.client.get(path=url_for('service.delete', id=self.service_id), follow_redirects=True)
dump('service_delete', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(Service.query.get(self.service_id))
tests/views/test_session.py 0 → 100644
View file @ 98fe5690
import time
import unittest
from flask import url_for, request
from uffd.database import db
from uffd.password_hash import PlaintextPasswordHash
from uffd.models import DeviceLoginConfirmation, Service, OAuth2Client, OAuth2DeviceLoginInitiation, User, RecoveryCodeMethod, TOTPMethod
from uffd.models.mfa import _hotp
from uffd.views.session import login_required
from tests.utils import dump, UffdTestCase, db_flush
class TestSession(UffdTestCase):
def setUpApp(self):
self.app.config['SESSION_LIFETIME_SECONDS'] = 2
@self.app.route('/test_login_required')
@login_required()
def test_login_required():
return 'SUCCESS ' + request.user.loginname, 200
@self.app.route('/test_group_required1')
@login_required(lambda: request.user.is_in_group('users'))
def test_group_required1():
return 'SUCCESS', 200
@self.app.route('/test_group_required2')
@login_required(lambda: request.user.is_in_group('notagroup'))
def test_group_required2():
return 'SUCCESS', 200
def setUp(self):
super().setUp()
self.assertIsNone(request.user)
def login(self):
self.login_as('user')
self.assertIsNotNone(request.user)
def assertLoggedIn(self):
self.assertEqual(self.client.get(path=url_for('test_login_required'), follow_redirects=True).data, b'SUCCESS testuser')
def assertLoggedOut(self):
self.assertNotIn(b'SUCCESS', self.client.get(path=url_for('test_login_required'), follow_redirects=True).data)
def test_login(self):
self.assertLoggedOut()
r = self.client.get(path=url_for('session.login'), follow_redirects=True)
dump('login', r)
self.assertEqual(r.status_code, 200)
r = self.login_as('user')
dump('login_post', r)
self.assertEqual(r.status_code, 200)
self.assertLoggedIn()
def test_login_password_rehash(self):
self.get_user().password = PlaintextPasswordHash.from_password('userpassword')
db.session.commit()
self.assertIsInstance(self.get_user().password, PlaintextPasswordHash)
db_flush()
r = self.login_as('user')
self.assertEqual(r.status_code, 200)
self.assertLoggedIn()
self.assertIsInstance(self.get_user().password, User.password.method_cls)
self.assertTrue(self.get_user().password.verify('userpassword'))
def test_titlecase_password(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': self.get_user().loginname.title(), 'password': 'userpassword'}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertLoggedIn()
def test_redirect(self):
r = self.login_as('user', ref=url_for('test_login_required'))
self.assertEqual(r.status_code, 200)
self.assertEqual(r.data, b'SUCCESS testuser')
def test_wrong_password(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': self.get_user().loginname, 'password': 'wrongpassword'},
follow_redirects=True)
dump('login_wrong_password', r)
self.assertEqual(r.status_code, 200)
self.assertLoggedOut()
def test_empty_password(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': self.get_user().loginname, 'password': ''}, follow_redirects=True)
dump('login_empty_password', r)
self.assertEqual(r.status_code, 200)
self.assertLoggedOut()
# Regression test for #100 (uncatched LDAPSASLPrepError)
def test_saslprep_invalid_password(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': 'testuser', 'password': 'wrongpassword\n'}, follow_redirects=True)
dump('login_saslprep_invalid_password', r)
self.assertEqual(r.status_code, 200)
self.assertLoggedOut()
def test_wrong_user(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': 'nouser', 'password': 'userpassword'},
follow_redirects=True)
dump('login_wrong_user', r)
self.assertEqual(r.status_code, 200)
self.assertLoggedOut()
def test_empty_user(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': '', 'password': 'userpassword'}, follow_redirects=True)
dump('login_empty_user', r)
self.assertEqual(r.status_code, 200)
self.assertLoggedOut()
def test_no_access(self):
r = self.client.post(path=url_for('session.login'),
data={'loginname': 'testservice', 'password': 'servicepassword'}, follow_redirects=True)
dump('login_no_access', r)
self.assertEqual(r.status_code, 200)
self.assertLoggedOut()
def test_deactivated(self):
self.get_user().is_deactivated = True
db.session.commit()
r = self.login_as('user')
dump('login_deactivated', r)
self.assertEqual(r.status_code, 200)
self.assertLoggedOut()
def test_deactivated_after_login(self):
self.login_as('user')
self.get_user().is_deactivated = True
db.session.commit()
self.assertLoggedOut()
def test_group_required(self):
self.login()
self.assertEqual(self.client.get(path=url_for('test_group_required1'),
follow_redirects=True).data, b'SUCCESS')
self.assertNotEqual(self.client.get(path=url_for('test_group_required2'),
follow_redirects=True).data, b'SUCCESS')
def test_logout(self):
self.login()
r = self.client.get(path=url_for('session.logout'), follow_redirects=True)
dump('logout', r)
self.assertEqual(r.status_code, 200)
self.assertLoggedOut()
def test_timeout(self):
self.login()
time.sleep(3)
self.assertLoggedOut()
def test_ratelimit(self):
for i in range(20):
self.client.post(path=url_for('session.login'),
data={'loginname': self.get_user().loginname,
'password': 'wrongpassword_%i'%i}, follow_redirects=True)
r = self.login_as('user')
dump('login_ratelimit', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
def test_deviceauth(self):
oauth2_client = OAuth2Client(service=Service(name='test', limit_access=False), client_id='test', client_secret='testsecret', redirect_uris=['http://localhost:5009/callback', 'http://localhost:5009/callback2'])
initiation = OAuth2DeviceLoginInitiation(client=oauth2_client)
db.session.add(initiation)
db.session.commit()
code = initiation.code
self.login()
r = self.client.get(path=url_for('session.deviceauth'), follow_redirects=True)
dump('deviceauth', r)
self.assertEqual(r.status_code, 200)
r = self.client.get(path=url_for('session.deviceauth', **{'initiation-code': code}), follow_redirects=True)
dump('deviceauth_check', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'test', r.data)
r = self.client.post(path=url_for('session.deviceauth_submit'), data={'initiation-code': code}, follow_redirects=True)
dump('deviceauth_submit', r)
self.assertEqual(r.status_code, 200)
initiation = OAuth2DeviceLoginInitiation.query.filter_by(code=code).one()
self.assertEqual(len(initiation.confirmations), 1)
self.assertEqual(initiation.confirmations[0].session.user.loginname, 'testuser')
self.assertIn(initiation.confirmations[0].code.encode(), r.data)
r = self.client.get(path=url_for('session.deviceauth_finish'), follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertEqual(DeviceLoginConfirmation.query.all(), [])
class TestMfaViews(UffdTestCase):
def add_recovery_codes(self, count=10):
user = self.get_user()
for _ in range(count):
db.session.add(RecoveryCodeMethod(user=user))
db.session.commit()
def add_totp(self):
