def you_can_login_using_facebook(self):
if config.skipFacebookTests:
return
self.user = self.createUserWithCredentials("facebook", config.fbuserid, None, config.fbuser)
self.user.activate()
driver = self.driver
driver.get(self.base_url+"/static/login.html")
self.switchToTab("login")
driver.find_element_by_id("Facebook_login_button").click()
time.sleep(1)
self._switchWindow(driver)
driver.find_element_by_id("pass").clear()
driver.find_element_by_id("pass").send_keys(config.fbpassword)
driver.find_element_by_id("email").clear()
driver.find_element_by_id("email").send_keys(config.fbuser)
driver.find_element_by_id("u_0_2").click()
driver.switch_to.window(self.master)
time.sleep(1)
self.assertEqual(self.base_url + "/static/login.html", driver.current_url)
body = driver.find_element_by_id("message").text
self.assertEqual("", body)
body = driver.find_element_by_id("userdata").text
self.assertTrue("*****@*****.**"in body)
Credential.getByUser(self.user, "facebook").rm()
self.user.rm()
def test_timed_out_emailcheck_credentials_are_cleared_in_registration(self):
for someone in User.query.all()[:5]: # @UndefinedVariable
Credential.new(someone, 'emailcheck', str(time.time()-1)+":"+uuid4().hex, uuid4().hex)
self.assertTrue(self.countExpiredCreds('emailcheck')>=5)
form = self.prepareLoginForm()
self.controller.doRegistration(form)
self.assertTrue(self.countExpiredCreds('emailcheck')==0)
def unregistered_user_can_register_with_facebook_in_the_middle_of_login_procedure_of_a_served_application(self):
if config.skipFacebookTests:
return
driver = self.driver
self._gotoOauthPage(driver)
self.switchToTab('registration')
driver.find_element_by_id("Facebook_registration_button").click()
time.sleep(1)
self.master = driver.current_window_handle
timeCount = 1;
while (len(driver.window_handles) == 1 ):
time
timeCount += 1
if ( timeCount > 50 ):
break;
for handle in driver.window_handles:
if handle!=self.master:
driver.switch_to.window(handle)
driver.find_element_by_id("pass").clear()
driver.find_element_by_id("pass").send_keys(config.fbpassword2)
driver.find_element_by_id("email").clear()
driver.find_element_by_id("email").send_keys(config.fbuser2)
driver.find_element_by_id("u_0_2").click()
driver.switch_to.window(self.master)
time.sleep(5)
self.assertTrue(driver.current_url.startswith(self.redirect_uri.lower()))
self.user = User.getByEmail(config.fbuser2)
Credential.getByUser(self.user, "facebook").rm()
self.user.rm()
def do_add_credential(self, form):
user = self.getCurrentUser()
Credential.new(user,
form.credentialType.data,
form.identifier.data,
form.secret.data)
return self.as_dict(user)
def test_password_reset_creates_password_if_it_does_not_exists(self):
form = self.createPasswordResetFormWithSecret()
user = User.getByEmail(self.userCreationEmail)
passcred = Credential.getByUser(user, "password")
passcred.rm()
self.controller.doPasswordReset(form)
newPassCred = Credential.getByUser(user, "password")
self.assertEqual(newPassCred.secret, CredentialManager.protect_secret(self.newPassword))
def doConfirmChangeEmail(self, secret=None, confirm=True, useverifysecret=False):
self.controller.emailChangeInit(self.newEmailAddress, self.user)
if secret is None:
if useverifysecret:
secret = Credential.getByUser(self.user, 'changeemailandverify').secret
else:
secret = Credential.getByUser(self.user, 'changeemail').secret
return self.controller.confirmEmailChange(FakeForm(dict(confirm=confirm, secret=secret)))
def sendPasswordVerificationEmail(self, user):
secret=unicode(uuid4())
expiry = time.time() + 60*60*24*4
Credential.new(user, 'emailcheck', unicode(expiry), secret )
timeText = time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime(expiry))
uri = "{0}/v1/verify_email/{1}".format(self.getConfig('BASE_URL'),secret)
text = """Hi, click on <a href="{0}">{0}</a> until {1} to verify your email""".format(uri, timeText)
