def tearDown():
"""Clean up from tests by deleting the user for this test"""
global added_user_id
# Log in with this user with SETUP_SESSION so we have authentication
# to delete later
login_json = {
'username': '******',
'password': '******'
}
resp = get_response_with_jwt(SETUP_SESSION, 'POST', '/login', login_json)
log_response_error(resp)
assert resp.status_code == 200
resp = get_response_with_jwt(SETUP_SESSION, 'DELETE', '/users/' + added_user_id)
log_response_error(resp)
assert resp.status_code == 204
def test_reset_finish_valid():
"""--> Test reset API success"""
# Look up reset code and reset expires to the future
# (We set it to the past in the last test)
session = DBSESSION()
user = session.query(User).filter(User.email == '*****@*****.**').one_or_none()
assert user
LOGGER.debug('1: user.reset_expires = ' + str(user.reset_expires))
# The below minutes value is a hack because while I set the time zone for the
# server to America/New York, it is still off by 4 hours from MacOS
# This should not result in a real issue, because in normal use casese all
# reading / updating of the reset_expires value will be in the server time zone
user.reset_expires = datetime.datetime.now() + datetime.timedelta(minutes=315)
LOGGER.debug('2: user.reset_expires = ' + str(user.reset_expires))
session.add(user)
session.commit()
reset_json = {
'email': '*****@*****.**',
'password': '******',
'reset_code': user.reset_code
}
session.close()
# Add optional fourth parameter to ensure we send the CSRF refresh token
resp = get_response_with_jwt(TEST_SESSION, 'PUT', '/pw_reset', reset_json, True)
log_response_error(resp)
assert resp.status_code == 200
session = DBSESSION()
new_password_user = session.query(User).filter(User.email == '*****@*****.**').one_or_none()
assert new_password_user.reset_code == None
assert new_password_user.reset_expires == None
assert new_password_user.verify_password('reset111')
def test_reset_start_valid():
"""--> Test getting a reset code that should work"""
resp = get_response_with_jwt(TEST_SESSION, 'POST', '/pw_reset', {'email': '*****@*****.**'})
assert resp.status_code == 200
LOGGER.debug('refresh_token = ' + TEST_SESSION['session'].cookies['refresh_token_cookie'])
assert 'refresh_token_cookie' in TEST_SESSION['session'].cookies
assert 'csrf_refresh_token' in TEST_SESSION['session'].cookies
def test_update_user_success():
"""--> Update a user from a different user with Admin role"""
update_data = {
"username": "******",
'password': "******",
"email": "*****@*****.**",
"phone": "9197776666"
}
resp = get_response_with_jwt(TEST_SESSION, 'PUT', '/users/' + added_id,
update_data)
log_response_error(resp)
assert resp.status_code == 200
resp2 = get_response_with_jwt(TEST_SESSION, 'GET', '/users/' + added_id)
log_response_error(resp2)
assert resp2.status_code == 200
assert resp2.json()['phone'] == '9197776666'
def test_update_invalid_password():
"""--> Test update with incorrect password for logged in user"""
# Use a new session
new_session = get_new_session()
login_data = {'username': '******', 'password': '******'}
resp1 = get_response_with_jwt(new_session, 'POST', '/login', login_data)
log_response_error(resp1)
assert resp1.status_code == 200
assert 'csrf_access_token' in resp1.cookies
update_data = {
'username': '******',
'password': '******',
'email': '*****@*****.**',
'phone': 'it does not matter'
}
resp = get_response_with_jwt(new_session, 'PUT', '/users/' + testing_id,
update_data)
assert resp.status_code == 401
def test_user_list_with_query():
"""--> Test list users"""
resp = get_response_with_jwt(TEST_SESSION, 'GET', '/users?search_text=tal')
log_response_error(resp)
assert resp.status_code == 200
LOGGER.debug('Response text = %s', resp.text)
json = resp.json()
LOGGER.debug('Response json = %s', str(json))
assert len(json) == 1
assert json[0]['username'] == 'talw'
def test_unauthorized_update():
