def test_get_all_users(self):
d = datetime.datetime
with transaction.manager:
user1 = User(first_name='John1',
last_name='Doe',
creation=d(2012, 12, 12, 9, 10, 0),
email='*****@*****.**',
email_verified=False,
send_passwords_periodically=False)
Session.add(user1)
self.add_passwords(user1, 10)
user2 = User(first_name='John2',
last_name='Doe',
creation=d(2013, 1, 2, 13, 10, 0),
email='*****@*****.**',
email_verified=True,
send_passwords_periodically=True)
Session.add(user2)
self.add_passwords(user2, 10)
user3 = User(first_name='John3',
last_name='Doe',
creation=d(2014, 6, 20, 10, 58, 10),
email='*****@*****.**',
email_verified=True,
send_passwords_periodically=True)
Session.add(user3)
self.add_passwords(user3, 10)
when = datetime.datetime(2012, 10, 12, 10, 0, 0)
users = tuple(get_all_users(when))
self.assertEqual(len(users), 1)
self.assertEqual(users[0].first_name, 'John3')
def test_show_in_user(self):
request = DummyRequest()
ga = GoogleAnalytics(request)
self.assertFalse(ga.show_in_user(User(allow_google_analytics=False)))
self.assertTrue(ga.show_in_user(User(allow_google_analytics=True)))
def test_revoke_application_app(self):
administrator = User(screen_name='Alice doe',
first_name='Alice',
last_name='Doe',
email='*****@*****.**')
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email='*****@*****.**')
app = Application(name='Test Application',
main_url='http://example.com',
callback_url='http://example.com/callback',
user=administrator)
auth_app = AuthorizedApplication(
scope=['read-passwords'],
response_type='code',
redirect_uri='http://example.com/callback',
application=app,
user=user,
)
with transaction.manager:
Session.add(user)
Session.add(app)
Session.add(auth_app)
Session.flush()
user_id = user.id
app_id = app.id
self.testapp.get('/__login/' + str(user_id))
self.assertEqual(Session.query(Application).count(), 1)
self.assertEqual(Session.query(AuthorizedApplication).count(), 1)
res = self.testapp.get('/oauth2/applications/%s/revoke' % str(app_id))
self.assertEqual(res.status, '200 OK')
res.mustcontain('Revoke authorization to application <span>Test Application</span>')
res = self.testapp.post('/oauth2/applications/%s/revoke' % str(app_id), {
'submit': 'Yes, I am sure',
})
self.assertEqual(res.status, '302 Found')
self.assertEqual(res.location, 'http://localhost/oauth2/authorized-applications')
try:
auth_app = Session.query(AuthorizedApplication).filter(
AuthorizedApplication.application_id == app_id,
AuthorizedApplication.user_id == user_id,
).one()
except NoResultFound:
auth_app = None
self.assertEqual(auth_app, None)
# the application should not be removed on cascade
self.assertEqual(Session.query(Application).count(), 1)
def test_authorized_applications(self):
administrator = User(screen_name='Alice doe',
first_name='Alice',
last_name='Doe',
email='*****@*****.**')
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email='*****@*****.**')
app1 = Application(name='Test Application 1',
main_url='http://example.com/1',
callback_url='http://example.com/1/callback',
image_url='http://example.com/1/image.png',
description='Test description 1',
user=administrator)
auth_app1 = AuthorizedApplication(
scope=['scope1'],
response_type='code',
redirect_uri='http://example.com/1/callback',
application=app1,
user=user,
)
app2 = Application(name='Test Application 2',
main_url='http://example.com/2',
callback_url='http://example.com/2/callback',
image_url='http://example.com/2/image.png',
description='Test description 2',
user=administrator)
auth_app2 = AuthorizedApplication(
scope=['scope1'],
response_type='code',
redirect_uri='http://example.com/2/callback',
application=app2,
user=user,
)
with transaction.manager:
Session.add(user)
Session.add(app1)
Session.add(auth_app1)
Session.add(app2)
Session.add(auth_app2)
Session.flush()
user_id = user.id
self.testapp.get('/__login/' + str(user_id))
res = self.testapp.get('/oauth2/authorized-applications')
self.assertEqual(res.status, '200 OK')
res.mustcontain('Authorized Applications')
res.mustcontain('Test Application 1')
res.mustcontain('Test Application 2')
def test_merge_valid_users(self):
master_user = User()
Session.add(master_user)
other_user = User()
Session.add(other_user)
Session.flush()
self.assertEqual(2, Session.query(User).count())
self.assertEqual(1, merge_accounts(master_user, [other_user.id]))
self.assertEqual(1, Session.query(User).count())
