def test_create_audit_event_separate_secrets():
    """``report_once`` must not collapse view events across different secrets.

    Two ``view_secret`` events are emitted for two distinct secrets with
    ``report_once=True``; both rows are expected to exist and the latest
    row carries the second description.
    """
    first_secret = SecretFactory()
    second_secret = SecretFactory()
    actor = UserFactory()

    for target, text in (
        (first_secret, "I viewed a secret"),
        (second_secret, "I viewed another secret"),
    ):
        create_audit_event(
            actor,
            Actions.view_secret,
            description=text,
            secret=target,
            report_once=True,
        )

    assert Audit.objects.count() == 2
    latest = Audit.objects.last()
    # Equality with timezone.now() only holds under a frozen clock; the
    # fixture providing that is outside this block.
    assert latest.timestamp == timezone.now()
    assert latest.description == "I viewed another secret"
def test_permission(self, start_permissions, input, expected):
    """Check the permission set left by ``Secret.set_permission``.

    Parametrised: ``start_permissions`` are granted first, ``input`` is
    then passed to ``set_permission``, and the resulting object-level
    permissions must equal ``expected``.
    """
    target = SecretFactory()
    grantee = UserFactory()
    for existing in start_permissions:
        assign_perm(existing, grantee, target)

    target.set_permission(grantee, input)

    granted = get_perms(grantee, target)
    assert set(granted) == expected
def test_remove_permissions(self, start_permissions):
    """``Secret.remove_permissions`` leaves the user with no object permissions.

    Parametrised over the starting grants so that revocation is verified
    regardless of which permissions were held beforehand.
    """
    target = SecretFactory()
    grantee = UserFactory()
    for existing in start_permissions:
        assign_perm(existing, grantee, target)

    target.remove_permissions(grantee)

    assert get_perms(grantee, target) == []
def test_invalid_code(self, client):
    """An unparseable MFA provisioning string is rejected and not persisted.

    The setup view re-renders the form (200) and ``secret.mfa_string``
    remains empty after the post.
    """
    editor = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("change_secret", editor, target)

    setup_url = reverse("secret:mfa_setup", kwargs={"pk": target.pk})
    response = client.post(setup_url, {"mfa_string": "invalid-otp-code"})
    target.refresh_from_db()

    assert response.status_code == 200
    assert not target.mfa_string
def test_setup_success(self, client):
    """A valid otpauth URI is stored on the secret and the user is redirected.

    Requires ``change_secret``; on success the view redirects (302) to the
    secret's MFA page and the stored ``mfa_string`` equals the posted value.
    """
    # Test-only fixture value. NOTE(review): the label segment
    # "%[email protected]" looks like an extraction artefact (e-mail
    # obfuscation) - confirm the literal against the repository.
    mfa_string = "otpauth://totp/Someapp%[email protected]?secret=SNVQHZZUNABGV7DP3M4UI57OH7YZWNFI&algorithm=SHA1&digits=6&period=30&issuer=Someapp"  # noqa
    editor = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("change_secret", editor, target)

    setup_url = reverse("secret:mfa_setup", kwargs={"pk": target.pk})
    response = client.post(setup_url, {"mfa_string": mfa_string})
    target.refresh_from_db()

    assert response.status_code == 302
    assert response.url == reverse("secret:mfa", kwargs={"pk": target.pk})
    assert target.mfa_string == mfa_string
def test_audit_event_is_created(self, client):
    """Removing a group's permission writes a single audit row.

    The row must reference the acting user and the secret, carry the
    (frozen) current timestamp and describe the group whose access was
    removed.
    """
    actor = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("change_secret", actor, target)

    group = GroupFactory()
    assign_perm("change_secret", group, target)
    assign_perm("view_secret", group, target)

    delete_url = reverse("secret:delete-permission", kwargs={"pk": target.pk})
    response = client.post(
        delete_url,
        {
            "group": group.id,
            "permission": "view_secret"
        },
    )
    assert response.status_code == 302

    assert Audit.objects.count() == 1
    entry = Audit.objects.first()
    assert entry.user == actor
    assert entry.timestamp == timezone.now()
    assert entry.secret == target
    assert entry.description == f"Access removed for {group}"
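def test_generate_token(self, client):
    """The MFA page renders a current 6-digit TOTP for a user who may view the secret.

    The code is scraped from the response body and checked with
    ``secret.verify_otp``. The match is asserted explicitly so that a page
    rendering no code fails with a readable message rather than an
    ``AttributeError`` on ``None``.
    """
    # Test-only fixture value. NOTE(review): the label segment
    # "%[email protected]" looks like an extraction artefact (e-mail
    # obfuscation) - confirm the literal against the repository.
    mfa_string = "otpauth://totp/someapp%[email protected]?secret=SNVQHZZUNABGV7DP3M4UI57OH7YZWNFI&algorithm=SHA1&digits=6&period=30&issuer=someapp"  # noqa
    user = login_and_verify_user(client)
    secret = SecretFactory(mfa_string=mfa_string)
    assign_perm("view_secret", user, secret)

    response = client.get(reverse("secret:mfa", kwargs={"pk": secret.pk}))
    content = response.content.decode("utf-8")
    assert response.status_code == 200

    # "\>" / "\<" in the original pattern were redundant escapes of
    # non-letter characters; the bare delimiters match the same text.
    match = re.search(r">(\d{6})<", content)
    assert match is not None, "no 6-digit code rendered on the MFA page"
    assert secret.verify_otp(match.group(1))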
def test_update_success(self, client):
    """A user holding ``change_secret`` can rename the secret via the detail view.

    The view redirects (302) back to the detail page and the new name is
    visible after reloading the row from the database.
    """
    editor = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("change_secret", editor, target)

    detail_url = reverse("secret:detail", kwargs={"pk": target.pk})
    response = client.post(detail_url, {"name": "hello world"})

    assert response.status_code == 302
    assert response.url == detail_url
    target.refresh_from_db()
    assert target.name == "hello world"
def test_verify_audit_events_are_created(self, client):
    """Granting a user permission writes exactly one ``add_permission`` audit row.

    Starting from an empty audit table, the post redirects back to the
    permissions page and the single row names the actor, the secret, the
    action and the target user in its description.
    """
    target = SecretFactory()
    permission_url = reverse("secret:permissions", kwargs={"pk": target.pk})
    actor = login_and_verify_user(client)
    assign_perm("change_secret", actor, target)
    grantee = UserFactory()

    assert Audit.objects.count() == 0
    response = client.post(
        permission_url,
        {
            "user": grantee.id,
            "permission": "change_secret"
        },
    )
    assert response.status_code == 302
    assert response.url == permission_url

    assert Audit.objects.count() == 1
    entry = Audit.objects.first()
    assert entry.user == actor
    assert entry.timestamp == timezone.now()
    assert entry.secret == target
    assert entry.action == Actions.add_permission.name
    assert entry.description == f"Permission level to set change_secret for {grantee}"
def test_auth_required(self, client):
    """An anonymous request for the detail page is redirected to login.

    The redirect carries the original URL in ``next`` so the user lands
    back on the secret after authenticating.
    """
    target = SecretFactory()
    detail_url = reverse("secret:detail", kwargs={"pk": target.pk})

    response = client.get(detail_url)

    assert response.status_code == 302
    expected = reverse("authbroker_client:login") + "?next=" + quote_plus(detail_url)
    assert response.url == expected
def test_page_requires_view_permission(self, client):
    """The MFA setup page is forbidden (403) to a user without object permissions."""
    login_and_verify_user(client)
    target = SecretFactory()

    setup_url = reverse("secret:mfa_setup", kwargs={"pk": target.pk})
    response = client.get(setup_url)

    assert response.status_code == 403
def test_superuer_can_view_instance(self):
    """A superuser holds ``view_secret`` and ``change_secret`` on any secret without explicit grants."""
    admin = UserFactory(is_superuser=True)
    target = SecretFactory()

    for codename in ("secret.view_secret", "secret.change_secret"):
        assert admin.has_perm(codename, target)
def test_user_cannot_view_secret_without_permissions(self, client):
    """An authenticated, verified user with no grants gets 403 on the detail page."""
    login_and_verify_user(client)
    target = SecretFactory()

    detail_url = reverse("secret:detail", kwargs={"pk": target.pk})
    response = client.get(detail_url)

    assert response.status_code == 403
def test_audit(self, client):
    """Fixture setup for the MFA view leaves the audit table empty.

    NOTE(review): no request is issued here, so the assertion only covers
    the fixtures - confirm whether a ``client.get`` of the MFA page and a
    follow-up audit assertion were intended.
    """
    # Test-only fixture value. NOTE(review): the label segment
    # "%[email protected]" looks like an extraction artefact (e-mail
    # obfuscation) - confirm the literal against the repository.
    mfa_string = "otpauth://totp/someapp%[email protected]?secret=SNVQHZZUNABGV7DP3M4UI57OH7YZWNFI&algorithm=SHA1&digits=6&period=30&issuer=someapp"  # noqa
    viewer = login_and_verify_user(client)
    target = SecretFactory(mfa_string=mfa_string)
    assign_perm("view_secret", viewer, target)

    assert Audit.objects.count() == 0
def test_page_requires_2fa_verification(self, client):
    """A logged-in but unverified user is sent to the two-factor verify page.

    The redirect target is checked by prefix because the verify URL may
    carry a query string.
    """
    target = SecretFactory()
    login_and_verify_user(client, verify=False)

    setup_url = reverse("secret:mfa_setup", kwargs={"pk": target.pk})
    response = client.get(setup_url)

    assert response.status_code == 302
    verify_url = reverse("twofactor:verify")
    assert response.url.startswith(verify_url)
def test_page_requires_auth(self, client):
    """An anonymous request to delete-permission is redirected to login with ``next`` set."""
    target = SecretFactory()
    delete_url = reverse("secret:delete-permission", kwargs={"pk": target.pk})

    response = client.get(delete_url)

    expected = reverse("authbroker_client:login") + "?next=" + quote_plus(delete_url)
    assert response.status_code == 302
    assert response.url == expected
def test_requires_change_permission_to_add_permission(self, client):
    """``view_secret`` alone is not enough to post to the permissions page (403)."""
    viewer = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("view_secret", viewer, target)

    permission_url = reverse("secret:permissions", kwargs={"pk": target.pk})
    response = client.post(permission_url, {})

    assert response.status_code == 403
def test_load_page(self, client):
    """The delete-permission page renders (200) for a ``change_secret`` holder.

    The target user and permission are passed as query parameters.
    """
    editor = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("change_secret", editor, target)

    base_url = reverse("secret:delete-permission", kwargs={"pk": target.pk})
    query = f"?user={editor.id}&permission=change_secret"
    response = client.get(base_url + query)

    assert response.status_code == 200
def test_page_load(self, client):
    """The audit page renders its template (200) for a ``view_secret`` holder."""
    viewer = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("view_secret", viewer, target)

    audit_url = reverse("secret:audit", kwargs={"pk": target.pk})
    response = client.get(audit_url)

    assert response.status_code == 200
    assert response.template_name == ["secret/secret_audit.html"]
def test_page_requires_change_permission(self, client):
    """MFA delete is forbidden (403) with no grants and still forbidden with only ``view_secret``."""
    viewer = login_and_verify_user(client)
    target = SecretFactory()
    delete_url = reverse("secret:mfa_delete", kwargs={"pk": target.pk})

    # No permissions at all.
    assert client.get(delete_url).status_code == 403

    # Read access alone must not unlock the destructive action.
    assign_perm("view_secret", viewer, target)
    assert client.get(delete_url).status_code == 403
def test_view_audit_entry(self, client):
    """Viewing the detail page records one ``view_secret`` audit row for the actor and secret."""
    viewer = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("view_secret", viewer, target)

    client.get(reverse("secret:detail", kwargs={"pk": target.pk}))

    assert Audit.objects.count() == 1
    entry = Audit.objects.first()
    assert entry.action == Actions.view_secret.name
    assert entry.timestamp == timezone.now()
    assert entry.user == viewer
    assert entry.secret == target
def test_shows_setup_link_if_no_mfa_configured(self, client):
    """The MFA page offers a setup link when the secret has no MFA configured.

    The exact anchor markup, including the setup URL, must appear in the
    rendered body.
    """
    editor = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("view_secret", editor, target)
    assign_perm("change_secret", editor, target)

    response = client.get(reverse("secret:mfa", kwargs={"pk": target.pk}))
    assert response.status_code == 200

    setup_url = reverse("secret:mfa_setup", kwargs={"pk": target.pk})
    link_html = f'<a class="btn btn-danger" href="{setup_url}" role="button">Setup MFA client</a>'
    body = response.content.decode("utf-8")
    assert link_html in body
def test_update_audit_entry(self, client):
    """Renaming a secret records one ``update_secret`` audit row for the actor and secret."""
    editor = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("change_secret", editor, target)

    detail_url = reverse("secret:detail", kwargs={"pk": target.pk})
    client.post(detail_url, {"name": "hello world"})

    assert Audit.objects.count() == 1
    entry = Audit.objects.first()
    assert entry.action == Actions.update_secret.name
    assert entry.timestamp == timezone.now()
    assert entry.user == editor
    assert entry.secret == target
def test_success(self, client):
    """A ``change_secret`` holder can clear the stored MFA string.

    The view redirects (302) to the MFA page and ``mfa_string`` is empty
    after the row is reloaded.
    """
    editor = login_and_verify_user(client)
    target = SecretFactory()
    target.mfa_string = "test-string"
    target.save()
    assign_perm("change_secret", editor, target)

    delete_url = reverse("secret:mfa_delete", kwargs={"pk": target.pk})
    response = client.post(delete_url)
    target.refresh_from_db()

    assert response.status_code == 302
    assert response.url == reverse("secret:mfa", kwargs={"pk": target.pk})
    assert not target.mfa_string
def test_superuser_can_view_and_edit_secrets(self, client):
    """A superuser can read (200) and rename (302 then persisted) a secret with no explicit grants."""
    login_and_verify_user(client, is_superuser=True)
    target = SecretFactory()
    detail_url = reverse("secret:detail", kwargs={"pk": target.pk})

    read_response = client.get(detail_url)
    assert read_response.status_code == 200

    write_response = client.post(detail_url, {"name": "hello world"})
    assert write_response.status_code == 302
    assert write_response.url == detail_url
    assert Secret.objects.first().name == "hello world"
def test_delete_group_permissions(self, client):
    """Posting only a group id to delete-permission strips all of that group's grants.

    The view redirects (302) to the permissions page and ``get_perms`` for
    the group is then empty.
    """
    editor = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("change_secret", editor, target)

    group = GroupFactory()
    for codename in ("change_secret", "view_secret"):
        assign_perm(codename, group, target)

    delete_url = reverse("secret:delete-permission", kwargs={"pk": target.pk})
    response = client.post(delete_url, {"group": group.id})

    assert response.status_code == 302
    assert response.url == reverse("secret:permissions", kwargs={"pk": target.id})
    assert get_perms(group, target) == []
def test_user_cannot_change_view_without_permissions(self, client):
    """Posting to the detail view is forbidden (403) with no grants and with only ``view_secret``."""
    viewer = login_and_verify_user(client)
    target = SecretFactory()
    detail_url = reverse("secret:detail", kwargs={"pk": target.pk})
    payload = {"name": "testing 123"}

    # No permissions at all.
    assert client.post(detail_url, payload).status_code == 403

    # Read access is not write access: 'change_secret' is required.
    assign_perm("view_secret", viewer, target)
    assert client.post(detail_url, payload).status_code == 403
def test_add_user_permissions(self, permission, expected, client):
    """Posting a user/permission pair grants the parametrised ``expected`` permission set.

    The actor must hold ``change_secret``; the view redirects (302) and the
    target user's object permissions equal ``expected``.
    """
    editor = login_and_verify_user(client)
    target = SecretFactory()
    assign_perm("change_secret", editor, target)
    grantee = UserFactory()

    permission_url = reverse("secret:permissions", kwargs={"pk": target.pk})
    response = client.post(
        permission_url,
        {
            "user": grantee.id,
            "permission": permission
        },
    )

    assert response.status_code == 302
    granted = get_perms(grantee, target)
    assert set(granted) == expected
def test_add_group_permissions(self, permission, expected, client):
    """Posting a group/permission pair grants the parametrised ``expected`` permission set.

    The actor must hold ``change_secret``; the view redirects (302) back to
    the permissions page and the group's object permissions equal
    ``expected``.
    """
    target = SecretFactory()
    permission_url = reverse("secret:permissions", kwargs={"pk": target.pk})
    group = GroupFactory()
    editor = login_and_verify_user(client)
    assign_perm("change_secret", editor, target)

    response = client.post(
        permission_url,
        {
            "group": group.id,
            "permission": permission
        },
    )

    assert response.status_code == 302
    assert response.url == permission_url
    granted = get_perms(group, target)
    assert set(granted) == expected