class TestViews(OsfTestCase):
@mock.patch('website.addons.twofactor.models.push_status_message')
def setUp(self, mocked):
super(TestViews, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('twofactor')
self.user_settings = self.user.get_addon('twofactor')
def test_confirm_code(self):
# Send a valid code to the API endpoint for the user settings.
res = self.app.post_json(
'/api/v1/settings/twofactor/',
{'code': _valid_code(self.user_settings.totp_secret)},
auth=self.user.auth)
# reload the user settings object from the DB
self.user_settings.reload()
assert_true(self.user_settings.is_confirmed)
assert_equal(res.status_code, 200)
def test_confirm_code_failure(self):
res = self.app.post_json('/api/v1/settings/twofactor/',
{'code': '000000'},
auth=self.user.auth,
expect_errors=True)
assert_equal(res.status_code, 403)
json = res.json
assert_in('verification code', json['message_long'])
# reload the user settings object from the DB
self.user_settings.reload()
assert_false(self.user_settings.is_confirmed)
def test_revoke_didnt_award(self):
badgeid = self.user_settings.badges[0]._id
initnum = len(self.project.badgeassertion__awarded)
assert_true(self.user_settings.can_award)
url = api_url_for('award_badge', pid=self.project._id)
ret = self.app.post_json(url, {'badgeid': badgeid},
auth=self.user.auth)
self.project.reload()
assert_equals(ret.status_int, 200)
assert_equals(initnum + 1, len(self.project.badgeassertion__awarded))
assertion = self.project.badgeassertion__awarded[0]
revoke = api_url_for('revoke_badge', pid=self.project._id)
user2 = AuthUserFactory()
user2.add_addon('badges', override=True)
user2.save()
user2.reload()
ret = self.app.post_json(revoke, {
'id': assertion._id,
'reason': ''
},
auth=user2.auth,
expect_errors=True)
self.project.reload()
self.user_settings.reload()
assertion.reload()
assert_equals(ret.status_int, 400)
assert_false(assertion.revoked)
assert_true(self.project.badgeassertion__awarded[0]._id, assertion._id)
assert_false(assertion._id in self.user_settings.revocation_list)
class TestAssertion(OsfTestCase):
def setUp(self):
super(TestAssertion, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('badges', override=True)
self.usersettings = self.user.get_addon('badges', self.user.auth)
self.usersettings.save()
self.project = ProjectFactory()
self.node_settings = self.project.get_addon('badges')
create_mock_badge(self.usersettings)
self.badge = self.usersettings.badges[0]
def test_parent(self):
assertion = BadgeAssertion.create(self.badge, self.project)
assert_equals(assertion.badge, self.badge)
def test_recipient(self):
assertion = BadgeAssertion.create(self.badge, self.project)
test_data = {
'idenity': self.project._id,
'type': 'osfnode',
'hashed': False
}
assert_equals(assertion.recipient, test_data)
def test_awarder(self):
assertion = BadgeAssertion.create(self.badge, self.project)
assert_equals(assertion.awarder, self.usersettings)
def test_set_config_not_owner(self, mock_metadata):
mock_metadata.return_value = {
'data': {
'name': 'Fake Folder'
}
}
user = AuthUserFactory()
user.add_addon('zotero')
self.project.add_contributor(user)
self.project.save()
res = self.app.put_json(
self.project.api_url_for('zotero_set_config'),
{
'external_account_id': self.account._id,
'external_list_id': 'list',
},
auth=user.auth,
)
self.node_addon.reload()
assert_equal(self.user_addon, self.node_addon.user_settings)
serializer = ZoteroSerializer(node_settings=self.node_addon, user_settings=None)
result = {
'result': serializer.serialized_node_settings
}
assert_equal(res.json, result)
class TestUserSettingsModel(OsfTestCase):
def setUp(self):
super(TestUserSettingsModel, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('badges', override=True)
self.usersettings = self.user.get_addon('badges')
self.usersettings.save()
def test_can_award(self):
assert_false(self.usersettings.can_award)
create_mock_badge(self.usersettings)
assert_true(self.usersettings.can_award)
def test_to_openbadge(self):
self.user.fullname = 'HoneyBadger'
self.user.username = '******'
self.user.save()
test = {'name': 'HoneyBadger', 'email': '*****@*****.**'}
assert_equal(self.usersettings.to_openbadge(), test)
def test_badges(self):
create_mock_badge(self.usersettings)
create_mock_badge(self.usersettings)
assert_equal(len(self.usersettings.badges), 2)
create_mock_badge(self.usersettings)
assert_equal(len(self.usersettings.badges), 3)
class TestBadge(OsfTestCase):
def setUp(self):
super(TestBadge, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('badges', override=True)
self.usersettings = self.user.get_addon('badges', self.user.auth)
self.usersettings.save()
def test_fields(self):
badgedata = create_badge_dict()
create_mock_badge(self.usersettings, badge_data=badgedata)
badge = self.usersettings.badges[0]
assert_equals(badge.name, badgedata['badgeName'])
assert_equals(badge.description, badgedata['description'])
assert_equals(badge.image, 'temp.png')
assert_equals(badge.criteria, badgedata['criteria'])
def test_system_badge(self):
create_mock_badge(self.usersettings)
badge = self.usersettings.badges[0]
badge.make_system_badge()
assert_true(badge.is_system_badge)
assert_equals(badge, Badge.get_system_badges()[0])
def test_assertions(self):
create_mock_badge(self.usersettings)
badge = self.usersettings.badges[0]
assert_equals(len(badge.assertions), 0)
for n in xrange(4):
BadgeAssertion.create(badge, None)
assert_equals(len(badge.assertions), n + 1)
def test_revoke_didnt_award(self):
badgeid = self.user_settings.badges[0]._id
initnum = len(self.project.badgeassertion__awarded)
assert_true(self.user_settings.can_award)
url = api_url_for('award_badge', pid=self.project._id)
ret = self.app.post_json(url, {'badgeid': badgeid}, auth=self.user.auth)
