def test_unlock(self): """ Resetting lockout data unlocks user """ pol = AuthenticationLockedUsername() text = unicode(pol.validation_msg) for x in xrange(0, pol.max_failed + 1): req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertFalse(form.is_valid()) # User locked out self.assertEqual(form.non_field_errors(), [text]) # Unlock user or address LoginAttempt.objects.all().update(lockout=False) req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertTrue(form.is_valid())
def test_unlock(self): """ Resetting lockout data unlocks user """ for x in xrange(0, dap_settings.FAILED_AUTH_USERNAME_MAX + 1): req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertFalse(form.is_valid()) # User locked out self.assertEqual(form.non_field_errors(), [form.error_messages['username_locked_out']]) # Unlock user or address LoginAttempt.objects.all().update(lockout=False) req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertTrue(form.is_valid())
def test_lock_period(self): pol = AuthenticationLockedUsername() text = unicode(pol.validation_msg) for x in xrange(0, pol.max_failed + 1): req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertFalse(form.is_valid()) # User locked out self.assertEqual(form.non_field_errors(), [text]) # Alter timestamps as if they happened longer ago period = datetime.timedelta(seconds=pol.lockout_duration) expire_at = timezone.now() - period LoginAttempt.objects.all().update(timestamp=expire_at) req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertTrue(form.is_valid()) # Successful login resets lock count locking_attempts = LoginAttempt.objects.filter(lockout=True) self.assertEqual(locking_attempts.count(), 0)
def test_expiry(self): pol = AuthenticationDisableExpiredUsers() req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******'}) self.assertTrue(form.is_valid()) # Simulate user didn't log in for a long time period = datetime.timedelta(days=pol.inactive_period) expire_at = timezone.now() - period self.user.last_login = expire_at self.user.save() LoginAttempt.objects.all().update(timestamp=expire_at) # Login attempt disabled user req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******'}) self.assertFalse(form.is_valid()) self.assertEqual(form.non_field_errors(), [ form.error_messages['invalid_login'] % { 'username': form.username_field.verbose_name }] ) # Check log messages self.assertEqual(self.logger.handlers[0].stream.getvalue(), ( u'INFO Authentication attempt, username=rf, address=127.0.0.1\n' u'INFO Authentication success, username=rf, address=127.0.0.1\n' u'INFO Authentication attempt, username=rf, address=127.0.0.1\n' u'INFO User rf disabled because last login was at %s\n' u'INFO Authentication failure, username=rf, address=127.0.0.1, ' u'user inactive.\n' % expire_at))
def test_lock_period(self): for x in xrange(0, dap_settings.FAILED_AUTH_USERNAME_MAX + 1): req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertFalse(form.is_valid()) # User locked out self.assertEqual(form.non_field_errors(), [form.error_messages['username_locked_out']]) # Alter timestamps as if they happened longer ago period = datetime.timedelta( seconds=dap_settings.FAILED_AUTH_LOCKOUT_PERIOD) expire_at = timezone.now() - period LoginAttempt.objects.all().update(timestamp=expire_at) req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertTrue(form.is_valid()) # Successful login resets lock count locking_attempts = LoginAttempt.objects.filter(lockout=True) self.assertEqual(locking_attempts.count(), 0)
def test_username_lockout(self): """ Test too many failed login attempts for one username """ pol = AuthenticationLockedUsername() text = str(pol.validation_msg) for x in xrange(0, pol.max_failed): self.assertFalse(self.lockout_policy.is_locked('rf')) req = self.factory.get(reverse('login')) req.META['REMOTE_ADDR'] = '10.0.0.%d' % (x + 1) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******'}) self.assertEqual(form.non_field_errors(), [ form.error_messages['invalid_login'] % { 'username': form.username_field.verbose_name}] ) attempts = LoginAttempt.objects.filter(username=self.user.username, successful=False, lockout=True) self.assertEqual(attempts.count(), pol.max_failed) self.assertTrue(self.lockout_policy.is_locked('rf')) # Another failed authentication triggers lockout req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******'}) self.assertEqual(form.non_field_errors(), [text]) self.assertEqual(attempts.count(), pol.max_failed + 1) # Even valid authentication will no longer work now req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******'}) self.assertFalse(form.is_valid()) self.assertEqual(self.logger.handlers[0].stream.getvalue(), ( u'INFO Authentication attempt, username=rf, address=10.0.0.1\n' u'INFO Authentication failure, username=rf, address=10.0.0.1, ' u'invalid authentication.\n' u'INFO Authentication attempt, username=rf, address=10.0.0.2\n' u'INFO Authentication failure, username=rf, address=10.0.0.2, ' u'invalid authentication.\n' u'INFO Authentication attempt, username=rf, address=10.0.0.3\n' u'INFO Authentication failure, username=rf, address=10.0.0.3, ' u'invalid authentication.\n' u'INFO Authentication attempt, username=rf, address=127.0.0.1\n' u'INFO Authentication failure, username=rf, address=127.0.0.1, ' u'username locked\n' u'INFO Authentication attempt, username=rf, address=127.0.0.1\n' u'INFO Authentication failure, username=rf, address=127.0.0.1, ' u'username locked\n'))
