def test_authentication_log(self):
from frappe.auth import LoginManager, CookieManager
# test user login log
frappe.local.form_dict = {'cmd': 'login'}
frappe.form_dict = {
'sid': 'Guest',
'pwd': 'admin',
'usr': '******'
}
frappe.local.cookie_manager = CookieManager()
frappe.local.login_manager = LoginManager()
auth_log = self.get_auth_log()
self.assertEquals(auth_log.status, 'Success')
# test user logout log
frappe.local.login_manager.logout()
auth_log = self.get_auth_log(operation='Logout')
self.assertEquals(auth_log.status, 'Success')
# test invalid login
frappe.form_dict.update({'pwd': 'password'})
self.assertRaises(frappe.AuthenticationError, LoginManager)
auth_log = self.get_auth_log()
self.assertEquals(auth_log.status, 'Failed')
def test_brute_security(self):
update_system_settings({
'allow_consecutive_login_attempts': 3,
'allow_login_after_fail': 5
})
frappe.local.form_dict = frappe._dict({
'cmd': 'login',
'sid': 'Guest',
'pwd': 'admin',
'usr': '******'
})
frappe.local.cookie_manager = CookieManager()
frappe.local.login_manager = LoginManager()
auth_log = self.get_auth_log()
self.assertEquals(auth_log.status, 'Success')
# test user logout log
frappe.local.login_manager.logout()
auth_log = self.get_auth_log(operation='Logout')
self.assertEquals(auth_log.status, 'Success')
# test invalid login
frappe.form_dict.update({'pwd': 'password'})
self.assertRaises(frappe.AuthenticationError, LoginManager)
self.assertRaises(frappe.AuthenticationError, LoginManager)
self.assertRaises(frappe.AuthenticationError, LoginManager)
self.assertRaises(frappe.SecurityException, LoginManager)
time.sleep(5)
self.assertRaises(frappe.AuthenticationError, LoginManager)
frappe.local.form_dict = frappe._dict()
def test_activity_log(self):
# test user login log
frappe.local.form_dict = frappe._dict({
"cmd": "login",
"sid": "Guest",
"pwd": "admin",
"usr": "******"
})
frappe.local.cookie_manager = CookieManager()
frappe.local.login_manager = LoginManager()
auth_log = self.get_auth_log()
self.assertEqual(auth_log.status, "Success")
# test user logout log
frappe.local.login_manager.logout()
auth_log = self.get_auth_log(operation="Logout")
self.assertEqual(auth_log.status, "Success")
# test invalid login
frappe.form_dict.update({"pwd": "password"})
self.assertRaises(frappe.AuthenticationError, LoginManager)
auth_log = self.get_auth_log()
self.assertEqual(auth_log.status, "Failed")
frappe.local.form_dict = frappe._dict()
def test_brute_security(self):
update_system_settings({
"allow_consecutive_login_attempts": 3,
"allow_login_after_fail": 5
})
frappe.local.form_dict = frappe._dict({
"cmd": "login",
"sid": "Guest",
"pwd": "admin",
"usr": "******"
})
frappe.local.cookie_manager = CookieManager()
frappe.local.login_manager = LoginManager()
auth_log = self.get_auth_log()
self.assertEquals(auth_log.status, "Success")
# test user logout log
frappe.local.login_manager.logout()
auth_log = self.get_auth_log(operation="Logout")
self.assertEquals(auth_log.status, "Success")
# test invalid login
frappe.form_dict.update({"pwd": "password"})
self.assertRaises(frappe.AuthenticationError, LoginManager)
self.assertRaises(frappe.AuthenticationError, LoginManager)
self.assertRaises(frappe.AuthenticationError, LoginManager)
# REMOVE ME: current logic allows allow_consecutive_login_attempts+1 attempts
# before raising security exception, remove below line when that is fixed.
self.assertRaises(frappe.AuthenticationError, LoginManager)
self.assertRaises(frappe.SecurityException, LoginManager)
time.sleep(5)
self.assertRaises(frappe.AuthenticationError, LoginManager)
frappe.local.form_dict = frappe._dict()
def test_reset_password(self):
from frappe.auth import CookieManager, LoginManager
from frappe.utils import set_request
old_password = "******"
new_password = "******"
set_request(path="/random")
frappe.local.cookie_manager = CookieManager()
frappe.local.login_manager = LoginManager()
frappe.set_user("*****@*****.**")
test_user = frappe.get_doc("User", "*****@*****.**")
test_user.reset_password()
self.assertEqual(
update_password(new_password, key=test_user.reset_password_key),
"/app")
self.assertEqual(
update_password(new_password, key="wrong_key"),
"The Link specified has either been used before or Invalid")
# password verification should fail with old password
self.assertRaises(frappe.exceptions.AuthenticationError,
verify_password, old_password)
verify_password(new_password)
# reset password
update_password(old_password, old_password=new_password)
self.assertRaisesRegex(frappe.exceptions.ValidationError,
"Invalid key type", update_password, "test", 1,
['like', '%'])
password_strength_response = {
"feedback": {
"password_policy_validation_passed": False,
"suggestions": ["Fix password"]
}
}
# password strength failure test
with patch.object(user_module,
"test_password_strength",
return_value=password_strength_response):
self.assertRaisesRegex(frappe.exceptions.ValidationError,
"Fix password", update_password,
new_password, 0,
test_user.reset_password_key)
# test redirect URL for website users
frappe.set_user("*****@*****.**")
self.assertEqual(
update_password(new_password, old_password=old_password), "/")
# reset password
update_password(old_password, old_password=new_password)
# test API endpoint
with patch.object(user_module.frappe, 'sendmail') as sendmail:
frappe.clear_messages()
test_user = frappe.get_doc("User", "*****@*****.**")
self.assertEqual(reset_password(user="******"), None)
test_user.reload()
self.assertEqual(
update_password(new_password,
key=test_user.reset_password_key), "/")
update_password(old_password, old_password=new_password)
self.assertEqual(
json.loads(frappe.message_log[0]), {
"message":
"Password reset instructions have been sent to your email"
})
sendmail.assert_called_once()
self.assertEqual(sendmail.call_args[1]["recipients"],
"*****@*****.**")
self.assertEqual(reset_password(user="******"), None)
self.assertEqual(reset_password(user="******"), "not allowed")
self.assertEqual(reset_password(user="******"), "not found")
