def test_user_with_permission_should_do_allowed_operations(self):
self.sync_permissions()
issue = self.create_issue()
user = self.create_user('new_user', 'password', '*****@*****.**')
logged_user = self.logged_user.user
issue_read_permission = Perm.objects.get(
codename='{}__{}'.format('issue', 'read'))
issue_create_permission = Perm.objects.get(
codename='{}__{}'.format('issue', 'create'))
user_delete_permission = Perm.objects.get(
codename='{}__{}'.format('user', 'delete'))
user_update_permission = Perm.objects.get(
codename='{}__{}'.format('user', 'update'))
logged_user.fperms.add(issue_read_permission, issue_create_permission,
user_delete_permission, user_update_permission)
# API
# Generic read, post
assert_http_forbidden(self.get('/api/user/'))
assert_http_ok(self.get('/api/issue/'))
assert_http_forbidden(self.post('/api/user/', {}))
assert_http_bad_request(self.post('/api/issue/', {}))
# API
# Generic read, put, patch, delete
assert_http_forbidden(self.get('/api/user/{}/'.format(user.pk)))
assert_http_ok(self.get('/api/issue/{}/'.format(issue.pk)))
assert_http_bad_request(self.put('/api/user/{}/'.format(user.pk), {}))
assert_http_forbidden(self.put('/api/issue/{}/'.format(issue.pk), {}))
assert_http_accepted(self.delete('/api/user/{}/'.format(user.pk)))
assert_http_forbidden(self.delete('/api/issue/{}/'.format(issue.pk)))
def test_group_permission_shound_not_be_over_limit(self):
group_a = Group.objects.create(name='group A')
group_b = Group.objects.create(name='group B')
group_c = Group.objects.create(name='group C')
resp = self.post(
'/group/{}/'.format(group_a.pk), {
'detail-is-group-name': 'group A',
'detail-is-group-fgroups': [group_b.pk],
'detail-is-group-fperms': []
})
assert_http_redirect(resp)
resp = self.post(
'/group/{}/'.format(group_b.pk), {
'detail-is-group-name': 'group B',
'detail-is-group-fgroups': [group_c.pk],
'detail-is-group-fperms': []
})
assert_http_ok(resp)
with override_settings(PERM_GROUP_MAX_LEVEL=3):
resp = self.post(
'/group/{}/'.format(group_b.pk), {
'detail-is-group-name': 'group B',
'detail-is-group-fgroups': [group_c.pk],
'detail-is-group-fperms': []
})
assert_http_redirect(resp)
def test_user_should_be_authorized_with_changed_cookie_name(self, user):
resp = self.post(self.UI_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(resp)
assert_in('ChangedAuthorization', self.c.cookies)
assert_http_ok(self.get(self.INDEX_URL))
def test_user_should_be_authorized_from_token_and_shorter_uuid(self, user):
device_token = DeviceKey.objects.get_or_create_token(uuid=SHORTER_UUID,
user=user)[0]
resp = self.post(self.API_MOBILE_LOGIN_URL, {
'uuid': SHORTER_UUID,
'login_device_token': device_token
})
assert_http_ok(resp)
def test_user_should_be_logged_out_via_cookies(self, user):
resp = self.post(self.UI_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(resp)
assert_http_ok(self.get(self.INDEX_URL))
assert_http_ok(self.get(self.UI_LOGOUT_URL))
assert_http_redirect(self.get(self.INDEX_URL))
def test_user_may_edit_itself(self):
user = self.logged_user.user
resp = self.get('%s%s/' % (self.USER_UI_URL, user.pk))
assert_http_ok(resp)
CHANGED_USERNAME = '******'
self.post('%s%s/' % (self.USER_UI_URL, user.pk), data={'edit-is-user-username': CHANGED_USERNAME})
assert_http_ok(resp)
assert_equal(User.objects.get(pk=user.pk).username, CHANGED_USERNAME)
def test_user_may_edit_itself(self):
user = self.logged_user.user
resp = self.get('%s%s/' % (self.USER_UI_URL, user.pk))
assert_http_ok(resp)
CHANGED_USERNAME = '******'
self.post('%s%s/' % (self.USER_UI_URL, user.pk), data={'detail-is-user-username': CHANGED_USERNAME})
assert_http_ok(resp)
assert_equal(User.objects.get(pk=user.pk).username, CHANGED_USERNAME)
def test_user_should_log_and_logout_to_the_administration(self, user):
assert_http_redirect(self.get(self.INDEX_URL))
resp = self.post(self.LOGIN_URL, {'username': '******', 'password': '******'})
assert_http_redirect(resp)
assert_http_ok(self.get(self.INDEX_URL))
assert_in('Authorization', self.c.cookies)
assert_false(Token.objects.last().allowed_header)
assert_true(Token.objects.last().allowed_cookie)
assert_http_ok(self.get(self.LOGOUT_URL))
assert_http_redirect(self.get(self.INDEX_URL))
def test_user_should_not_be_authorized_via_cookie_if_cookie_has_not_allowed_header(
self, user):
resp = self.post(self.UI_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(resp)
assert_http_ok(self.get(self.INDEX_URL))
assert_in('Authorization', self.c.cookies)
Token.objects.all().update(allowed_cookie=False)
assert_http_redirect(self.get(self.INDEX_URL))
def test_user_should_be_authorized_via_cookie(self, user):
assert_http_redirect(self.get(self.INDEX_URL))
