def test_s3_sync(): conn = boto3.resource("s3", region_name="us-east-1") conn.create_bucket(Bucket="bucket") app = create_kmactf() with app.app_context(): app.config["UPLOAD_PROVIDER"] = "s3" app.config["AWS_ACCESS_KEY_ID"] = "AKIAIOSFODNN7EXAMPLE" app.config["AWS_SECRET_ACCESS_KEY"] = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" app.config["AWS_S3_BUCKET"] = "bucket" uploader = S3Uploader() uploader.sync() fake_file = BytesIO("fakedfile".encode()) path = uploader.upload(fake_file, "fake_file.txt") full_path = os.path.join(app.config["UPLOAD_FOLDER"], path) try: uploader.sync() with open(full_path) as f: assert f.read() == "fakedfile" finally: rmdir(os.path.dirname(full_path)) destroy_kmactf(app)
def test_team_size_limit(): """Only team_size amount of members can join a team even via MLC""" app = create_kmactf(user_mode="teams") app.config.update({ "OAUTH_CLIENT_ID": "kmactf_testing_client_id", "OAUTH_CLIENT_SECRET": "kmactf_testing_client_secret", "OAUTH_AUTHORIZATION_ENDPOINT": "http://auth.localhost/oauth/authorize", "OAUTH_TOKEN_ENDPOINT": "http://auth.localhost/oauth/token", "OAUTH_API_ENDPOINT": "http://api.localhost/user", }) with app.app_context(): set_config("team_size", 1) team = gen_team(app.db, member_count=1, oauth_id=1234) team_id = team.id login_with_mlc(app, team_name="team_name", team_oauth_id=1234, raise_for_error=False) assert len(Teams.query.filter_by(id=team_id).first().members) == 1 set_config("team_size", 2) login_with_mlc(app, team_name="team_name", team_oauth_id=1234) assert len(Teams.query.filter_by(id=team_id).first().members) == 2 destroy_kmactf(app)
def test_lookup_user_token(): app = create_kmactf() with app.app_context(): user = gen_user(app.db) # Good Token token = gen_token(app.db, user_id=user.id) user = lookup_user_token(token.value) assert user.id == token.user_id # Expired Token expiration = datetime.datetime.utcnow() + datetime.timedelta(days=-1) token = gen_token(app.db, user_id=user.id, expiration=expiration) try: lookup_user_token(token.value) except UserTokenExpiredException: pass except Exception as e: raise e # Nonexistant token try: lookup_user_token("wat") except UserNotFoundException: pass except Exception as e: raise e destroy_kmactf(app)
def test_hidden_challenge_is_reachable(): """Test that hidden challenges are visible for admins""" app = create_kmactf() with app.app_context(): register_user(app) client = login_as_user(app, name="admin", password="******") chal = gen_challenge(app.db, state="hidden") gen_flag(app.db, challenge_id=chal.id, content="flag") chal_id = chal.id assert Challenges.query.count() == 1 r = client.get("/api/v1/challenges", json="") data = r.get_json().get("data") assert data == [] r = client.get("/api/v1/challenges/1", json="") assert r.status_code == 200 data = r.get_json().get("data") assert data["name"] == "chal_name" data = {"submission": "flag", "challenge_id": chal_id} r = client.post("/api/v1/challenges/attempt", json=data) assert r.status_code == 404 r = client.post("/api/v1/challenges/attempt?preview=true", json=data) assert r.status_code == 200 resp = r.get_json()["data"] assert resp.get("status") == "correct" destroy_kmactf(app)
def test_update_check_identifies_update(fake_get_request): """Update checks properly identify new versions""" app = create_kmactf() with app.app_context(): app.config["UPDATE_CHECK"] = True fake_response = Mock() fake_get_request.return_value = fake_response fake_response.json = lambda: { "resource": { "download_url": "https://api.github.com/repos/KMActf/KMActf/zipball/9.9.9", "html_url": "https://github.com/KMActf/KMActf/releases/tag/9.9.9", "id": 12, "latest": True, "next": 1542212248, "prerelease": False, "published_at": "Wed, 25 Oct 2017 19:39:42 -0000", "tag": "9.9.9", } } update_check() assert (get_config("version_latest") == "https://github.com/KMActf/KMActf/releases/tag/9.9.9") assert get_config("next_update_check") == 1542212248 destroy_kmactf(app)
