def test_adding_assurance_with_invalid_hash_and_email_fails(self):
badhash = self.createHash()
form = self.prepareLoginForm(digest=badhash)
self.assertReportedError(
self.controller.doAddAssurance,[form],
400, ['This user does not have that digest'])
self.assertFalse('test' in Assurance.getByUser(self.targetUser))
def test_adding_assurance_with_invalid_hash_and_no_email_fails(self):
badhash = self.createHash()
form = self.prepareLoginForm(digest=badhash,email=False)
self.assertReportedError(
self.controller.doAddAssurance,[form],
400, ['No user with this hash'])
self.assertFalse('test' in Assurance.getByUser(self.targetUser))
def shownDataForUser(self, user):
return dict(
email=user.email,
userid=user.userid,
assurances=Assurance.getByUser(user),
hash=user.hash,
credentials=Credential.getByUser_as_dictlist(user))
def shownDataForUser(self, user):
return dict(
email=user.email,
userid=user.userid,
assurances=Assurance.getByUser(user),
hash=user.hash,
credentials=Credential.getByUser_as_dictlist(user))
def test_in_assured_collision_the_hash_of_the_user_is_deleted(self):
self.doHashCollision()
assurances = Assurance.getByUser(self.anotherUser)
assurer = assurances['test'][0]['assurer']
self.assertEqual(assurer, self.controller.getCurrentUser().email)
self.assertEqual(self.targetUser.hash, self.digest)
self.assertEqual(self.anotherUser.hash, None)
def test_in_assured_collision_the_hash_of_the_user_is_deleted(self):
self.doHashCollision()
assurances = Assurance.getByUser(self.anotherUser)
assurer = assurances['test'][0]['assurer']
self.assertEqual(assurer, self.controller.getCurrentUser().email)
self.assertEqual(self.targetUser.hash, self.digest)
self.assertEqual(self.anotherUser.hash, None)
def your_assurances_are_deleted_in_deregistration(self):
with app.test_client() as c:
self.login(c)
user = User.getByEmail(self.usercreation_email)
Assurance.new(user, "test", user)
assurances = Assurance.getByUser(user)
self.assertTrue(len(assurances) > 0)
data = dict(
csrf_token = self.getCSRF(c),
credentialType= "password",
identifier= self.usercreation_userid,
secret = self.usercreation_password
)
c.post(config.base_url+'/deregister', data=data)
user = User.getByEmail(self.usercreation_email)
assurances = Assurance.getByUser(user)
self.assertTrue(len(assurances) == 0)
def _do_get_by_email(self, email):
assurances = Assurance.getByUser(self.getCurrentUser())
if assurances.has_key('assurer'):
user = User.getByEmail(email)
if user is None:
raise ReportedError(["no such user"], status=404)
return self.as_dict(user)
raise ReportedError(["no authorization"], status=403)
def test_adding_assurance_with_email_and_hash_of_someone_other_fails(self):
otherHash = self.createHash()
form = self.prepareLoginForm(digest=otherHash)
self.anotherUser = self.createUserWithCredentials().user
self.anotherUser.hash = otherHash
self.assertReportedError(self.controller.doAddAssurance, [form], 400,
['This user does not have that digest'])
self.assertFalse('test' in Assurance.getByUser(self.targetUser))
def test_email_validation_gives_emailverification_assurance(self):
self.setupRandom()
with app.test_client():
email = self.registerAndObtainValidationUri()
self.assertTrue(self.validateUri.startswith(config.BASE_URL + "/v1/verify_email"))
with app.test_client() as client:
user = User.getByEmail(email)
creds = Credential.getByUser(user)
assurances = Assurance.getByUser(user)
self.assertTrue(emailVerification not in assurances)
resp = client.get(self.validateUri)
self.assertEqual(resp.status_code, 200)
self.assertEqual(user.email, email)
newcreds = Credential.getByUser(user)
self.assertEqual(len(creds) - 1 , len(newcreds))
assurances = Assurance.getByUser(user)
self.assertTrue(assurances[emailVerification] is not None)
user.rm()
def test_adding_assurance_with_email_and_hash_of_someone_other_fails(self):
otherHash = self.createHash()
form = self.prepareLoginForm(digest=otherHash)
self.anotherUser = self.createUserWithCredentials().user
self.anotherUser.hash = otherHash
self.assertReportedError(
self.controller.doAddAssurance,[form],
400, ['This user does not have that digest'])
self.assertFalse('test' in Assurance.getByUser(self.targetUser))
def doGetByEmail(self, email):
current_user = self.getCurrentUser()
