def test_register_generic_pwchange_error(client, cleanup_dummy_user):
"""Change user's password with an unhandled error"""
ipa_client = mock.Mock()
ipa_client.change_password.side_effect = python_freeipa.exceptions.FreeIPAError(
message="something went wrong", code="4242")
with mock.patch("securitas.controller.registration.untouched_ipa_client",
lambda a: ipa_client):
result = client.post(
'/register',
data={
"firstname": "First",
"lastname": "Last",
"username": "******",
"password": "******",
"password_confirm": "password",
},
)
assert_redirects_with_flash(
result,
expected_url="/login",
expected_message=
('Your account has been created, but an error occurred while setting your '
'password (something went wrong). You may need to change it after logging in.'
),
expected_category="warning",
)
def test_ask_post(client, dummy_user, patched_lock):
with mailer.record_messages() as outbox:
result = client.post('/forgot-password/ask', data={"username": "******"})
# Confirmation message
assert_redirects_with_flash(
result,
expected_url="/",
expected_message=(
"An email has been sent to your address with instructions on how to reset "
"your password"
),
expected_category="success",
)
# Sent email
assert len(outbox) == 1
message = outbox[0]
assert message.subject == "Password reset procedure"
assert message.recipients == ["*****@*****.**"]
# Valid token
token_match = re.search(r"\?token=([^\s\"']+)", message.body)
assert token_match is not None
token = token_match.group(1)
token_data = jwt.decode(
token, current_app.config["SECRET_KEY"], algorithms=["HS256"]
)
assert token_data.get("username") == "dummy"
assert "last_change" in token_data
# Lock activated
patched_lock["store"].assert_called_once()
def test_change_invalid_token(client):
result = client.get('/forgot-password/change?token=this-is-invalid')
assert_redirects_with_flash(
result,
expected_url="/forgot-password/ask",
expected_message="The token is invalid, please request a new one.",
expected_category="warning",
)
def test_change_no_token(client):
result = client.get('/forgot-password/change')
assert_redirects_with_flash(
result,
expected_url="/forgot-password/ask",
expected_message="No token provided, please request one.",
expected_category="warning",
)
def test_group_remove_member_invalid_form(client, dummy_user_as_group_manager):
"""Test an invalid form when removing a member from a group"""
result = client.post('/group/dummy-group/members/remove', data={})
assert_redirects_with_flash(
result,
expected_url="/group/dummy-group/",
expected_message="Username must not be empty",
expected_category="danger",
)
def test_user_edit_post(client, logged_in_dummy_user):
"""Test posting to the user edit page: /user/<username>/edit/"""
result = client.post('/user/dummy/edit/', data=POST_CONTENTS)
assert_redirects_with_flash(
result,
expected_url="/user/dummy/",
expected_message="Profile has been succesfully updated.",
expected_category="success",
)
def test_user_unauthed(client):
"""Check that when unauthed, the user page redirects back to /."""
result = client.get('/user/dudemcpants/')
assert_redirects_with_flash(
result,
expected_url="/",
expected_message="Please log in to continue.",
expected_category="warning",
)
def test_change_not_active(client, token_for_dummy_user, patched_lock):
result = client.get(f'/forgot-password/change?token={token_for_dummy_user}')
patched_lock["delete"].assert_called_once()
assert_redirects_with_flash(
result,
expected_url="/forgot-password/ask",
expected_message="The token has expired, please request a new one.",
expected_category="warning",
)
def test_group_add_unknown_member(client, dummy_user_as_group_manager):
"""Test adding a non-existent member to a group"""
result = client.post('/group/dummy-group/members/',
data={"new_member_username": "******"})
assert_redirects_with_flash(
result,
expected_url="/group/dummy-group/",
expected_message="User testuser was not found in the system.",
expected_category="danger",
)
def test_group_add_member(client, dummy_user_as_group_manager, make_user):
"""Test adding a member to a group"""
make_user("testuser")
result = client.post('/group/dummy-group/members/',
data={"new_member_username": "******"})
assert_redirects_with_flash(
result,
expected_url="/group/dummy-group/",
expected_message="You got it! testuser has been added to dummy-group.",
expected_category="success",
)
def test_change_too_old(client, token_for_dummy_user, patched_lock):
passed_expiry = datetime.datetime.now() - datetime.timedelta(minutes=1)
patched_lock["valid_until"].return_value = passed_expiry
result = client.get(f'/forgot-password/change?token={token_for_dummy_user}')
patched_lock["delete"].assert_called_once()
assert_redirects_with_flash(
result,
expected_url="/forgot-password/ask",
expected_message="The token has expired, please request a new one.",
expected_category="warning",
)
def test_user_edit_no_permission(method, client, logged_in_dummy_user):
"""Verify that a user can't be changed by another user."""