def test_announce_send_email(self):
with transaction.manager:
user1 = User(first_name='John0',
last_name='Doe',
email='',
email_verified=False,
send_passwords_periodically=False)
Session.add(user1)
self.add_passwords(user1, 10)
user2 = User(first_name='John1',
last_name='Doe',
email='',
email_verified=True,
send_passwords_periodically=False)
Session.add(user2)
self.add_passwords(user2, 10)
user3 = User(first_name='John2',
last_name='Doe',
email='*****@*****.**',
email_verified=True,
send_passwords_periodically=True)
Session.add(user3)
self.add_passwords(user3, 10)
user4 = User(first_name='John3',
last_name='Doe',
email='*****@*****.**',
email_verified=True,
send_passwords_periodically=True)
Session.add(user4)
self.add_passwords(user4, 10)
user5 = User(first_name='John4',
last_name='Doe',
email='*****@*****.**',
email_verified=False,
send_passwords_periodically=True)
Session.add(user5)
self.add_passwords(user5, 10)
sys.argv = ['notused', self.conf_file_path, 'new_feature_send_passwords_via_email']
sys.stdout = StringIO()
result = announce()
self.assertEqual(result, None)
stdout = sys.stdout.getvalue()
expected_output = """Sending email to John2 Doe <*****@*****.**>
Sending email to John3 Doe <*****@*****.**>
"""
self.assertEqual(stdout, expected_output)
def test_register_or_update_existing_user(self):
user = User(screen_name='JohnDoe',
first_name='John',
last_name='')
identity = ExternalIdentity(provider='twitter',
external_id='1',
user=user)
Session.add(user)
Session.add(identity)
Session.flush()
user_id = user.id
request = testing.DummyRequest()
request.session = {USER_ATTR: True}
request.google_analytics = GoogleAnalytics(request)
response = register_or_update(request, 'twitter', '1', {
'screen_name': 'JohnDoe',
'first_name': 'John',
'last_name': 'Doe',
'email': '*****@*****.**',
}, '/next')
self.assertEqual(response.status, '302 Found')
self.assertEqual(response.location, '/next')
user = Session.query(User).filter(User.id == user_id).one()
self.assertEqual(user.email, '*****@*****.**')
self.assertEqual(user.last_name, 'Doe')
self.assertEqual(user.allow_google_analytics, True)
def test_application_edit_cancel(self):
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email='*****@*****.**')
app = Application(name='Test Application',
main_url='http://example.com',
callback_url='http://example.com/callback',
authorized_origins=['http://example.com',
'https://example.com'],
production_ready=False,
image_url='http://example.com/image.png',
description='example description')
user.applications.append(app)
with transaction.manager:
Session.add(user)
Session.flush()
app_id = app.id
user_id = user.id
self.testapp.get('/__login/' + str(user_id))
res = self.testapp.post('/oauth2/applications/%s/edit' % str(app_id), {
'cancel': 'Cancel',
})
self.assertEqual(res.status, '302 Found')
self.assertEqual(res.location, 'http://localhost/oauth2/applications')
def create_user(email='',
email_verified=False,
provider='twitter',
external_id='twitter1',
**kwargs):
date = datetime.datetime(2012, 12, 12, 12, 12)
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email=email,
email_verified=email_verified,
creation=date,
last_login=date,
**kwargs)
identity = ExternalIdentity(provider=provider,
external_id=external_id,
user=user)
with transaction.manager:
Session.add(user)
Session.add(identity)
Session.flush()
user_id = user.id
return user_id
def test_get_image_url_with_size(self):
request = DummyRequest()
request.user = User(email='*****@*****.**')
gravatar = Gravatar(request, 'http://localhost/default_gravatar.png')
self.assertURLEqual(
gravatar.get_image_url(100),
'https://www.gravatar.com/avatar/d4c74594d841139328695756648b6bd6?s=100&d=http%3A%2F%2Flocalhost%2Fdefault_gravatar.png')
def test_clients_two_apps(self):
administrator = User(screen_name='Alice doe',
first_name='Alice',
last_name='Doe',
email='*****@*****.**')
app1 = Application(name='Example app 1',
main_url='https://example.com',
callback_url='https://example.com/callback',
image_url='https://example.com/image.png',
description='example description',
production_ready=True,
user=administrator)
app2 = Application(name='Example app 2',
main_url='https://2.example.com',
callback_url='https://2.example.com/callback',
production_ready=False,
user=administrator)
with transaction.manager:
Session.add(app1)
Session.add(app2)