self.mail.send_message(subject="verification", body=text, recipients=[user.email], sender=self.getConfig('SERVER_EMAIL_ADDRESS'))
def test_the_credential_is_actually_added(self):
myUserid = self.createRandomUserId()
credBefore = Credential.get("password", myUserid)
self.assertTrue(credBefore is None)
resp = self._createPasswordCredential(userid=myUserid)
self.assertEqual(200, resp.status_code)
credAfter = Credential.get("password", myUserid)
self.assertTrue(credAfter is not None)
def no_password_reset_for_timed_out_temporary_credential(self):
password = self.mkRandomPassword()
secret = unicode(uuid4())
user = User.getByEmail(self.usercreation_email)
Credential.new(user, 'email_for_password_reset', secret, time.time()-1)
with app.test_client() as c:
data = dict(password=password, secret=secret)
resp = c.post("/v1/password_reset", data = data)
self.assertEqual(resp.status_code, 404)
def emailChangeInit(self, newEmailAddress, user):
if User.getByEmail(newEmailAddress):
raise ReportedError(thereIsAlreadyAUserWithThatEmail, 418)
secret, expiry = CredentialManager.createTemporaryCredential(user, "changeemail",additionalInfo=newEmailAddress )
self.sendEmail(user, secret, expiry, "CHANGE_EMAIL_OLD", newemail=newEmailAddress, oldemail=user.email )
secret, expiry = CredentialManager.createTemporaryCredential(user, "changeemailandverify",additionalInfo=newEmailAddress )
self.sendEmail(user, secret, expiry, "CHANGE_EMAIL_NEW", recipient=newEmailAddress, newemail=newEmailAddress, oldemail=user.email)
Credential.deleteExpired("changeemail")
Credential.deleteExpired("changeemailandverify")
def removeFbuser(self, user=None):
if user is None:
user = config.facebookUser2
self.user = User.getByEmail(user.email)
if self.user:
Credential.getByUser(self.user, "facebook").rm()
for appMap in AppMap.getForUser(self.user):
appMap.rm()
self.user.rm()
def _removeACredential(self, myUserid):
self.controller.loginInFramework(self.cred)
user = self.cred.user
Credential.new(user, "facebook", myUserid, "testsecret")
data = {"credentialType": "facebook",
"identifier": myUserid}
self.assertTrue(Credential.get("facebook", myUserid))
resp = self.controller.doRemoveCredential(FakeForm(data))
return resp
def test_expired_deregistration_certificates_are_deleted_in_deregistration_initiation(
self):
for someone in User.query.all()[:5]: # @UndefinedVariable
Credential.new(someone, 'deregister',
str(time.time() - 1) + ":" + uuid4().hex,
uuid4().hex)
self.assertTrue(self.countExpiredCreds('deregister') >= 5)
self._doDeregistrationDoit()
self.assertTrue(self.countExpiredCreds('deregister') == 0)
def createTemporaryCredential(user,
credentialType,
expiry=fourDaysInSeconds,
additionalInfo=None):
secret = uuid4().hex
expiry = time.time() + expiry
Credential.new(user, credentialType,
str(expiry) + ":" + str(additionalInfo), secret)
return secret, expiry
def removeFbuser(self,user=None):
if user is None:
user = config.facebookUser2
self.user = User.getByEmail(user.email)
if self.user:
Credential.getByUser(self.user, "facebook").rm()
for appMap in AppMap.getForUser(self.user):
appMap.rm()
self.user.rm()
def do_password_reset(self, form):
cred = Credential.get(passwordResetCredentialType, form.secret.data)
if cred is None or (float(cred.secret) < time.time()):
Credential.deleteExpired(passwordResetCredentialType)
raise ReportedError(['The secret has expired'], 404)
passcred = Credential.getByUser(cred.user, 'password')
passcred.secret = CredentialManager.protect_secret(form.password.data)
cred.rm()
return self.simple_response('Password successfully changed')
def test_bad_secret_clears_up_all_timed_out_temporary_credentials(self):
password = self.mkRandomPassword()
secret = uuid4().hex
for someone in User.query.all()[:5]: # @UndefinedVariable