db.session.add(TOTPMethod(user=self.get_user(), name='My phone'))
db.session.commit()
def test_auth_integration(self):
self.add_recovery_codes()
self.add_totp()
db.session.commit()
self.assertIsNone(request.user)
r = self.login_as('user')
dump('mfa_auth_redirected', r)
self.assertEqual(r.status_code, 200)
self.assertIn(b'/mfa/auth', r.data)
self.assertIsNone(request.user)
r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
dump('mfa_auth', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
def test_auth_disabled(self):
self.assertIsNone(request.user)
self.login_as('user')
r = self.client.get(path=url_for('session.mfa_auth', ref='/redirecttarget'), follow_redirects=False)
self.assertEqual(r.status_code, 302)
self.assertTrue(r.location.endswith('/redirecttarget'))
self.assertIsNotNone(request.user)
def test_auth_recovery_only(self):
self.add_recovery_codes()
self.assertIsNone(request.user)
self.login_as('user')
r = self.client.get(path=url_for('session.mfa_auth', ref='/redirecttarget'), follow_redirects=False)
self.assertEqual(r.status_code, 302)
self.assertTrue(r.location.endswith('/redirecttarget'))
self.assertIsNotNone(request.user)
def test_auth_recovery_code(self):
self.add_recovery_codes()
self.add_totp()
method = RecoveryCodeMethod(user=self.get_user())
db.session.add(method)
db.session.commit()
method_id = method.id
self.login_as('user')
r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
dump('mfa_auth_recovery_code', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
r = self.client.post(path=url_for('session.mfa_auth_finish', ref='/redirecttarget'), data={'code': method.code_value})
self.assertEqual(r.status_code, 302)
self.assertTrue(r.location.endswith('/redirecttarget'))
self.assertIsNotNone(request.user)
self.assertEqual(len(RecoveryCodeMethod.query.filter_by(id=method_id).all()), 0)
def test_auth_totp_code(self):
self.add_recovery_codes()
self.add_totp()
method = TOTPMethod(user=self.get_user(), name='testname')
raw_key = method.raw_key
db.session.add(method)
db.session.commit()
self.login_as('user')
r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
dump('mfa_auth_totp_code', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
code = _hotp(int(time.time()/30), raw_key)
r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
dump('mfa_auth_totp_code_submit', r)
self.assertEqual(r.status_code, 200)
self.assertIsNotNone(request.user)
def test_auth_totp_code_reuse(self):
self.add_recovery_codes()
self.add_totp()
method = TOTPMethod(user=self.get_user(), name='testname')
raw_key = method.raw_key
db.session.add(method)
db.session.commit()
self.login_as('user')
r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
code = _hotp(int(time.time()/30), raw_key)
r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertIsNotNone(request.user)
self.login_as('user')
r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
def test_auth_empty_code(self):
self.add_recovery_codes()
self.add_totp()
self.login_as('user')
r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': ''}, follow_redirects=True)
dump('mfa_auth_empty_code', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
def test_auth_invalid_code(self):
self.add_recovery_codes()
self.add_totp()
method = TOTPMethod(user=self.get_user(), name='testname')
raw_key = method.raw_key
db.session.add(method)
db.session.commit()
self.login_as('user')
r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
code = _hotp(int(time.time()/30), raw_key)
code = str(int(code[0])+1)[-1] + code[1:]
r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
dump('mfa_auth_invalid_code', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
def test_auth_ratelimit(self):
self.add_recovery_codes()
self.add_totp()
method = TOTPMethod(user=self.get_user(), name='testname')
raw_key = method.raw_key
db.session.add(method)
db.session.commit()
self.login_as('user')
self.assertIsNone(request.user)
code = _hotp(int(time.time()/30), raw_key)
inv_code = str(int(code[0])+1)[-1] + code[1:]
for i in range(20):
r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': inv_code}, follow_redirects=True)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
dump('mfa_auth_ratelimit', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(request.user)
# TODO: webauthn auth tests
tests/views/test_signup.py 0 → 100644
View file @ 98fe5690
import datetime
from flask import url_for, request
from uffd.database import db
from uffd.models import User, Signup, Role, RoleGroup, FeatureFlag
from tests.utils import dump, UffdTestCase, db_flush
def refetch_signup(signup):
db.session.add(signup)
db.session.commit()
id = signup.id
db.session.expunge(signup)
return Signup.query.get(id)
class TestSignupViews(UffdTestCase):
def setUpApp(self):
self.app.config['SELF_SIGNUP'] = True
self.app.last_mail = None
def test_signup(self):
r = self.client.get(path=url_for('signup.signup_start'), follow_redirects=True)
dump('test_signup', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(Signup.query.filter_by(loginname='newuser').all(), [])
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
'password1': 'notsecret', 'password2': 'notsecret'})
dump('test_signup_submit', r)
self.assertEqual(r.status_code, 200)
db_flush()
signups = Signup.query.filter_by(loginname='newuser').all()
self.assertEqual(len(signups), 1)
signup = signups[0]
self.assertEqual(signup.loginname, 'newuser')
self.assertEqual(signup.displayname, 'New User')
self.assertEqual(signup.mail, 'new@example.com')
self.assertIn(signup.token, str(self.app.last_mail.get_content()))
self.assertTrue(signup.password.verify('notsecret'))
self.assertTrue(signup.validate()[0])
def test_signup_disabled(self):
self.app.config['SELF_SIGNUP'] = False
r = self.client.get(path=url_for('signup.signup_start'), follow_redirects=True)
dump('test_signup_disabled', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(Signup.query.filter_by(loginname='newuser').all(), [])
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
'password1': 'notsecret', 'password2': 'notsecret'})
dump('test_signup_submit_disabled', r)
self.assertEqual(r.status_code, 200)
db_flush()
self.assertEqual(Signup.query.filter_by(loginname='newuser').all(), [])
def test_signup_wrongpassword(self):
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
'password1': 'notsecret', 'password2': 'notthesame'})
dump('test_signup_wrongpassword', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(self.app.last_mail)
def test_signup_invalid(self):
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': '', 'displayname': 'New User', 'mail': 'new@example.com',
'password1': 'notsecret', 'password2': 'notsecret'})
dump('test_signup_invalid', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(self.app.last_mail)
def test_signup_mailerror(self):
self.app.config['MAIL_SKIP_SEND'] = 'fail'
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
'password1': 'notsecret', 'password2': 'notsecret'})
dump('test_signup_mailerror', r)
self.assertEqual(r.status_code, 200)
def test_signup_hostlimit(self):