self.project.reload()
assert_equals(ret.status_int, 200)
assert_equals(initnum + 1, len(self.project.badgeassertion__awarded))
assertion = self.project.badgeassertion__awarded[0]
revoke = api_url_for('revoke_badge', pid=self.project._id)
user2 = AuthUserFactory()
user2.add_addon('badges', override=True)
user2.save()
user2.reload()
ret = self.app.post_json(revoke,
{
'id': assertion._id,
'reason': ''
}, auth=user2.auth, expect_errors=True)
self.project.reload()
self.user_settings.reload()
assertion.reload()
assert_equals(ret.status_int, 400)
assert_false(assertion.revoked)
assert_true(self.project.badgeassertion__awarded[0]._id, assertion._id)
assert_false(assertion._id in self.user_settings.revocation_list)
class TestGoogleDriveHgridViews(OsfTestCase):
def setUp(self):
super(TestGoogleDriveHgridViews, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('googledrive')
self.project = ProjectFactory(creator=self.user)
self.project.add_addon('googledrive', Auth(self.user))
self.node_settings = self.project.get_addon('googledrive')
self.user_settings = self.user.get_addon('googledrive')
self.node_settings.user_settings = self.user_settings
self.user_settings.save()
self.node_settings.save()
# Log user in
self.app.authenticate(*self.user.auth)
@mock.patch('website.addons.googledrive.views.hgrid.GoogleDriveClient.folders')
def test_googledrive_folders(self, mock_drive_client_folders):
folderId = '12345'
mock_drive_client_folders.return_value = mock_folders['items']
url = api_url_for('googledrive_folders', pid=self.project._primary_key, folderId=folderId)
res = self.app.get(url, auth=self.user.auth)
assert_equal(res.status_code, 200)
assert_equal(len(res.json), len(mock_folders['items']))
@mock.patch('website.addons.googledrive.views.hgrid.GoogleDriveClient.about')
def test_googledrive_folders_returns_only_root(self, mock_about):
mock_about.return_value = {'rootFolderId': '24601'}
url = self.project.api_url_for('googledrive_folders')
res = self.app.get(url, auth=self.user.auth)
assert_equal(len(res.json), 1)
assert_equal(res.status_code, 200)
assert_equal(res.json[0]['id'], '24601')
class TestGoogleDriveHgridViews(OsfTestCase):
def setUp(self):
super(TestGoogleDriveHgridViews, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('googledrive')
self.project = ProjectFactory(creator=self.user)
self.project.add_addon('googledrive', Auth(self.user))
self.node_settings = self.project.get_addon('googledrive')
self.user_settings = self.user.get_addon('googledrive')
self.node_settings.user_settings = self.user_settings
self.user_settings.save()
self.node_settings.save()
# Log user in
self.app.authenticate(*self.user.auth)
@mock.patch('website.addons.googledrive.views.hgrid.GoogleDriveClient.folders')
def test_googledrive_folders(self, mock_drive_client_folders):
folderId = '12345'
mock_drive_client_folders.return_value = mock_folders['items']
url = api_url_for('googledrive_folders', pid=self.project._primary_key, folderId=folderId)
res = self.app.get(url, auth=self.user.auth)
assert_equal(res.status_code, 200)
assert_equal(len(res.json), len(mock_folders['items']))
@mock.patch('website.addons.googledrive.views.hgrid.GoogleDriveClient.about')
def test_googledrive_folders_returns_only_root(self, mock_about):
mock_about.return_value = {'rootFolderId': '24601'}
url = self.project.api_url_for('googledrive_folders')
res = self.app.get(url, auth=self.user.auth)
assert_equal(len(res.json), 1)
assert_equal(res.status_code, 200)
assert_equal(res.json[0]['id'], '24601')
class TestBadge(OsfTestCase):
def setUp(self):
super(TestBadge, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('badges', override=True)
self.usersettings = self.user.get_addon('badges', self.user.auth)
self.usersettings.save()
def test_fields(self):
badgedata = create_badge_dict()
create_mock_badge(self.usersettings, badge_data=badgedata)
badge = self.usersettings.badges[0]
assert_equals(badge.name, badgedata['badgeName'])
assert_equals(badge.description, badgedata['description'])
assert_equals(badge.image, 'temp.png')
assert_equals(badge.criteria, badgedata['criteria'])
def test_system_badge(self):
create_mock_badge(self.usersettings)
badge = self.usersettings.badges[0]
badge.make_system_badge()
assert_true(badge.is_system_badge)
assert_equals(badge, Badge.get_system_badges()[0])
def test_assertions(self):
create_mock_badge(self.usersettings)
badge = self.usersettings.badges[0]
assert_equals(len(badge.assertions), 0)
for n in xrange(4):
BadgeAssertion.create(badge, None)
assert_equals(len(badge.assertions), n + 1)
def test_set_user_config_fail(self, mock_connection):
mock_connection.return_value = create_mock_connection('wrong', 'info')
# Create a user with no settings
user = AuthUserFactory()
user.add_addon('dataverse')
user_settings = user.get_addon('dataverse')
url = api_url_for('dataverse_set_user_config')
params = {'dataverse_username': '******',
'dataverse_password': '******'}
# Post incorrect credentials to existing user
res = self.app.post_json(url, params, auth=self.user.auth,
expect_errors=True)
self.user_settings.reload()
# Original user's info has not changed
assert_equal(res.status_code, http.UNAUTHORIZED)
assert_equal(self.user_settings.dataverse_username, 'snowman')
assert_equal(self.user_settings.dataverse_password, 'frosty')
# Post incorrect credentials to new user
res = self.app.post_json(url, params, auth=user.auth,
expect_errors=True)
user_settings.reload()
# New user's incorrect credentials were not saved
assert_equal(res.status_code, http.UNAUTHORIZED)
assert_equal(user_settings.dataverse_username, None)
assert_equal(user_settings.dataverse_password, None)
def test_set_user_config_fail(self, mock_connection):
mock_connection.side_effect = UnauthorizedError('Bad credentials!')