Credential.new(someone, 'email_for_password_reset', str(time.time()-1)+":"+uuid4().hex, uuid4().hex)
self.assertTrue(self.countExpiredCreds()>=5)
data = dict(password=password, secret=secret)
self.assertReportedError(self.controller.doPasswordReset,(FakeForm(data),),
404, ['The secret has expired'])
self.assertEqual(self.countExpiredCreds(),0)
def test_the_credential_used_for_login_cannot_be_cleared(self):
credential = self.createUserWithCredentials()
self.controller.loginInFramework(credential)
self.assertTrue(Credential.get("password", self.userCreationUserid))
form = FakeForm({
"identifier": self.userCreationUserid,
"credentialType": "password",
})
self.assertReportedError(self.controller.doRemoveCredential,[form], 400, ["You cannot delete the login you are using"])
self.assertTrue(Credential.get("password", self.userCreationUserid))
def do_send_password_reset_email(self, email):
user = User.getByEmail(email)
if user is None:
raise ReportedError(['Invalid email address'])
passwordResetEmailExpiration = 14400
secret=unicode(uuid4())
expirationTime = time.time() + passwordResetEmailExpiration
Credential.new(user, passwordResetCredentialType, secret, unicode(expirationTime))
self.sendPasswordResetMail(user, secret, expirationTime)
return self.simple_response("Password reset email has successfully sent.")
def successful_password_reset_sets_the_password(self):
password = self.mkRandomPassword()
secret = unicode(uuid4())
user = User.getByEmail(self.usercreation_email)
Credential.new(user, 'email_for_password_reset', secret, time.time()+3600)
with app.test_client() as c:
data = dict(password=password, secret=secret)
c.post("/v1/password_reset", data = data)
cred = Credential.getByUser(user, "password")
self.assertEquals(cred.secret, CredentialManager.protect_secret(password))
def successful_password_clears_the_temporary_credential(self):
password = self.mkRandomPassword()
secret = unicode(uuid4())
user = User.getByEmail(self.usercreation_email)
Credential.new(user, 'email_for_password_reset', secret, time.time()+3600)
with app.test_client() as c:
data = dict(password=password, secret=secret)
c.post("/v1/password_reset", data = data)
newcred = Credential.get('email_for_password_reset', secret)
self.assertEquals(newcred, None)
def test_valid_secret_is_accepted(self):
password = self.mkRandomPassword()
secret = uuid4().hex
user = User.getByEmail(self.userCreationEmail)
Credential.new(user, 'email_for_password_reset', str(time.time()+3600), secret)
with app.test_client() as client:
data = dict(password=password, secret=secret)
resp = client.post("/v1/password_reset", data = data)
self.assertEqual(resp.status_code, 200)
respData = self.fromJson(resp)
self.assertEqual("Password successfully changed",respData['message'])
def findTemporaryEmailCredential(self, secret):
cred = Credential.getBySecret("changeemail", secret)
verify = False
if cred is None:
credverify = Credential.getBySecret("changeemailandverify", secret)
if credverify is None:
raise ReportedError(badChangeEmailSecret, 403)
else:
cred = credverify
verify = True
return cred, verify
def findTemporaryEmailCredential(self, secret):
cred = Credential.getBySecret("changeemail", secret)
verify = False
if cred is None:
credverify = Credential.getBySecret("changeemailandverify", secret)
if credverify is None:
raise ReportedError(badChangeEmailSecret, 403)
else:
cred = credverify
verify = True
return cred, verify
def doDeregistrationDoit(self, form):
Credential.deleteExpired('deregister')
secret = form.deregister_secret.data
if secret is None:
raise ReportedError(
[secretIsNeededForDeregistrationDoit],400)
deregistrationCredential = Credential.getBySecret('deregister', secret)
if deregistrationCredential is None:
raise ReportedError([badDeregistrationSecret],400)
user = deregistrationCredential.user
self.removeUser(user)