resp = self.post(self.UI_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(resp)
assert_http_ok(self.get(self.INDEX_URL))
assert_in('Authorization', self.c.cookies)
assert_false(Token.objects.last().allowed_header)
assert_true(Token.objects.last().allowed_cookie)
def test_should_return_right_add_page_for_all_model_view(
self, model_view, model):
if 'add' in model_view.ui_patterns:
url = self.add_url(model_view.site_name,
model_view.get_menu_groups())
if model_view.ui_patterns.get('add').has_permission(
'get',
self.get_request_with_user(self.r_factory.get(url))):
assert_http_ok(self.get(url),
'{} should return 200'.format(url))
def test_should_return_right_edit_page_for_all_model_view(
self, model_view, model):
if 'detail' in model_view.ui_patterns:
inst = self.new_instance(model)
url = self.detail_url(model_view.site_name,
model_view.get_menu_groups(), inst)
request = self.get_request_with_user(self.r_factory.get(url))
if model_view.ui_patterns.get('detail').has_permission('get',
request,
obj=inst):
assert_http_ok(self.get(url),
'{} should return 200'.format(url))
def test_user_should_not_be_authorized_via_http_header_if_headers_are_turned_off(
self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_in('token', resp.json())
assert_http_redirect(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_false(self.client.cookies)
def test_token_type_should_be_required(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_http_ok(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_http_redirect(
self.get(self.INDEX_URL,
headers={'HTTP_AUTHORIZATION': resp.json()['token']}))
def test_user_permissions_should_be_cached(self):
self.sync_permissions()
self.create_issue()
self.create_user('new_user', 'password', '*****@*****.**')
logged_user = self.logged_user.user
assert_http_forbidden(self.get('/api/issue/'))
issue_read_permission = Perm.objects.get(
codename='{}__{}'.format('issue', 'read'))
# Add permission but permissions are still cached
logged_user.fperms.add(issue_read_permission)
assert_http_forbidden(self.get('/api/issue/'))
# clear cache reset permissions
cache.clear()
assert_http_ok(self.get('/api/issue/'))
def test_user_should_be_authorized_via_http_header(self, user):
assert_http_redirect(self.get(self.INDEX_URL))
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_in('token', resp.json())
assert_http_ok(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_not_in('Authorization', self.c.cookies)
assert_true(Token.objects.last().allowed_header)
assert_false(Token.objects.last().allowed_cookie)
def test_user_should_be_authorized_from_token_and_uuid(self, user):
device_token = DeviceKey.objects.create_token(uuid=UUID, user=user)
resp = self.post(self.API_MOBILE_LOGIN_URL, {
'uuid': UUID,
'login_device_token': device_token
})
assert_http_ok(resp)
assert_in('token', resp.json())
assert_http_ok(
self.get(INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_not_in('Authorization', self.c.cookies)
assert_true(Token.objects.last().allowed_header)
assert_false(Token.objects.last().allowed_cookie)
def test_token_should_be_expired(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
token = resp.json()['token']
resp = self.get(
self.INDEX_URL,
headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)})
assert_in('X-Authorization-Expiration', resp)
assert_true(resp['X-Authorization-Expiration'].startswith('0:59'))
with freeze_time(timezone.now() + timedelta(hours=1), tick=True):
assert_http_redirect(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION': 'Bearer {}'.format(token),
}))
def test_user_should_be_authorized_with_changed_header_name(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_in('token', resp.json())
assert_http_ok(
self.get(self.INDEX_URL,
headers={
'HTTP_X_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_http_redirect(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
def test_user_should_be_logged_out_via_http_header(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
token = resp.json()['token']
assert_http_ok(
self.get(self.INDEX_URL,
headers={'HTTP_AUTHORIZATION':
'Bearer {}'.format(token)}))
assert_http_accepted(
self.delete(
self.API_LOGIN_URL,
headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)}))
assert_http_redirect(
self.get(self.INDEX_URL,
headers={'HTTP_AUTHORIZATION':
'Bearer {}'.format(token)}))
def test_user_should_get_token_when_device_registered_by_uuid(self, user):
logged_in_resp = self.post(API_LOGIN_URL, {
'username': '******',
'password': '******'
})
registration_mobile_resp = self.post(
self.API_REQUEST_MOBILE_TOKEN_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(logged_in_resp.json()['token'])
},
data={'uuid': UUID})