# Each signup_submit request leaks information about the existance of a
# user with a specific loginname. A host/network-based ratelimit should
# make enumerations of all user accounts difficult/next to impossible.
# Additionally each successful requests sends a mail to an
# attacker-controlled address. The ratelimit limits the applicability for
# spamming.
for i in range(20):
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': 'newuser%d'%i, 'displayname': 'New User', 'mail': 'test%d@example.com'%i,
'password1': 'notsecret', 'password2': 'notsecret'})
self.assertEqual(r.status_code, 200)
self.app.last_mail = None
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
'password1': 'notsecret', 'password2': 'notsecret'})
dump('test_signup_hostlimit', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(Signup.query.filter_by(loginname='newuser').all(), [])
self.assertIsNone(self.app.last_mail)
def test_signup_maillimit(self):
for i in range(3):
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': 'newuser%d'%i, 'displayname': 'New User', 'mail': 'new@example.com',
'password1': 'notsecret', 'password2': 'notsecret'})
self.assertEqual(r.status_code, 200)
self.app.last_mail = None
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
'password1': 'notsecret', 'password2': 'notsecret'})
dump('test_signup_maillimit', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(self.app.last_mail)
# Check that we did not hit the host limit
r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
data={'loginname': 'differentuser', 'displayname': 'New User',
'mail': 'different@mailaddress.com', 'password1': 'notsecret',
'password2': 'notsecret'})
self.assertIsNotNone(self.app.last_mail)
def test_signup_check(self):
r = self.client.post(path=url_for('signup.signup_check'), follow_redirects=True,
data={'loginname': 'newuser'})
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'ok')
def test_signup_check_invalid(self):
r = self.client.post(path=url_for('signup.signup_check'), follow_redirects=True,
data={'loginname': ''})
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'invalid')
def test_signup_check_exists(self):
r = self.client.post(path=url_for('signup.signup_check'), follow_redirects=True,
data={'loginname': 'testuser'})
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'exists')
def test_signup_check_ratelimited(self):
for i in range(20):
r = self.client.post(path=url_for('signup.signup_check'), follow_redirects=True,
data={'loginname': 'newuser%d'%i})
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
r = self.client.post(path=url_for('signup.signup_check'), follow_redirects=True,
data={'loginname': 'newuser'})
self.assertEqual(r.status_code, 200)
self.assertEqual(r.content_type, 'application/json')
self.assertEqual(r.json['status'], 'ratelimited')
def test_confirm(self):
baserole = Role(name='baserole', is_default=True)
db.session.add(baserole)
baserole.groups[self.get_access_group()] = RoleGroup()
db.session.commit()
signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
signup = refetch_signup(signup)
self.assertFalse(signup.completed)
self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
r = self.client.get(path=url_for('signup.signup_confirm', signup_id=signup.id, token=signup.token), follow_redirects=True)
dump('test_signup_confirm', r)
self.assertEqual(r.status_code, 200)
signup = refetch_signup(signup)
self.assertFalse(signup.completed)
self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
dump('test_signup_confirm_submit', r)
self.assertEqual(r.status_code, 200)
signup = refetch_signup(signup)
self.assertTrue(signup.completed)
self.assertEqual(signup.user.loginname, 'newuser')
self.assertEqual(signup.user.displayname, 'New User')
self.assertEqual(signup.user.primary_email.address, 'new@example.com')
self.assertTrue(User.query.filter_by(loginname='newuser').one_or_none().password.verify('notsecret'))
def test_confirm_loggedin(self):
baserole = Role(name='baserole', is_default=True)
db.session.add(baserole)
baserole.groups[self.get_access_group()] = RoleGroup()
db.session.commit()
self.login_as('user')
signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
signup = refetch_signup(signup)
self.assertFalse(signup.completed)
self.assertIsNotNone(request.user)
self.assertEqual(request.user.loginname, self.get_user().loginname)
r = self.client.get(path=url_for('signup.signup_confirm', signup_id=signup.id, token=signup.token), follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
self.assertEqual(r.status_code, 200)
signup = refetch_signup(signup)
self.assertTrue(signup.completed)
self.assertIsNotNone(request.user)
self.assertEqual(request.user.loginname, 'newuser')
def test_confirm_notfound(self):
r = self.client.get(path=url_for('signup.signup_confirm', signup_id=1, token='notasignuptoken'), follow_redirects=True)
dump('test_signup_confirm_notfound', r)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=1, token='notasignuptoken'), follow_redirects=True, data={'password': 'notsecret'})
dump('test_signup_confirm_submit_notfound', r)
self.assertEqual(r.status_code, 200)
def test_confirm_expired(self):
signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
signup.created = datetime.datetime.utcnow() - datetime.timedelta(hours=49)
signup = refetch_signup(signup)
r = self.client.get(path=url_for('signup.signup_confirm', signup_id=signup.id, token=signup.token), follow_redirects=True)
dump('test_signup_confirm_expired', r)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
dump('test_signup_confirm_submit_expired', r)
self.assertEqual(r.status_code, 200)
def test_confirm_completed(self):
signup = Signup(loginname=self.get_user().loginname, displayname='New User', mail='new@example.com', password='notsecret')
signup.user = self.get_user()
signup = refetch_signup(signup)
self.assertTrue(signup.completed)
r = self.client.get(path=url_for('signup.signup_confirm', signup_id=signup.id, token=signup.token), follow_redirects=True)
dump('test_signup_confirm_completed', r)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
dump('test_signup_confirm_submit_completed', r)
self.assertEqual(r.status_code, 200)
def test_confirm_wrongpassword(self):
signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
signup = refetch_signup(signup)
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'wrongpassword'})
dump('test_signup_confirm_wrongpassword', r)
signup = refetch_signup(signup)
self.assertEqual(r.status_code, 200)
self.assertFalse(signup.completed)
def test_confirm_error(self):
# finish returns None and error message (here: because the user already exists)
signup = Signup(loginname=self.get_user().loginname, displayname='New User', mail='new@example.com', password='notsecret')
signup = refetch_signup(signup)
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
dump('test_signup_confirm_error', r)
signup = refetch_signup(signup)
self.assertEqual(r.status_code, 200)
self.assertFalse(signup.completed)