def test_api_submissions_get_non_admin(): app = create_kmactf() with app.app_context(): gen_challenge(app.db) gen_solve(app.db, user_id=1) with app.test_client() as client: # test_api_submissions_get_non_admin """Can a user get /api/v1/submissions if not admin""" r = client.get("/api/v1/submissions", json="") assert r.status_code == 403 # test_api_submissions_post_non_admin """Can a user post /api/v1/submissions if not admin""" r = client.post("/api/v1/submissions") assert r.status_code == 403 # test_api_submission_get_non_admin """Can a user get /api/v1/submissions/<submission_id> if not admin""" r = client.get("/api/v1/submissions/1", json="") assert r.status_code == 403 # test_api_submission_delete_non_admin """Can a user delete /api/v1/submissions/<submission_id> if not admin""" r = client.delete("/api/v1/submissions/1", json="") assert r.status_code == 403 destroy_kmactf(app)
def test_redis_event_manager_publish(): """Test that RedisEventManager publishing to clients works.""" class RedisConfig(TestingConfig): REDIS_URL = "redis://localhost:6379/3" CACHE_REDIS_URL = "redis://localhost:6379/3" CACHE_TYPE = "redis" try: app = create_kmactf(config=RedisConfig) except ConnectionError: print("Failed to connect to redis. Skipping test.") else: with app.app_context(): saved_data = { "user_id": None, "title": "asdf", "content": "asdf", "team_id": None, "user": None, "team": None, "date": "2019-01-28T01:20:46.017649+00:00", "id": 10, } event_manager = RedisEventManager() event_manager.publish(data=saved_data, type="notification", channel="ctf") destroy_kmactf(app)
def test_api_removing_members_deletes_information(): """If an admin removes a user, their score information should also be removed""" app = create_kmactf(user_mode="teams") with app.app_context(): team = gen_team(app.db) assert len(team.members) == 4 app.db.session.commit() user = Users.query.filter_by(id=2).first() simulate_user_activity(app.db, user) assert Solves.query.filter_by(user_id=2).count() == 1 assert Submissions.query.filter_by(user_id=2).count() == 6 assert Awards.query.filter_by(user_id=2).count() == 1 assert Unlocks.query.filter_by(user_id=2).count() == 1 with login_as_user(app, name="admin") as client: r = client.delete("/api/v1/teams/1/members", json={"user_id": 2}) assert r.status_code == 200 user = Users.query.filter_by(id=2).first() assert Solves.query.filter_by(user_id=2).count() == 0 assert Submissions.query.filter_by(user_id=2).count() == 0 assert Awards.query.filter_by(user_id=2).count() == 0 assert Unlocks.query.filter_by(user_id=2).count() == 0 destroy_kmactf(app)
def test_api_admin_can_change_captain(): """Can admins/captains change captains for teams""" app = create_kmactf(user_mode="teams") with app.app_context(): user1 = gen_user(app.db, name="user1", email="*****@*****.**") # ID 2 user2 = gen_user(app.db, name="user2", email="*****@*****.**") # ID 3 team = gen_team(app.db) team.members.append(user1) team.members.append(user2) team.captain_id = 2 user1.team_id = team.id user2.team_id = team.id app.db.session.commit() # I am not the captain with login_as_user(app, name="user2") as client: r = client.patch("/api/v1/teams/1", json={"captain_id": 3}) assert r.status_code == 403 # Look at me, I'm the captain now with login_as_user(app, name="user1") as client: r = client.patch("/api/v1/teams/1", json={"captain_id": 3}) # We should still receive a 403 because admins are the only people who can change captains for specific teams assert r.status_code == 403 # Escalate to admin with login_as_user(app, name="admin") as client: r = client.patch("/api/v1/teams/1", json={"captain_id": 3}) resp = r.get_json() assert resp["data"]["captain_id"] == 3 assert r.status_code == 200 destroy_kmactf(app)