return self.simple_response(youAreDeregistered)
def doDeregistrationDoit(self, form):
Credential.deleteExpired('deregister')
secret = form.deregister_secret.data
if secret is None:
raise ReportedError(
[secretIsNeededForDeregistrationDoit],400)
deregistrationCredential = Credential.getBySecret('deregister', secret)
if deregistrationCredential is None:
raise ReportedError([badDeregistrationSecret],400)
user = deregistrationCredential.user
self.removeUser(user)
return self.simple_response(youAreDeregistered)
def the_credential_used_for_login_cannot_be_cleared(self):
with app.test_client() as c:
self.login(c)
self.assertTrue(Credential.get("password", self.usercreation_userid))
data = {
"identifier": self.usercreation_userid,
"credentialType": "password",
}
resp = c.post(config.base_url + "/v1/remove_credential", data=data)
self.assertEqual(400, resp.status_code)
self.assertEqual('{"errors": ["You cannot delete the login you are using"]}', self.getResponseText(resp))
self.assertTrue(Credential.get("password", self.usercreation_userid))
def test_the_added_credential_should_contain_credentialType(self):
with app.test_client() as client:
self.login(client)
self.setupRandom()
username = "******".format(self.randString)
credBefore = Credential.get("password", username)
self.assertTrue(credBefore is None)
resp = self.addPasswordCredential(client, username=username, nofield="credentialType")
self.assertEqual(400, resp.status_code)
credAfter = Credential.get("password", username)
self.assertTrue(credAfter is None)
self.assertCredentialErrorresponse(resp)
def test_valid_secret_is_accepted(self):
password = self.mkRandomPassword()
secret = uuid4().hex
user = User.getByEmail(self.userCreationEmail)
Credential.new(user, 'email_for_password_reset',
str(time.time() + 3600), secret)
with app.test_client() as client:
data = dict(password=password, secret=secret)
resp = client.post("/v1/password_reset", data=data)
self.assertEqual(resp.status_code, 200)
respData = self.fromJson(resp)
self.assertEqual("Password successfully changed",
respData['message'])
def getCredentialFromForm(cls, form):
cred = Credential.get('password', form.identifier.data)
if cred is None:
user = User.getByEmail(form.identifier.data)
if user is None:
return None
cred = Credential.getByUser(user, "password")
if cred is None:
return None
hashed = cls.protect_secret(form.password.data)
if cred.secret == hashed:
return cred
return None
def doConfirmChangeEmail(self,
secret=None,
confirm=True,
useverifysecret=False):
self.controller.emailChangeInit(self.newEmailAddress, self.user)
if secret is None:
if useverifysecret:
secret = Credential.getByUser(self.user,
'changeemailandverify').secret
else:
secret = Credential.getByUser(self.user, 'changeemail').secret
return self.controller.confirmEmailChange(
FakeForm(dict(confirm=confirm, secret=secret)))
def do_deregister(self,form):
if not self.isLoginCredentials(form):
raise ReportedError(["You should use your login credentials to deregister"], 400)
cred = Credential.get(form.credentialType.data, form.identifier.data)
user = cred.user
creds = Credential.getByUser(user)
for cred in creds:
cred.rm()
assurances = Assurance.listByUser(user)
for assurance in assurances:
assurance.rm()
user.rm()
return self.simple_response('deregistered')
def the_credential_is_actually_deleted(self):
with app.test_client() as c:
self.login(c)
user = User.getByEmail(self.usercreation_email)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"credentialType": "facebook",
"identifier": credId,
}
c.post(config.base_url + "/v1/remove_credential", data=data)
self.assertFalse(Credential.get("facebook", credId))
def doPasswordReset(self, form):
Credential.deleteExpired(self.passwordResetCredentialType)
cred = Credential.getBySecret(
self.passwordResetCredentialType, form.secret.data)