result = client.open(
"/user/dudemcpants/edit/",
method=method,
data=POST_CONTENTS if method == "POST" else None,
)
assert_redirects_with_flash(
result,
expected_url="/user/dudemcpants/",
expected_message="You do not have permission to edit this account.",
expected_category="danger",
)
def test_group_remove_member(client, dummy_user_as_group_manager, make_user):
"""Test removing a member from a group"""
make_user("testuser")
ipa_admin.group_add_member("dummy-group", users="testuser")
result = client.post('/group/dummy-group/members/remove',
data={"username": "******"})
assert_redirects_with_flash(
result,
expected_url="/group/dummy-group/",
expected_message=
"You got it! testuser has been removed from dummy-group.",
expected_category="success",
)
def test_password_changes(client, dummy_user, no_password_min_time):
"""Verify that password changes"""
result = client.post(
'/password-reset?username=dummy',
data={
"current_password": "******",
"password": "******",
"password_confirm": "secretpw",
},
)
assert_redirects_with_flash(
result,
expected_url="/",
expected_message="Your password has been changed",
expected_category="success",
)
def test_login_expired_password(client, dummy_user_expired_password):
"""Test a successful Login with an expired password"""
result = client.post(
'/login',
data={"username": "******", "password": "******"},
follow_redirects=False,
)
assert_redirects_with_flash(
result,
expected_url="/password-reset?username=dummy",
expected_message="Password expired. Please reset it.",
expected_category="danger",
)
# We are not logged in
assert "securitas_session" not in session
assert "securitas_username" not in session
def test_password_changes_wrong_user(client, logged_in_dummy_user):
"""Verify that we error if trying to change another user's password"""
result = client.post(
'/user/admin/password-reset',
data={
"username": "******",
"current_password": "******",
"password": "******",
"password_confirm": "secretpw",
},
)
assert_redirects_with_flash(
result,
expected_url="/",
expected_message="You do not have permission to edit this account.",
expected_category="danger",
)
def test_group_remove_self(client, logged_in_dummy_user, dummy_group):
"""Test a non-sponsor user removing themselves from a group"""
ipa_admin.group_add_member("dummy-group", users="dummy")
result = client.get('/group/dummy-group/')
assert result.status_code == 200
page = BeautifulSoup(result.data, 'html.parser')
leave_btn = page.select_one("#leave-group-btn")
assert leave_btn.get_text(strip=True) == "Leave group"
result = client.post('/group/dummy-group/members/remove',
data={"username": "******"})
assert_redirects_with_flash(
result,
expected_url="/group/dummy-group/",
expected_message="You got it! dummy has been removed from dummy-group.",
expected_category="success",
)
def test_ask_no_smtp(client, dummy_user, patched_lock):
with mock.patch("securitas.controller.password.mailer") as mailer:
mailer.send.side_effect = ConnectionRefusedError
with mock.patch("securitas.controller.password.app.logger") as logger:
result = client.post('/forgot-password/ask', data={"username": "******"})
# Email
mailer.send.assert_called_once()
# Lock untouched
patched_lock["store"].assert_not_called()
# Error message
assert_redirects_with_flash(
result,
expected_url="/",
expected_message="We could not send you an email, please retry later",
expected_category="danger",
)
# Log message
logger.error.assert_called_once()
def test_change_post(client, dummy_user, token_for_dummy_user, patched_lock_active):
with mock.patch("securitas.controller.password.app.logger") as logger:
result = client.post(