"""--> Test that a user without Admin role cannot update another user"""
# Use a new session
new_session = get_new_session()
# Login with talw
login_data = {'username': '******', 'password': '******'}
resp1 = get_response_with_jwt(new_session, 'POST', '/login', login_data)
log_response_error(resp1)
assert resp1.status_code == 200
assert 'csrf_access_token' in resp1.cookies
update_data = {
'username': '******',
'password': '******',
"email": "*****@*****.**",
'phone': 'This should not work'
}
resp2 = get_response_with_jwt(new_session, 'PUT', '/users/' + testing_id,
update_data)
assert resp2.status_code == 401
def test_logout():
"""--> Test logging out of session"""
resp = get_response_with_jwt(TEST_SESSION, 'POST', '/logout', {})
log_response_error(resp)
LOGGER.debug('TEST_SESSION.cookies = ' +
str(TEST_SESSION['session'].cookies))
assert resp.status_code == 200
assert 'csrf_access_token' not in TEST_SESSION['session'].cookies
assert 'access_token_cookie' not in TEST_SESSION['session'].cookies
assert 'refresh_token_cookie' not in TEST_SESSION['session'].cookies
def test_update_invalid_user():
"""--> Test updating an invalid user (code coverage)"""
update_data = {
'username': '******',
'password': '******',
'phone': '9999999999',
'email': 'zxxxx'
}
resp = get_response_with_jwt(
TEST_SESSION, 'PUT', '/users/e1ca7ec1-c7a1-49be-b60c-90c3b7281512',
update_data)
assert resp.status_code == 404
def test_rehydrate():
"""--> Test application rehydrate for authenticated user"""
# Note that this assumes that test_initial_login_jwt() succeeds
resp = get_response_with_jwt(TEST_SESSION, 'GET', '/login')
log_response_error(resp)
json = resp.json()
assert json['email'] == '*****@*****.**'
assert json['first_name'] == 'Test'
assert json['last_name'] == 'User'
assert json['phone'] == '9199999999'
assert json['user_id']
assert json['username'] == 'testing'
assert 'preferences' in json
def test_add_duplicate_user():
"""--> Test adding a duplicate user for code coverage"""
user_json = {
'username': "******",
'password': "******",
'email': "*****@*****.**",
'phone': '9194753336',
'reCaptchaResponse': 'Dummy',
'preferences': {
'color': 'red'
}
}
resp = get_response_with_jwt(TEST_SESSION, 'POST', '/users', user_json)
assert resp.status_code == 400
def test_self_update():
"""--> Update the same user that is authenticated"""
# Use a new session
my_session = get_new_session()
# Login in with talw
login_data = {'username': '******', 'password': '******'}
resp1 = get_response_with_jwt(my_session, 'POST', '/login', login_data)
log_response_error(resp1)
assert resp1.status_code == 200
assert 'csrf_access_token' in resp1.cookies
update_data = {
"username": "******",
"password": "******",
"email": "*****@*****.**",
"phone": "9109999999",
"newPassword": "******"
}
resp2 = get_response_with_jwt(my_session, 'PUT', '/users/' + added_id,
update_data)
assert resp2.status_code == 200
log_response_error(resp2)
resp3 = get_response_with_jwt(my_session, 'GET', '/users/' + added_id)
log_response_error(resp3)
assert resp3.json()['phone'] == '9109999999'
def test_reset_fails_email():
"""--> Test that reset fails due to email difference"""
# Look up reset code and reset expires to the future
# (We set it to the past in the last test)
session = DBSESSION()
user = session.query(User).filter(User.email == '*****@*****.**').one_or_none()
assert user
reset_json = {
'email': '*****@*****.**',
'password': '******',
'reset_code': user.reset_code
}
session.close()
# Add optional fourth parameter to ensure we send the CSRF refresh token
resp = get_response_with_jwt(TEST_SESSION, 'PUT', '/pw_reset', reset_json, True)
assert resp.status_code == 400
def test_initial_login_jwt():
"""--> Test initial user login with JWT"""
login_data = {'username': '******', 'password': '******'}
resp = get_response_with_jwt(TEST_SESSION, 'POST', '/login', login_data)
log_response_error(resp)
json = resp.json()
assert 'csrf_access_token' in resp.cookies