Session.flush()
res = self.testapp.get('/oauth2/clients')
self.assertEqual(res.status, '200 OK')
res.mustcontain(
'Available Clients', 'Example app 1', 'https://example.com',
'https://example.com/image.png', 'example description',
no=('Example app 2', 'https://2.example.com'),
)
def test_cors_headers_app_origins(self):
cm = CORSManager('')
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email='*****@*****.**')
app = Application(name='Test Application',
authorized_origins=['http://localhost'])
user.applications.append(app)
with transaction.manager:
Session.add(user)
Session.add(app)
Session.flush()
app_id = app.id
request = DummyRequest(headers={'Origin': 'http://localhost'},
params={'client_id': app_id})
response = request.response
cm.add_cors_header(request, response)
self.assertEqual(
response.headers, {
'Content-Type': 'text/html; charset=UTF-8',
'Content-Length': '0',
'Access-Control-Allow-Origin': 'http://localhost',
})
def test_applications_list_apps_one_app(self):
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email='*****@*****.**')
app = Application(name='Test Application',
main_url='https://example.com',
callback_url='https://example.com/callback',
production_ready=False)
user.applications.append(app)
with transaction.manager:
Session.add(user)
Session.flush()
app_id = app.id
user_id = user.id
self.testapp.get('/__login/' + str(user_id))
res = self.testapp.get('/oauth2/applications')
self.assertEqual(res.status, '200 OK')
res.mustcontain('John')
res.mustcontain('Log out')
res.mustcontain('Developer Applications')
res.mustcontain('Register new application')
res.mustcontain(app_id)
res.mustcontain('Test Application')
res.mustcontain('https://example.com')
def test_get_accounts_multiple_providers(self):
user = User(email='*****@*****.**', email_verified=True)
identity1 = ExternalIdentity(user=user,
provider='twitter',
external_id='1234')
identity2 = ExternalIdentity(user=user,
provider='google',
external_id='4321')
password = Password(user=user, secret='secret')
Session.add(user)
Session.add(identity1)
Session.add(identity2)
Session.add(password)
Session.flush()
self.assertEqual(user.get_accounts('google'), [{
'id':
user.id,
'is_current':
True,
'is_verified':
True,
'passwords':
1,
'providers': [{
'name': 'twitter',
'is_current': False,
}, {
'name': 'google',
'is_current': True,
}]
}])
def test_application_edit_unauthorized(self):
create_and_login_user(self.testapp)
app = Application(name='Test Application',
main_url='http://example.com',
callback_url='http://example.com/callback',
authorized_origins=['http://example.com',
'https://example.com'],
production_ready=False,
image_url='http://example.com/image.png',
description='example description')
other_user = User(screen_name='Alice doe',
first_name='Alice',
last_name='Doe',
email='*****@*****.**')
other_user.applications.append(app)
with transaction.manager:
Session.add(other_user)
Session.flush()
app_id = app.id
res = self.testapp.get('/oauth2/applications/%s/edit' % str(app_id),
status=401)
self.assertEqual(res.status, '401 Unauthorized')
def test_application_edit_invalid_change(self):
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email='*****@*****.**')
app = Application(name='Test Application',
main_url='http://example.com',
callback_url='http://example.com/callback',
authorized_origins=['http://example.com',
'https://example.com'],
production_ready=False,
image_url='http://example.com/image.png',
description='example description')
user.applications.append(app)
with transaction.manager:
Session.add(user)
Session.flush()
app_id = app.id
user_id = user.id
self.testapp.get('/__login/' + str(user_id))
res = self.testapp.post('/oauth2/applications/%s/edit' % str(app_id), {
'submit': 'Save changes',
})
self.assertEqual(res.status, '200 OK')
res.mustcontain('There was a problem with your submission')
res.mustcontain('Required')
def test_merge_with_itself(self):
user = User()
Session.add(user)
Session.flush()
self.assertEqual(1, Session.query(User).count())
self.assertEqual(0, merge_accounts(user, [user.id]))
self.assertEqual(1, Session.query(User).count())
def test_merge_users(self):
with transaction.manager:
user1 = User(email='*****@*****.**')
identity1 = ExternalIdentity(provider='twitter', external_id='1234',
user=user1)
password1 = Password(secret='s3cr3t1', user=user1)
password2 = Password(secret='s3cr3t2', user=user1)
