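def test_login_webauthn(live_server, selenium, test_user):  # pylint: disable=unused-argument
    """Log in through the WebAuthn flow using a software authenticator.

    A soft authenticator credential is persisted for ``test_user`` first; the
    credential request options published by the page in ``window.pkcro_raw``
    are then answered by that authenticator and handed back to the page's
    ``authenticate_assertion`` helper, since the browser-side authenticator
    call itself is emulated here.

    Args:
        live_server: fixture serving the application (reached via ``url_for``).
        selenium: anonymous webdriver session.
        test_user: user the credential is bound to.
    """

    device = SoftWebauthnDevice()
    device.cred_init(webauthn.rp.id, b'randomhandle')
    persist_and_detach(
        WebauthnCredential(
            user=test_user,
            user_handle=device.user_handle,
            credential_data=cbor.encode(device.cred_as_attested().__dict__)))

    selenium.get(url_for('auth.login_route', _external=True))
    selenium.find_element_by_xpath('//form//input[@name="username"]').send_keys(test_user.username)
    selenium.find_element_by_xpath('//form//input[@type="submit"]').click()

    # the page's javascript authenticator call is emulated from here on
    webdriver_waituntil(selenium, js_variable_ready('window.pkcro_raw'))
    pkcro_raw = selenium.execute_script('return window.pkcro_raw;')
    pkcro = cbor.decode(b64decode(pkcro_raw.encode('utf-8')))
    assertion = device.get(pkcro, f'https://{webauthn.rp.id}')
    # hand the payload over as a script argument rather than splicing it into
    # the script source, so the value never needs quoting inside javascript
    selenium.execute_script(
        'authenticate_assertion(CBOR.decode(Sner.base64_to_array_buffer(arguments[0])));',
        b64encode(cbor.encode(assertion)).decode('utf-8'))
    # and back to the standard test code flow

    webdriver_waituntil(
        selenium,
        EC.presence_of_element_located((By.XPATH, '//a[text()="Logout"]')))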
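def test_profile_webauthn_register_route(live_server, sl_user):  # pylint: disable=unused-argument
    """Register a new WebAuthn credential for the logged-in user.

    The credential creation options published by the page in
    ``window.pkcco_raw`` are answered by a software authenticator and the
    resulting attestation is passed back to the page's ``pack_attestation``
    helper; the registration form is then submitted as a user would.

    Args:
        live_server: fixture serving the application (reached via ``url_for``).
        sl_user: webdriver session already logged in as ``pytest_user``.
    """

    device = SoftWebauthnDevice()

    sl_user.get(url_for('auth.profile_webauthn_register_route', _external=True))
    # the page's javascript authenticator call is emulated from here on
    webdriver_waituntil(sl_user, js_variable_ready('window.pkcco_raw'))
    pkcco_raw = sl_user.execute_script('return window.pkcco_raw;')
    pkcco = cbor.decode(b64decode(pkcco_raw.encode('utf-8')))
    attestation = device.create(pkcco, f'https://{webauthn.rp.id}')
    # hand the payload over as a script argument rather than splicing it into
    # the script source, so the value never needs quoting inside javascript
    sl_user.execute_script(
        'pack_attestation(CBOR.decode(Sner.base64_to_array_buffer(arguments[0])));',
        b64encode(cbor.encode(attestation)).decode('utf-8'))
    # and back to the standard test code flow
    form_xpath = '//form[@id="webauthn_register_form"]'
    sl_user.find_element_by_xpath(f'{form_xpath}//input[@name="name"]').send_keys('pytest token')
    sl_user.find_element_by_xpath(f'{form_xpath}//input[@type="submit"]').click()

    user = User.query.filter(User.username == 'pytest_user').one()
    assert user.webauthn_credentials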
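def test_login_webauthn(live_server, selenium, webauthn_credential_factory):  # pylint: disable=unused-argument
    """Log in through the WebAuthn flow using a factory-built credential.

    The credential is created for a software authenticator and committed so
    that the live server process sees it; the credential request options
    published by the page in ``window.pkcro_raw`` are then answered by that
    authenticator and handed back to the page's ``authenticate_assertion``
    helper, since the browser-side authenticator call itself is emulated here.

    Args:
        live_server: fixture serving the application (reached via ``url_for``).
        selenium: anonymous webdriver session.
        webauthn_credential_factory: factory producing a credential and its user.
    """

    device = SoftWebauthnDevice()
    device.cred_init(webauthn.rp.id, b'randomhandle')
    wncred = webauthn_credential_factory.create(initialized_device=device)
    # factory post_generate does not commit, so the attribute changes would not be
    # visible to the separate process the real browser talks to
    db.session.commit()

    selenium.get(url_for('auth.login_route', _external=True))
    selenium.find_element_by_xpath('//form//input[@name="username"]').send_keys(wncred.user.username)
    selenium.find_element_by_xpath('//form//input[@type="submit"]').click()

    # the page's javascript authenticator call is emulated from here on
    webdriver_waituntil(selenium, js_variable_ready('window.pkcro_raw'))
    pkcro_raw = selenium.execute_script('return window.pkcro_raw;')
    pkcro = cbor.decode(b64decode(pkcro_raw.encode('utf-8')))
    assertion = device.get(pkcro, f'https://{webauthn.rp.id}')
    # hand the payload over as a script argument rather than splicing it into
    # the script source, so the value never needs quoting inside javascript
    selenium.execute_script(
        'authenticate_assertion(CBOR.decode(Sner.base64_to_array_buffer(arguments[0])));',
        b64encode(cbor.encode(assertion)).decode('utf-8'))
    # and back to the standard test code flow

    webdriver_waituntil(
        selenium,
        EC.presence_of_element_located((By.XPATH, '//a[text()="Logout"]')))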
def check_vulns_multiactions(sclnt, dt_id):
    """Exercise the vuln list toolbar multi-row actions.

    Exactly two rows are expected in the datatable; each is tagged on its own,
    then both are tagged together and finally both are deleted, with the
    database state checked after every step.

    Args:
        sclnt: webdriver session logged in with sufficient rights.
        dt_id: DOM id of the datatable under test.
    """

    def row_checkbox(index):
        """xpath of the select checkbox in the index-th (1-based) row"""
        return f'(//tr[@role="row"]/td[contains(@class, "select-checkbox")])[{index}]'

    def tag_button(label):
        """xpath of the multi-id tag toolbar button carrying label"""
        return f'//a[contains(@class, "abutton_tag_multiid") and text()="{label}"]'

    select_all = '//a[text()="All"]'

    # there should be two rows in total
    table = dt_wait_processing(sclnt, dt_id)
    toolbar = sclnt.find_element_by_id(f'{dt_id}_toolbar')
    assert len(table.find_elements_by_xpath('//tbody/tr[@role="row"]')) == 2

    # one could be tagged
    table.find_element_by_xpath(row_checkbox(1)).click()
    toolbar.find_element_by_xpath(tag_button('Info')).click()
    table = dt_wait_processing(sclnt, dt_id)
    assert Vuln.query.filter(Vuln.name == 'vuln 1', Vuln.tags.any('info')).one()

    # or the other one
    table.find_element_by_xpath(row_checkbox(2)).click()
    toolbar.find_element_by_xpath(tag_button('Report')).click()
    table = dt_wait_processing(sclnt, dt_id)
    assert Vuln.query.filter(Vuln.name == 'vuln 2', Vuln.tags.any('report')).one()

    # both might be tagged at the same time
    toolbar.find_element_by_xpath(select_all).click()
    toolbar.find_element_by_xpath(tag_button('Todo')).click()
    table = dt_wait_processing(sclnt, dt_id)
    assert Vuln.query.filter(Vuln.tags.any('todo')).count() == 2

    # or deleted; the delete button pops a confirmation alert
    toolbar.find_element_by_xpath(select_all).click()
    toolbar.find_element_by_xpath('//a[contains(@class, "abutton_delete_multiid")]').click()
    webdriver_waituntil(sclnt, EC.alert_is_present())
    sclnt.switch_to.alert.accept()
    dt_wait_processing(sclnt, dt_id)
    assert not Vuln.query.all()
def switch_tab(sclnt, tab_name, dt_name, control_data):
    """Activate a host view tab and wait for its datatable to render.

    Args:
        sclnt: webdriver session.
        tab_name: anchor fragment of the tab link (its ``href`` minus ``#``).
        dt_name: DOM id of the datatable shown on that tab.
        control_data: value ``dt_rendered`` looks for to consider the table rendered.
    """

    tab_link = f'//ul[@id="host_view_tabs"]//a[contains(@class, "nav-link") and @href="#{tab_name}"]'
    sclnt.find_element_by_xpath(tab_link).click()
    table_visible = EC.visibility_of_element_located((By.ID, dt_name))
    webdriver_waituntil(sclnt, table_visible)
    dt_rendered(sclnt, dt_name, control_data)
def test_vuln_view_route_tagging(live_server, sl_operator, test_vuln):  # pylint: disable=unused-argument
    """Tag a vuln from its view page and check the tag is stored.

    Args:
        live_server: fixture serving the application (reached via ``url_for``).
        sl_operator: webdriver session logged in as an operator.
        test_vuln: vuln whose view page is exercised.
    """

    view_url = url_for('storage.vuln_view_route', vuln_id=test_vuln.id, _external=True)
    sl_operator.get(view_url)

    tag_button = '//a[contains(@class, "abutton_tag_view") and text()="Info"]'
    sl_operator.find_element_by_xpath(tag_button).click()
    badge_shown = EC.visibility_of_element_located(
        (By.XPATH, '//span[contains(@class, "tag-badge") and contains(text(), "info")]'))
    webdriver_waituntil(sl_operator, badge_shown)

    assert 'info' in Vuln.query.get(test_vuln.id).tags
def test_job_list_route_inrow_repeat(live_server, sl_operator, job):  # pylint: disable=unused-argument
    """Requeue a job via the in-row repeat button of the job list.

    Args:
        live_server: fixture serving the application (reached via ``url_for``).
        sl_operator: webdriver session logged in as an operator.
        job: job whose assignment targets are expected to be requeued.
    """

    table_id = 'job_list_table'
    sl_operator.get(url_for('scheduler.job_list_route', _external=True))
    dt_wait_processing(sl_operator, table_id)

    table = sl_operator.find_element_by_id(table_id)
    table.find_element_by_class_name('abutton_submit_dataurl_jobrepeat').click()
    # the button asks for confirmation before submitting
    webdriver_waituntil(sl_operator, EC.alert_is_present())
    sl_operator.switch_to.alert.accept()
    dt_wait_processing(sl_operator, table_id)

    requeued_targets = json.loads(job.assignment)['targets']
    assert len(requeued_targets) == Target.query.count()
def test_queue_list_route_inrow_flush(live_server, sl_operator, test_target):  # pylint: disable=unused-argument
    """Flush a queue via the in-row flush button of the queue list.

    Args:
        live_server: fixture serving the application (reached via ``url_for``).
        sl_operator: webdriver session logged in as an operator.
        test_target: target sitting in the queue that gets flushed.
    """

    table_id = 'queue_list_table'

    sl_operator.get(url_for('scheduler.queue_list_route', _external=True))
    dt_wait_processing(sl_operator, table_id)
    table = sl_operator.find_element_by_id(table_id)
    table.find_element_by_class_name('abutton_submit_dataurl_queueflush').click()
    # the button asks for confirmation before submitting
    webdriver_waituntil(sl_operator, EC.alert_is_present())
    sl_operator.switch_to.alert.accept()
    dt_wait_processing(sl_operator, table_id)

    queue = Queue.query.get(test_target.queue_id)
    assert not queue.targets
def selenium_in_roles(sclnt, roles):
    """Create a throw-away user with the given roles and log the session in as it.

    Args:
        sclnt: webdriver session to log in.
        roles: roles assigned to the created user.

    Returns:
        The same webdriver session, now logged in (the Logout link is present).
    """

    password = PWS.generate()
    user = User(username='******', password=PWS.hash(password), active=True, roles=roles)
    db.session.add(user)
    db.session.commit()

    sclnt.get(url_for('auth.login_route', _external=True))
    form_field = '//form//input[@name="%s"]'
    sclnt.find_element_by_xpath(form_field % 'username').send_keys(user.username)
    sclnt.find_element_by_xpath(form_field % 'password').send_keys(password)
    sclnt.find_element_by_xpath('//form//input[@type="submit"]').click()
    logged_in = EC.presence_of_element_located((By.XPATH, '//a[text()="Logout"]'))
    webdriver_waituntil(sclnt, logged_in)

    return sclnt
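def check_annotate(sclnt, annotate_elem_class, test_model):
    """Exercise the annotate modal on a list cell and check the comment is stored.

    Args:
        sclnt: webdriver session.
        annotate_elem_class: css class of the table cell that opens the modal on double-click.
        test_model: model instance whose ``comment`` column is expected to receive the text.
    """

    # disable fade, the timing interferes with the test
    sclnt.execute_script('$("div#modal-global").toggleClass("fade")')
    cell = sclnt.find_element_by_xpath(f'//td[contains(@class, "{annotate_elem_class}")]')
    ActionChains(sclnt).double_click(cell).perform()
    webdriver_waituntil(
        sclnt,
        EC.visibility_of_element_located(
            (By.XPATH, '//h4[@class="modal-title" and text()="Annotate"]')))

    sclnt.find_element_by_css_selector('#modal-global form textarea[name="comment"]').send_keys('annotated comment')
    sclnt.find_element_by_css_selector('#modal-global form').submit()
    # the modal is addressed by its id everywhere else in this file; the
    # previous selector had an unclosed predicate, and since an invalid
    # selector is reported as a NoSuchElementException subclass the
    # invisibility wait most likely returned at once instead of waiting
    webdriver_waituntil(
        sclnt,
        EC.invisibility_of_element_located((By.XPATH, '//div[@id="modal-global"]')))
    webdriver_waituntil(sclnt, no_ajax_pending())

    stored = test_model.__class__.query.get(test_model.id)
    assert 'annotated comment' in stored.comment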
def test_vuln_list_route_viatarget_visibility_toggle(live_server, sl_operator,
                                                     vuln):  # pylint: disable=unused-argument
    """Toggle the via_target column from the user dropdown and check it appears.

    The toggle triggers a confirmation alert followed by a page reload; the
    document title is changed beforehand so the reload can be detected.

    Args:
        live_server: fixture serving the application (reached via ``url_for``).
        sl_operator: webdriver session logged in as an operator.
        vuln: vuln whose comment is used to detect the rendered table.
    """
    class DocumentReloaded():  # pylint: disable=too-few-public-methods
        """custom expected_condition; true once the marked document has been replaced by a fresh one"""
        def __call__(self, driver):
            return driver.execute_script(
                'return(document.readyState==="complete" && document.title!=="reload helper")'
            )

    table_id = 'vuln_list_table'
    column_header = (By.XPATH, '//th[contains(text(), "via_target")]')
    toggle_link = '//a[contains(text(), "Toggle via_target")]'

    sl_operator.get(url_for('storage.vuln_list_route', _external=True))
    dt_rendered(sl_operator, table_id, vuln.comment)

    # the column starts hidden
    webdriver_waituntil(sl_operator, EC.invisibility_of_element_located(column_header))
    sl_operator.execute_script('document.title="reload helper"')

    sl_operator.find_element_by_xpath('//li[contains(@class, "dropdown")]/a[@id="dropdownUser"]').click()
    webdriver_waituntil(sl_operator, EC.visibility_of_element_located((By.XPATH, toggle_link)))
    sl_operator.find_element_by_xpath(toggle_link).click()
    webdriver_waituntil(sl_operator, EC.alert_is_present())
    sl_operator.switch_to.alert.accept()
    webdriver_waituntil(sl_operator, DocumentReloaded())
    dt_rendered(sl_operator, table_id, vuln.comment)

    # and is shown after the toggle
    webdriver_waituntil(sl_operator, EC.visibility_of_element_located(column_header))
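def test_user_apikey_route(live_server, sl_admin, test_user):  # pylint: disable=unused-argument
    """Generate and then revoke a user's apikey from the user list page.

    Args:
        live_server: fixture serving the application (reached via ``url_for``).
        sl_admin: webdriver session logged in as an admin.
        test_user: user whose apikey is generated and revoked.
    """

    def apikey_action(action):
        """click the apikey action button for test_user and dismiss the result modal"""
        action_url = url_for('auth.user_apikey_route', user_id=test_user.id, action=action)
        sl_admin.find_element_by_xpath(f'//a[@data-url="{action_url}"]').click()
        webdriver_waituntil(
            sl_admin,
            EC.visibility_of_element_located(
                (By.XPATH, '//h4[@class="modal-title" and text()="Apikey operation"]')))
        sl_admin.find_element_by_xpath('//div[@id="modal-global"]//button[@class="close"]').click()
        # the modal is addressed by its id (see the close button above); the
        # previous selector had an unclosed predicate, and since an invalid
        # selector is reported as a NoSuchElementException subclass the
        # invisibility wait most likely returned at once instead of waiting
        webdriver_waituntil(
            sl_admin,
            EC.invisibility_of_element_located((By.XPATH, '//div[@id="modal-global"]')))
        dt_rendered(sl_admin, 'user_list_table', test_user.username)

    sl_admin.get(url_for('auth.user_list_route', _external=True))
    dt_rendered(sl_admin, 'user_list_table', test_user.username)

    # disable fade, the timing interferes with the test
    sl_admin.execute_script('$("div#modal-global").toggleClass("fade")')

    apikey_action('generate')
    user = User.query.get(test_user.id)
    assert user.apikey
    # drop the instance from the session so the next query reloads the row
    db.session.expunge(user)

    apikey_action('revoke')
    assert not User.query.get(test_user.id).apikey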
def check_service_endpoint_dropdown(sclnt, parent_elem, dropdown_value):
    """Open a service endpoint dropdown entry and wait for the URI list heading.

    Args:
        sclnt: webdriver session.
        parent_elem: element the dropdown link is searched under.
        dropdown_value: visible text of the dropdown link to click.
    """

    link = parent_elem.find_element_by_xpath(f'//div[contains(@class, "dropdown")]/a[text()="{dropdown_value}"]')
    link.click()
    heading_shown = EC.visibility_of_element_located((By.XPATH, '//h6[text()="Service endpoint URIs"]'))
    webdriver_waituntil(sclnt, heading_shown)