# Create a user with no settings
user = AuthUserFactory()
user.add_addon('dataverse')
user_settings = user.get_addon('dataverse')
url = api_url_for('dataverse_set_user_config')
params = {'api_token': 'wrong-info'}
# Post incorrect credentials to existing user
res = self.app.post_json(url,
params,
auth=self.user.auth,
expect_errors=True)
self.user_settings.reload()
# Original user's info has not changed
assert_equal(res.status_code, http.UNAUTHORIZED)
assert_equal(self.user_settings.api_token, 'snowman-frosty')
# Post incorrect credentials to new user
res = self.app.post_json(url,
params,
auth=user.auth,
expect_errors=True)
user_settings.reload()
# New user's incorrect credentials were not saved
assert_equal(res.status_code, http.UNAUTHORIZED)
assert_equal(user_settings.api_token, None)
class TestUserSettingsModel(OsfTestCase):
def setUp(self):
super(TestUserSettingsModel, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('badges', override=True)
self.usersettings = self.user.get_addon('badges')
self.usersettings.save()
def test_can_award(self):
assert_false(self.usersettings.can_award)
create_mock_badge(self.usersettings)
assert_true(self.usersettings.can_award)
def test_to_openbadge(self):
self.user.fullname = 'HoneyBadger'
self.user.username = '******'
self.user.save()
test = {
'name': 'HoneyBadger',
'email': '*****@*****.**'
}
assert_equal(self.usersettings.to_openbadge(), test)
def test_badges(self):
create_mock_badge(self.usersettings)
create_mock_badge(self.usersettings)
assert_equal(len(self.usersettings.badges), 2)
create_mock_badge(self.usersettings)
assert_equal(len(self.usersettings.badges), 3)
class TestAssertion(OsfTestCase):
def setUp(self):
super(TestAssertion, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('badges', override=True)
self.usersettings = self.user.get_addon('badges', self.user.auth)
self.usersettings.save()
self.project = ProjectFactory()
self.node_settings = self.project.get_addon('badges')
create_mock_badge(self.usersettings)
self.badge = self.usersettings.badges[0]
def test_parent(self):
assertion = BadgeAssertion.create(self.badge, self.project)
assert_equals(assertion.badge, self.badge)
def test_recipient(self):
assertion = BadgeAssertion.create(self.badge, self.project)
test_data = {
'idenity': self.project._id,
'type': 'osfnode',
'hashed': False
}
assert_equals(assertion.recipient, test_data)
def test_awarder(self):
assertion = BadgeAssertion.create(self.badge, self.project)
assert_equals(assertion.awarder, self.usersettings)
def test_oauth_delete_user_two_osf_user(self, mock_revoke_token,
mock_github_user):
mock_revoke_token.return_value = True
user = mock.Mock()
user.id = "testing user id"
user.login = "******"
mock_github_user.return_value = user
views.auth.create_and_attach_oauth(self.user_settings,
"testing acess token",
"testing token type")
user2 = AuthUserFactory()
user2.add_addon('github')
user2.save()
user_settings2 = user2.get_addon('github')
views.auth.create_and_attach_oauth(user_settings2,
"testing access token",
"testing token type")
url = api_url_for("github_oauth_delete_user")
self.app.delete(url, auth=self.user.auth)
self.user_settings.reload()
user_settings2.reload()
assert_false(self.user_settings.oauth_token_type)
assert_false(self.user_settings.oauth_access_token)
assert_false(self.user_settings.github_user_name)
assert_false(self.user_settings.oauth_settings)
assert_true(user_settings2.oauth_settings)
assert_equal(user_settings2.oauth_token_type, "testing token type")
assert_equal(user_settings2.oauth_access_token, "testing access token")
assert_equal(user_settings2.github_user_name, "testing user")
class TestMenbibAuthViews(OsfTestCase):
def setUp(self):
self.app = TestApp(app)
self.user = AuthUserFactory()
self.app.authenticate(*self.user.auth)
def test_menbib_oauth_start(self):
url = api_url_for('menbib_oauth_start_user')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.menbib.views.auth.finish_auth')
def test_menbib_oauth_finish(self, mock_finish):
mock_finish.return_value = AuthResult('mytokenabc', 'myrefreshabc', 'cool', '3600')
url = api_url_for('menbib_oauth_finish')
res = self.app.get(url)
assert_is_redirect(res)
def test_menbib_oauth_delete_user(self):
self.user.add_addon('menbib')
user_settings = self.user.get_addon('menbib')
user_settings.access_token = '12345abc'
assert_true(user_settings.has_auth)
self.user.save()
url = api_url_for('menbib_oauth_delete_user')
res = self.app.delete(url)
user_settings.reload()
assert_false(user_settings.has_auth)
class TestAuthViews(OsfTestCase):
def setUp(self):
self.app = TestApp(app)
self.user = AuthUserFactory()
self.app.authenticate(*self.user.auth)
def test_mendeley_oauth_start(self):
self.user.add_addon('mendeley')
settings = self.user.get_addon('mendeley')
settings.access_token = '12345abc'
print settings.has_auth
settings.save()
# assert_true(settings.has_auth)
url = views.mendeley_oauth_start(self)
print url
def test_mendeley_oauth_delete_user(self):
pass
def test_mendeley_oauth_delete_node(self):
pass
def test_mendeley_oauth_callback(self):
pass
def test_set_user_config_fail(self, mock_connection):
mock_connection.return_value = create_mock_connection('wrong', 'info')
# Create a user with no settings
user = AuthUserFactory()
user.add_addon('dataverse')
user_settings = user.get_addon('dataverse')
url = api_url_for('dataverse_set_user_config')
params = {'dataverse_username': '******', 'dataverse_password': '******'}
# Post incorrect credentials to existing user
res = self.app.post_json(url,
params,
auth=self.user.auth,
expect_errors=True)
self.user_settings.reload()
# Original user's info has not changed
assert_equal(res.status_code, http.UNAUTHORIZED)
assert_equal(self.user_settings.dataverse_username, 'snowman')
assert_equal(self.user_settings.dataverse_password, 'frosty')
# Post incorrect credentials to new user
res = self.app.post_json(url,
params,
auth=user.auth,
expect_errors=True)
user_settings.reload()
# New user's incorrect credentials were not saved
assert_equal(res.status_code, http.UNAUTHORIZED)
assert_equal(user_settings.dataverse_username, None)
assert_equal(user_settings.dataverse_password, None)
def test_set_config_not_owner(self, mock_metadata):
mock_metadata.return_value = {
'data': {
'name': 'Fake Folder'
}
}
user = AuthUserFactory()
user.add_addon('zotero')
self.project.add_contributor(user)
self.project.save()
res = self.app.put_json(
self.project.api_url_for('zotero_set_config'),
{
'external_account_id': self.account._id,
'external_list_id': 'list',
},
auth=user.auth,
)
self.node_addon.reload()
assert_equal(self.user_addon, self.node_addon.user_settings)
serializer = ZoteroSerializer(node_settings=self.node_addon, user_settings=None)
result = {
'result': serializer.serialized_node_settings
}
assert_equal(res.json, result)
class TestDataverseRestrictions(DataverseAddonTestCase):
def setUp(self):
super(DataverseAddonTestCase, self).setUp()
# Nasty contributor who will try to access content that he shouldn't
# have access to
self.contrib = AuthUserFactory()
self.project.add_contributor(self.contrib, auth=Auth(self.user))
self.project.save()
@mock.patch('website.addons.dataverse.views.config.connect_from_settings')
def test_restricted_set_study_not_owner(self, mock_connection):
mock_connection.return_value = create_mock_connection()
# Contributor has dataverse auth, but is not the node authorizer
self.contrib.add_addon('dataverse')
self.contrib.save()
url = api_url_for('set_dataverse_and_study',
pid=self.project._primary_key)
params = {
'dataverse': {
'alias': 'ALIAS1'
},
'study': {
'hdl': 'doi:12.3456/DVN/00002'
},
}
res = self.app.post_json(url,
params,
auth=self.contrib.auth,
expect_errors=True)
assert_equal(res.status_code, http.FORBIDDEN)
def test_set_user_config_fail(self, mock_connection):
mock_connection.side_effect = UnauthorizedError('Bad credentials!')