def test_api_users_can_change_captain_on_self_team(): """Can admins/captains change captains for their own team""" app = create_kmactf(user_mode="teams") with app.app_context(): user1 = gen_user(app.db, name="user1", email="*****@*****.**") # ID 2 user2 = gen_user(app.db, name="user2", email="*****@*****.**") # ID 3 team = gen_team(app.db) team.members.append(user1) team.members.append(user2) team.captain_id = 2 user1.team_id = team.id user2.team_id = team.id app.db.session.commit() # I am not the captain with login_as_user(app, name="user2") as client: r = client.patch("/api/v1/teams/me", json={"captain_id": 3}) assert r.status_code == 403 # Look at me, I'm the captain now with login_as_user(app, name="user1") as client: r = client.patch("/api/v1/teams/me", json={"captain_id": 3}) resp = r.get_json() assert resp["data"]["captain_id"] == 3 assert r.status_code == 200 destroy_kmactf(app)
def test_api_team_remove_members(): """Can a user remove /api/v1/teams/<team_id>/members only if admin""" app = create_kmactf(user_mode="teams") with app.app_context(): team = gen_team(app.db) assert len(team.members) == 4 app.db.session.commit() gen_user(app.db, name="user1") with login_as_user(app, name="user1") as client: r = client.delete("/api/v1/teams/1/members", json={"user_id": 2}) assert r.status_code == 403 with login_as_user(app, name="admin") as client: r = client.delete("/api/v1/teams/1/members", json={"user_id": 2}) assert r.status_code == 200 resp = r.get_json() # The following data is sorted b/c in Postgres data isn't necessarily returned ordered. assert sorted(resp["data"]) == sorted([3, 4, 5]) r = client.delete("/api/v1/teams/1/members", json={"user_id": 2}) resp = r.get_json() assert "User is not part of this team" in resp["errors"]["id"] assert r.status_code == 400 destroy_kmactf(app)
def test_unlocking_hints_with_cost_during_frozen_ctf(): """Test that hints with a cost are unlocked if the CTF is frozen.""" app = create_kmactf() with app.app_context(): set_config( "freeze", "1507262400" ) # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST with freeze_time("2017-10-4"): register_user(app) chal = gen_challenge(app.db) chal_id = chal.id gen_hint(app.db, chal_id, cost=10) gen_award(app.db, user_id=2) with freeze_time("2017-10-8"): client = login_as_user(app) client.get("/api/v1/hints/1") client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"}) r = client.get("/api/v1/hints/1") resp = r.get_json()["data"] assert resp.get("content") == "This is a hint" user = Users.query.filter_by(id=2).first() assert user.score == 100 destroy_kmactf(app)
def test_unlocking_hints_with_cost_during_ended_ctf(): """Test that hints with a cost are not unlocked if the CTF has ended""" app = create_kmactf() with app.app_context(): register_user(app) chal = gen_challenge(app.db) chal_id = chal.id gen_hint(app.db, chal_id, cost=10) gen_award(app.db, user_id=2) set_config( "start", "1507089600" ) # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST set_config( "end", "1507262400" ) # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST with freeze_time("2017-11-4"): client = login_as_user(app) r = client.get("/api/v1/hints/1") assert r.get_json().get("data") is None assert r.status_code == 403 r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"}) assert r.status_code == 403 assert r.get_json() r = client.get("/api/v1/hints/1") assert r.status_code == 403 user = Users.query.filter_by(id=2).first() assert user.score == 100 assert Unlocks.query.count() == 0 destroy_kmactf(app)
