def setUp(self): self.factory = RequestFactory() self.middleware = LockoutMiddleware() self.user = User.objects.create_user(self.username, '*****@*****.**', self.password) self.badcredentials = dict(username=self.username, password=self.badpassword) self.goodcredentials = dict(username=self.username, password=self.password) self.MAX_ATTEMPTS_ORIG = lockout_settings.MAX_ATTEMPTS self.USE_USER_AGENT_ORIG = lockout_settings.USE_USER_AGENT self.LOCKOUT_TIME_ORIG = lockout_settings.LOCKOUT_TIME self.ENFORCEMENT_WINDOW_ORIG = lockout_settings.ENFORCEMENT_WINDOW lockout_settings.MAX_ATTEMPTS = 2 lockout_settings.USE_USER_AGENT = True lockout_settings.LOCKOUT_TIME = 2 lockout_settings.ENFORCEMENT_WINDOW = 3
def setUp(self): self.factory = RequestFactory() self.middleware = LockoutMiddleware() self.user = User.objects.create_user( self.username, '*****@*****.**', self.password) self.badcredentials = dict(username=self.username, password=self.badpassword) self.goodcredentials = dict(username=self.username, password=self.password) self.MAX_ATTEMPTS_ORIG = lockout_settings.MAX_ATTEMPTS self.USE_USER_AGENT_ORIG = lockout_settings.USE_USER_AGENT self.LOCKOUT_TIME_ORIG = lockout_settings.LOCKOUT_TIME self.ENFORCEMENT_WINDOW_ORIG = lockout_settings.ENFORCEMENT_WINDOW lockout_settings.MAX_ATTEMPTS = 2 lockout_settings.USE_USER_AGENT = True lockout_settings.LOCKOUT_TIME = 2 lockout_settings.ENFORCEMENT_WINDOW = 3
class LockoutTestCase(TestCase): """Test case for lockout functionality. Requires django.contrib.auth. """ username = '******' password = '******' badpassword = '******' ip1 = '64.147.222.137' ip2 = '168.212.226.204' useragent1 = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2' useragent2 = 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)' #################################################################### def setUp(self): self.factory = RequestFactory() self.middleware = LockoutMiddleware() self.user = User.objects.create_user( self.username, '*****@*****.**', self.password) self.badcredentials = dict(username=self.username, password=self.badpassword) self.goodcredentials = dict(username=self.username, password=self.password) self.MAX_ATTEMPTS_ORIG = lockout_settings.MAX_ATTEMPTS self.USE_USER_AGENT_ORIG = lockout_settings.USE_USER_AGENT self.LOCKOUT_TIME_ORIG = lockout_settings.LOCKOUT_TIME self.ENFORCEMENT_WINDOW_ORIG = lockout_settings.ENFORCEMENT_WINDOW lockout_settings.MAX_ATTEMPTS = 2 lockout_settings.USE_USER_AGENT = True lockout_settings.LOCKOUT_TIME = 2 lockout_settings.ENFORCEMENT_WINDOW = 3 #################################################################### def tearDown(self): # Clear the lockout keys from the cache and restore lockout settings for ip in (self.ip1, self.ip2): for useragent in (self.useragent1, self.useragent2): request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=ip, HTTP_USER_AGENT=useragent) reset_attempts(request) lockout_settings.MAX_ATTEMPTS = self.MAX_ATTEMPTS_ORIG lockout_settings.USE_USER_AGENT = self.USE_USER_AGENT_ORIG lockout_settings.LOCKOUT_TIME = self.LOCKOUT_TIME_ORIG lockout_settings.ENFORCEMENT_WINDOW = self.ENFORCEMENT_WINDOW_ORIG #################################################################### def authenticate(self, request, **credentials): """Wraps auth.authenticate with LockoutMiddleware, since the tests do not trigger the middleware. """ self.middleware.process_request(request) user = auth.authenticate(**credentials) self.middleware.process_response(None, None) return user #################################################################### def test_valid_login_allowed(self): """Sanity check that a valid login is not locked out. """ request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) user = self.authenticate(request, **self.goodcredentials) self.assertEqual(user, self.user) #################################################################### def test_max_attempts(self): """Tests that the user is locked out after exceeding the max attempts. """ meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) request = self.factory.post(settings.LOGIN_URL, **meta) # User should be locked out even with a valid login. self.assertRaises(LockedOut, self.authenticate, request, **self.goodcredentials) #################################################################### def test_lockout_time(self): """Tests that the user is locked out for the appropriate length of time. """ meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) request = self.factory.post(settings.LOGIN_URL, **meta) self.assertRaises(LockedOut, self.authenticate, request, **self.badcredentials) # Let the lockout expire and retry. time.sleep(lockout_settings.LOCKOUT_TIME) request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.goodcredentials) self.assertEqual(user, self.user) #################################################################### def test_enforcement_window(self): """Tests that, after the enforcement window ends, the user gets a fresh start. """ meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) # Let the enforcement window expire. time.sleep(lockout_settings.ENFORCEMENT_WINDOW) # The user is now allowed the max attempts without a lockout. for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) #################################################################### def test_different_ips(self): """Tests that a lockout of one IP does not affect requests from a different IP. """ meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) # IP2 is not locked out... request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=self.ip2, HTTP_USER_AGENT=self.useragent1) user = self.authenticate(request, **self.goodcredentials) self.assertEqual(user, self.user) # ...even though IP1 is. request = self.factory.post(settings.LOGIN_URL, **meta) self.assertRaises(LockedOut, self.authenticate, request, **self.goodcredentials) #################################################################### def test_use_user_agent(self): """Tests that a user from the same IP but with a different user agent is not locked out, if USE_USER_AGENT is True. """ self.assertTrue(lockout_settings.USE_USER_AGENT) meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) # User agent 2 is not locked out... request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent2) user = self.authenticate(request, **self.goodcredentials) self.assertEqual(user, self.user) # ...even though user agent 1 is. request = self.factory.post(settings.LOGIN_URL, **meta) self.assertRaises(LockedOut, self.authenticate, request, **self.goodcredentials) #################################################################### def test_ignore_user_agent(self): """Tests that a user from the same IP but with a different user agent is locked out, if USE_USER_AGENT is False. """ lockout_settings.USE_USER_AGENT = False meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) # User agent 2 from same IP is locked out request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent2) self.assertRaises(LockedOut, self.authenticate, request, **self.goodcredentials)