assert json['email'] == '*****@*****.**'
assert json['phone'] == '9199999999'
assert json['user_id']
global testing_id
testing_id = json['user_id']
assert json['username'] == 'testing'
assert json['roles'] == 'Admin'
assert json['source'] == 'Local'
assert 'preferences' in json
def test_refresh_finish_expired_code():
"""--> Test reset API failure due to expired code"""
# Look up the user in the database and set the reset_expires to now
session = DBSESSION()
user = session.query(User).filter(User.email == '*****@*****.**').one_or_none()
assert user
user.reset_expires = datetime.datetime.now()
session.add(user)
session.commit()
reset_json = {
'email': '*****@*****.**',
'password': '******',
'reset_code': user.reset_code
}
session.close()
resp = get_response_with_jwt(TEST_SESSION, 'PUT', '/pw_reset', reset_json, True)
assert resp.status_code == 400
def setUp():
"""Set up for tests by creating a new user"""
global added_user_id
new_user_json = {
'username': "******",
'password': "******",
'email': "*****@*****.**",
'first_name': "Reset",
'last_name': "User",
'phone': '9195746655',
'reCaptchaResponse': 'Dummy',
'preferences': {'color': 'red'},
'roles': 'User'
}
resp = get_response_with_jwt(None, 'POST', '/users', new_user_json)
log_response_error(resp)
assert resp.status_code == 201
# Save the user ID so we can delete it later
json = resp.json()
assert json['user_id']
added_user_id = json['user_id']
def test_user_add_api_success():
"""--> Test add API success"""
#pylint: disable=W0603
global added_id
user_json = {
'username': "******",
'password': "******",
'email': "*****@*****.**",
'first_name': 'Tal',
'last_name': 'Lewin Wittle',
'phone': '9194753337',
'reCaptchaResponse': 'Dummy',
'preferences': {
'color': 'red'
},
'roles': 'User'
}
resp = get_response_with_jwt(None, 'POST', '/users', user_json)
log_response_error(resp)
assert resp.status_code == 201
json = resp.json()
assert json['user_id']
added_id = json['user_id']
def test_user_add_no_username():
"""--> Test add API failure due to json with missing username"""
user_json = {'preferences': {'color': 'red'}}
resp = get_response_with_jwt(None, 'POST', '/users', user_json)
assert resp.status_code == 400
def test_rest_start_fails_existing_code():
"""--> Test getting a second reset code when existing one has not expired fails"""
resp = get_response_with_jwt(TEST_SESSION, 'POST', '/pw_reset', {'email': '*****@*****.**'})
assert resp.status_code == 400
def test_user_add_no_json():
"""--> Test add API failure due to no json"""
resp = get_response_with_jwt(None, 'POST', '/users')
assert resp.status_code == 400
def test_reset_invalid_email():
"""--> Test add API failure due to invalid email"""
resp = get_response_with_jwt(None, 'POST', '/pw_reset', {'email': '*****@*****.**'})
assert resp.status_code == 404
def test_shutdown_bad_key():
"""--> Test shutdown with bad key for code coverage"""
resp = get_response_with_jwt(None, 'POST', '/shutdown', {'key': 'Junk'})
assert resp.status_code == 400
def test_lookup_invalid_user():
"""--> Test looking up an invalid user (code coverage)"""
resp = get_response_with_jwt(
TEST_SESSION, 'GET', '/users/e1ca7ec1-c7a1-49be-b60c-90c3b7281512')
assert resp.status_code == 404
def test_delete_invalid_user():
""" --> Test deleting an indvalid user (code coverage)"""
resp = get_response_with_jwt(
TEST_SESSION, 'DELETE', '/users/e1ca7ec1-c7a1-49be-b60c-90c3b7281512')
assert resp.status_code == 404
def test_login_fail_jwt():
"""--> Test login returns 401 for invalid username/password"""
bad_login = {'username': '******', 'password': '******'}
resp = get_response_with_jwt(TEST_SESSION, 'POST', '/login', bad_login)
log_response_error(resp)
assert resp.status_code == 401
def test_delete_user():
"""--> Test deleting a user"""
resp = get_response_with_jwt(TEST_SESSION, 'DELETE', '/users/' + added_id)
log_response_error(resp)
assert resp.status_code == 204