def test_confirm_error_email_uniqueness(self):
FeatureFlag.unique_email_addresses.enable()
db.session.commit()
# finish returns None and error message (here: because the email address already exists)
# This case is interesting, because the error also invalidates the ORM session
signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
db.session.add(signup)
db.session.commit()
signup_id = signup.id
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
dump('test_signup_confirm_error_email_uniqueness', r)
self.assertEqual(r.status_code, 200)
signup = Signup.query.get(signup_id)
self.assertFalse(signup.completed)
def test_confirm_hostlimit(self):
for i in range(20):
signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
signup = refetch_signup(signup)
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'wrongpassword%d'%i})
self.assertEqual(r.status_code, 200)
signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
signup = refetch_signup(signup)
self.assertFalse(signup.completed)
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
dump('test_signup_confirm_hostlimit', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(signup.completed)
def test_confirm_confirmlimit(self):
signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
signup = refetch_signup(signup)
self.assertFalse(signup.completed)
for i in range(5):
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'wrongpassword%d'%i})
self.assertEqual(r.status_code, 200)
self.assertFalse(signup.completed)
r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
dump('test_signup_confirm_confirmlimit', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(signup.completed)
tests/views/test_user.py 0 → 100644
View file @ 98fe5690
from flask import url_for, request
from uffd.database import db
from uffd.models import User, UserEmail, Group, Role, Service, ServiceUser, FeatureFlag, MFAMethod, RecoveryCodeMethod, TOTPMethod
from tests.utils import dump, UffdTestCase
class TestUserViews(UffdTestCase):
def setUp(self):
super().setUp()
self.app.last_mail = None
self.login_as('admin')
def test_index(self):
r = self.client.get(path=url_for('user.index'), follow_redirects=True)
dump('user_index', r)
self.assertEqual(r.status_code, 200)
def test_new(self):
db.session.add(Role(name='base', is_default=True))
role1 = Role(name='role1')
db.session.add(role1)
role2 = Role(name='role2')
db.session.add(role2)
db.session.commit()
role1_id = role1.id
r = self.client.get(path=url_for('user.show'), follow_redirects=True)
dump('user_new', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
r = self.client.post(path=url_for('user.create'),
data={'loginname': 'newuser', 'email': 'newuser@example.com', 'displayname': 'New User',
f'role-{role1_id}': '1', 'password': 'newpassword'}, follow_redirects=True)
dump('user_new_submit', r)
self.assertEqual(r.status_code, 200)
user_ = User.query.filter_by(loginname='newuser').one_or_none()
roles = sorted([r.name for r in user_.roles_effective])
self.assertIsNotNone(user_)
self.assertFalse(user_.is_service_user)
self.assertEqual(user_.loginname, 'newuser')
self.assertEqual(user_.displayname, 'New User')
self.assertEqual(user_.primary_email.address, 'newuser@example.com')
self.assertFalse(user_.password)
self.assertGreaterEqual(user_.unix_uid, self.app.config['USER_MIN_UID'])
self.assertLessEqual(user_.unix_uid, self.app.config['USER_MAX_UID'])
role1 = Role(name='role1')
self.assertEqual(roles, ['base', 'role1'])
self.assertIsNotNone(self.app.last_mail)
def test_new_service(self):
db.session.add(Role(name='base', is_default=True))
role1 = Role(name='role1')
db.session.add(role1)
role2 = Role(name='role2')
db.session.add(role2)
db.session.commit()
role1_id = role1.id
r = self.client.get(path=url_for('user.show'), follow_redirects=True)
dump('user_new_service', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
r = self.client.post(path=url_for('user.create'),
data={'loginname': 'newuser', 'email': 'newuser@example.com', 'displayname': 'New User',
f'role-{role1_id}': '1', 'password': 'newpassword', 'serviceaccount': '1'}, follow_redirects=True)
dump('user_new_submit', r)
self.assertEqual(r.status_code, 200)
user = User.query.filter_by(loginname='newuser').one_or_none()
roles = sorted([r.name for r in user.roles])
self.assertIsNotNone(user)
self.assertTrue(user.is_service_user)
self.assertEqual(user.loginname, 'newuser')
self.assertEqual(user.displayname, 'New User')
self.assertEqual(user.primary_email.address, 'newuser@example.com')
self.assertTrue(user.unix_uid)
self.assertFalse(user.password)
role1 = Role(name='role1')
self.assertEqual(roles, ['role1'])
self.assertIsNone(self.app.last_mail)
def test_new_invalid_loginname(self):
r = self.client.post(path=url_for('user.create'),
data={'loginname': '!newuser', 'email': 'newuser@example.com', 'displayname': 'New User',
'password': 'newpassword'}, follow_redirects=True)
dump('user_new_invalid_loginname', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
def test_new_empty_loginname(self):
r = self.client.post(path=url_for('user.create'),
data={'loginname': '', 'email': 'newuser@example.com', 'displayname': 'New User',
'password': 'newpassword'}, follow_redirects=True)
dump('user_new_empty_loginname', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
def test_new_conflicting_loginname(self):
self.assertEqual(User.query.filter_by(loginname='testuser').count(), 1)
r = self.client.post(path=url_for('user.create'),
data={'loginname': 'testuser', 'email': 'newuser@example.com', 'displayname': 'New User',
'password': 'newpassword'}, follow_redirects=True)
dump('user_new_conflicting_loginname', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(User.query.filter_by(loginname='testuser').count(), 1)
def test_new_empty_email(self):
r = self.client.post(path=url_for('user.create'),
data={'loginname': 'newuser', 'email': '', 'displayname': 'New User',
'password': 'newpassword'}, follow_redirects=True)
dump('user_new_empty_email', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
def test_new_conflicting_email(self):
FeatureFlag.unique_email_addresses.enable()
db.session.commit()
r = self.client.post(path=url_for('user.create'),
data={'loginname': 'newuser', 'email': 'test@example.com', 'displayname': 'New User',
'password': 'newpassword'}, follow_redirects=True)
dump('user_new_conflicting_email', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
def test_new_invalid_display_name(self):
r = self.client.post(path=url_for('user.create'),
data={'loginname': 'newuser', 'email': 'newuser@example.com', 'displayname': 'A'*200,
'password': 'newpassword'}, follow_redirects=True)
dump('user_new_invalid_display_name', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
def test_update(self):
user_unupdated = self.get_user()
email_id = str(user_unupdated.primary_email.id)
db.session.add(Role(name='base', is_default=True))
role1 = Role(name='role1')
db.session.add(role1)
role2 = Role(name='role2')
db.session.add(role2)
role2.members.append(user_unupdated)