user2 = User(email='*****@*****.**')
identity2 = ExternalIdentity(provider='google', external_id='4321',
user=user2)
password3 = Password(secret='s3cr3t3', user=user2)
password4 = Password(secret='s3cr3t4', user=user2)
Session.add(user1)
Session.add(identity1)
Session.add(password1)
Session.add(password2)
Session.add(user2)
Session.add(identity2)
Session.add(password3)
Session.add(password4)
Session.flush()
user1_id = user1.id
user2_id = user2.id
user1 = Session.query(User).filter(User.id == user1_id).one()
user2 = Session.query(User).filter(User.id == user2_id).one()
self.assertEqual(1, len(user1.identities))
self.assertEqual(4, Session.query(Password).count())
with transaction.manager:
merge_users(user1, user2)
self.assertEqual(4, Session.query(Password).count())
self.assertEqual(0, Session.query(Password).filter(
Password.user_id == user2_id).count())
try:
user2_refreshed = Session.query(User).filter(User.id == user2_id).one()
except NoResultFound:
user2_refreshed = None
self.assertEqual(user2_refreshed, None)
user1 = Session.query(User).filter(User.id == user1_id).one()
self.assertEqual(2, len(user1.identities))
def test_merge_with_invented_users(self):
user = User()
Session.add(user)
Session.flush()
fake_id = '00000000-0000-0000-0000-000000000000'
self.assertEqual(1, Session.query(User).count())
self.assertEqual(0, merge_accounts(user, [fake_id]))
self.assertEqual(1, Session.query(User).count())
def test_application_delete(self):
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email='*****@*****.**')
app = Application(name='Test Application',
callback_url='https://example.com/callback',
production_ready=False)
user.applications.append(app)
auth_app = AuthorizedApplication(
scope=['scope1'],
response_type='code',
redirect_uri='http://example.com/callback',
application=app,
user=user,
)
with transaction.manager:
Session.add(user)
Session.add(auth_app)
Session.flush()
app_id = app.id
user_id = user.id
self.testapp.get('/__login/' + str(user_id))
self.assertEqual(Session.query(Application).count(), 1)
self.assertEqual(Session.query(AuthorizedApplication).count(), 1)
res = self.testapp.get('/oauth2/applications/%s/delete' % str(app_id))
self.assertEqual(res.status, '200 OK')
res.mustcontain('Delete Application <span>Test Application</span>')
res.mustcontain('Are you sure you want to remove the application')
res.mustcontain('Yes, I am sure')
res.mustcontain('No, take me back to the application list')
# now delete it
res = self.testapp.post('/oauth2/applications/%s/delete' % str(app_id),
{'submit': 'Yes, I am sure'})
self.assertEqual(res.status, '302 Found')
self.assertEqual(res.location, 'http://localhost/oauth2/applications')
try:
app = Session.query(Application).filter(
Application.id == app_id).one()
except NoResultFound:
app = None
self.assertEqual(app, None)
self.assertEqual(Session.query(User).count(), 1)
self.assertEqual(Session.query(Application).count(), 0)
# Related authorizations should be deleted on cascade
self.assertEqual(Session.query(AuthorizedApplication).count(), 0)
def test_get_user_existing_user(self):
user = User(screen_name='John Doe')
Session.add(user)
Session.flush()
user_id = user.id
self.config.testing_securitypolicy(userid=user_id)
request = testing.DummyRequest()
new_user = get_user(request)
self.assertEqual(new_user.id, user.id)
self.assertEqual(new_user.screen_name, 'John Doe')
def test_assert_authenticated_user_is_registered_existing_user(self):
user = User(screen_name='John Doe')
Session.add(user)
Session.flush()
user_id = user.id
self.config.testing_securitypolicy(userid=user_id)
request = testing.DummyRequest()
res = assert_authenticated_user_is_registered(request)
self.assertEqual(res.id, user_id)
self.assertEqual(res.screen_name, 'John Doe')
def test_get_accounts_no_provider(self):
user = User(email='*****@*****.**')
Session.add(user)
Session.flush()
self.assertEqual(user.get_accounts(''), [{
'id': user.id,
'is_current': False,
'is_verified': False,
'passwords': 0,
'providers': []
}])
def test_get_user_passwords_no_passwords(self):
user = User(first_name='John', last_name='Doe')
with transaction.manager:
Session.add(user)
Session.flush()
user_id = user.id
user = Session.query(User).filter(User.id == user_id).one()
self.assertEqual(get_user_passwords(user), [])
def create_user():
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email='*****@*****.**')
