def test_superuser_may_add_user(self):
USERNAME = '******'
resp = self.post('%sadd/' % self.USER_UI_URL, data={'add-is-user-username': USERNAME,
'add-is-user-password': '******'})
assert_http_redirect(resp)
assert_true(User.objects.filter(username=USERNAME).exists())
def test_user_should_be_authorized_with_two_factor_authentication(
self, user):
login_resp = self.post(self.UI_TWO_FACTOR_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(login_resp)
resp_location = login_resp['Location']
assert_equal(resp_location[:resp_location.find('?')],
settings.TWO_FACTOR_REDIRECT_URL)
assert_false(login_resp.wsgi_request.user.is_authenticated)
token = login_resp.wsgi_request.token
assert_true(token.two_factor_code is not None)
assert_false(token.is_authenticated)
# the code value needs to be overwritted, so that its value could be used for next request
token.two_factor_code = make_password('12345',
salt=Token.TWO_FACTOR_CODE_SALT)
token.save()
code_check_resp = self.post(self.UI_CODE_CHECK_LOGIN_URL,
{'code': '12345'})
assert_http_redirect(code_check_resp)
assert_equal(code_check_resp['location'], '/accounts/profile/')
assert_true(code_check_resp.wsgi_request.token.is_authenticated)
assert_true(code_check_resp.wsgi_request.user.is_authenticated)
assert_equal(code_check_resp.wsgi_request.user, user)
def test_superuser_may_add_user(self):
USERNAME = '******'
resp = self.post('%sadd/' % self.USER_UI_URL, data={'add-is-user-username': USERNAME,
'add-is-user-password': '******'})
assert_http_redirect(resp)
assert_true(User.objects.filter(username=USERNAME).exists())
def test_group_permission_shound_not_be_over_limit(self):
group_a = Group.objects.create(name='group A')
group_b = Group.objects.create(name='group B')
group_c = Group.objects.create(name='group C')
resp = self.post(
'/group/{}/'.format(group_a.pk), {
'detail-is-group-name': 'group A',
'detail-is-group-fgroups': [group_b.pk],
'detail-is-group-fperms': []
})
assert_http_redirect(resp)
resp = self.post(
'/group/{}/'.format(group_b.pk), {
'detail-is-group-name': 'group B',
'detail-is-group-fgroups': [group_c.pk],
'detail-is-group-fperms': []
})
assert_http_ok(resp)
with override_settings(PERM_GROUP_MAX_LEVEL=3):
resp = self.post(
'/group/{}/'.format(group_b.pk), {
'detail-is-group-name': 'group B',
'detail-is-group-fgroups': [group_c.pk],
'detail-is-group-fperms': []
})
assert_http_redirect(resp)
def authorize(self, username, password):
assert_http_redirect(
self.post(config.LOGIN_URL, {
config.USERNAME: username,
config.PASSWORD: password
},
content_type=MULTIPART_CONTENT))
def test_user_should_not_be_authorized_via_cookie_if_cookie_is_turned_off(
self, user):
resp = self.post(self.UI_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(resp)
assert_http_redirect(self.get(self.INDEX_URL))
def test_user_should_be_authorized_with_changed_cookie_name(self, user):
resp = self.post(self.UI_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(resp)
assert_in('ChangedAuthorization', self.c.cookies)
assert_http_ok(self.get(self.INDEX_URL))
def test_user_with_permission_may_add_user(self):
self.logged_user.user.perms.add_perm('core.issue_tracker.UserIsCore.create')
USERNAME = '******'
resp = self.post('%sadd/' % self.USER_UI_URL, data={'add-is-user-username': USERNAME,
'add-is-user-password': '******'})
assert_http_redirect(resp)
assert_true(User.objects.filter(username=USERNAME).exists())
def test_user_should_be_logged_out_via_cookies(self, user):
resp = self.post(self.UI_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(resp)
assert_http_ok(self.get(self.INDEX_URL))
assert_http_ok(self.get(self.UI_LOGOUT_URL))
assert_http_redirect(self.get(self.INDEX_URL))
def test_user_should_not_be_authorized_via_cookie_if_cookie_has_not_allowed_header(
self, user):
resp = self.post(self.UI_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(resp)
assert_http_ok(self.get(self.INDEX_URL))
assert_in('Authorization', self.c.cookies)
Token.objects.all().update(allowed_cookie=False)
assert_http_redirect(self.get(self.INDEX_URL))
def test_send_two_factor_token_should_be_called_for_two_factor_login(
self, send_two_factor_token):
self.create_user()
login_resp = self.post(self.UI_TWO_FACTOR_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(login_resp)
send_two_factor_token.assert_called_once_with(
login_resp.wsgi_request.token, self.CODE)
def test_user_should_be_authorized_via_cookie(self, user):
assert_http_redirect(self.get(self.INDEX_URL))
resp = self.post(self.UI_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(resp)
assert_http_ok(self.get(self.INDEX_URL))
assert_in('Authorization', self.c.cookies)
assert_false(Token.objects.last().allowed_header)
assert_true(Token.objects.last().allowed_cookie)
def test_token_type_should_be_required(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_http_ok(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_http_redirect(