f'/forgot-password/change?token={token_for_dummy_user}',
data={"password": "******", "password_confirm": "newpassword"},
)
patched_lock_active["delete"].assert_called()
assert_redirects_with_flash(
result,
expected_url="/",
expected_message="Your password has been changed.",
expected_category="success",
)
# Log message
logger.info.assert_called_once()
log_msg = logger.info.call_args[0][0]
assert "dummy" in log_msg
assert "newpassword" not in log_msg
def test_password_changes_user(client, logged_in_dummy_user, dummy_group,
no_password_min_time):
"""Verify that password changes"""
ipa_admin.group_add_member("dummy-group", users="dummy")
result = client.post(
'/user/dummy/password-reset',
data={
"username": "******",
"current_password": "******",
"password": "******",
"password_confirm": "secretpw",
},
)
assert_redirects_with_flash(
result,
expected_url="/",
expected_message="Your password has been changed",
expected_category="success",
)
def test_group_remove_member_invalid(client, dummy_user_as_group_manager):
"""Test failure when removing a member from a group"""
with mock.patch(
"securitas.security.ipa.Client.group_remove_member") as method:
method.side_effect = python_freeipa.exceptions.ValidationError(
message={
"member": {
"user": [("testuser", "something went wrong")],
"group": []
}
},
code="4242",
)
result = client.post('/group/dummy-group/members/remove',
data={"username": "******"})
assert_redirects_with_flash(
result,
expected_url="/group/dummy-group/",
expected_message="Unable to remove user testuser: something went wrong",
expected_category="danger",
)
def test_register_short_password(client, cleanup_dummy_user):
"""Register a user with too short a password"""
result = client.post(
'/register',
data={
"firstname": "First",
"lastname": "Last",
"username": "******",
"password": "******",
"password_confirm": "42",
},
)
assert_redirects_with_flash(
result,
expected_url="/login",
expected_message=
('Your account has been created, but the password you chose does not comply '
'with the policy (Constraint violation: Password is too short) and has thus '
'been set as expired. You will be asked to change it after logging in.'
),
expected_category="warning",
)
def test_change_recent_password_change(
client,
dummy_user,
dummy_group,
token_for_dummy_user,
no_password_min_time,
patched_lock_active,
):
ipa_admin.group_add_member("dummy-group", users="dummy")
ipa = untouched_ipa_client(current_app)
ipa.change_password("dummy", "dummy_password", "dummy_password")
result = client.get(f'/forgot-password/change?token={token_for_dummy_user}')
patched_lock_active["delete"].assert_called_once()
assert_redirects_with_flash(
result,
expected_url="/forgot-password/ask",
expected_message=(
"Your password has been changed since you requested this token, please "
"request a new one."
),
expected_category="warning",
)
def test_change_post_password_too_short(
client, dummy_user, token_for_dummy_user, patched_lock_active
):
with mock.patch("securitas.controller.password.app.logger") as logger:
result = client.post(
f'/forgot-password/change?token={token_for_dummy_user}',
data={"password": "******", "password_confirm": "42"},
)
assert_redirects_with_flash(
result,
expected_url="/login",
expected_message=(
'Your password has been changed, but it does not comply '
'with the policy (Constraint violation: Password is too short) and has thus '
'been set as expired. You will be asked to change it after logging in.'
),
expected_category="warning",
)
patched_lock_active["delete"].assert_called()
logger.info.assert_called_with(
"Password for dummy was changed to a non-compliant password after completing "
"the forgotten password process."
)