db.session.commit()
role1_id = role1.id
r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
dump('user_update', r)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
data={'loginname': 'testuser',
f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
'displayname': 'New User', f'role-{role1_id}': '1', 'password': ''},
follow_redirects=True)
dump('user_update_submit', r)
self.assertEqual(r.status_code, 200)
user_updated = self.get_user()
roles = sorted([r.name for r in user_updated.roles_effective])
self.assertEqual(user_updated.displayname, 'New User')
self.assertEqual(user_updated.primary_email.address, 'test@example.com')
self.assertEqual(user_updated.unix_uid, user_unupdated.unix_uid)
self.assertEqual(user_updated.loginname, user_unupdated.loginname)
self.assertTrue(user_updated.password.verify('userpassword'))
self.assertEqual(roles, ['base', 'role1'])
def test_update_password(self):
user_unupdated = self.get_user()
email_id = str(user_unupdated.primary_email.id)
r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
data={'loginname': 'testuser',
f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
'displayname': 'New User',
'password': 'newpassword'}, follow_redirects=True)
dump('user_update_password', r)
self.assertEqual(r.status_code, 200)
user_updated = self.get_user()
self.assertEqual(user_updated.displayname, 'New User')
self.assertEqual(user_updated.primary_email.address, 'test@example.com')
self.assertEqual(user_updated.unix_uid, user_unupdated.unix_uid)
self.assertEqual(user_updated.loginname, user_unupdated.loginname)
self.assertTrue(user_updated.password.verify('newpassword'))
self.assertFalse(user_updated.password.verify('userpassword'))
def test_update_invalid_password(self):
user_unupdated = self.get_user()
email_id = str(user_unupdated.primary_email.id)
r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
data={'loginname': 'testuser',
f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
'displayname': 'New User',
'password': 'A'}, follow_redirects=True)
dump('user_update_invalid_password', r)
self.assertEqual(r.status_code, 200)
user_updated = self.get_user()
self.assertFalse(user_updated.password.verify('A'))
self.assertTrue(user_updated.password.verify('userpassword'))
self.assertEqual(user_updated.displayname, user_unupdated.displayname)
self.assertEqual(user_updated.primary_email.address, user_unupdated.primary_email.address)
self.assertEqual(user_updated.loginname, user_unupdated.loginname)
# Regression test for #100 (login not possible if password contains character disallowed by SASLprep)
def test_update_saslprep_invalid_password(self):
user_unupdated = self.get_user()
email_id = str(user_unupdated.primary_email.id)
r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
data={'loginname': 'testuser',
f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
'displayname': 'New User',
'password': 'newpassword\n'}, follow_redirects=True)
dump('user_update_invalid_password', r)
self.assertEqual(r.status_code, 200)
user_updated = self.get_user()
self.assertFalse(user_updated.password.verify('newpassword\n'))
self.assertTrue(user_updated.password.verify('userpassword'))
self.assertEqual(user_updated.displayname, user_unupdated.displayname)
self.assertEqual(user_updated.primary_email.address, user_unupdated.primary_email.address)
self.assertEqual(user_updated.loginname, user_unupdated.loginname)
def test_update_email(self):
user = self.get_user()
email = UserEmail(user=user, address='foo@example.com')
service1 = Service(name='service1', enable_email_preferences=True, limit_access=False)
service2 = Service(name='service2', enable_email_preferences=True, limit_access=False)
db.session.add_all([service1, service2])
db.session.commit()
email1_id = user.primary_email.id
email2_id = email.id
service1_id = service1.id
service2_id = service2.id
r = self.client.post(path=url_for('user.update', id=user.id),
data={'loginname': 'testuser',
f'email-{email1_id}-present': '1',
f'email-{email2_id}-present': '1',
f'email-{email2_id}-verified': '1',
f'newemail-1-address': 'new1@example.com',
f'newemail-2-address': 'new2@example.com', f'newemail-2-verified': '1',
'primary_email': email2_id, 'recovery_email': email1_id,
f'service_{service1_id}_email': 'primary',
f'service_{service2_id}_email': email2_id,
'displayname': 'Test User', 'password': ''},
follow_redirects=True)
dump('user_update_email', r)
self.assertEqual(r.status_code, 200)
user = self.get_user()
self.assertEqual(user.primary_email.id, email2_id)
self.assertEqual(user.recovery_email.id, email1_id)
self.assertEqual(ServiceUser.query.get((service1.id, user.id)).service_email, None)
self.assertEqual(ServiceUser.query.get((service2.id, user.id)).service_email.id, email2_id)
self.assertEqual(
{email.address: email.verified for email in user.all_emails},
{
'test@example.com': True,
'foo@example.com': True,
'new1@example.com': False,
'new2@example.com': True,
}
)
def test_update_email_conflict(self):
user = self.get_user()
user_id = user.id
email_id = user.primary_email.id
email_address = user.primary_email.address
r = self.client.post(path=url_for('user.update', id=user.id),
data={'loginname': 'testuser',
f'email-{email_id}-present': '1',
f'newemail-1-address': user.primary_email.address},
follow_redirects=True)
dump('user_update_email_conflict', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(UserEmail.query.filter_by(user_id=user_id).count(), 1)
def test_update_email_strict_uniqueness(self):
FeatureFlag.unique_email_addresses.enable()
db.session.commit()
user = self.get_user()
email = UserEmail(user=user, address='foo@example.com')
service1 = Service(name='service1', enable_email_preferences=True, limit_access=False)
service2 = Service(name='service2', enable_email_preferences=True, limit_access=False)
db.session.add_all([service1, service2])
db.session.commit()
email1_id = user.primary_email.id
email2_id = email.id
service1_id = service1.id
service2_id = service2.id
r = self.client.post(path=url_for('user.update', id=user.id),
data={'loginname': 'testuser',
f'email-{email1_id}-present': '1',
f'email-{email2_id}-present': '1',
f'email-{email2_id}-verified': '1',
f'newemail-1-address': 'new1@example.com',
f'newemail-2-address': 'new2@example.com', f'newemail-2-verified': '1',
'primary_email': email2_id, 'recovery_email': email1_id,
f'service_{service1_id}_email': 'primary',
f'service_{service2_id}_email': email2_id,
'displayname': 'Test User', 'password': ''},
follow_redirects=True)
dump('user_update_email_strict_uniqueness', r)
self.assertEqual(r.status_code, 200)
user = self.get_user()
self.assertEqual(user.primary_email.id, email2_id)
self.assertEqual(user.recovery_email.id, email1_id)
self.assertEqual(ServiceUser.query.get((service1.id, user.id)).service_email, None)
self.assertEqual(ServiceUser.query.get((service2.id, user.id)).service_email.id, email2_id)
self.assertEqual(
{email.address: email.verified for email in user.all_emails},
{
'test@example.com': True,