assurances = Assurance.getByUser(current_user)
if 'assurer' in assurances:
user = User.getByEmail(email)
if user is None:
raise ReportedError([noSuchUser], status=404)
return self.as_dict(user)
raise ReportedError([noAuthorization], status=403)
def as_dict(self, user, **kwargs):
kwargs.update({'email':user.email,
'userid':user.userid,
'assurances':Assurance.getByUser(user),
'hash': user.hash,
'credentials': Credential.getByUser_as_dictlist(user)
})
ret = json.dumps(kwargs)
return self.make_response(ret,200)
def doGetByEmail(self, email):
current_user = self.getCurrentUser()
assurances = Assurance.getByUser(current_user)
if 'assurer' in assurances:
user = User.getByEmail(email)
if user is None:
raise ReportedError([noSuchUser], status=404)
return self.as_dict(user)
raise ReportedError([noAuthorization], status=403)
def adding_assurance_is_possible_using_the_hash_only(self):
with app.test_client() as c:
target = self._setupTest(c)
data = dict(
digest = target.hash,
assurance = "test",
csrf_token = self.getCSRF(c))
resp = c.post(config.base_url + '/v1/add_assurance', data = data)
self.assertEquals(200, resp.status_code)
self.assertEquals(Assurance.getByUser(target)['test'][0]['assurer'], current_user.email)
def getShownUser(self, userid, authuser, isHerself):
if userid == 'me':
shownUser = authuser
elif isHerself:
if Assurance.getByUser(authuser).has_key('assurer'):
shownUser = User.get(userid)
else:
raise ReportedError(["no authorization to show other users"], status=403)
else:
raise ReportedError(["no authorization to show other users"], status=403)
return shownUser
def test_email_validation_gives_emailverification_assurance(self):
self.setupRandom()
with app.test_client():
email = self.registerAndObtainValidationUri()
self.assertTrue(
self.validateUri.startswith(config.BASE_URL +
"/v1/verify_email"))
with app.test_client() as client:
user = User.getByEmail(email)
creds = Credential.getByUser(user)
assurances = Assurance.getByUser(user)
self.assertTrue(emailVerification not in assurances)
resp = client.get(self.validateUri)
self.assertEqual(resp.status_code, 200)
self.assertEqual(user.email, email)
newcreds = Credential.getByUser(user)
self.assertEqual(len(creds) - 1, len(newcreds))
assurances = Assurance.getByUser(user)
self.assertTrue(assurances[emailVerification] is not None)
user.rm()
def email_validation_gives_emailverification_assurance(self):
self.setupRandom()
with app.test_client() as c:
resp, outbox = self.register(c)
email = self.registered_email
logout_user()
self.assertUserResponse(resp)
self.validateUri=re.search('href="([^"]*)',outbox[0].body).group(1)
self.assertTrue(self.validateUri.startswith(config.base_url + "/v1/verify_email/"))
with app.test_client() as c:
user = User.getByEmail(email)
creds = Credential.getByUser(user)
assurances = Assurance.getByUser(user)
self.assertTrue(assurances.has_key(emailVerification) is False)
resp = c.get(self.validateUri)
self.assertEqual(user.email, email)
newcreds = Credential.getByUser(user)
self.assertEquals(len(creds) - 1 , len(newcreds))
assurances = Assurance.getByUser(user)
self.assertTrue(assurances[emailVerification] is not None)
user.rm()
def test_if_hash_is_same_no_assurances_deleted(self):
digest = self.createHash()
user = self.createUserWithCredentials().user
data = dict(
digest=digest
)
self.controller.checkAndUpdateHash(FakeForm(data), user)
Assurance.new(user, "test", user)
self.controller.checkAndUpdateHash(FakeForm(data), user)
assurances = Assurance.getByUser(user)
self.assertTrue("test" in assurances.keys())
self.assertTrue("hashgiven" in assurances.keys())
def getDataOfUserForAuthenticator(self, userid, authuser, authenticator):
user = User.get(userid)
if not user:
raise ReportedError([noSuchUser], status=404)
if self.doesUserAskOwnData(userid, authenticator):
return self.shownDataForUser(user)
if self.doesUserAskForOthersData(authuser, authenticator):
assurances = Assurance.getByUser(authuser)
if 'assurer' in assurances:
return self.shownDataForAssurer(user)
else:
raise ReportedError([noShowAuthorization], status=403)
return self.shownDataForApp(user, authenticator)
def getDataOfUserForAuthenticator(self, userid, authuser, authenticator):
user = User.get(userid)
if not user:
raise ReportedError([noSuchUser], status=404)
if self.doesUserAskOwnData(userid, authenticator):
return self.shownDataForUser(user)
if self.doesUserAskForOthersData(authuser, authenticator):
assurances = Assurance.getByUser(authuser)
if 'assurer' in assurances:
return self.shownDataForAssurer(user)
else:
raise ReportedError([noShowAuthorization], status=403)
return self.shownDataForApp(user, authenticator)
def the_assurances_are_overwritten_on_hash_update(self):
with app.test_client() as c:
resp = self.login(c)
self.assertUserResponse(resp)
user = User.getByEmail(self.usercreation_email)
Assurance.new(user, "test", user, time.time())
oldHash = self.createHash()
user.hash = oldHash
userToCheck = User.getByEmail(self.usercreation_email)
self.assertEqual(len(Assurance.getByUser(userToCheck)), 1)
self.setupRandom()
digest = oldHash
csrf = self.getCSRF(c)
data = dict(
digest= digest,
csrf_token= csrf
)
resp = c.post(config.base_url+'/v1/users/me/update_hash', data=data)
self.assertEqual(200,resp.status_code)
userAfter = User.getByEmail(self.usercreation_email)
self.assertEqual(len(Assurance.getByUser(userAfter)), 0)
def adding_assurance_with_invalid_hash_and_email_fails(self):
with app.test_client() as c:
target = self._setupTest(c)
self.setupRandom()
data = dict(
digest = self.createHash(),
assurance = "test",
email = target.email,
csrf_token = self.getCSRF(c))
resp = c.post(config.base_url + '/v1/add_assurance', data = data)
self.assertEquals(400, resp.status_code)
self.assertEquals(self.fromJson(resp)['errors'],'This user does not have that digest')
self.assertFalse(Assurance.getByUser(target).has_key('test'))
def addUserDataToDict(self, user, kwargs):
return kwargs.update({
'email':
user.email,
'userid':
user.userid,
'assurances':
Assurance.getByUser(user),
'hash':
user.hash,
'credentials':
Credential.getByUser_as_dictlist(user)
})
def test_assurers_with_appropriate_credential_can_add_assurance_to_user_using_hash(self):
"""
the appropriate credential is an assurance in the form "assurer.<assurance_name>"
where assurance_name is the assurance to be added
"""
with app.test_client() as client:
target = self._setupTest(client)
data = dict(
digest = target.hash,
assurance = "test",
email = target.email,
csrf_token = self.getCSRF(client))
resp = client.post(config.BASE_URL + '/v1/add_assurance', data = data)
self.assertEqual(200, resp.status_code)
self.assertEqual(Assurance.getByUser(target)['test'][0]['assurer'], current_user.email)
def test_assurers_with_appropriate_credential_can_add_assurance_to_user_using_hash(
self):
"""
the appropriate credential is an assurance in the form "assurer.<assurance_name>"
where assurance_name is the assurance to be added
"""
with app.test_client() as client:
target = self._setupTest(client)
data = dict(digest=target.hash,
assurance="test",
email=target.email,
csrf_token=self.getCSRF(client))
resp = client.post(config.BASE_URL + '/v1/add_assurance',
data=data)
self.assertEqual(200, resp.status_code)
self.assertEqual(
Assurance.getByUser(target)['test'][0]['assurer'],
current_user.email)
def when_an_assurance_added_with_hash_and_email___and_there_is_another_user_with_the_same_hash___the_hash_from_the_other_user_is_deleted(self):
with app.test_client() as c:
target = self._setupTest(c)
anotherUser = self.createUserWithCredentials()
anotherEmail = self.usercreation_email
anotherUser.hash = target.hash
targetHash = target.hash
anotherUser.save()
data = dict(
digest = target.hash,
assurance = "test",
email = target.email,
csrf_token = self.getCSRF(c))
resp = c.post(config.base_url + '/v1/add_assurance', data = data)
self.assertEquals(200, resp.status_code)
self.assertEquals(Assurance.getByUser(target)['test'][0]['assurer'], current_user.email)
anotherUser = User.getByEmail(anotherEmail)
self.assertEqual(anotherUser.hash, None)
user = User.getByEmail(target.email)
self.assertEqual(user.hash, targetHash)
def doUpdateHashForUser(self, client, assurance="test", addDigest=True, digest=None):
resp = self.login(client)
self.assertUserResponse(resp)
user = User.getByEmail(self.userCreationEmail)
Assurance.new(user, assurance, user, time.time())
oldHash = self.createHash()
user.hash = oldHash
user.save()
userToCheck = User.getByEmail(self.userCreationEmail)