# Create a user with no settings
user = AuthUserFactory()
user.add_addon('dataverse')
user_settings = user.get_addon('dataverse')
url = api_url_for('dataverse_set_user_config')
params = {'api_token': 'wrong-info'}
# Post incorrect credentials to existing user
res = self.app.post_json(url, params, auth=self.user.auth,
expect_errors=True)
self.user_settings.reload()
# Original user's info has not changed
assert_equal(res.status_code, http.UNAUTHORIZED)
assert_equal(self.user_settings.api_token, 'snowman-frosty')
# Post incorrect credentials to new user
res = self.app.post_json(url, params, auth=user.auth,
expect_errors=True)
user_settings.reload()
# New user's incorrect credentials were not saved
assert_equal(res.status_code, http.UNAUTHORIZED)
assert_equal(user_settings.api_token, None)
class TestBoxIntegration(OsfTestCase):
def setUp(self):
super(TestBoxIntegration, self).setUp()
self.user = AuthUserFactory()
# User is logged in
self.app.authenticate(*self.user.auth)
def test_cant_start_oauth_if_already_authorized(self):
# User already has box authorized
self.user.add_addon('box')
self.user.save()
settings = self.user.get_addon('box')
oauth = BoxOAuthSettings(user_id='fa;l', access_token='a;lkjadl;kas')
oauth.save()
settings.oauth_settings = oauth
settings.save()
assert_true(self.user.get_addon('box').has_auth)
# Tries to start oauth again
url = api_url_for('box_oauth_start_user')
res = self.app.get(url).follow()
# Is redirected back to settings page
assert_equal(
res.request.path,
web_url_for('user_addons')
)
def test_oauth_delete_user_two_osf_user(self, mock_revoke_token, mock_github_user):
mock_revoke_token.return_value = True
user = mock.Mock()
user.id = "testing user id"
user.login = "******"
mock_github_user.return_value = user
views.auth.create_and_attach_oauth(self.user_settings, "testing acess token", "testing token type")
user2 = AuthUserFactory()
user2.add_addon('github')
user2.save()
user_settings2 = user2.get_addon('github')
views.auth.create_and_attach_oauth(user_settings2, "testing access token", "testing token type")
url = api_url_for("github_oauth_delete_user")
self.app.delete(url, auth=self.user.auth)
self.user_settings.reload()
user_settings2.reload()
assert_false(self.user_settings.oauth_token_type)
assert_false(self.user_settings.oauth_access_token)
assert_false(self.user_settings.github_user_name)
assert_false(self.user_settings.oauth_settings)
assert_true(user_settings2.oauth_settings)
assert_equal(user_settings2.oauth_token_type, "testing token type")
assert_equal(user_settings2.oauth_access_token, "testing access token")
assert_equal(user_settings2.github_user_name, "testing user")
class TestDataverseRestrictions(DataverseAddonTestCase, OsfTestCase):
def setUp(self):
super(DataverseAddonTestCase, self).setUp()
# Nasty contributor who will try to access content that he shouldn't
# have access to
self.contrib = AuthUserFactory()
self.project.add_contributor(self.contrib, auth=Auth(self.user))
self.project.save()
@mock.patch('addons.dataverse.views.client.connect_from_settings')
def test_restricted_set_dataset_not_owner(self, mock_connection):
mock_connection.return_value = create_mock_connection()
# Contributor has dataverse auth, but is not the node authorizer
self.contrib.add_addon('dataverse')
self.contrib.save()
url = api_url_for('dataverse_set_config', pid=self.project._primary_key)
params = {
'dataverse': {'alias': 'ALIAS1'},
'dataset': {'doi': 'doi:12.3456/DVN/00002'},
}
res = self.app.post_json(url, params, auth=self.contrib.auth,
expect_errors=True)
assert_equal(res.status_code, http.FORBIDDEN)
def test_many_users_each_with_the_same_github(self):
user = AuthUserFactory()
user.add_addon('github')
user.external_accounts.append(self.oauth_settings)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res['provider']['name'] == 'github'][0]
assert_equal(github_res['users']['total'], 2)
def test_s3_set_bucket_no_auth(self):
user = AuthUserFactory()
user.add_addon("s3")
self.project.add_contributor(user, save=True)
url = self.project.api_url_for("s3_post_node_settings")
res = self.app.post_json(url, {"s3_bucket": "hammertofall"}, auth=user.auth, expect_errors=True)
assert_equal(res.status_code, http.BAD_REQUEST)
def test_many_users_each_with_the_same_github_enabled(self):
user = AuthUserFactory()
user.add_addon("github")
user.external_accounts.append(self.external_account)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res["provider"]["name"] == "github"][0]
assert_equal(github_res["users"]["enabled"], 2)
class TestGoogleDriveUtils(OsfTestCase):
def setUp(self):
super(TestGoogleDriveUtils, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('googledrive')
self.project = ProjectFactory(creator=self.user)
self.project.add_addon('googledrive', Auth(self.user))
self.node_settings = self.project.get_addon('googledrive')
self.user_settings = self.user.get_addon('googledrive')
oauth_settings = GoogleDriveOAuthSettingsFactory()
self.user_settings.oauth_settings = oauth_settings
self.node_settings.user_settings = self.user_settings
self.node_settings.folder_id = '09120912'
self.node_settings.folder_path = 'foo/bar'
self.user_settings.save()
self.node_settings.save()
# Log user in
self.app.authenticate(*self.user.auth)
def test_serialize_settings_helper_returns_correct_urls(self):
result = serialize_settings(self.node_settings, self.user)
urls = result['urls']
assert_equal(urls['files'], self.project.web_url_for('collect_file_trees'))
assert_equal(urls['config'], self.project.api_url_for('googledrive_config_put'))
assert_equal(urls['deauthorize'], self.project.api_url_for('googledrive_deauthorize'))
assert_equal(urls['importAuth'], self.project.api_url_for('googledrive_import_user_auth'))
# Includes endpoint for fetching folders only
# NOTE: Querystring params are in camelCase
assert_equal(urls['get_folders'], self.project.api_url_for('googledrive_folders'))
def test_serialize_settings_helper_returns_correct_auth_info(self):
self.user_settings.access_token = 'abc123'
result = serialize_settings(self.node_settings, self.user)
assert_equal(result['nodeHasAuth'], self.node_settings.has_auth)
assert_true(result['userHasAuth'])
assert_true(result['userIsOwner'])
def test_serialize_settings_for_user_no_auth(self):
no_addon_user = AuthUserFactory()
result = serialize_settings(self.node_settings, no_addon_user)
assert_false(result['userIsOwner'])
assert_false(result['userHasAuth'])
def test_googledrive_import_user_auth_returns_serialized_settings(self):
self.node_settings.user_settings = None
self.node_settings.save()
url = api_url_for('googledrive_import_user_auth', pid=self.project._primary_key)
res = self.app.put(url, auth=self.user.auth)
self.project.reload()
self.node_settings.reload()
expected_result = serialize_settings(self.node_settings, self.user)