'foo@example.com': True,
'new1@example.com': False,
'new2@example.com': True,
}
)
def test_update_email_strict_uniqueness_conflict(self):
FeatureFlag.unique_email_addresses.enable()
db.session.commit()
user = self.get_user()
user_id = user.id
email_id = user.primary_email.id
email_address = user.primary_email.address
r = self.client.post(path=url_for('user.update', id=user.id),
data={'loginname': 'testuser',
f'email-{email_id}-present': '1',
f'newemail-1-address': user.primary_email.address},
follow_redirects=True)
dump('user_update_email_strict_uniqueness_conflict', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(UserEmail.query.filter_by(user_id=user_id).count(), 1)
def test_update_invalid_display_name(self):
user_unupdated = self.get_user()
email_id = str(user_unupdated.primary_email.id)
r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
self.assertEqual(r.status_code, 200)
r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
data={'loginname': 'testuser',
f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
'displayname': 'A'*200,
'password': 'newpassword'}, follow_redirects=True)
dump('user_update_invalid_display_name', r)
self.assertEqual(r.status_code, 200)
user_updated = self.get_user()
self.assertEqual(user_updated.displayname, user_unupdated.displayname)
self.assertEqual(user_updated.primary_email.address, user_unupdated.primary_email.address)
self.assertEqual(user_updated.loginname, user_unupdated.loginname)
self.assertFalse(user_updated.password.verify('newpassword'))
self.assertTrue(user_updated.password.verify('userpassword'))
def test_show(self):
r = self.client.get(path=url_for('user.show', id=self.get_user().id), follow_redirects=True)
dump('user_show', r)
self.assertEqual(r.status_code, 200)
def test_show_self(self):
r = self.client.get(path=url_for('user.show', id=self.get_admin().id), follow_redirects=True)
dump('user_show_self', r)
self.assertEqual(r.status_code, 200)
def test_delete(self):
r = self.client.get(path=url_for('user.delete', id=self.get_user().id), follow_redirects=True)
dump('user_delete', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(self.get_user())
def test_deactivate(self):
r = self.client.get(path=url_for('user.deactivate', id=self.get_user().id), follow_redirects=True)
dump('user_deactivate', r)
self.assertEqual(r.status_code, 200)
self.assertTrue(self.get_user().is_deactivated)
def test_activate(self):
self.get_user().is_deactivated = True
db.session.commit()
r = self.client.get(path=url_for('user.activate', id=self.get_user().id), follow_redirects=True)
dump('user_activate', r)
self.assertEqual(r.status_code, 200)
self.assertFalse(self.get_user().is_deactivated)
def test_disable_mfa(self):
db.session.add(RecoveryCodeMethod(user=self.get_admin()))
user = self.get_user()
for _ in range(10):
db.session.add(RecoveryCodeMethod(user=user))
db.session.add(TOTPMethod(user=self.get_user(), name='My phone'))
db.session.commit()
self.login_as('admin')
admin_methods = len(MFAMethod.query.filter_by(user=self.get_admin()).all())
r = self.client.get(path=url_for('user.disable_mfa', id=self.get_user().id), follow_redirects=True)
dump('user_disable_mfa', r)
self.assertEqual(r.status_code, 200)
self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_user()).all()), 0)
self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_admin()).all()), admin_methods)
def test_csvimport(self):
role1 = Role(name='role1')
db.session.add(role1)
role2 = Role(name='role2')
db.session.add(role2)
db.session.commit()
data = f'''\
newuser1,newuser1@example.com,
newuser2,newuser2@example.com,{role1.id}
newuser3,newuser3@example.com,{role1.id};{role2.id}
newuser4,newuser4@example.com,9999
newuser5,newuser5@example.com,notanumber
newuser6,newuser6@example.com,{role1.id};{role2.id};
newuser7,invalidmail,
newuser8,,
,newuser9@example.com,
,,
,,,
newuser10,newuser10@example.com,
newuser11,newuser11@example.com, {role1.id};{role2.id}
newuser12,newuser12@example.com,{role1.id};{role1.id}
<invalid tag-like thingy>'''
r = self.client.post(path=url_for('user.csvimport'), data={'csv': data}, follow_redirects=True)
dump('user_csvimport', r)
self.assertEqual(r.status_code, 200)
user = User.query.filter_by(loginname='newuser1').one_or_none()
self.assertIsNotNone(user)
self.assertEqual(user.loginname, 'newuser1')
self.assertEqual(user.displayname, 'newuser1')
self.assertEqual(user.primary_email.address, 'newuser1@example.com')
roles = sorted([r.name for r in user.roles])
self.assertEqual(roles, [])
user = User.query.filter_by(loginname='newuser2').one_or_none()
self.assertIsNotNone(user)
self.assertEqual(user.loginname, 'newuser2')
self.assertEqual(user.displayname, 'newuser2')
self.assertEqual(user.primary_email.address, 'newuser2@example.com')
roles = sorted([r.name for r in user.roles])
self.assertEqual(roles, ['role1'])
user = User.query.filter_by(loginname='newuser3').one_or_none()
self.assertIsNotNone(user)
self.assertEqual(user.loginname, 'newuser3')
self.assertEqual(user.displayname, 'newuser3')
self.assertEqual(user.primary_email.address, 'newuser3@example.com')
roles = sorted([r.name for r in user.roles])
self.assertEqual(roles, ['role1', 'role2'])
user = User.query.filter_by(loginname='newuser4').one_or_none()
self.assertIsNotNone(user)
self.assertEqual(user.loginname, 'newuser4')
self.assertEqual(user.displayname, 'newuser4')
self.assertEqual(user.primary_email.address, 'newuser4@example.com')
roles = sorted([r.name for r in user.roles])
self.assertEqual(roles, [])
user = User.query.filter_by(loginname='newuser5').one_or_none()
self.assertIsNotNone(user)
self.assertEqual(user.loginname, 'newuser5')
self.assertEqual(user.displayname, 'newuser5')
self.assertEqual(user.primary_email.address, 'newuser5@example.com')
roles = sorted([r.name for r in user.roles])
self.assertEqual(roles, [])
user = User.query.filter_by(loginname='newuser6').one_or_none()
self.assertIsNotNone(user)
self.assertEqual(user.loginname, 'newuser6')
self.assertEqual(user.displayname, 'newuser6')
self.assertEqual(user.primary_email.address, 'newuser6@example.com')
roles = sorted([r.name for r in user.roles])
self.assertEqual(roles, ['role1', 'role2'])
self.assertIsNone(User.query.filter_by(loginname='newuser7').one_or_none())
self.assertIsNone(User.query.filter_by(loginname='newuser8').one_or_none())
self.assertIsNone(User.query.filter_by(loginname='newuser9').one_or_none())
user = User.query.filter_by(loginname='newuser10').one_or_none()
self.assertIsNotNone(user)
self.assertEqual(user.loginname, 'newuser10')
self.assertEqual(user.displayname, 'newuser10')
self.assertEqual(user.primary_email.address, 'newuser10@example.com')
roles = sorted([r.name for r in user.roles])
self.assertEqual(roles, [])
user = User.query.filter_by(loginname='newuser11').one_or_none()
self.assertIsNotNone(user)
self.assertEqual(user.loginname, 'newuser11')
self.assertEqual(user.displayname, 'newuser11')
self.assertEqual(user.primary_email.address, 'newuser11@example.com')