def test_address_lockout(self): """ Test too many failed login attempts for one address """ addr = '1.2.3.4' for x in xrange(0, dap_settings.FAILED_AUTH_ADDRESS_MAX): req = self.factory.get(reverse('login')) req.META['REMOTE_ADDR'] = addr form = StrictAuthenticationForm(request=req, data={ 'username': '******' % x, 'password': '******' }) self.assertEqual(form.non_field_errors(), [ form.error_messages['invalid_login'] % { 'username': form.username_field.verbose_name } ]) attempts = LoginAttempt.objects.filter(source_address=addr, successful=False, lockout=True) self.assertEqual(attempts.count(), dap_settings.FAILED_AUTH_ADDRESS_MAX) # Another failed authentication triggers lockout req = self.factory.get(reverse('login')) req.META['REMOTE_ADDR'] = addr form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertEqual(form.non_field_errors(), [form.error_messages['address_locked_out']]) self.assertEqual(attempts.count(), dap_settings.FAILED_AUTH_ADDRESS_MAX + 1) self.assertEqual( self.logger.handlers[0].stream.getvalue(), (u'INFO Authentication attempt, username=rf0, address=1.2.3.4\n' u'WARNING Authentication failure, username=rf0, address=1.2.3.4, ' u'invalid authentication.\n' u'INFO Authentication attempt, username=rf1, address=1.2.3.4\n' u'WARNING Authentication failure, username=rf1, address=1.2.3.4, ' u'invalid authentication.\n' u'INFO Authentication attempt, username=rf2, address=1.2.3.4\n' u'WARNING Authentication failure, username=rf2, address=1.2.3.4, ' u'invalid authentication.\n' u'INFO Authentication attempt, username=rf, address=1.2.3.4\n' u'WARNING Authentication failure, username=rf, address=1.2.3.4, ' u'address locked\n'))
def test_address_lockout(self): """ Test too many failed login attempts for one address """ pol = AuthenticationLockedRemoteAddress() text = str(pol.validation_msg) addr = '1.2.3.4' for x in range(0, pol.max_failed): req = self.factory.get(reverse('login')) req.META['REMOTE_ADDR'] = addr form = StrictAuthenticationForm(request=req, data={ 'username': '******' % x, 'password': '******'}) self.assertEqual(form.non_field_errors(), [ form.error_messages['invalid_login'] % { 'username': form.username_field.verbose_name}] ) attempts = LoginAttempt.objects.filter(source_address=addr, successful=False, lockout=True) self.assertEqual(attempts.count(), pol.max_failed) # Another failed authentication triggers lockout req = self.factory.get(reverse('login')) req.META['REMOTE_ADDR'] = addr form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******'}) self.assertEqual(form.non_field_errors(), [text]) self.assertEqual(attempts.count(), pol.max_failed + 1) self.assertEqual(self.logger.handlers[0].stream.getvalue(), ( 'INFO Authentication attempt, username=rf0, address=1.2.3.4\n' 'INFO Authentication failure, username=rf0, address=1.2.3.4, ' 'invalid authentication.\n' 'INFO Authentication attempt, username=rf1, address=1.2.3.4\n' 'INFO Authentication failure, username=rf1, address=1.2.3.4, ' 'invalid authentication.\n' 'INFO Authentication attempt, username=rf2, address=1.2.3.4\n' 'INFO Authentication failure, username=rf2, address=1.2.3.4, ' 'invalid authentication.\n' 'INFO Authentication attempt, username=rf, address=1.2.3.4\n' 'INFO Authentication failure, username=rf, address=1.2.3.4, ' 'address locked\n'))
def test_inactive_user(self): self.user.is_active = False self.user.save() # Valid authentication data, but user is inactive req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******'}) self.assertFalse(form.is_valid()) self.assertEqual(form.non_field_errors(), [ form.error_messages['invalid_login'] % { 'username': form.username_field.verbose_name }] ) self.assertEqual(self.logger.handlers[0].stream.getvalue(), ( u'INFO Authentication attempt, username=rf, address=127.0.0.1\n' u'INFO Authentication failure, username=rf, address=127.0.0.1, ' u'user inactive.\n'))
def test_backend_locked_username(self): # Authentication works backend = StrictModelBackend() user = backend.authenticate(username='******', password='******') self.assertEqual(user, self.user) # Lock user for x in xrange(0, dap_settings.FAILED_AUTH_USERNAME_MAX + 1): req = self.factory.get(reverse('login')) form = StrictAuthenticationForm(request=req, data={ 'username': '******', 'password': '******' }) self.assertFalse(form.is_valid()) # Authentication must no longer work for this user user = backend.authenticate(username='******', password='******') self.assertEqual(user, None)