assert_http_ok(registration_mobile_resp)
mobile_token = registration_mobile_resp.json()['device_login_token']
device_keys = DeviceKey.objects.all()
assert_equal(1, device_keys.count())
device_key = device_keys[0]
assert_true(device_key.check_password(mobile_token))
assert_false(device_key.check_password('XXX'))
def test_group_permission_shoud_not_have_cycles(self):
group_a = Group.objects.create(name='group A')
group_b = Group.objects.create(name='group B')
resp = self.post(
'/group/{}/'.format(group_a.pk), {
'detail-is-group-name': 'group A',
'detail-is-group-fgroups': [group_b.pk],
'detail-is-group-fperms': []
})
assert_http_redirect(resp)
resp = self.post(
'/group/{}/'.format(group_b.pk), {
'detail-is-group-name': 'group B',
'detail-is-group-fgroups': [group_a.pk],
'detail-is-group-fperms': []
})
assert_http_ok(resp)
def test_user_should_not_be_authorized_via_header_if_token_has_not_allowed_header(
self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_http_ok(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
Token.objects.all().update(allowed_header=False)
assert_http_redirect(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
def test_user_should_not_be_logged_in_two_factor_for_invalid_code(
self, user):
login_resp = self.post(self.UI_TWO_FACTOR_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(login_resp)
# the code value needs to be overwritten, so that its value could be used for next request
login_resp.wsgi_request.token.two_factor_code = make_password(
'12345', salt=Token.TWO_FACTOR_CODE_SALT)
login_resp.wsgi_request.token.save()
code_check_resp = self.post(self.UI_CODE_CHECK_LOGIN_URL,
{'code': 'other_code'})
assert_http_ok(code_check_resp)
assert_in(
_('The inserted value does not correspond to the sent code.'),
code_check_resp._container[0].decode('utf8'))
assert_false(code_check_resp.wsgi_request.token.is_authenticated)
def test_user_should_not_register_same_device_keys(self, user):
logged_in_resp = self.post(API_LOGIN_URL, {
'username': '******',
'password': '******'
})
registration_mobile_resp = self.post(
self.API_REQUEST_MOBILE_TOKEN_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(logged_in_resp.json()['token'])
},
data={'uuid': UUID})
assert_http_ok(registration_mobile_resp)
registration_mobile_resp = self.post(
self.API_REQUEST_MOBILE_TOKEN_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(logged_in_resp.json()['token'])
},
data={'uuid': UUID})
assert_http_bad_request(registration_mobile_resp)
def test_token_should_not_be_updated_during_its_access_if_request_contains_specific_haeader(
self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
token = resp.json()['token']
resp = self.get(
self.INDEX_URL,
headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)})
assert_in('X-Authorization-Expiration', resp)
assert_true(resp['X-Authorization-Expiration'].startswith('0:59'))
with freeze_time(timezone.now() + timedelta(minutes=10), tick=True):
resp = self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(token),
'HTTP_X_AUTHORIZATION_RENEWAL_EXEMPT': '1'
})
assert_in('X-Authorization-Expiration', resp)
assert_true(resp['X-Authorization-Expiration'].startswith('0:49'))
def test_superuser_should_do_all_operations(self):
issue = self.create_issue()
user = self.create_user('new_user', 'password', '*****@*****.**')
# Generic read, post
assert_http_ok(self.get('/api/user/'))
assert_http_ok(self.get('/api/issue/'))
assert_http_bad_request(self.post('/api/user/', {}))
assert_http_bad_request(self.post('/api/issue/', {}))
# Generic read, put, patch, delete
assert_http_ok(self.get('/api/user/{}/'.format(user.pk)))
assert_http_ok(self.get('/api/issue/{}/'.format(issue.pk)))
assert_http_bad_request(self.put('/api/user/{}/'.format(user.pk), {}))
assert_http_bad_request(self.put('/api/issue/{}/'.format(issue.pk),
{}))
assert_http_accepted(self.delete('/api/user/{}/'.format(user.pk)))
assert_http_accepted(self.delete('/api/issue/{}/'.format(issue.pk)))
def test_home_view_should_return_ok(self):
resp = self.get('/')
assert_http_ok(resp)
def test_home_view_should_return_ok(self):
resp = self.get('/')
assert_http_ok(resp)
def test_superuser_may_read_users_grid(self):
resp = self.get(self.USER_UI_URL)
assert_http_ok(resp)
def test_ouser_can_read_users_grid(self):
resp = self.get(self.USER_UI_URL)
assert_http_ok(resp)
def test_ouser_can_read_users_grid(self):
self.logged_user.user.perms.add_perm('core.issue_tracker.UserIsCore.read')
resp = self.get(self.USER_UI_URL)
assert_http_ok(resp)
def test_superuser_may_read_users_grid(self):
resp = self.get(self.USER_UI_URL)
assert_http_ok(resp)
def test_ouser_can_read_users_grid(self):
resp = self.get(self.USER_UI_URL)
assert_http_ok(resp)