def test_unlocking_hints_with_cost_during_ctf_without_points(): """Test that hints with a cost are not unlocked if you don't have the points""" app = create_kmactf() with app.app_context(): register_user(app) chal = gen_challenge(app.db) chal_id = chal.id gen_hint(app.db, chal_id, cost=10) client = login_as_user(app) r = client.get("/api/v1/hints/1") assert r.get_json()["data"].get("content") is None r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"}) assert ( r.get_json()["errors"]["score"] == "You do not have enough points to unlock this hint" ) r = client.get("/api/v1/hints/1") assert r.get_json()["data"].get("content") is None user = Users.query.filter_by(id=2).first() assert user.score == 0 destroy_kmactf(app)
def test_sendmail_with_smtp_from_db_config(mock_smtp): """Does sendmail work properly with simple SMTP mail servers using database configuration""" app = create_kmactf() with app.app_context(): set_config("mail_server", "localhost") set_config("mail_port", 25) set_config("mail_useauth", True) set_config("mail_username", "username") set_config("mail_password", "password") ctf_name = get_config("ctf_name") from_addr = get_config("mailfrom_addr") or app.config.get( "MAILFROM_ADDR") from_addr = "{} <{}>".format(ctf_name, from_addr) to_addr = "*****@*****.**" msg = "this is a test" sendmail(to_addr, msg) ctf_name = get_config("ctf_name") email_msg = MIMEText(msg) email_msg["Subject"] = "Message from {0}".format(ctf_name) email_msg["From"] = from_addr email_msg["To"] = to_addr mock_smtp.return_value.sendmail.assert_called_once_with( from_addr, [to_addr], email_msg.as_string()) destroy_kmactf(app)
def test_api_users_post_admin_with_attributes(): """Can a user post /api/v1/users with user settings""" app = create_kmactf() with app.app_context(): with login_as_user(app, "admin") as client: # Create user r = client.post( "/api/v1/users", json={ "name": "user", "email": "*****@*****.**", "password": "******", "banned": True, "hidden": True, "verified": True, }, ) assert r.status_code == 200 # Make sure password was hashed properly user = Users.query.filter_by(email="*****@*****.**").first() assert user assert verify_password("password", user.password) assert user.banned assert user.hidden assert user.verified destroy_kmactf(app)
def test_reset(): app = create_kmactf() with app.app_context(): base_user = "******" for x in range(10): chal = gen_challenge(app.db, name="chal_name{}".format(x)) gen_flag(app.db, challenge_id=chal.id, content="flag") for x in range(10): user = base_user + str(x) user_email = user + "@kmactf.io" user_obj = gen_user(app.db, name=user, email=user_email) gen_award(app.db, user_id=user_obj.id) gen_solve(app.db, user_id=user_obj.id, challenge_id=random.randint(1, 10)) gen_fail(app.db, user_id=user_obj.id, challenge_id=random.randint(1, 10)) gen_tracking(app.db, user_id=user_obj.id) assert Users.query.count() == 11 # 11 because of the first admin user assert Challenges.query.count() == 10 register_user(app) client = login_as_user(app, name="admin", password="******") with client.session_transaction() as sess: data = {"nonce": sess.get("nonce")} client.post("/admin/reset", data=data) assert Users.query.count() == 0 assert Challenges.query.count() == 10 assert Solves.query.count() == 0 assert Fails.query.count() == 0 assert Tracking.query.count() == 0 destroy_kmactf(app)
def test_api_user_change_name(): """Can a user change their name via the API""" app = create_kmactf() with app.app_context(): register_user(app) with login_as_user(app) as client: r = client.patch("/api/v1/users/me", json={"name": "user2"}) assert r.status_code == 200 resp = r.get_json() assert resp["data"]["name"] == "user2" assert resp["success"] is True r = client.patch("/api/v1/users/me", json={"name": None}) resp = r.get_json() print(resp) assert r.status_code == 400 assert resp["errors"]["name"] == ["Field may not be null."] assert resp["success"] is False set_config("name_changes", False) r = client.patch("/api/v1/users/me", json={"name": "new_name"}) assert r.status_code == 400 resp = r.get_json() assert "name" in resp["errors"] assert resp["success"] is False set_config("name_changes", True) r = client.patch("/api/v1/users/me", json={"name": "new_name"}) assert r.status_code == 200 resp = r.get_json() assert resp["data"]["name"] == "new_name" assert resp["success"] is True destroy_kmactf(app)