result = res.json['result']
assert_equal(result, expected_result)
class TestGoogleDriveUtils(OsfTestCase):
def setUp(self):
super(TestGoogleDriveUtils, self).setUp()
self.user = AuthUserFactory()
self.user.add_addon('googledrive')
self.project = ProjectFactory(creator=self.user)
self.project.add_addon('googledrive', Auth(self.user))
self.node_settings = self.project.get_addon('googledrive')
self.user_settings = self.user.get_addon('googledrive')
oauth_settings = GoogleDriveOAuthSettingsFactory()
self.user_settings.oauth_settings = oauth_settings
self.node_settings.user_settings = self.user_settings
self.node_settings.folder_id = '09120912'
self.node_settings.folder_path = 'foo/bar'
self.user_settings.save()
self.node_settings.save()
# Log user in
self.app.authenticate(*self.user.auth)
def test_serialize_settings_helper_returns_correct_urls(self):
result = serialize_settings(self.node_settings, self.user)
urls = result['urls']
assert_equal(urls['files'], self.project.web_url_for('collect_file_trees'))
assert_equal(urls['config'], self.project.api_url_for('googledrive_config_put'))
assert_equal(urls['deauthorize'], self.project.api_url_for('googledrive_deauthorize'))
assert_equal(urls['importAuth'], self.project.api_url_for('googledrive_import_user_auth'))
# Includes endpoint for fetching folders only
# NOTE: Querystring params are in camelCase
assert_equal(urls['get_folders'], self.project.api_url_for('googledrive_folders'))
def test_serialize_settings_helper_returns_correct_auth_info(self):
self.user_settings.access_token = 'abc123'
result = serialize_settings(self.node_settings, self.user)
assert_equal(result['nodeHasAuth'], self.node_settings.has_auth)
assert_true(result['userHasAuth'])
assert_true(result['userIsOwner'])
def test_serialize_settings_for_user_no_auth(self):
no_addon_user = AuthUserFactory()
result = serialize_settings(self.node_settings, no_addon_user)
assert_false(result['userIsOwner'])
assert_false(result['userHasAuth'])
def test_googledrive_import_user_auth_returns_serialized_settings(self):
self.node_settings.user_settings = None
self.node_settings.save()
url = api_url_for('googledrive_import_user_auth', pid=self.project._primary_key)
res = self.app.put(url, auth=self.user.auth)
self.project.reload()
self.node_settings.reload()
expected_result = serialize_settings(self.node_settings, self.user)
result = res.json['result']
assert_equal(result, expected_result)
def test_many_users_each_with_the_same_github(self):
user = AuthUserFactory()
user.add_addon('github')
user.external_accounts.append(self.oauth_settings)
user.save()
results = AddonSnapshot().get_events()
github_res = [
res for res in results if res['provider']['name'] == 'github'
][0]
assert_equal(github_res['users']['total'], 2)
def test_s3_set_bucket_no_auth(self):
user = AuthUserFactory()
user.add_addon('s3')
self.project.add_contributor(user, save=True)
url = self.project.api_url_for('s3_set_config')
res = self.app.put_json(url, {'s3_bucket': 'hammertofall'},
auth=user.auth,
expect_errors=True)
assert_equal(res.status_code, http.FORBIDDEN)
def test_many_users_each_with_a_different_github(self):
user = AuthUserFactory()
user.add_addon('github')
oauth_settings2 = GitHubAccountFactory(display_name='hmoco2')
oauth_settings2.save()
user.external_accounts.append(oauth_settings2)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res['provider']['name'] == 'github'][0]
assert_equal(github_res['users']['total'], 2)
def test_dropbox_get_share_emails_returns_error_if_not_authorizer(self):
contrib = AuthUserFactory()
contrib.add_addon('dropbox')
contrib.save()
self.project.add_contributor(contrib, auth=Auth(self.user))
self.project.save()
url = api_url_for('dropbox_get_share_emails', pid=self.project._primary_key)
# Non-authorizing contributor sends request
res = self.app.get(url, auth=contrib.auth, expect_errors=True)
assert_equal(res.status_code, httplib.FORBIDDEN)
def test_github_enabled_not_linked_or_authorized(self):
user = AuthUserFactory()
user.add_addon("github")
user.external_accounts.append(self.external_account)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res["provider"]["name"] == "github"][0]
assert_equal(github_res["users"]["enabled"], 2)
assert_equal(github_res["users"]["authorized"], 1)
assert_equal(github_res["users"]["linked"], 1)
def test_github_enabled_not_linked_or_authorized(self):
user = AuthUserFactory()
user.add_addon('github')
user.external_accounts.append(self.external_account)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res['provider']['name'] == 'github'][0]
assert_equal(github_res['users']['enabled'], 2)
assert_equal(github_res['users']['authorized'], 1)
assert_equal(github_res['users']['linked'], 1)
def test_s3_set_bucket_no_auth(self):
user = AuthUserFactory()
user.add_addon('s3')
self.project.add_contributor(user, save=True)
url = self.project.api_url + 's3/settings/'
res = self.app.post_json(url, {'s3_bucket': 'hammertofall'},
auth=user.auth,
expect_errors=True)
assert_equal(res.status_code, http.BAD_REQUEST)
class TestAuthViews(OsfTestCase):
def setUp(self):
super(TestAuthViews, self).setUp()
self.user = AuthUserFactory()
# Log user in
self.app.authenticate(*self.user.auth)
def test_dropbox_oauth_start(self):
url = api_url_for('dropbox_oauth_start_user')
res = self.app.get(url)
assert_is_redirect(res)
assert_in('&force_reapprove=true', res.location)
@mock.patch('website.addons.dropbox.views.auth.DropboxOAuth2Flow.finish')
@mock.patch('website.addons.dropbox.views.auth.get_client_from_user_settings')
def test_dropbox_oauth_finish(self, mock_get, mock_finish):
mock_client = mock.MagicMock()
mock_client.account_info.return_value = {'display_name': 'Mr. Drop Box'}
mock_get.return_value = mock_client
mock_finish.return_value = ('mytoken123', 'mydropboxid', 'done')
url = api_url_for('dropbox_oauth_finish')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.dropbox.client.DropboxClient.disable_access_token')
def test_dropbox_oauth_delete_user(self, mock_disable_access_token):
self.user.add_addon('dropbox')
settings = self.user.get_addon('dropbox')
settings.access_token = '12345abc'
settings.save()
assert_true(settings.has_auth)
self.user.save()
url = api_url_for('dropbox_oauth_delete_user')
self.app.delete(url)
settings.reload()
assert_false(settings.has_auth)
@mock.patch('website.addons.dropbox.client.DropboxClient.disable_access_token')
def test_dropbox_oauth_delete_user_with_invalid_credentials(self, mock_disable_access_token):
self.user.add_addon('dropbox')
settings = self.user.get_addon('dropbox')
settings.access_token = '12345abc'
settings.save()
assert_true(settings.has_auth)
mock_response = mock.Mock()
mock_response.status = 401
mock_disable_access_token.side_effect = ErrorResponse(mock_response, "The given OAuth 2 access token doesn't exist or has expired.")