# Currently the csv import is not very robust, imho newuser11 should have role1 and role2!
roles = sorted([r.name for r in user.roles])
self.assertEqual(roles, ['role2'])
user = User.query.filter_by(loginname='newuser12').one_or_none()
self.assertIsNotNone(user)
self.assertEqual(user.loginname, 'newuser12')
self.assertEqual(user.displayname, 'newuser12')
self.assertEqual(user.primary_email.address, 'newuser12@example.com')
roles = sorted([r.name for r in user.roles])
self.assertEqual(roles, ['role1'])
class TestGroupViews(UffdTestCase):
def setUp(self):
super().setUp()
self.login_as('admin')
def test_index(self):
r = self.client.get(path=url_for('group.index'), follow_redirects=True)
dump('group_index', r)
self.assertEqual(r.status_code, 200)
def test_show(self):
r = self.client.get(path=url_for('group.show', gid=20001), follow_redirects=True)
dump('group_show', r)
self.assertEqual(r.status_code, 200)
def test_new(self):
r = self.client.get(path=url_for('group.show'), follow_redirects=True)
dump('group_new', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(Group.query.filter_by(name='newgroup').one_or_none())
r = self.client.post(path=url_for('group.update'),
data={'unix_gid': '', 'name': 'newgroup', 'description': 'Test description'},
follow_redirects=True)
dump('group_new_submit', r)
self.assertEqual(r.status_code, 200)
group = Group.query.filter_by(name='newgroup').one_or_none()
self.assertIsNotNone(group)
self.assertEqual(group.name, 'newgroup')
self.assertEqual(group.description, 'Test description')
self.assertGreaterEqual(group.unix_gid, self.app.config['GROUP_MIN_GID'])
self.assertLessEqual(group.unix_gid, self.app.config['GROUP_MAX_GID'])
def test_new_fixed_gid(self):
gid = self.app.config['GROUP_MAX_GID'] - 1
r = self.client.post(path=url_for('group.update'),
data={'unix_gid': str(gid), 'name': 'newgroup', 'description': 'Test description'},
follow_redirects=True)
dump('group_new_fixed_gid', r)
self.assertEqual(r.status_code, 200)
group = Group.query.filter_by(name='newgroup').one_or_none()
self.assertIsNotNone(group)
self.assertEqual(group.name, 'newgroup')
self.assertEqual(group.description, 'Test description')
self.assertEqual(group.unix_gid, gid)
def test_new_existing_name(self):
gid = self.app.config['GROUP_MAX_GID'] - 1
db.session.add(Group(name='newgroup', description='Original description', unix_gid=gid))
db.session.commit()
r = self.client.post(path=url_for('group.update'),
data={'unix_gid': '', 'name': 'newgroup', 'description': 'New description'},
follow_redirects=True)
dump('group_new_existing_name', r)
self.assertEqual(r.status_code, 400)
group = Group.query.filter_by(name='newgroup').one_or_none()
self.assertIsNotNone(group)
self.assertEqual(group.name, 'newgroup')
self.assertEqual(group.description, 'Original description')
self.assertEqual(group.unix_gid, gid)
def test_new_name_too_long(self):
r = self.client.post(path=url_for('group.update'),
data={'unix_gid': '', 'name': 'a'*33, 'description': 'New description'},
follow_redirects=True)
dump('group_new_name_too_long', r)
self.assertEqual(r.status_code, 400)
group = Group.query.filter_by(name='a'*33).one_or_none()
self.assertIsNone(group)
def test_new_name_too_short(self):
r = self.client.post(path=url_for('group.update'),
data={'unix_gid': '', 'name': '', 'description': 'New description'},
follow_redirects=True)
dump('group_new_name_too_short', r)
self.assertEqual(r.status_code, 400)
group = Group.query.filter_by(name='').one_or_none()
self.assertIsNone(group)
def test_new_name_invalid(self):
r = self.client.post(path=url_for('group.update'),
data={'unix_gid': '', 'name': 'foo bar', 'description': 'New description'},
follow_redirects=True)
dump('group_new_name_invalid', r)
self.assertEqual(r.status_code, 400)
group = Group.query.filter_by(name='foo bar').one_or_none()
self.assertIsNone(group)
def test_new_existing_gid(self):
gid = self.app.config['GROUP_MAX_GID'] - 1
db.session.add(Group(name='newgroup', description='Original description', unix_gid=gid))
db.session.commit()
r = self.client.post(path=url_for('group.update'),
data={'unix_gid': str(gid), 'name': 'newgroup2', 'description': 'New description'},
follow_redirects=True)
dump('group_new_existing_gid', r)
self.assertEqual(r.status_code, 400)
group = Group.query.filter_by(name='newgroup').one_or_none()
self.assertIsNotNone(group)
self.assertEqual(group.name, 'newgroup')
self.assertEqual(group.description, 'Original description')
self.assertEqual(group.unix_gid, gid)
self.assertIsNone(Group.query.filter_by(name='newgroup2').one_or_none())
def test_update(self):
group = Group(name='newgroup', description='Original description')
db.session.add(group)
db.session.commit()
group_id = group.id
group_gid = group.unix_gid
new_gid = self.app.config['GROUP_MAX_GID'] - 1
r = self.client.post(path=url_for('group.update', id=group_id),
data={'unix_gid': str(new_gid), 'name': 'newgroup_changed', 'description': 'New description'},
follow_redirects=True)
dump('group_update', r)
self.assertEqual(r.status_code, 200)
group = Group.query.get(group_id)
self.assertEqual(group.name, 'newgroup') # Not changed
self.assertEqual(group.description, 'New description') # Changed
self.assertEqual(group.unix_gid, group_gid) # Not changed
def test_delete(self):
group1 = Group(name='newgroup1', description='Original description1')
group2 = Group(name='newgroup2', description='Original description2')
db.session.add(group1)
db.session.add(group2)
db.session.commit()
group1_id = group1.id
group2_id = group2.id
r = self.client.get(path=url_for('group.delete', id=group1_id), follow_redirects=True)
dump('group_delete', r)
self.assertEqual(r.status_code, 200)
self.assertIsNone(Group.query.get(group1_id))
self.assertIsNotNone(Group.query.get(group2_id))
uffd/__init__.py
View file @ 98fe5690
import os
import secrets
import sys
from flask import Flask, redirect, url_for
from werkzeug.routing import IntegerConverter
from flask import Flask, redirect, url_for, request, render_template
from flask_babel import Babel
from babel.dates import LOCALTZ
from werkzeug.exceptions import Forbidden
from flask_migrate import Migrate
from uffd.database import db, SQLAlchemyJSON
from uffd.template_helper import register_template_helper
from uffd.navbar import setup_navbar
from .database import db, customize_db_engine
from .template_helper import register_template_helper
from .navbar import setup_navbar
from .csrf import bp as csrf_bp
from . import models, views, commands
def load_config_file(app, path, silent=False):
if not os.path.exists(path):
if not silent:
raise Exception(f"Config file {path} not found")
return False
def create_app(test_config=None):
# create and configure the app
app = Flask(__name__, instance_relative_config=False)
app.json_encoder = SQLAlchemyJSON
if path.endswith(".json"):
app.config.from_json(path)
elif path.endswith(".yaml") or path.endswith(".yml"):
import yaml # pylint: disable=import-outside-toplevel disable=import-error
with open(path, encoding='utf-8') as ymlfile:
data = yaml.safe_load(ymlfile)
app.config.from_mapping(data)
else:
app.config.from_pyfile(path, silent=True)
return True
def init_config(app: Flask, test_config):
# set development default config values
app.config.from_mapping(
SECRET_KEY=secrets.token_hex(128),
SQLALCHEMY_DATABASE_URI="sqlite:///{}".format(os.path.join(app.instance_path, 'uffd.sqlit3')),
)
app.config["SQLALCHEMY_DATABASE_URI"] = f"sqlite:///{os.path.join(app.instance_path, 'uffd.sqlit3')}"
app.config.from_pyfile('default_config.cfg')
# load config
if test_config is not None:
app.config.from_mapping(test_config)
elif os.environ.get('CONFIG_PATH'):
load_config_file(app, os.environ['CONFIG_PATH'], silent=False)
else:
for filename in ["config.cfg", "config.json", "config.yml", "config.yaml"]:
if load_config_file(app, os.path.join(app.instance_path, filename), silent=True):
break
if app.secret_key is None:
if app.env == "production":
raise Exception("SECRET_KEY not configured and we are running in production mode!")