class LockoutTestCase(TestCase): """Test case for lockout functionality. Requires django.contrib.auth. """ username = '******' password = '******' badpassword = '******' ip1 = '64.147.222.137' ip2 = '168.212.226.204' useragent1 = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2' useragent2 = 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)' #################################################################### def setUp(self): self.factory = RequestFactory() self.middleware = LockoutMiddleware() self.user = User.objects.create_user(self.username, '*****@*****.**', self.password) self.badcredentials = dict(username=self.username, password=self.badpassword) self.goodcredentials = dict(username=self.username, password=self.password) self.MAX_ATTEMPTS_ORIG = lockout_settings.MAX_ATTEMPTS self.USE_USER_AGENT_ORIG = lockout_settings.USE_USER_AGENT self.LOCKOUT_TIME_ORIG = lockout_settings.LOCKOUT_TIME self.ENFORCEMENT_WINDOW_ORIG = lockout_settings.ENFORCEMENT_WINDOW lockout_settings.MAX_ATTEMPTS = 2 lockout_settings.USE_USER_AGENT = True lockout_settings.LOCKOUT_TIME = 2 lockout_settings.ENFORCEMENT_WINDOW = 3 #################################################################### def tearDown(self): # Clear the lockout keys from the cache and restore lockout settings for ip in (self.ip1, self.ip2): for useragent in (self.useragent1, self.useragent2): request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=ip, HTTP_USER_AGENT=useragent) reset_attempts(request) lockout_settings.MAX_ATTEMPTS = self.MAX_ATTEMPTS_ORIG lockout_settings.USE_USER_AGENT = self.USE_USER_AGENT_ORIG lockout_settings.LOCKOUT_TIME = self.LOCKOUT_TIME_ORIG lockout_settings.ENFORCEMENT_WINDOW = self.ENFORCEMENT_WINDOW_ORIG #################################################################### def authenticate(self, request, **credentials): """Wraps auth.authenticate with LockoutMiddleware, since the tests do not trigger the middleware. """ self.middleware.process_request(request) user = auth.authenticate(**credentials) self.middleware.process_response(None, None) return user #################################################################### def test_valid_login_allowed(self): """Sanity check that a valid login is not locked out. """ request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) user = self.authenticate(request, **self.goodcredentials) self.assertEqual(user, self.user) #################################################################### def test_max_attempts(self): """Tests that the user is locked out after exceeding the max attempts. """ meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) request = self.factory.post(settings.LOGIN_URL, **meta) # User should be locked out even with a valid login. self.assertRaises(LockedOut, self.authenticate, request, **self.goodcredentials) #################################################################### def test_lockout_time(self): """Tests that the user is locked out for the appropriate length of time. """ meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) request = self.factory.post(settings.LOGIN_URL, **meta) self.assertRaises(LockedOut, self.authenticate, request, **self.badcredentials) # Let the lockout expire and retry. time.sleep(lockout_settings.LOCKOUT_TIME) request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.goodcredentials) self.assertEqual(user, self.user) #################################################################### def test_enforcement_window(self): """Tests that, after the enforcement window ends, the user gets a fresh start. """ meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) # Let the enforcement window expire. time.sleep(lockout_settings.ENFORCEMENT_WINDOW) # The user is now allowed the max attempts without a lockout. for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) #################################################################### def test_different_ips(self): """Tests that a lockout of one IP does not affect requests from a different IP. """ meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) # IP2 is not locked out... request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=self.ip2, HTTP_USER_AGENT=self.useragent1) user = self.authenticate(request, **self.goodcredentials) self.assertEqual(user, self.user) # ...even though IP1 is. request = self.factory.post(settings.LOGIN_URL, **meta) self.assertRaises(LockedOut, self.authenticate, request, **self.goodcredentials) #################################################################### def test_use_user_agent(self): """Tests that a user from the same IP but with a different user agent is not locked out, if USE_USER_AGENT is True. """ self.assertTrue(lockout_settings.USE_USER_AGENT) meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) # User agent 2 is not locked out... request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent2) user = self.authenticate(request, **self.goodcredentials) self.assertEqual(user, self.user) # ...even though user agent 1 is. request = self.factory.post(settings.LOGIN_URL, **meta) self.assertRaises(LockedOut, self.authenticate, request, **self.goodcredentials) #################################################################### def test_ignore_user_agent(self): """Tests that a user from the same IP but with a different user agent is locked out, if USE_USER_AGENT is False. """ lockout_settings.USE_USER_AGENT = False meta = dict(REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent1) for i in range(lockout_settings.MAX_ATTEMPTS): request = self.factory.post(settings.LOGIN_URL, **meta) user = self.authenticate(request, **self.badcredentials) # User agent 2 from same IP is locked out request = self.factory.post(settings.LOGIN_URL, REMOTE_ADDR=self.ip1, HTTP_USER_AGENT=self.useragent2) self.assertRaises(LockedOut, self.authenticate, request, **self.goodcredentials)