self.user.save()
url = api_url_for('dropbox_oauth_delete_user')
self.app.delete(url)
settings.reload()
assert_false(settings.has_auth)
def test_s3_set_bucket_already_authed(self):
user = AuthUserFactory()
user.add_addon("s3")
user_settings = user.get_addon("s3")
user_settings.access_key = "foo"
user_settings.secret_key = "bar"
user_settings.save()
self.project.add_contributor(user, save=True)
url = self.project.api_url_for("s3_post_node_settings")
res = self.app.post_json(url, {"s3_bucket": "hammertofall"}, auth=user.auth, expect_errors=True)
assert_equal(res.status_code, http.BAD_REQUEST)
def test_s3_set_bucket_no_auth(self):
user = AuthUserFactory()
user.add_addon('s3')
self.project.add_contributor(user, save=True)
url = self.project.api_url + 's3/settings/'
res = self.app.post_json(
url, {'s3_bucket': 'hammertofall'}, auth=user.auth,
expect_errors=True
)
assert_equal(res.status_code, http.BAD_REQUEST)
class TestAuthViews(OsfTestCase):
def setUp(self):
super(TestAuthViews, self).setUp()
self.user = AuthUserFactory()
# Log user in
self.app.authenticate(*self.user.auth)
def test_box_oauth_start(self):
url = api_url_for('box_oauth_start_user')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.box.views.auth.box_oauth_finish')
@mock.patch('website.addons.box.views.auth.finish_auth')
@mock.patch('website.addons.box.views.auth.BoxClient')
def test_box_oauth_finish(self, mock_get, mock_finish, mock_oauth):
mock_client = mock.MagicMock()
mock_client.get_user_info.return_value = {
'name': 'Mr. Box',
'id': '1234567890'
}
mock_get.return_value = mock_client
mock_finish.return_value = {
'token_type': 'something',
'access_token': 'something',
'refresh_token': 'something'
}
mock_oauth.return_value = ('mytoken123', 'myboxid', 'done')
url = api_url_for('box_oauth_finish')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.box.views.auth.flash')
def test_box_oauth_finish_cancelled(self, mock_flash):
url = api_url_for('box_oauth_finish', error='User declined!')
res = self.app.get(url)
assert_is_redirect(res)
mock_flash.assert_called_once()
@mock.patch('website.addons.box.model.BoxOAuthSettings.revoke_access_token'
)
def test_box_oauth_delete_user(self, mock_disable_access_token):
self.user.add_addon('box')
settings = self.user.get_addon('box')
oauth = BoxOAuthSettings(user_id='fa;l', access_token='a;lkjadl;kas')
oauth.save()
settings.oauth_settings = oauth
settings.save()
assert_true(settings.has_auth)
self.user.save()
url = api_url_for('box_oauth_delete_user')
self.app.delete(url)
settings.reload()
assert_false(settings.has_auth)
def test_s3_set_bucket_no_auth(self):
user = AuthUserFactory()
user.add_addon('s3')
self.project.add_contributor(user, save=True)
url = self.project.api_url_for('s3_set_config')
res = self.app.put_json(
url, {'s3_bucket': 'hammertofall'}, auth=user.auth,
expect_errors=True
)
assert_equal(res.status_code, http.FORBIDDEN)
def test_many_users_each_with_a_different_github(self):
user = AuthUserFactory()
user.add_addon("github")
oauth_settings2 = GitHubAccountFactory(display_name="hmoco2")
oauth_settings2.save()
user.external_accounts.append(oauth_settings2)
user.save()
results = AddonSnapshot().get_events()
github_res = [res for res in results if res["provider"]["name"] == "github"][0]
assert_equal(github_res["users"]["enabled"], 2)
assert_equal(github_res["users"]["authorized"], 1)
assert_equal(github_res["users"]["linked"], 1)
def test_github_enabled_not_linked_or_authorized(self):
user = AuthUserFactory()
user.add_addon('github')
user.external_accounts.append(self.external_account)
user.save()
results = AddonSnapshot().get_events()
github_res = [
res for res in results if res['provider']['name'] == 'github'
][0]
assert_equal(github_res['users']['enabled'], 2)
assert_equal(github_res['users']['authorized'], 1)
assert_equal(github_res['users']['linked'], 1)
def test_many_users_each_with_a_different_github(self):
user = AuthUserFactory()
user.add_addon('github')
oauth_settings2 = GitHubAccountFactory(display_name='hmoco2')
oauth_settings2.save()
user.external_accounts.append(oauth_settings2)
user.save()
results = AddonSnapshot().get_events()
github_res = [
res for res in results if res['provider']['name'] == 'github'
][0]
assert_equal(github_res['users']['total'], 2)
def test_s3_set_bucket_already_authed(self):
user = AuthUserFactory()
user.add_addon('s3')
user_settings = user.get_addon('s3')
user_settings.access_key = 'foo'
user_settings.secret_key = 'bar'
user_settings.save()
self.project.add_contributor(user, save=True)
url = self.project.api_url_for('s3_post_node_settings')
res = self.app.post_json(url, {'s3_bucket': 'hammertofall'},
auth=user.auth,
expect_errors=True)
assert_equal(res.status_code, http.BAD_REQUEST)
class TestRestrictions(BoxAddonTestCase):
def setUp(self):
super(BoxAddonTestCase, self).setUp()
# Nasty contributor who will try to access folders that he shouldn't have
# access to
self.contrib = AuthUserFactory()
self.project.add_contributor(self.contrib, auth=Auth(self.user))
self.project.save()
self.user.add_addon('box')
settings = self.user.get_addon('box')
settings.access_token = '12345abc'
settings.last_refreshed = datetime.utcnow()
settings.save()
self.patcher = mock.patch(
'website.addons.box.model.BoxNodeSettings.fetch_folder_name')
self.patcher.return_value = 'foo bar/baz'
self.patcher.start()
@mock.patch('website.addons.box.model.BoxNodeSettings.has_auth')
def test_restricted_hgrid_data_contents(self, mock_auth):
mock_auth.__get__ = mock.Mock(return_value=False)
# tries to access a parent folder
url = self.project.api_url_for('box_list_folders', path='foo bar')
res = self.app.get(url, auth=self.contrib.auth, expect_errors=True)
assert_equal(res.status_code, httplib.FORBIDDEN)
def test_restricted_config_contrib_no_addon(self):
url = api_url_for('box_config_put', pid=self.project._primary_key)