if cred is None or (cred.getExpirationTime() < time.time()):
raise ReportedError([theSecretHasExpired], 404)
passcred = Credential.getByUser(cred.user, 'password')
protectedSecret = CredentialManager.protect_secret(form.password.data)
if not passcred:
passcred = Credential.new(cred.user, "password", cred.user.email, protectedSecret)
else:
passcred.secret = protectedSecret
cred.rm()
return self.simple_response(passwordSuccessfullyChanged)
def test_the_credential_is_actually_deleted(self):
with app.test_client() as client:
self.login(client)
user = User.getByEmail(self.userCreationEmail)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"csrf_token": self.getCSRF(client),
"credentialType": "facebook",
"identifier": credId,
}
client.post(config.BASE_URL + "/v1/remove_credential", data=data)
self.assertFalse(Credential.get("facebook", credId))
def you_should_give_valid_identifier_for_credential_deletion(self):
with app.test_client() as c:
self.login(c)
user = User.getByEmail(self.usercreation_email)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"identifier": credId+"no",
"credentialType": "facebook",
}
resp = c.post(config.base_url + "/v1/remove_credential", data=data)
self.assertEqual(404, resp.status_code)
self.assertEqual('{"errors": ["No such credential"]}', self.getResponseText(resp))
def a_credential_can_be_deleted(self):
with app.test_client() as c:
self.login(c)
user = User.getByEmail(self.usercreation_email)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"credentialType": "facebook",
"identifier": credId,
}
resp = c.post(config.base_url + "/v1/remove_credential", data=data)
self.assertEqual(200, resp.status_code)
self.assertEqual('{"message": "credential removed"}', self.getResponseText(resp))
def doPasswordReset(self, form):
Credential.deleteExpired(self.passwordResetCredentialType)
cred = Credential.getBySecret(
self.passwordResetCredentialType, form.secret.data)
if cred is None or (cred.getExpirationTime() < time.time()):
raise ReportedError([theSecretHasExpired], 404)
passcred = Credential.getByUser(cred.user, 'password')
protectedSecret = CredentialManager.protect_secret(form.password.data)
if not passcred:
passcred = Credential.new(cred.user, "password", cred.user.email, protectedSecret)
else:
passcred.secret = protectedSecret
cred.rm()
return self.simple_response(passwordSuccessfullyChanged)
def registerCertUser(self, cert, email):
if cert is None or cert == '':
raise ReportedError(["No certificate given"], 403)
identifier, digest = self.parseCert(cert)
cred = Credential.get("certificate", identifier)
if cred is None:
if email is None:
raise ReportedError(["You have to register first"], 403)
theEmail = email[0]
CredentialManager.create_user_with_creds("certificate", identifier, digest, theEmail)
cred = Credential.get("certificate", identifier)
self.sendPasswordVerificationEmail(cred.user)
cred.user.activate()
return cred
def test_you_should_give_valid_identifier_for_credential_deletion(self):
with app.test_client() as client:
self.login(client)
user = User.getByEmail(self.userCreationEmail)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"csrf_token": self.getCSRF(client),
"identifier": credId+"no",
"credentialType": "facebook",
}
resp = client.post(config.BASE_URL + "/v1/remove_credential", data=data)
self.assertEqual(404, resp.status_code)
self.assertEqual('{"errors": ["No such credential"]}', self.getResponseText(resp))
def test_a_credential_can_be_deleted(self):
with app.test_client() as client:
self.login(client)
user = User.getByEmail(self.userCreationEmail)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"csrf_token": self.getCSRF(client),
"credentialType": "facebook",
"identifier": credId,
}
resp = client.post(config.BASE_URL + "/v1/remove_credential", data=data)
self.assertEqual(200, resp.status_code)
