def user_cannot_register_twice_with_same_email(self):
email = "k-{0}@example.com".format(self.randString)
with app.test_client() as c:
resp , outbox = self.register(c,email=email) # @UnusedVariable
logout_user()
self.assertUserResponse(resp)
self.setupRandom()
with app.test_client() as c:
resp, outbox = self.register(c, email=email) # @UnusedVariable
logout_user()
self.assertEquals(400, resp.status_code)
text = self.getResponseText(resp)
self.assertTrue(text.startswith('{"errors": ["email: There is already a user with that email'))
def test_you_need_csrf_token_and_secret_for_deregister_doit(self):
self._doDeregistration()
with app.test_client() as client:
resp = self._doDeregisterDoit(client)
self.assertEqual(resp.status_code, 200)
self.assertEqual('{"message": "you are deregistered"}',
self.getResponseText(resp))
def test_deregistration_doit_needs_a_logged_in_user(self):
self._doDeregistration()
with app.test_client() as client:
resp = self._doDeregisterDoit(client, nologin=True)
self.assertEqual(resp.status_code, 403)
self.assertEqual('{"errors": ["not logged in"]}',
self.getResponseText(resp))
def test_you_need_valid_deregister_secret_for_deregister_doit(self):
self._doDeregistration()
with app.test_client() as client:
resp = self._doDeregisterDoit(client, secret=uuid4())
self.assertEqual(resp.status_code, 400)
self.assertEqual('{"errors": ["bad deregistration secret"]}',
self.getResponseText(resp))
def old_password_for_self_should_be_correct(self):
with app.test_client() as c:
self._preparePasswordChangeTest(c)
resp = self._doPasswordChange(c, oldPassword=self.mkRandomPassword())
self.assertEquals(resp.status_code, 400)
respdata = self.fromJson(resp)
self.assertEqual(respdata['errors'], ["old password does not match"])
def password_login_works_with_correct_identifier_and_secret(self):
user = self.createUserWithCredentials()
user.activate()
with app.test_client() as c:
data = dict(identifier=self.usercreation_userid, secret=self.usercreation_password, credentialType='password')
resp = c.post(config.base_url + '/login', data=data)
self.assertUserResponse(resp)
def registration_should_give_a_credential_type(self):
data = self.prepareData()
data.pop('credentialType')
with app.test_client() as c:
resp = c.post(config.base_url + '/v1/register', data=data)
self.assertEquals(resp.status_code, 400)
self.assertTrue(self.getResponseText(resp).startswith('{"errors": ["credentialType: '))
def if_you_register_without_hash_it_will_be_null(self):
with app.test_client() as c:
data = self.prepareData()
data.pop('digest')
c.post(config.base_url + '/v1/register', data=data)
user = User.getByEmail(self.registered_email)
self.assertEqual(user.hash, None)
def password_registration_needs_good_password(self):
data = self.prepareData()
data['secret'] = '1234'
with app.test_client() as c:
resp = c.post(config.base_url + '/v1/register', data=data)
self.assertEquals(resp.status_code, 400)
self.assertTrue(self.getResponseText(resp).startswith('{"errors": ["secret: '))
def test_the_added_credential_should_contain_identifier(self):
with app.test_client() as client:
self.login(client)
self.setupRandom()
resp = self.addPasswordCredential(client,nofield="identifier")
self.assertEqual(400, resp.status_code)
self.assertEqual('{"errors": ["identifier: Field must be between 4 and 250 characters long."]}', self.getResponseText(resp))
def if_you_log_out_you_will_be_logged_out(self):
with app.test_client() as c:
self.login(c)
resp = c.get(config.base_url + "/logout")
self.assertEquals(resp.status_code, 200)
resp = c.get(config.base_url + "/logout")
self.assertEquals(resp.status_code, 302)
def callMe(self, data):
headers = {'Authorization':'{0} {1}'.format(
data['token_type'],
data['access_token'])}
with app.test_client() as client:
resp = client.get('/v1/users/me', headers=headers)
return resp
def getCode(self):
with app.test_client() as client:
self.login(client)
baseUri = config.BASE_URL + '/v1/oauth2/auth'
uri = WebInterface.parametrizeUri(baseUri, self.authParams)
resp = client.get(uri)
return resp
def test_registration_should_give_a_credential_type(self):
data = self.prepareAuthInterfaceData()
data.pop('credentialType')
