def test_delete_without_permissions(app, client): utils = Utils(app, client) public_id = utils.get_public_id() headers = {'Authorization': f'Bearer {utils.generate_access_token()}'} resp = client.delete(f'/api/users/{public_id}', headers=headers) assert resp.status_code == 403 assert json.loads(resp.data.decode()).get('message') == 'Access Denied!'
def test_admin_update_without_data(app, client): utils = Utils(app, client) public_id = utils.get_public_id() headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.put(f'/api/users/{public_id}', headers=headers) assert resp.status_code == 200
def test_admin_update_invalid_data(app, client): utils = Utils(app, client) guid = utils.get_guid() headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.put(f'/api/users/{guid}', headers=headers, json={'invalid': 'invalid'}) assert resp.status_code == 400
def test_admin_update_non_existing_role(app, client): utils = Utils(app, client) public_id = utils.get_public_id() headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.put(f'/api/users/{public_id}', headers=headers, json={'role': 'invalid'}) assert resp.status_code == 400 assert json.loads(resp.data.decode()).get('message') == 'Invalid Role'
def test_admin_update(app, client): utils = Utils(app, client) public_id = utils.get_public_id() data = {'displayName': 'My new display name!'} headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.put(f'/api/users/{public_id}', headers=headers, json=data) assert resp.status_code == 200 assert json.loads(resp.data.decode()).get('data').get( 'displayName') == data.get('displayName')
def test_logout_invalid(app, client): utils = Utils(app, client) access_token, refresh_token = utils.generate_access_token(refresh=True) resp = client.get('/api/auth', headers={'Authorization': f'Bearer {access_token}'}) assert resp.status_code == 200 resp = client.delete('/api/auth/refresh/invalid') assert resp.status_code == 401 assert json.loads( resp.data.decode()).get('message') == 'Invalid refresh token'
def test_refresh_token_invalid_data(app, client): utils = Utils(app, client) access_token, refresh_token = utils.generate_access_token(refresh=True) resp = client.get('/api/auth', headers={'Authorization': f'Bearer {access_token}'}) assert resp.status_code == 200 resp = client.post('/api/auth/refresh', json={'invalid': 'invalid'}) assert resp.status_code == 400 assert json.loads( resp.data.decode()).get('message') == 'Payload is invalid'
def test_authentication_without_activation(app, client): utils = Utils(app, client) utils.create_user(username='******', password='******', verified=False) resp = client.post('/api/auth', json={ 'username': '******', 'password': '******' }) assert resp.status_code == 401 assert json.loads( resp.data.decode('utf8')).get('message') == 'Account not activated'
def test_authentication_with_invalid_2fa_token(app, client): utils = Utils(app, client) utils.enable_2fa() resp = client.post('/api/auth', json={ 'username': '******', 'password': '******', 'token': '999999' }) assert resp.status_code == 401 assert json.loads( resp.data.decode('utf8')).get('message') == 'Invalid credentials'
def test_get(app, client): utils = Utils(app, client) public_id = utils.get_public_id() headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.get(f'/api/users/{public_id}', headers=headers) assert resp.status_code == 200 assert json.loads( resp.data.decode()).get('data').get('email') == '*****@*****.**' assert json.loads( resp.data.decode()).get('data').get('displayName') == 'test' assert not json.loads(resp.data.decode()).get('data').get('2fa')
def test_admin_update_enable_2fa(app, client): utils = Utils(app, client) public_id = utils.get_public_id() headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.put(f'/api/users/{public_id}', headers=headers, json={'totp_enabled': True}) assert resp.status_code == 400 assert json.loads(resp.data.decode()).get( 'message') == 'You are not allowed to enable 2FA.'
def test_refresh_token_deleted_account(app, client): utils = Utils(app, client) access_token, refresh_token = utils.generate_access_token(refresh=True) resp = client.get('/api/auth', headers={'Authorization': f'Bearer {access_token}'}) assert resp.status_code == 200 utils.delete_user() resp = client.post('/api/auth/refresh', json={'refreshToken': refresh_token}) assert resp.status_code == 400 assert json.loads( resp.data.decode()).get('message') == 'User does not exist!'