self.assertEqual('{"message": "credential removed"}', self.getResponseText(resp))
def doRegistration(self, form):
Credential.deleteExpired('emailcheck')
cred = CredentialManager.create_user_with_creds(
form.credentialType.data,
form.identifier.data,
form.password.data,
form.email.data,
None)
user = cred.user
additionalInfo = self.checkAndUpdateHash(form, user)
self.sendPasswordVerificationEmail(user)
user.set_authenticated()
user.activate()
success = self.loginInFramework(cred)
if success:
return self.returnUserAndLoginCookie(user, additionalInfo)
def test_the_emailcheck_secret_is_not_shown_in_the_registration_answer(self):
form = self.prepareLoginForm()
resp = self.controller.doRegistration(form)
text = self.getResponseText(resp)
current_user = self.controller.getCurrentUser()
cred = Credential.getByUser(current_user, 'emailcheck')
self.assertTrue(not cred.secret in text)
def shownDataForUser(self, user):
return dict(
email=user.email,
userid=user.userid,
assurances=Assurance.getByUser(user),
hash=user.hash,
credentials=Credential.getByUser_as_dictlist(user))
def doPasswordResetWithNewPassword(self, password):
self.goToLoginPage()
emailAddress = TE.assurerUser.email # @UndefinedVariable
self.initiatePasswordReset(emailAddress)
cred = Credential.getByUser(TE.assurerUser, "email_for_password_reset")
passwordResetLink = TE.pwresetUrl + "?secret=" + cred.secret
self.clickPasswordResetLink(password, passwordResetLink)
def test_registration_email_contains_registration_uri_with_secret(self):
msg = self._registerAndGetEmail()
self.assertTrue(msg)
current_user = self.controller.getCurrentUser()
cred = Credential.getByUser(current_user, 'emailcheck')
base_url = self.controller.getConfig('BASE_URL')
uri = "{0}/v1/verify_email/{1}".format(base_url,cred.secret)
self.assertEmailContains(uri, msg)
def test_email_validation_email_can_be_resent(self):
with app.test_client() as client:
self.login(client)
client.get(config.BASE_URL + "/v1/send_verify_email")
user = User.get(self.userid)
self.assertEqual(
self.userCreationEmail,
Credential.getByUser(user, "emailcheck").user.email)
def test_change_password_does_change_password(self):
with app.test_client() as client:
self._preparePasswordChangeTest(client)
self._doPasswordChange(client)
cred = Credential.get('password', self.userCreationUserid)
self.assertEqual(
cred.secret,
CredentialManager.protect_secret(self.newPassword))
def registerCertUser(self, email, identifier, digest, cred):
if email is None:
raise ReportedError([youHaveToRegisterFirst], 403)
theEmail = email[0]
CredentialManager.create_user_with_creds("certificate", identifier,
digest, theEmail)
cred = Credential.get("certificate", identifier)
self.sendPasswordVerificationEmail(cred.user)
return cred
def the_reset_link_is_in_the_reset_email(self):
self._sendPasswordResetEmail()
text = self.outbox[0].html
soup = BeautifulSoup(text, "lxml")
passwordResetLink = soup.find("a")['href']
self.secret = passwordResetLink.split('secret=')[1]
self.tempcred = Credential.getBySecret('email_for_password_reset',
self.secret)
return passwordResetLink
def assertEmailChangeIsInitiated(self, resp):
text = self.getResponseText(resp)
self.assertEqual(200, resp.status_code)
self.assertEqual(emailChangeEmailSent, json.loads(text)['message'])
user = User.getByEmail(self.userCreationEmail)
self.userid = user.userid
tempCredential = Credential.getByUser(user, "changeemail")
self.secret = tempCredential.secret
self.assertEqual(self.newEmail, tempCredential.getAdditionalInfo())
def _getDeregistrationSecret(self):
self._loginAndDeregister()
user = self.cred.user
if self.addAppMapToUser == True:
app = Application.query.first() # @UndefinedVariable
AppMap.new(app, user)
deregistrationCredential = Credential.getByUser(user, 'deregister')
secret = deregistrationCredential.secret
return secret