assurancesBefore = Assurance.getByUser(userToCheck)
self.assertEqual(len(assurancesBefore), 1)
self.setupRandom()
csrf = self.getCSRF(client)
data = dict(csrf_token=csrf)
if addDigest:
if digest is None:
data['digest'] = self.createHash()
else:
data['digest'] = digest
resp = client.post(config.BASE_URL + '/v1/users/me/update_hash', data=data)
return resp
def assureUserHaveTheGivingAssurancesFor(self, neededAssurance):
assurances = Assurance.getByUser(self.getCurrentUser())
assurerAssurance = "assurer.{0}".format(neededAssurance)
if not (assurances.has_key('assurer') and assurances.has_key(assurerAssurance)):
raise ReportedError(["no authorization"], 403)
def test_your_assurances_are_deleted_in_deregistration(self):
self._doDeregistrationDoit()
user = User.getByEmail(self.userCreationEmail)
assurances = Assurance.getByUser(user)
self.assertTrue(len(assurances) == 0)
def test_your_assurances_are_deleted_in_deregistration(self):
self._doDeregistrationDoit()
user = User.getByEmail(self.userCreationEmail)
assurances = Assurance.getByUser(user)
self.assertTrue(len(assurances) == 0)
def _assureHaveCredentialsAndAssurances(self, user):
creds = Credential.getByUser(user)
self.assertTrue(len(creds) > 0)
assurances = Assurance.getByUser(user)
self.assertTrue(len(assurances) > 0)
def test_adding_assurance_with_invalid_hash_and_no_email_fails(self):
badhash = self.createHash()
form = self.prepareLoginForm(digest=badhash, email=False)
self.assertReportedError(self.controller.doAddAssurance, [form], 400,
['No user with this hash'])
self.assertFalse('test' in Assurance.getByUser(self.targetUser))
def _setupTestWithoutAssurance(self, client):
self.login(client)
target = self._createUserWithHash()
self.assertTrue('test' not in Assurance.getByUser(target))
return target
def assureUserHaveTheGivingAssurancesFor(self, neededAssurance):
assurances = Assurance.getByUser(self.getCurrentUser())
if not self.isAssuredToAddAssurance(assurances, neededAssurance):
raise ReportedError([noAuthorization], 403)
def _setupTestWithoutAssurance(self, c):
self.login(c)
target = self._createUserWithHash()
self.assertTrue(Assurance.getByUser(target).has_key('test') is False)
return target
def handAssured(self, anotherUser: User) -> bool:
for assurance in Assurance.getByUser(anotherUser):
if assurance not in [emailVerification]:
return True
return False
def assureUserHaveTheGivingAssurancesFor(self, neededAssurance):
assurances = Assurance.getByUser(self.getCurrentUser())
if not self.isAssuredToAddAssurance(assurances, neededAssurance):
raise ReportedError([noAuthorization], 403)
def addUserDataToDict(self, user, kwargs):
return kwargs.update({'email':user.email, 'userid':user.userid,
'assurances':Assurance.getByUser(user),
'hash':user.hash,
'credentials':Credential.getByUser_as_dictlist(user)})
def _setupTestWithoutAssurance(self, client):
self.login(client)
target = self._createUserWithHash()
self.assertTrue('test' not in Assurance.getByUser(target))
return target
def test_adding_assurance_with_invalid_hash_and_email_fails(self):
badhash = self.createHash()
form = self.prepareLoginForm(digest=badhash)
self.assertReportedError(self.controller.doAddAssurance, [form], 400,
['This user does not have that digest'])
self.assertFalse('test' in Assurance.getByUser(self.targetUser))
def isAnyoneHandAssurredOf(self, anotherUsers):
for anotherUser in anotherUsers:
for assurance in Assurance.getByUser(anotherUser):
if assurance not in [emailVerification]:
return True
return False
def handAssured(self, anotherUser: User) -> bool:
for assurance in Assurance.getByUser(anotherUser):
if assurance not in [emailVerification]:
return True
return False
def updateHashForUser(self, client, assurance="test", addDigest=True, digest=None):
resp = self.doUpdateHashForUser(client, assurance, addDigest, digest)
self.assertEqual(200, resp.status_code)
self.userAfter = User.getByEmail(self.userCreationEmail)
assurances = Assurance.getByUser(self.userAfter)
return assurances
def test_confirmChangeEmail_adds_a_emailverification_assurance_if_called_with_changeemailandverify_secret(self):
self.doConfirmChangeEmail(useverifysecret=True)
self.assertIn("emailverification",Assurance.getByUser(self.user))