def test_update_enable_2fa_invalid_token(app, client): utils = Utils(app, client) headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } # first step to enable 2fa, get secret key resp = client.put('/api/users/me', headers=headers, json={'totp_enabled': True}) assert resp.status_code == 200 assert not json.loads(resp.data.decode()).get('data').get('2fa') assert '2fa_secret' in json.loads(resp.data.decode()).get('data') secret = json.loads(resp.data.decode()).get('data').get('2fa_secret') # generate a 2fa token using the secret key, and use it to activate 2fa totp_token = str(onetimepass.get_totp(secret)).zfill(6) resp = client.post('/api/users/2fa', headers=headers, json={'token': '000000'}) assert resp.status_code == 400 assert json.loads( resp.data.decode()).get('message') == 'invalid token, try again' resp = client.post('/api/users/2fa', headers=headers, json={'token': str(totp_token)}) assert resp.status_code == 200 assert json.loads( resp.data.decode()).get('message') == '2fa has been enabled'
def test_get_all(app, client): utils = Utils(app, client) headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.get(f'/api/users', headers=headers) assert resp.status_code == 200
def test_delete_without_data(app, client): utils = Utils(app, client) headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.delete(f'/api/users', headers=headers) assert resp.status_code == 405
def test_update_show_qr_after_2fa_has_been_enabled(app, client): utils = Utils(app, client) headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } # first step to enable 2fa, get secret key resp = client.put('/api/users/me', headers=headers, json={'totp_enabled': True}) assert resp.status_code == 200 assert not json.loads(resp.data.decode()).get('data').get('2fa') assert '2fa_secret' in json.loads(resp.data.decode()).get('data') # generate a 2fa token using the secret key, and use it to activate 2fa secret = json.loads(resp.data.decode()).get('data').get('2fa_secret') totp_token = str(onetimepass.get_totp(secret)).zfill(6) resp = client.post('/api/users/2fa', headers=headers, json={'token': str(totp_token)}) assert resp.status_code == 200 assert json.loads( resp.data.decode()).get('message') == '2fa has been enabled' # it should not be possible to generate the qr code after 2fa has been enabled # this would be a potential security vulnerability resp = client.get('/api/users/2fa', headers=headers) assert resp.status_code == 400 assert json.loads( resp.data.decode()).get('message') == 'Unable to generate QR Code'
def test_PlainTextUpdater(self): self.file = Utils.create_github_content_file(file='content.txt') self.ptf = PlainTextFile(self.file, self.instance) self.instance.files = [self.ptf.github_file] self.ptu = PlainTextUpdater(TestSearchAndReplaceTransformation.Args(), self.instance) self.assertIs(self.ptu.run(), True)
def test_get_user_info(app, client): utils = Utils(app, client) resp = client.get( '/api/auth', headers={'Authorization': f'Bearer {utils.generate_access_token()}'}) assert resp.status_code == 200 assert 'username' in json.loads(resp.data.decode()).get('data') assert parser.parse( json.loads(resp.data.decode()).get('data').get('created'))
def test_logout_blacklisted(app, client): utils = Utils(app, client) access_token, refresh_token = utils.generate_admin_access_token( refresh=True) resp = client.get('/api/auth', headers={'Authorization': f'Bearer {access_token}'}) assert resp.status_code == 200 resp = client.delete(f'/api/auth/refresh/{refresh_token}') assert resp.status_code == 200 assert json.loads( resp.data.decode()).get('data') == 'Successfully blacklisted token' resp = client.delete(f'/api/auth/refresh/{refresh_token}') assert resp.status_code == 200 assert json.loads( resp.data.decode()).get('data') == 'Successfully blacklisted token'
def test_update_modify_role(app, client): utils = Utils(app, client) data = {'role': 'admin'} headers = {'Authorization': f'Bearer {utils.generate_access_token()}'} resp = client.put('/api/users/me', headers=headers, json=data) assert resp.status_code == 403 assert json.loads(resp.data.decode()).get( 'message') == 'You are not allowed to change your role!'