with transaction.manager:
Session.add(user)
Session.flush()
user_id = user.id
return user, user_id
def test_several_users_first_of_month(self):
d = datetime.datetime
# Add some users
with transaction.manager:
user1 = User(first_name='John1',
last_name='Doe',
creation=d(2012, 12, 12, 9, 10, 0),
email='*****@*****.**',
email_verified=False,
send_passwords_periodically=False)
Session.add(user1)
self.add_passwords(user1, 10)
user2 = User(first_name='John2',
last_name='Doe',
creation=d(2013, 1, 2, 13, 10, 0),
email='*****@*****.**',
email_verified=True,
send_passwords_periodically=False)
Session.add(user2)
self.add_passwords(user2, 10)
user3 = User(first_name='John3',
last_name='Doe',
creation=d(2014, 6, 20, 10, 58, 10),
email='*****@*****.**',
email_verified=True,
send_passwords_periodically=True)
Session.add(user3)
self.add_passwords(user3, 10)
sys.argv = ['notused', self.conf_file_path]
sys.stdout = StringIO()
result = send_backups_via_email()
self.assertEqual(result, None)
stdout = sys.stdout.getvalue()
expected_output = """Passwords sent to John3 Doe <*****@*****.**>
"""
self.assertEqual(stdout, expected_output)
def test_email_verification_code_verify_negative(self):
evc = EmailVerificationCode()
self.assertNotEqual(evc.code, None)
user = User(first_name='John',
last_name='Doe',
email='*****@*****.**')
Session.add(user)
Session.flush()
evc2 = EmailVerificationCode(evc.code)
result = evc2.verify('*****@*****.**')
self.assertEqual(result, None)
def create_and_login_user(testapp):
user = User(screen_name='John Doe',
first_name='John',
last_name='Doe',
email='*****@*****.**')
with transaction.manager:
Session.add(user)
Session.flush()
user_id = user.id
testapp.get('/__login/' + str(user_id))
return user, user_id
def test_twitter_callback_existing_user(self, post_mock, get_mock):
# good request, twitter is happy now. Existing user
user = User(screen_name='Johnny')
identity = ExternalIdentity(user=user,
provider='twitter',
external_id='user1')
with transaction.manager:
Session.add(user)
Session.add(identity)
Session.flush()
user_id = user.id
mock0 = mock.Mock()
mock0.status_code = 200
mock0.text = 'oauth_callback_confirmed=true&oauth_token=123456789'
mock1 = mock.Mock()
mock1.status_code = 200
mock1.text = 'oauth_token=xyz&user_id=user1&screen_name=JohnDoe'
mock2 = mock.Mock()
mock2.ok = True
mock2.json = lambda: {
'token_type': 'bearer',
'access_token': '1234567890',
}
post_mock.side_effect = [mock0, mock1, mock2]
get_response = get_mock.return_value
get_response.ok = True
get_response.json = lambda: {
'name': 'John Doe',
}
self.testapp.get('/twitter/login')
good_url = '/twitter/callback?oauth_token=123456789&oauth_verifier=abc'
res = self.testapp.get(good_url, status=302)
self.assertEqual(res.status, '302 Found')
self.assertEqual(res.location, 'http://localhost/')
self.assertTrue('Set-Cookie' in res.headers)
# even if the response from twitter included a different
# screen_name, our user will not be updated
new_user = Session.query(User).filter(User.id == user_id).one()
self.assertEqual(new_user.screen_name, 'Johnny')
def test_identity_providers_only_one_account(self):
user1_id = create_and_login_user(self.testapp,
email='*****@*****.**',
email_verified=True)
app1 = Application(name='Test Application',
callback_url='https://example.com/callback/1')
app2 = Application(name='Test Application',
callback_url='https://example.com/callback/2')
admin = User(screen_name='Alice doe',
first_name='Alice',
last_name='Doe',
email='*****@*****.**')
admin.applications.append(app1)
admin.applications.append(app2)
auth_app1 = AuthorizedApplication(
scope=['scope1'],
response_type='code',
redirect_uri='http://example.com/callback/1',
application=app1,
user_id=user1_id,
)
auth_app2 = AuthorizedApplication(
scope=['scope1'],
response_type='code',
redirect_uri='http://example.com/callback/2',
application=app2,
user_id=user1_id,
)
password = Password(secret='s3cr3t', user_id=user1_id)
with transaction.manager:
Session.add(admin)
Session.add(app1)
Session.add(app2)
Session.add(auth_app1)
Session.add(auth_app2)
Session.add(password)
Session.flush()
# one account is not enough for merging
res = self.testapp.post('/identity-providers', {
'submit': 'Merge my accounts',
},
status=400)
self.assertEqual(res.status, '400 Bad Request')
res.mustcontain('You do not have enough accounts to merge')