res = self.app.put_json(url, {'selected': {
'path': 'foo'
}},
auth=self.contrib.auth,
expect_errors=True)
assert_equal(res.status_code, httplib.BAD_REQUEST)
def test_restricted_config_contrib_not_owner(self):
# Contributor has box auth, but is not the node authorizer
self.contrib.add_addon('box')
self.contrib.save()
url = api_url_for('box_config_put', pid=self.project._primary_key)
res = self.app.put_json(url, {'selected': {
'path': 'foo'
}},
auth=self.contrib.auth,
expect_errors=True)
assert_equal(res.status_code, httplib.FORBIDDEN)
class TestAuthViews(OsfTestCase):
def setUp(self):
super(TestAuthViews, self).setUp()
self.user = AuthUserFactory()
# Log user in
self.app.authenticate(*self.user.auth)
def test_box_oauth_start(self):
url = api_url_for('box_oauth_start_user')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.box.views.auth.box_oauth_finish')
@mock.patch('website.addons.box.views.auth.finish_auth')
@mock.patch('website.addons.box.views.auth.BoxClient')
def test_box_oauth_finish(self, mock_get, mock_finish, mock_oauth):
mock_client = mock.MagicMock()
mock_client.get_user_info.return_value = {'name': 'Mr. Box', 'id': '1234567890'}
mock_get.return_value = mock_client
mock_finish.return_value = {
'token_type': 'something',
'access_token': 'something',
'refresh_token': 'something'
}
mock_oauth.return_value = ('mytoken123', 'myboxid', 'done')
url = api_url_for('box_oauth_finish')
res = self.app.get(url)
assert_is_redirect(res)
@mock.patch('website.addons.box.views.auth.flash')
def test_box_oauth_finish_cancelled(self, mock_flash):
url = api_url_for('box_oauth_finish', error='User declined!')
res = self.app.get(url)
assert_is_redirect(res)
mock_flash.assert_called_once()
@mock.patch('website.addons.box.model.BoxOAuthSettings.revoke_access_token')
def test_box_oauth_delete_user(self, mock_disable_access_token):
self.user.add_addon('box')
settings = self.user.get_addon('box')
oauth = BoxOAuthSettings(user_id='fa;l', access_token='a;lkjadl;kas')
oauth.save()
settings.oauth_settings = oauth
settings.save()
assert_true(settings.has_auth)
self.user.save()
url = api_url_for('box_oauth_delete_user')
self.app.delete(url)
settings.reload()
assert_false(settings.has_auth)
def test_import_auth_cant_write_node(self):
ea = self.ExternalAccountFactory()
user = AuthUserFactory()
user.add_addon(self.ADDON_SHORT_NAME, auth=Auth(user))
user.external_accounts.append(ea)
user.save()
node = ProjectFactory(creator=self.user)
node.add_contributor(user, permissions=[permissions.READ], auth=self.auth, save=True)
node.add_addon(self.ADDON_SHORT_NAME, auth=self.auth)
node.save()
url = node.api_url_for("{0}_import_auth".format(self.ADDON_SHORT_NAME))
res = self.app.put_json(url, {"external_account_id": ea._id}, auth=user.auth, expect_errors=True)
assert_equal(res.status_code, http.FORBIDDEN)
def test_s3_set_bucket_already_authed(self):
user = AuthUserFactory()
user.add_addon('s3')
user_settings = user.get_addon('s3')
user_settings.access_key = 'foo'
user_settings.secret_key = 'bar'
user_settings.save()
self.project.add_contributor(user, save=True)
url = self.project.api_url + 's3/settings/'
res = self.app.post_json(
url, {'s3_bucket': 'hammertofall'}, auth=user.auth,
expect_errors=True
)
assert_equal(res.status_code, http.BAD_REQUEST)
def test_import_auth_cant_write_node(self):
ea = self.ExternalAccountFactory()
user = AuthUserFactory()
user.add_addon(self.ADDON_SHORT_NAME, auth=Auth(user))
user.external_accounts.append(ea)
user.save()
node = ProjectFactory(creator=self.user)
node.add_contributor(user, permissions=[permissions.READ], auth=self.auth, save=True)
node.add_addon(self.ADDON_SHORT_NAME, auth=self.auth)
node.save()
url = node.api_url_for('{0}_import_auth'.format(self.ADDON_SHORT_NAME))
res = self.app.put_json(url, {
'external_account_id': ea._id
}, auth=user.auth, expect_errors=True)
assert_equal(res.status_code, http.FORBIDDEN)
def test_set_config_not_owner(self, mock_metadata):
mock_metadata.return_value = MockFolder(name="Fake Folder")
user = AuthUserFactory()
user.add_addon("mendeley")
self.project.add_contributor(user)
self.project.save()
res = self.app.put_json(
self.project.api_url_for("mendeley_set_config"),
{"external_account_id": self.account._id, "external_list_id": "list"},
auth=user.auth,
)
self.node_addon.reload()
assert_equal(self.user_addon, self.node_addon.user_settings)
serializer = MendeleySerializer(node_settings=self.node_addon, user_settings=None)
expected = {"result": serializer.serialized_node_settings}
assert_equal(res.json, expected)
def test_set_config_not_owner(self):
user = AuthUserFactory()
user.add_addon('mendeley')
self.project.add_contributor(user)
self.project.save()
res = self.app.put_json(
self.project.api_url_for('mendeley_set_config'),
{
'external_account_id': self.account._id,
'external_list_id': 'list',
},
auth=user.auth,
)
self.node_addon.reload()
assert_equal(self.user_addon, self.node_addon.user_settings)
assert_equal(res.json, {})
class TestRestrictions(DropboxAddonTestCase):
def setUp(self):
super(DropboxAddonTestCase, self).setUp()
# Nasty contributor who will try to access folders that he shouldn't have
# access to
self.contrib = AuthUserFactory()
self.project.add_contributor(self.contrib, auth=Auth(self.user))
self.project.save()
# Set shared folder
self.node_settings.folder = 'foo bar/bar'
self.node_settings.save()
@mock.patch('website.addons.dropbox.client.DropboxClient.metadata')
def test_restricted_hgrid_data_contents(self, mock_metadata):
mock_metadata.return_value = mock_responses['metadata_list']
# tries to access a parent folder
url = self.project.api_url_for('dropbox_hgrid_data_contents',
path='foo bar')
res = self.app.get(url, auth=self.contrib.auth, expect_errors=True)
assert_equal(res.status_code, httplib.FORBIDDEN)
def test_restricted_config_contrib_no_addon(self):
url = self.project.api_url_for('dropbox_config_put')