def test_delete_invalid_data(app, client): utils = Utils(app, client) headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.delete(f'/api/users/invalid', headers=headers) assert resp.status_code == 404 assert json.loads( resp.data.decode()).get('message') == 'User does not exist'
def test_create_without_data(app, client): utils = Utils(app, client) headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.post('/api/users', headers=headers) assert resp.status_code == 400 assert json.loads( resp.data.decode()).get('message') == 'Payload is invalid'
def test_refresh_token(app, client): utils = Utils(app, client) access_token, refresh_token = utils.generate_access_token(refresh=True) resp = client.get('/api/auth', headers={'Authorization': f'Bearer {access_token}'}) assert resp.status_code == 200 resp = client.post('/api/auth/refresh', json={'refreshToken': refresh_token}) assert resp.status_code == 200 assert json.loads( resp.data.decode()).get('message') == 'Token refresh was successful' assert 'accessToken' in json.loads(resp.data.decode()) access_token = json.loads(resp.data.decode()).get('accessToken') resp = client.get('/api/auth', headers={'Authorization': f'Bearer {access_token}'}) assert resp.status_code == 200
def test_logout(app, client): utils = Utils(app, client) access_token, refresh_token = utils.generate_access_token(refresh=True) resp = client.get('/api/auth', headers={'Authorization': f'Bearer {access_token}'}) assert resp.status_code == 200 resp = client.delete(f'/api/auth/refresh/{refresh_token}') assert resp.status_code == 200 assert json.loads( resp.data.decode()).get('data') == 'Successfully blacklisted token' # refresh token should now be invalid, access token will be still valid til it's expired resp = client.post('/api/auth/refresh', json={'refreshToken': refresh_token}) assert resp.status_code == 401 assert json.loads( resp.data.decode()).get('data') == 'Invalid refresh token'
def test_authentication_invalid_credentials(app, client): Utils(app, client) resp = client.post('/api/auth', json={ 'username': '******', 'password': '******' }) assert resp.status_code == 401 assert json.loads( resp.data.decode('utf8')).get('message') == 'Invalid credentials'
def test_authentication(app, client): Utils(app, client) resp = client.post('/api/auth', json={ 'username': '******', 'password': '******' }) assert resp.status_code == 200 assert 'accessToken' in json.loads(resp.data.decode()) assert 'refreshToken' in json.loads(resp.data.decode())
def test_admin_update_disable_2fa(app, client): utils = Utils(app, client) utils.enable_2fa() public_id = utils.get_public_id() headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } # check if 2fa is enabled resp = client.get(f'/api/users/{public_id}', headers=headers) assert json.loads(resp.data.decode()).get('data').get('2fa') # disable 2fa resp = client.put(f'/api/users/{public_id}', headers=headers, json={'totp_enabled': False}) assert resp.status_code == 200 assert not json.loads(resp.data.decode()).get('data').get('2fa')
def test_update_disable_2fa_without_token(app, client): utils = Utils(app, client) utils.enable_2fa() headers = {'Authorization': f'Bearer {utils.generate_access_token()}'} # check if 2fa is enabled # resp = client.get('/api/auth', headers=headers) resp = client.get( '/api/auth', headers={'Authorization': f'Bearer {utils.generate_access_token()}'}) assert json.loads(resp.data.decode()).get('data').get('2fa') # disable 2fa resp = client.put(f'/api/users/me', headers=headers, json={'totp_enabled': False}) assert resp.status_code == 400 assert json.loads(resp.data.decode()).get( 'message') == 'Unable to deactivate 2fa, token not submitted'
def test_admin_update_invalid_user(app, client): utils = Utils(app, client) headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.put(f'/api/users/invalid', headers=headers, json={'displayName': 'new'}) assert resp.status_code == 404 assert json.loads( resp.data.decode()).get('message') == 'User does not exist'
def test_delete(app, client): utils = Utils(app, client) # create user to delete data = { 'username': '******', 'password': '******', 'email': '*****@*****.**', 'role': 'user' } headers = { 'Authorization': f'Bearer {utils.generate_admin_access_token()}' } resp = client.post('/api/users', headers=headers, json=data) assert resp.status_code == 201 public_id = utils.get_public_id('new_user') resp = client.delete(f'/api/users/{public_id}', headers=headers) assert resp.status_code == 200 assert json.loads( resp.data.decode()).get('data') == 'Successfully deleted user!'