with app.test_client() as client:
resp = client.post(config.BASE_URL + '/v1/register', data=data)
self.assertEqual(resp.status_code, 400)
self.assertTrue(self.getResponseText(resp).startswith('{"errors": ["credentialType: '))
def test_password_registration_needs_good_password(self):
data = self.prepareAuthInterfaceData()
data['password'] = '******'
with app.test_client() as client:
resp = client.post(config.BASE_URL + '/v1/register', data=data)
self.assertEqual(resp.status_code, 400)
self.assertTrue(self.getResponseText(resp).startswith('{"errors": ["password: '))
def test_registration_is_impossible_without_email(self):
with app.test_client() as client:
data = self.prepareAuthInterfaceData()
data.pop('email')
resp = client.post(config.BASE_URL + '/v1/register', data=data)
self.assertEqual(resp.status_code, 400)
self.assertEqual(self.getResponseText(resp),'{"errors": ["email: Invalid email address."]}')
def getCode(self):
with app.test_client() as client:
self.login(client)
baseUri = config.BASE_URL + '/v1/oauth2/auth'
uri = WebInterface.parametrizeUri(baseUri, self.authParams)
resp = client.get(uri)
return resp
def test_change_password_for_self_needs_old_password(self):
with app.test_client() as client:
self._preparePasswordChangeTest(client)
resp = self._doPasswordChange(client, oldPassword='******')
self.assertEqual(resp.status_code, 400)
respdata = self.fromJson(resp)
self.assertTrue(u'oldPassword: '******'errors'][0])
def change_password_returns_200_and_a_success_message(self):
with app.test_client() as c:
self._preparePasswordChangeTest(c)
resp = self._doPasswordChange(c)
self.assertEquals(resp.status_code, 200)
respdata = self.fromJson(resp)
self.assertEqual(respdata['message'], 'password changed succesfully')
def password_login_needs_correct_identifier_and_secret(self):
with app.test_client() as c:
data = dict(identifier="userid", secret=self.mkRandomPassword(), credentialType='password')
resp = c.post(config.base_url + '/login', data=data)
self.assertEquals(resp.status_code, 403)
text = self.getResponseText(resp)
self.assertEquals(text,'{"errors": ["Bad username or password"]}')
def email_verification_after_expiry_will_fail(self):
self.setupRandom()
with app.test_client() as c:
resp, outbox = self.register(c) # @UnusedVariable
email = self.registered_email
logout_user()
self.validateUri=re.search('href="([^"]*)',outbox[0].body).group(1)
with app.test_client() as c:
user = User.getByEmail(email)
creds = Credential.getByUser(user)
for cred in creds:
if cred.credentialType == 'emailcheck':
cred.identifier = unicode(time.time()- 1)
resp = c.get(self.validateUri)
self.assertEqual(400, resp.status_code)
self.assertEqual('{"errors": ["expired token"]}', self.getResponseText(resp))
def change_password_needs_csrf(self):
with app.test_client() as c:
self._preparePasswordChangeTest(c)
resp = self._doPasswordChange(c,csrf="badcsrf")
self.assertEquals(resp.status_code, 400)
respdata = self.fromJson(resp)
self.assertEqual(respdata['errors'], [u'csrf_token: csrf validation error'])
def change_password_for_self_needs_old_password(self):
with app.test_client() as c:
self._preparePasswordChangeTest(c)
resp = self._doPasswordChange(c, oldPassword='******')
self.assertEquals(resp.status_code, 400)
respdata = self.fromJson(resp)
self.assertTrue(u'oldPassword: '******'errors'][0])
def test_the_password_should_be_at_least_8_characters_long(self):
with app.test_client() as client:
self.login(client)
self.setupRandom()
resp = self.addPasswordCredential(client,password="******")
self.assertEqual(400, resp.status_code)
self.assertEqual('{"errors": ["password: Field must be at least 8 characters long."]}', self.getResponseText(resp))
def registration_is_impossible_without_email(self):
with app.test_client() as c:
data = self.prepareData()
data.pop('email')
resp = c.post(config.base_url + '/v1/register', data=data)
self.assertEquals(resp.status_code, 400)
self.assertEquals(self.getResponseText(resp),'{"errors": ["email: Invalid email address."]}')
def password_login_should_send_hidden_field_credentialType(self):
with app.test_client() as c:
data = dict(identifier="userid", secret=self.mkRandomPassword())
resp = c.post(config.base_url + '/login', data=data)