res = self.app.put_json(url, {'selected': {
'path': 'foo'
}},
auth=self.contrib.auth,
expect_errors=True)
assert_equal(res.status_code, httplib.BAD_REQUEST)
def test_restricted_config_contrib_not_owner(self):
# Contributor has dropbox auth, but is not the node authorizer
self.contrib.add_addon('dropbox')
self.contrib.save()
url = self.project.api_url_for('dropbox_config_put')
res = self.app.put_json(url, {'selected': {
'path': 'foo'
}},
auth=self.contrib.auth,
expect_errors=True)
assert_equal(res.status_code, httplib.FORBIDDEN)
def test_set_user_config(self, mock_connection):
mock_connection.return_value = create_mock_connection()
# Create a user with no settings
user = AuthUserFactory()
user.add_addon('dataverse')
user_settings = user.get_addon('dataverse')
url = api_url_for('dataverse_set_user_config')
params = {'api_token': 'snowman-frosty'}
# Post dataverse credentials
self.app.post_json(url, params, auth=user.auth)
user_settings.reload()
# User settings have updated correctly
assert_equal(user_settings.api_token, 'snowman-frosty')
def test_serialize_settings_helper_non_owner(self, mock_connection):
mock_connection.return_value = create_mock_connection()
# Non-owner user without add-on
serializer = DataverseSerializer(node_settings=self.node_settings)
result = serializer.serialized_node_settings
assert_equal(result['nodeHasAuth'], self.node_settings.has_auth)
assert_false(result['userHasAuth'])
assert_false(result['userIsOwner'])
# Non-owner user with add-on
stranger = AuthUserFactory()
stranger.add_addon('dataverse')
stranger.external_accounts.append(create_external_account())
serializer.user_settings = stranger.get_addon('dataverse')
result = serializer.serialized_node_settings
assert_equal(result['nodeHasAuth'], self.node_settings.has_auth)
assert_true(result['userHasAuth'])
assert_false(result['userIsOwner'])
def test_serialize_settings_helper_non_owner(self, mock_connection):
mock_connection.return_value = create_mock_connection()
# Non-owner user without add-on
stranger = AuthUserFactory()
result = serialize_settings(self.node_settings, stranger)
assert_equal(result['nodeHasAuth'], self.node_settings.has_auth)
assert_false(result['userHasAuth'])
assert_false(result['userIsOwner'])
# Non-owner user with add-on
stranger.add_addon('dataverse')
stranger_settings = stranger.get_addon('dataverse')
stranger_settings.api_token = 'foo-bar'
stranger_settings.save()
result = serialize_settings(self.node_settings, stranger)
assert_equal(result['nodeHasAuth'], self.node_settings.has_auth)
assert_true(result['userHasAuth'])
assert_false(result['userIsOwner'])
class TestDropboxIntegration(OsfTestCase):
def setUp(self):
super(TestDropboxIntegration, self).setUp()
self.user = AuthUserFactory()
# User is logged in
self.app.authenticate(*self.user.auth)
def test_cant_start_oauth_if_already_authorized(self):
# User already has dropbox authorized
self.user.add_addon('dropbox')
self.user.save()
settings = self.user.get_addon('dropbox')
settings.access_token = 'abc123foobarbaz'
settings.save()
assert_true(self.user.get_addon('dropbox').has_auth)
# Tries to start oauth again
url = api_url_for('dropbox_oauth_start_user')
res = self.app.get(url).follow()
# Is redirected back to settings page
assert_equal(res.request.path, web_url_for('user_addons'))
class TestAddonAuth(OsfTestCase):
def setUp(self):
super(TestAddonAuth, self).setUp()
self.flask_app = SetEnvironMiddleware(self.app.app, REMOTE_ADDR='127.0.0.1')
self.test_app = webtest.TestApp(self.flask_app)
self.user = AuthUserFactory()
self.auth_obj = Auth(user=self.user)
self.node = ProjectFactory(creator=self.user)
self.session = Session(data={'auth_user_id': self.user._id})
self.session.save()
self.cookie = itsdangerous.Signer(settings.SECRET_KEY).sign(self.session._id)
self.configure_addon()
def configure_addon(self):
self.user.add_addon('github')
self.user_addon = self.user.get_addon('github')
self.oauth_settings = AddonGitHubOauthSettings(github_user_id='john')
self.oauth_settings.save()
self.user_addon.oauth_settings = self.oauth_settings
self.user_addon.oauth_access_token = 'secret'
self.user_addon.save()
self.node.add_addon('github', self.auth_obj)
self.node_addon = self.node.get_addon('github')
self.node_addon.user = '******'
self.node_addon.repo = 'youre-my-best-friend'
self.node_addon.user_settings = self.user_addon
self.node_addon.save()
def build_url(self, **kwargs):
options = dict(
action='download',
cookie=self.cookie,
nid=self.node._id,
provider=self.node_addon.config.short_name,
)
options.update(kwargs)
return api_url_for('get_auth', **options)
def test_auth_download(self):
url = self.build_url()
res = self.test_app.get(url)
assert_equal(res.json['auth'], views.make_auth(self.user))
assert_equal(res.json['credentials'], self.node_addon.serialize_waterbutler_credentials())
assert_equal(res.json['settings'], self.node_addon.serialize_waterbutler_settings())
expected_url = furl.furl(self.node.api_url_for('create_waterbutler_log', _absolute=True))
observed_url = furl.furl(res.json['callback_url'])
observed_url.port = expected_url.port
assert_equal(expected_url, observed_url)
def test_auth_missing_args(self):
url = self.build_url(cookie=None)
res = self.test_app.get(url, expect_errors=True)
assert_equal(res.status_code, 400)
def test_auth_bad_cookie(self):
url = self.build_url(cookie=self.cookie[::-1])
res = self.test_app.get(url, expect_errors=True)
assert_equal(res.status_code, 401)
def test_auth_missing_addon(self):
url = self.build_url(provider='queenhub')
res = self.test_app.get(url, expect_errors=True)
assert_equal(res.status_code, 400)
def test_auth_bad_ip(self):
flask_app = SetEnvironMiddleware(self.app.app, REMOTE_ADDR='192.168.1.1')
test_app = webtest.TestApp(flask_app)
url = self.build_url()
res = test_app.get(url, expect_errors=True)
assert_equal(res.status_code, 403)