def test_create_audit_event_separate_secrets():
secret = SecretFactory()
secret2 = SecretFactory()
user = UserFactory()
create_audit_event(
user,
Actions.view_secret,
description="I viewed a secret",
secret=secret,
report_once=True,
)
create_audit_event(
user,
Actions.view_secret,
description="I viewed another secret",
secret=secret2,
report_once=True,
)
assert Audit.objects.count() == 2
audit = Audit.objects.last()
assert audit.timestamp == timezone.now()
assert audit.description == "I viewed another secret"
def test_permission(self, start_permissions, input, expected):
secret = SecretFactory()
user = UserFactory()
for perm in start_permissions:
assign_perm(perm, user, secret)
secret.set_permission(user, input)
assert set(get_perms(user, secret)) == expected
def test_remove_permissions(self, start_permissions):
secret = SecretFactory()
user = UserFactory()
for perm in start_permissions:
assign_perm(perm, user, secret)
secret.remove_permissions(user)
assert get_perms(user, secret) == []
def test_invalid_code(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("change_secret", user, secret)
response = client.post(
reverse("secret:mfa_setup", kwargs={"pk": secret.pk}),
{"mfa_string": "invalid-otp-code"},
)
secret.refresh_from_db()
assert response.status_code == 200
assert not secret.mfa_string
def test_setup_success(self, client):
mfa_string = "otpauth://totp/Someapp%[email protected]?secret=SNVQHZZUNABGV7DP3M4UI57OH7YZWNFI&algorithm=SHA1&digits=6&period=30&issuer=Someapp" # noqa
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("change_secret", user, secret)
response = client.post(
reverse("secret:mfa_setup", kwargs={"pk": secret.pk}),
{"mfa_string": mfa_string})
secret.refresh_from_db()
assert response.status_code == 302
assert response.url == reverse("secret:mfa", kwargs={"pk": secret.pk})
assert secret.mfa_string == mfa_string
def test_audit_event_is_created(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("change_secret", user, secret)
target_group = GroupFactory()
assign_perm("change_secret", target_group, secret)
assign_perm("view_secret", target_group, secret)
response = client.post(
reverse("secret:delete-permission", kwargs={"pk": secret.pk}),
{
"group": target_group.id,
"permission": "view_secret"
},
)
assert response.status_code == 302
assert Audit.objects.count() == 1
audit = Audit.objects.first()
assert audit.user == user
assert audit.timestamp == timezone.now()
assert audit.secret == secret
assert audit.description == f"Access removed for {target_group}"
def test_generate_token(self, client):
mfa_string = "otpauth://totp/someapp%[email protected]?secret=SNVQHZZUNABGV7DP3M4UI57OH7YZWNFI&algorithm=SHA1&digits=6&period=30&issuer=someapp" # noqa
user = login_and_verify_user(client)
secret = SecretFactory(mfa_string=mfa_string)
assign_perm("view_secret", user, secret)
response = client.get(reverse("secret:mfa", kwargs={"pk": secret.pk}))
content = response.content.decode("utf-8")
assert response.status_code == 200
code = re.search(r"\>(\d{6})\<", content).groups()[0]
assert secret.verify_otp(code)
def test_update_success(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("change_secret", user, secret)
response = client.post(
reverse("secret:detail", kwargs={"pk": secret.pk}),
{"name": "hello world"})
assert response.status_code == 302
assert response.url == reverse("secret:detail",
kwargs={"pk": secret.pk})
secret.refresh_from_db()
assert secret.name == "hello world"
def test_verify_audit_events_are_created(self, client):
secret = SecretFactory()
permission_url = reverse("secret:permissions",
kwargs={"pk": secret.pk})
user = login_and_verify_user(client)
assign_perm("change_secret", user, secret)
target_user = UserFactory()
assert Audit.objects.count() == 0
response = client.post(
permission_url,
{
"user": target_user.id,
"permission": "change_secret"
},
)
assert response.status_code == 302
assert response.url == permission_url
assert Audit.objects.count() == 1
audit = Audit.objects.first()
assert audit.user == user
assert audit.timestamp == timezone.now()
assert audit.secret == secret
assert audit.action == Actions.add_permission.name
assert audit.description == f"Permission level to set change_secret for {target_user}"
def test_auth_required(self, client):
secret = SecretFactory()
url = reverse("secret:detail", kwargs={"pk": secret.pk})
response = client.get(url)
assert response.status_code == 302
qs = "?next=" + quote_plus(url)
assert response.url == reverse("authbroker_client:login") + qs
def test_page_requires_view_permission(self, client):
login_and_verify_user(client)
secret = SecretFactory()
response = client.get(
reverse("secret:mfa_setup", kwargs={"pk": secret.pk}))
assert response.status_code == 403
def test_superuer_can_view_instance(self):
user = UserFactory(is_superuser=True)
secret = SecretFactory()
assert user.has_perm("secret.view_secret", secret)
assert user.has_perm("secret.change_secret", secret)
def test_user_cannot_view_secret_without_permissions(self, client):
login_and_verify_user(client)
secret = SecretFactory()
response = client.get(
reverse("secret:detail", kwargs={"pk": secret.pk}))
assert response.status_code == 403
def test_audit(self, client):
mfa_string = "otpauth://totp/someapp%[email protected]?secret=SNVQHZZUNABGV7DP3M4UI57OH7YZWNFI&algorithm=SHA1&digits=6&period=30&issuer=someapp" # noqa
user = login_and_verify_user(client)
secret = SecretFactory(mfa_string=mfa_string)
assign_perm("view_secret", user, secret)
assert Audit.objects.count() == 0
def test_page_requires_2fa_verification(self, client):
secret = SecretFactory()
login_and_verify_user(client, verify=False)
response = client.get(
reverse("secret:mfa_setup", kwargs={"pk": secret.pk}))