self.get(self.INDEX_URL,
headers={'HTTP_AUTHORIZATION': resp.json()['token']}))
def test_user_should_not_be_authorized_via_http_header_if_headers_are_turned_off(
self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_in('token', resp.json())
assert_http_redirect(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_false(self.client.cookies)
def test_user_should_be_authorized_via_http_header(self, user):
assert_http_redirect(self.get(self.INDEX_URL))
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_in('token', resp.json())
assert_http_ok(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_not_in('Authorization', self.c.cookies)
assert_true(Token.objects.last().allowed_header)
assert_false(Token.objects.last().allowed_cookie)
def test_token_should_be_expired(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
token = resp.json()['token']
resp = self.get(
self.INDEX_URL,
headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)})
assert_in('X-Authorization-Expiration', resp)
assert_true(resp['X-Authorization-Expiration'].startswith('0:59'))
with freeze_time(timezone.now() + timedelta(hours=1), tick=True):
assert_http_redirect(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION': 'Bearer {}'.format(token),
}))
def test_user_should_be_logged_out_via_http_header(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
token = resp.json()['token']
assert_http_ok(
self.get(self.INDEX_URL,
headers={'HTTP_AUTHORIZATION':
'Bearer {}'.format(token)}))
assert_http_accepted(
self.delete(
self.API_LOGIN_URL,
headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)}))
assert_http_redirect(
self.get(self.INDEX_URL,
headers={'HTTP_AUTHORIZATION':
'Bearer {}'.format(token)}))
def test_user_should_be_authorized_with_changed_header_name(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_in('token', resp.json())
assert_http_ok(
self.get(self.INDEX_URL,
headers={
'HTTP_X_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_http_redirect(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
def test_group_permission_shoud_not_have_cycles(self):
group_a = Group.objects.create(name='group A')
group_b = Group.objects.create(name='group B')
resp = self.post(
'/group/{}/'.format(group_a.pk), {
'detail-is-group-name': 'group A',
'detail-is-group-fgroups': [group_b.pk],
'detail-is-group-fperms': []
})
assert_http_redirect(resp)
resp = self.post(
'/group/{}/'.format(group_b.pk), {
'detail-is-group-name': 'group B',
'detail-is-group-fgroups': [group_a.pk],
'detail-is-group-fperms': []
})
assert_http_ok(resp)
def test_user_should_not_be_authorized_via_header_if_token_has_not_allowed_header(
self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_http_ok(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
Token.objects.all().update(allowed_header=False)
assert_http_redirect(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
def test_user_should_not_be_logged_in_two_factor_for_invalid_code(
self, user):
login_resp = self.post(self.UI_TWO_FACTOR_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(login_resp)
# the code value needs to be overwritten, so that its value could be used for next request
login_resp.wsgi_request.token.two_factor_code = make_password(
'12345', salt=Token.TWO_FACTOR_CODE_SALT)
login_resp.wsgi_request.token.save()
code_check_resp = self.post(self.UI_CODE_CHECK_LOGIN_URL,
{'code': 'other_code'})
assert_http_ok(code_check_resp)
assert_in(
_('The inserted value does not correspond to the sent code.'),
code_check_resp._container[0].decode('utf8'))
assert_false(code_check_resp.wsgi_request.token.is_authenticated)
def test_user_should_log_and_logout_to_the_administration(self, user):
assert_http_redirect(self.get(self.INDEX_URL))
resp = self.post(self.LOGIN_URL, {'username': '******', 'password': '******'})
assert_http_redirect(resp)
assert_http_ok(self.get(self.INDEX_URL))
assert_in('Authorization', self.c.cookies)
assert_false(Token.objects.last().allowed_header)
assert_true(Token.objects.last().allowed_cookie)
assert_http_ok(self.get(self.LOGOUT_URL))
assert_http_redirect(self.get(self.INDEX_URL))
def test_non_logged_user_should_receive_302(self):
resp = self.get(self.USER_UI_URL)
assert_http_redirect(resp)
def authorize(self, username, password):
resp = self.post('/login/', {
'username': username,
'password': password
})
assert_http_redirect(resp)
def test_non_logged_user_should_receive_302(self):
resp = self.get('/user/')
assert_http_redirect(resp)
def test_non_logged_user_should_receive_302(self):
resp = self.get(self.USER_UI_URL)
assert_http_redirect(resp)
def authorize(self, username, password):
assert_http_redirect(
self.post(config.LOGIN_URL, {
config.USERNAME: username,
config.PASSWORD: password
}))
def authorize(self, username, password):
resp = self.post(config.LOGIN_URL, {config.USERNAME: username, config.PASSWORD: password})
assert_http_redirect(resp)