def test_api_tag_detail_get():
    """Can a user get /api/v1/tokens/<token_id>

    The token's owner gets the ``user`` view, an admin gets the ``admin``
    view, and an unrelated user gets a 404 rather than someone else's token.
    (Despite the ``tag`` in the name, this exercises the tokens endpoint.)
    """
    app = create_ctfd()
    with app.app_context():
        owner = gen_user(app.db, name="user")
        generate_user_token(owner)

        # (login args, expected schema view) for the two roles that may read token #1
        readers = (
            ((), "user"),
            (("admin",), "admin"),
        )
        for login_args, view in readers:
            with login_as_user(app, *login_args) as client:
                r = client.get("/api/v1/tokens/1", json="")
                assert r.status_code == 200
                payload = r.get_json()
                assert sorted(payload["data"].keys()) == sorted(TokenSchema().views[view])

        # A different non-admin user must not be able to read the owner's token
        gen_user(app.db, name="user2", email="*****@*****.**")
        with login_as_user(app, "user2") as client:
            r = client.get("/api/v1/tokens/1", json="")
            assert r.status_code == 404
    destroy_ctfd(app)
def test_user_token_access():
    """Token auth on /api/v1/users/me.

    Anonymous -> 403; expired or unknown token -> 401; a valid token with no
    expiration -> 200 with the token owner's own record.
    """
    app = create_ctfd()
    with app.app_context():
        # No credentials at all
        with app.test_client() as client:
            r = client.get("/api/v1/users/me", json="")
            assert r.status_code == 403

        # Token that expired yesterday must be rejected
        with app.test_client() as client:
            stale_owner = gen_user(app.db, name="user2", email="*****@*****.**")
            yesterday = datetime.datetime.utcnow() + datetime.timedelta(days=-1)
            stale_token = generate_user_token(stale_owner, expiration=yesterday)
            auth = {"Authorization": "token " + stale_token.value}
            r = client.get("/api/v1/users/me", headers=auth, json="")
            assert r.status_code == 401

        # Token value that was never issued
        with app.test_client() as client:
            auth = {"Authorization": "token invalid_token"}
            r = client.get("/api/v1/users/me", headers=auth, json="")
            assert r.status_code == 401

        # Valid, non-expiring token resolves to its owner
        with app.test_client() as client:
            live_owner = gen_user(app.db, name="user1", email="*****@*****.**")
            live_token = generate_user_token(live_owner, expiration=None)
            auth = {"Authorization": "token " + live_token.value}
            r = client.get("/api/v1/users/me", headers=auth, json="")
            assert r.status_code == 200
            me = r.get_json()["data"]
            assert me["email"] == "*****@*****.**"
            assert me["name"] == "user1"
    destroy_ctfd(app)
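def test_generate_user_token():
    """generate_user_token binds the token to the user, gives it a future
    expiration when none is supplied, and persists exactly one row.
    """
    app = create_ctfd()
    with app.app_context():
        user = gen_user(app.db)
        token = generate_user_token(user, expiration=None)
        # Was a bare comparison (no assert), so a wrongly-bound token passed silently
        assert token.user_id == user.id
        assert token.expiration > datetime.datetime.utcnow()
        assert Tokens.query.count() == 1
    destroy_ctfd(app)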
def test_api_token_delete():
    """Can tokens be deleted by owners, and admins

    An unrelated user gets a 404 and the token survives.
    """
    app = create_ctfd()
    with app.app_context():

        def delete_as(login_name, token_id):
            # Issue the DELETE while logged in as login_name; return the status code
            with login_as_user(app, login_name) as client:
                r = client.delete("/api/v1/tokens/" + str(token_id), json="")
                return r.status_code

        owner = gen_user(app.db)
        owner_id = owner.id
        owner_name = owner.name

        # Owner may delete their own token
        assert delete_as(owner_name, generate_user_token(owner).id) == 200
        assert Tokens.query.count() == 0

        # Admin may delete anyone's token
        owner = Users.query.filter_by(id=owner_id).first()
        assert delete_as("admin", generate_user_token(owner).id) == 200
        assert Tokens.query.count() == 0

        # Another non-admin user must not be able to delete (or even see) it
        owner = Users.query.filter_by(id=owner_id).first()
        foreign_token_id = generate_user_token(owner).id
        other = gen_user(app.db, name="user2", email="*****@*****.**")
        assert delete_as(other.name, foreign_token_id) == 404
        assert Tokens.query.count() == 1
    destroy_ctfd(app)
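def post(self):
    """Create an API token for the currently logged-in user.

    Request body (JSON) may carry an optional ``expiration`` string in
    ``YYYY-MM-DD`` form. Returns ``{"success": True, "data": <token>}``; a
    missing body, or an ``expiration`` that is not a string in that format,
    yields a 400 with an ``errors`` mapping instead of an unhandled 500.
    """
    # get_json() may return None when there is no JSON body
    req = request.get_json() or {}
    expiration = req.get("expiration")
    if expiration:
        try:
            expiration = datetime.datetime.strptime(expiration, "%Y-%m-%d")
        except (TypeError, ValueError):
            # Client-supplied value: report it as a validation error, not a crash
            return (
                {
                    "success": False,
                    "errors": {"expiration": ["Expiration must be a date in YYYY-MM-DD format"]},
                },
                400,
            )
    user = get_current_user()
    token = generate_user_token(user, expiration=expiration)
    # Explicitly use admin view so that users can see the value of their token
    schema = TokenSchema(view="admin")
    response = schema.dump(token)
    if response.errors:
        return {"success": False, "errors": response.errors}, 400
    return {"success": True, "data": response.data}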
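def test_api_tag_list_get():
    """Can a user get /api/v1/tokens

    Each user sees only their own tokens: ``user`` has one, ``user2`` has two.
    (Despite the ``tag`` in the name, this exercises the tokens endpoint.)
    """
    app = create_ctfd()
    with app.app_context():
        user = gen_user(app.db, name="user")
        generate_user_token(user)
        user2 = gen_user(app.db, name="user2", email="*****@*****.**")
        generate_user_token(user2)
        generate_user_token(user2)

        with login_as_user(app) as client:
            r = client.get("/api/v1/tokens", json="")
            assert r.status_code == 200
            resp = r.get_json()
            # Was a bare comparison (no assert): a listing that leaked
            # user2's tokens would have passed unnoticed
            assert len(resp["data"]) == 1

        with login_as_user(app, name="user2") as client:
            r = client.get("/api/v1/tokens", json="")
            assert r.status_code == 200
            resp = r.get_json()
            assert len(resp["data"]) == 2
    destroy_ctfd(app)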