def test_challenge_team_submit(): """Is a user's solved challenge reflected by other team members""" app = create_kmactf(user_mode="teams") with app.app_context(): user = gen_user(app.db) second_user = gen_user(app.db, name="user", email="*****@*****.**") team = gen_team(app.db) user.team_id = team.id second_user.team_id = team.id team.members.append(user) team.members.append(second_user) gen_challenge(app.db) gen_flag(app.db, 1) app.db.session.commit() with login_as_user(app, name="user_name") as client: flag = {"challenge_id": 1, "submission": "flag"} client.post("/api/v1/challenges/attempt", json=flag) with login_as_user(app) as second_client: flag = {"challenge_id": 1, "submission": "flag"} r = second_client.post("/api/v1/challenges/attempt", json=flag) assert r.json["data"]["status"] == "already_solved" standings = get_standings() assert standings[0][2] == "team_name" assert standings[0][3] == 100 destroy_kmactf(app)
def test_api_user_change_email(): """Test that users can change their email via the API""" app = create_kmactf() with app.app_context(): register_user(app) user = Users.query.filter_by(id=2).first() app.db.session.commit() with login_as_user(app) as client: # Test users can't submit null r = client.patch("/api/v1/users/me", json={ "email": None, "confirm": "password" }) resp = r.get_json() print(resp) assert r.status_code == 400 assert resp["errors"]["email"] == ["Field may not be null."] # Test users can exercise the API r = client.patch( "/api/v1/users/me", json={ "email": "*****@*****.**", "confirm": "password" }, ) assert r.status_code == 200 resp = r.get_json() assert resp["data"]["email"] == "*****@*****.**" assert resp["success"] is True user = Users.query.filter_by(id=2).first() assert user.email == "*****@*****.**" destroy_kmactf(app)
def test_hint_team_unlock(): """Is a user's unlocked hint reflected on other team members""" app = create_kmactf(user_mode="teams") with app.app_context(): user = gen_user(app.db) second_user = gen_user(app.db, name="user", email="*****@*****.**") team = gen_team(app.db) user.team_id = team.id second_user.team_id = team.id team.members.append(user) team.members.append(second_user) chal = gen_challenge(app.db) gen_hint(app.db, chal.id, content="hint", cost=1, type="standard") gen_award(app.db, 2, team.id) app.db.session.commit() with login_as_user(app, name="user_name") as client: client.get("/api/v1/hints/1") client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"}) client.get("/api/v1/hints/1") with login_as_user(app) as second_client: second_client.get("/api/v1/hints/1") second_client.post("/api/v1/unlocks", json={ "target": 1, "type": "hints" }) r = second_client.get("/api/v1/hints/1") assert r.json["data"]["content"] == "hint" standings = get_standings() assert standings[0][2] == "team_name" assert standings[0][3] == 99 destroy_kmactf(app)
def test_api_user_change_email_under_whitelist(): """Test that users can only change emails to ones in the whitelist""" app = create_kmactf() with app.app_context(): register_user(app) set_config("domain_whitelist", "whitelisted.com, whitelisted.org, whitelisted.net") with login_as_user(app) as client: r = client.patch( "/api/v1/users/me", json={ "email": "*****@*****.**", "confirm": "password" }, ) assert r.status_code == 400 resp = r.get_json() assert resp["errors"]["email"] assert resp["success"] is False r = client.patch( "/api/v1/users/me", json={ "email": "*****@*****.**", "confirm": "password" }, ) assert r.status_code == 200 resp = r.get_json() assert resp["data"]["email"] == "*****@*****.**" assert resp["success"] is True destroy_kmactf(app)