assert response.status_code == 302
assert response.url.startswith(reverse("twofactor:verify"))
def test_page_requires_auth(self, client):
secret = SecretFactory()
url = reverse("secret:delete-permission", kwargs={"pk": secret.pk})
response = client.get(url)
qs = "?next=" + quote_plus(url)
assert response.status_code == 302
assert response.url == reverse("authbroker_client:login") + qs
def test_requires_change_permission_to_add_permission(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("view_secret", user, secret)
response = client.post(
reverse("secret:permissions", kwargs={"pk": secret.pk}), {})
assert response.status_code == 403
def test_load_page(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("change_secret", user, secret)
response = client.get(
reverse("secret:delete-permission", kwargs={"pk": secret.pk}) +
f"?user={user.id}&permission=change_secret")
assert response.status_code == 200
def test_page_load(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("view_secret", user, secret)
response = client.get(reverse("secret:audit", kwargs={"pk":
secret.pk}))
assert response.status_code == 200
assert response.template_name == ["secret/secret_audit.html"]
def test_page_requires_change_permission(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
response = client.get(
reverse("secret:mfa_delete", kwargs={"pk": secret.pk}))
assert response.status_code == 403
assign_perm("view_secret", user, secret)
response = client.get(
reverse("secret:mfa_delete", kwargs={"pk": secret.pk}))
assert response.status_code == 403
def test_view_audit_entry(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("view_secret", user, secret)
client.get(reverse("secret:detail", kwargs={"pk": secret.pk}))
assert Audit.objects.count() == 1
audit = Audit.objects.first()
assert audit.action == Actions.view_secret.name
assert audit.timestamp == timezone.now()
assert audit.user == user
assert audit.secret == secret
def test_shows_setup_link_if_no_mfa_configured(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("view_secret", user, secret)
assign_perm("change_secret", user, secret)
response = client.get(reverse("secret:mfa", kwargs={"pk": secret.pk}))
assert response.status_code == 200
link_html = '<a class="btn btn-danger" href="{}" role="button">Setup MFA client</a>'.format(
reverse("secret:mfa_setup", kwargs={"pk": secret.pk}))
assert link_html in response.content.decode("utf-8")
def test_update_audit_entry(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("change_secret", user, secret)
client.post(reverse("secret:detail", kwargs={"pk": secret.pk}),
{"name": "hello world"})
assert Audit.objects.count() == 1
audit = Audit.objects.first()
assert audit.action == Actions.update_secret.name
assert audit.timestamp == timezone.now()
assert audit.user == user
assert audit.secret == secret
def test_success(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
secret.mfa_string = "test-string"
secret.save()
assign_perm("change_secret", user, secret)
response = client.post(
reverse("secret:mfa_delete", kwargs={"pk": secret.pk}))
secret.refresh_from_db()
assert response.status_code == 302
assert response.url == reverse("secret:mfa", kwargs={"pk": secret.pk})
assert not secret.mfa_string
def test_superuser_can_view_and_edit_secrets(self, client):
login_and_verify_user(client, is_superuser=True)
secret = SecretFactory()
response = client.get(
reverse("secret:detail", kwargs={"pk": secret.pk}))
assert response.status_code == 200
response = client.post(
reverse("secret:detail", kwargs={"pk": secret.pk}),
{"name": "hello world"})
assert response.status_code == 302
assert response.url == reverse("secret:detail",
kwargs={"pk": secret.pk})
assert Secret.objects.first().name == "hello world"
def test_delete_group_permissions(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("change_secret", user, secret)
target_group = GroupFactory()
assign_perm("change_secret", target_group, secret)
assign_perm("view_secret", target_group, secret)
response = client.post(
reverse("secret:delete-permission", kwargs={"pk": secret.pk}),
{"group": target_group.id},
)
assert response.status_code == 302
assert response.url == reverse("secret:permissions",
kwargs={"pk": secret.id})
assert get_perms(target_group, secret) == []
def test_user_cannot_change_view_without_permissions(self, client):
user = login_and_verify_user(client)
secret = SecretFactory()
response = client.post(
reverse("secret:detail", kwargs={"pk": secret.pk}),
{"name": "testing 123"})
assert response.status_code == 403
# 'change_secret' permissions are needed
assign_perm("view_secret", user, secret)
response = client.post(
reverse("secret:detail", kwargs={"pk": secret.pk}),
{"name": "testing 123"})
assert response.status_code == 403
def test_add_user_permissions(self, permission, expected, client):
user = login_and_verify_user(client)
secret = SecretFactory()
assign_perm("change_secret", user, secret)
target_user = UserFactory()
response = client.post(
reverse("secret:permissions", kwargs={"pk": secret.pk}),
{
"user": target_user.id,
"permission": permission
},
)
assert response.status_code == 302
assert set(get_perms(target_user, secret)) == expected
def test_add_group_permissions(self, permission, expected, client):
secret = SecretFactory()
permission_url = reverse("secret:permissions",
kwargs={"pk": secret.pk})
target_group = GroupFactory()
user = login_and_verify_user(client)
assign_perm("change_secret", user, secret)
response = client.post(
permission_url,
{
"group": target_group.id,
"permission": permission
},
)
assert response.status_code == 302
assert response.url == permission_url
assert set(get_perms(target_group, secret)) == expected