app.secret_key = secrets.token_hex(128)
def create_app(test_config=None): # pylint: disable=too-many-locals,too-many-statements
app = Flask(__name__, instance_relative_config=False)
init_config(app, test_config)
register_template_helper(app)
setup_navbar(app)
if not test_config:
# load the instance config, if it exists, when not testing
app.config.from_pyfile(os.path.join(app.instance_path, 'config.cfg'), silent=True)
# Sort the navbar positions by their blueprint names (from the left)
if app.config['DEFAULT_PAGE_SERVICES']:
positions = ["service", "selfservice"]
else:
# load the test config if passed in
app.config.from_mapping(test_config)
positions = ["selfservice", "service"]
positions += ["rolemod", "invite", "user", "group", "role", "mail"]
setup_navbar(app, positions)
# ensure the instance folder exists
app.register_blueprint(csrf_bp)
views.init_app(app)
commands.init_app(app)
# We never want to fail here, but at a file access that doesn't work.
# We might only have read access to app.instance_path
try:
os.makedirs(app.instance_path)
except OSError:
os.makedirs(app.instance_path, exist_ok=True)
except: # pylint: disable=bare-except
pass
db.init_app(app)
# pylint: disable=C0415
from uffd import user, selfservice, role, mail, session, csrf, ldap, mfa, oauth2
# pylint: enable=C0415
Migrate(app, db, render_as_batch=True, directory=os.path.join(app.root_path, 'migrations'))
with app.app_context():
customize_db_engine(db.engine)
for i in user.bp + selfservice.bp + role.bp + mail.bp + session.bp + csrf.bp + ldap.bp + mfa.bp + oauth2.bp:
app.register_blueprint(i)
@app.shell_context_processor
def push_request_context(): #pylint: disable=unused-variable
ctx = {name: getattr(models, name) for name in models.__all__}
ctx.setdefault('db', db)
return ctx
@app.route("/")
def index(): #pylint: disable=unused-variable
return redirect(url_for('selfservice.index'))
# flask-babel requires pytz-style timezone objects, but in rare cases (e.g.
# non-IANA TZ values) LOCALTZ is stdlib-style (without normalize/localize)
if not hasattr(LOCALTZ, 'normalize'):
LOCALTZ.normalize = lambda dt: dt
if not hasattr(LOCALTZ, 'localize'):
LOCALTZ.localize = lambda dt: dt.replace(tzinfo=LOCALTZ)
return app
class PatchedBabel(Babel):
@property
def default_timezone(self):
if self.app.config['BABEL_DEFAULT_TIMEZONE'] == 'LOCALTZ':
return LOCALTZ
return super().default_timezone
def init_db(app):
with app.app_context():
db.create_all()
babel = PatchedBabel(app, default_timezone='LOCALTZ')
@babel.localeselector
def get_locale(): #pylint: disable=unused-variable
language_cookie = request.cookies.get('language')
if language_cookie is not None and language_cookie in app.config['LANGUAGES']:
return language_cookie
return request.accept_languages.best_match(list(app.config['LANGUAGES']))
app.add_template_global(get_locale)
return app
uffd/babel.cfg 0 → 100644
View file @ 98fe5690
[python: **.py]
[jinja2: **/templates/**.html]
uffd/commands/__init__.py 0 → 100644
View file @ 98fe5690
from .user import user_command
from .group import group_command
from .role import role_command
from .profile import profile_command
from .gendevcert import gendevcert_command
from .cleanup import cleanup_command
from .roles_update_all import roles_update_all_command
from .unique_email_addresses import unique_email_addresses_command
def init_app(app):
app.cli.add_command(user_command)
app.cli.add_command(group_command)
app.cli.add_command(role_command)
app.cli.add_command(gendevcert_command)
app.cli.add_command(profile_command)
app.cli.add_command(cleanup_command)
app.cli.add_command(roles_update_all_command)
app.cli.add_command(unique_email_addresses_command)
uffd/commands/cleanup.py 0 → 100644
View file @ 98fe5690
import click
from flask.cli import with_appcontext
from uffd.tasks import cleanup_task
from uffd.database import db
@click.command('cleanup', help='Cleanup expired data')
@with_appcontext
def cleanup_command():
cleanup_task.run()
db.session.commit()
uffd/commands/gendevcert.py 0 → 100644
View file @ 98fe5690
import os
import click
from werkzeug.serving import make_ssl_devcert
@click.command("gendevcert", help='Generates a self-signed TLS certificate for development')
def gendevcert_command(): #pylint: disable=unused-variable
if os.path.exists('devcert.crt') or os.path.exists('devcert.key'):
print('Refusing to overwrite existing "devcert.crt"/"devcert.key" file!')
return
make_ssl_devcert('devcert')
print('Certificate written to "devcert.crt", private key to "devcert.key".')
print('Run `flask run --cert devcert.crt --key devcert.key` to use it.')
uffd/commands/group.py 0 → 100644
View file @ 98fe5690
from flask import current_app
from flask.cli import AppGroup
from sqlalchemy.exc import IntegrityError
import click
from uffd.database import db
from uffd.models import Group
group_command = AppGroup('group', help='Manage groups')
@group_command.command(help='List names of all groups')
def list():
with current_app.test_request_context():
for group in Group.query:
click.echo(group.name)
@group_command.command(help='Show details of group')
@click.argument('name')
def show(name):
with current_app.test_request_context():
group = Group.query.filter_by(name=name).one_or_none()
if group is None:
raise click.ClickException(f'Group {name} not found')
click.echo(f'Name: {group.name}')
click.echo(f'Unix GID: {group.unix_gid}')
click.echo(f'Description: {group.description}')
click.echo(f'Members: {", ".join([user.loginname for user in group.members])}')
@group_command.command(help='Create new group')
@click.argument('name')
@click.option('--description', default='', help='Set description text. Empty per default.')
def create(name, description):
with current_app.test_request_context():
group = Group(description=description)
if not group.set_name(name):
raise click.ClickException('Invalid name')
try:
db.session.add(group)
db.session.commit()
except IntegrityError:
# pylint: disable=raise-missing-from
raise click.ClickException(f'A group with name "{name}" already exists')
@group_command.command(help='Update group attributes')
@click.argument('name')
@click.option('--description', help='Set description text.')
def update(name, description):
with current_app.test_request_context():
group = Group.query.filter_by(name=name).one_or_none()
if group is None:
raise click.ClickException(f'Group {name} not found')
if description is not None:
group.description = description
db.session.commit()
@group_command.command(help='Delete group')
@click.argument('name')
def delete(name):
with current_app.test_request_context():
group = Group.query.filter_by(name=name).one_or_none()
if group is None:
raise click.ClickException(f'Group {name} not found')
db.session.delete(group)
db.session.commit()

Impressum - Datenschutzerklärung