def test_api_configs_get_non_admin(): """Can a user get /api/v1/configs if not admin""" app = create_kmactf() with app.app_context(): with app.test_client() as client: r = client.get("/api/v1/configs") assert r.status_code == 302 # test_api_configs_post_non_admin """Can a user post /api/v1/configs if not admin""" r = client.post("/api/v1/configs", json="") assert r.status_code == 403 # test_api_configs_patch_non_admin """Can a user patch /api/v1/configs if not admin""" r = client.patch("/api/v1/configs", json="") assert r.status_code == 403 # test_api_config_get_non_admin """Can a user get /api/v1/configs/<config_key> if not admin""" r = client.get("/api/v1/configs/ctf_name") assert r.status_code == 302 # test_api_config_patch_non_admin """Can a user patch /api/v1/configs/<config_key> if not admin""" r = client.patch("/api/v1/configs/ctf_name", json="") assert r.status_code == 403 # test_api_config_delete_non_admin """Can a user delete /api/v1/configs/<config_key> if not admin""" r = client.delete("/api/v1/configs/ctf_name", json="") assert r.status_code == 403 assert get_config("ctf_name") == "KMActf" destroy_kmactf(app)
def test_api_users_post_admin(): """Can a user post /api/v1/users if admin""" app = create_kmactf() with app.app_context(): with login_as_user(app, "admin") as client: # Create user r = client.post( "/api/v1/users", json={ "name": "user", "email": "*****@*****.**", "password": "******" }, ) assert r.status_code == 200 # Make sure password was hashed properly user = Users.query.filter_by(email="*****@*****.**").first() assert user assert verify_password("password", user.password) # Make sure user can login with the creds client = login_as_user(app) r = client.get("/profile") assert r.status_code == 200 destroy_kmactf(app)
def test_api_files_get_non_admin(): app = create_kmactf() with app.app_context(): chal = gen_challenge(app.db) gen_file( app.db, location="0bf1a55a5cd327c07af15df260979668/bird.swf", challenge_id=chal.id, ) with app.test_client() as client: # test_api_files_get_non_admin """Can a user get /api/v1/files if not admin""" r = client.get("/api/v1/files", json="") assert r.status_code == 403 # test_api_files_post_non_admin """Can a user post /api/v1/files if not admin""" r = client.post("/api/v1/files") assert r.status_code == 403 # test_api_file_get_non_admin """Can a user get /api/v1/files/<file_id> if not admin""" r = client.get("/api/v1/files/1", json="") assert r.status_code == 403 # test_api_file_delete_non_admin """Can a user delete /api/v1/files/<file_id> if not admin""" r = client.delete("/api/v1/files/1", json="") assert r.status_code == 403 destroy_kmactf(app)
def test_sendmail_with_smtp_from_config_file(mock_smtp): """Does sendmail work properly with simple SMTP mail servers using file configuration""" app = create_kmactf() with app.app_context(): app.config["MAIL_SERVER"] = "localhost" app.config["MAIL_PORT"] = "25" app.config["MAIL_USEAUTH"] = "True" app.config["MAIL_USERNAME"] = "******" app.config["MAIL_PASSWORD"] = "******" ctf_name = get_config("ctf_name") from_addr = get_config("mailfrom_addr") or app.config.get( "MAILFROM_ADDR") from_addr = "{} <{}>".format(ctf_name, from_addr) to_addr = "*****@*****.**" msg = "this is a test" sendmail(to_addr, msg) ctf_name = get_config("ctf_name") email_msg = MIMEText(msg) email_msg["Subject"] = "Message from {0}".format(ctf_name) email_msg["From"] = from_addr email_msg["To"] = to_addr mock_smtp.return_value.sendmail.assert_called_once_with( from_addr, [to_addr], email_msg.as_string()) destroy_kmactf(app)
def test_oauth_login_upgrade(): """Test that users who use MLC after having registered will be associated with their MLC account""" app = create_kmactf(user_mode="teams") app.config.update({ "OAUTH_CLIENT_ID": "kmactf_testing_client_id", "OAUTH_CLIENT_SECRET": "kmactf_testing_client_secret", "OAUTH_AUTHORIZATION_ENDPOINT": "http://auth.localhost/oauth/authorize", "OAUTH_TOKEN_ENDPOINT": "http://auth.localhost/oauth/token", "OAUTH_API_ENDPOINT": "http://api.localhost/user", }) with app.app_context(): register_user(app) assert Users.query.count() == 2 set_config("registration_visibility", "private") # Users should still be able to login client = login_as_user(app) client.get("/logout") user = Users.query.filter_by(id=2).first() assert user.oauth_id is None assert user.team_id is None login_with_mlc(app) assert Users.query.count() == 2 # Logging in with MLC should insert an OAuth ID and team ID user = Users.query.filter_by(id=2).first() assert user.oauth_id assert user.verified assert user.team_id destroy_kmactf(app)
def test_successful_registration_email(mock_smtp): """Does successful_registration_notification send emails""" app = create_kmactf() with app.app_context(): set_config("mail_server", "localhost") set_config("mail_port", 25) set_config("mail_useauth", True) set_config("mail_username", "username") set_config("mail_password", "password") set_config("verify_emails", True) ctf_name = get_config("ctf_name") from_addr = get_config("mailfrom_addr") or app.config.get( "MAILFROM_ADDR") from_addr = "{} <{}>".format(ctf_name, from_addr) to_addr = "*****@*****.**" successful_registration_notification(to_addr) msg = "You've successfully registered for KMActf!" email_msg = MIMEText(msg) email_msg["Subject"] = "Successfully registered for {ctf_name}".format( ctf_name=ctf_name) email_msg["From"] = from_addr email_msg["To"] = to_addr # Need to freeze time to predict the value of the itsdangerous token. # For now just assert that sendmail was called. mock_smtp.return_value.sendmail.assert_called_with( from_addr, [to_addr], email_msg.as_string()) destroy_kmactf(app)
def test_user_token_access(): app = create_kmactf() with app.app_context(): with app.test_client() as client: r = client.get("/api/v1/users/me", json="") assert r.status_code == 403 with app.test_client() as client: user = gen_user(app.db, name="user2", email="*****@*****.**") expiration = datetime.datetime.utcnow() + datetime.timedelta( days=-1) token = generate_user_token(user, expiration=expiration) headers = {"Authorization": "token " + token.value} r = client.get("/api/v1/users/me", headers=headers, json="") assert r.status_code == 401 with app.test_client() as client: headers = {"Authorization": "token invalid_token"} r = client.get("/api/v1/users/me", headers=headers, json="") assert r.status_code == 401 with app.test_client() as client: user = gen_user(app.db, name="user1", email="*****@*****.**") token = generate_user_token(user, expiration=None) headers = {"Authorization": "token " + token.value} r = client.get("/api/v1/users/me", headers=headers, json="") assert r.status_code == 200 resp = r.get_json() assert resp["data"]["email"] == "*****@*****.**" assert resp["data"]["name"] == "user1" destroy_kmactf(app)
def test_email_cannot_be_changed_without_password(): """Test that a user can't update their email address without current password""" app = create_kmactf() with app.app_context(): register_user(app) client = login_as_user(app) data = {"name": "user", "email": "*****@*****.**"} r = client.patch("/api/v1/users/me", json=data) assert r.status_code == 400 user = Users.query.filter_by(id=2).first() assert user.email == "*****@*****.**" data = {"name": "user", "email": "*****@*****.**", "confirm": "asdf"} r = client.patch("/api/v1/users/me", json=data) assert r.status_code == 400 user = Users.query.filter_by(id=2).first() assert user.email == "*****@*****.**" data = {"name": "user", "email": "*****@*****.**", "confirm": "password"} r = client.patch("/api/v1/users/me", json=data) assert r.status_code == 200 user = Users.query.filter_by(id=2).first() assert user.email == "*****@*****.**" assert verify_password(plaintext="password", ciphertext=user.password) destroy_kmactf(app)