self.assertEquals(resp.status_code, 403)
text = self.getResponseText(resp)
self.assertTrue(text.startswith('{"errors": ["credentialType: '))
def test_the_added_credential_should_contain_secret(self):
with app.test_client() as client:
self.login(client)
resp = self.addPasswordCredential(client,nofield="password")
self.assertEqual(400, resp.status_code)
self.assertEqual('{"errors": ["password: Field must be at least 8 characters long.", "password: password should contain lowercase", "password: password should contain uppercase", "password: password should contain digit"]}',
self.getResponseText(resp))
def password_login_needs_identifier(self):
with app.test_client() as c:
data = dict(secret=self.mkRandomPassword())
resp = c.post(config.base_url + '/login', data=data)
self.assertEquals(resp.status_code, 403)
text = self.getResponseText(resp)
self.assertTrue(text.startswith('{"errors": ["identifier: '))
def registerAndObtainValidationUri(self):
with app.test_client() as client:
resp = self.register(client)
email = self.registeredEmail
logout_user()
self.assertUserResponse(resp)
self.validateUri = self.getValidateUri()
return email
def registerAndObtainValidationUri(self):
with app.test_client() as client:
resp = self.register(client)
email = self.registeredEmail
logout_user()
self.assertUserResponse(resp)
self.validateUri = self.getValidateUri()
return email
def test_password_reset_needs_secret(self):
password = self.mkRandomPassword()
with app.test_client() as client:
data = dict(password=password)
resp = client.post("/v1/password_reset", data = data)
self.assertEqual(resp.status_code, 400)
respData = self.fromJson(resp)
self.assertTrue("secret" in respData['errors'][0])
def test_auth_interface_redirects_to_redirect_uri(self):
uri, baseUrl, uriBase, queryString = self.buildUris(self.app2) # @UnusedVariable
targetUri = "{0}?next={1}".format(app.config.get('LOGIN_URL'), uritools.uriencode(uri).decode('utf-8'))
with app.test_client() as client:
resp = client.get(
uriBase, query_string=queryString, base_url=baseUrl)
self.assertEqual(resp.status_code, 302)
self.assertEqual(resp.headers['Location'],targetUri)
def the_reset_link_is_in_the_reset_email(self):
with app.test_client() as c:
with mail.record_messages() as outbox:
c.get("/v1/users/{0}/passwordreset".format(self.usercreation_email))
text = outbox[0].body
soup = BeautifulSoup(text)
passwordResetLink = soup.find("a")['href']
return passwordResetLink
def test_password_login_needs_identifier(self):
with app.test_client() as client:
data = dict(password=self.mkRandomPassword(),
credentialType='password')
resp = client.post(config.BASE_URL + '/v1/login', data=data)
self.assertEqual(resp.status_code, 403)
text = self.getResponseText(resp)
self.assertTrue(text.startswith('{"errors": ["identifier: '))
def test_email_validation_email_can_be_resent(self):
with app.test_client() as client:
self.login(client)
client.get(config.BASE_URL + "/v1/send_verify_email")
user = User.get(self.userid)
self.assertEqual(
self.userCreationEmail,
Credential.getByUser(user, "emailcheck").user.email)
def test_password_login_needs_correct_credentialType(self):
with app.test_client() as client:
data = dict(identifier="userid",
password=self.mkRandomPassword(),
credentialType='incorrect')
resp = client.post(config.BASE_URL + '/v1/login', data=data)
self.assertEqual(resp.status_code, 403)
self.assertCredentialErrorresponse(resp)
def callMe(self, data):
headers = {
'Authorization':
'{0} {1}'.format(data['token_type'], data['access_token'])
}
with app.test_client() as client:
resp = client.get('/v1/users/me', headers=headers)
return resp
def test_password_login_needs_secret(self):
with app.test_client() as client:
data = dict(credentialType="password", identifier="userid")
resp = client.post(config.BASE_URL + '/v1/login', data=data)
self.assertEqual(resp.status_code, 403)
text = self.getResponseText(resp)
self.assertTrue(
"password: Field must be at least 8 characters long." in text)
def test_you_need_valid_csrf_token_for_deregister_doit(self):
self._doDeregistration()
with app.test_client() as client:
resp = self._doDeregisterDoit(client, csrf="invalid")
self.assertEqual(resp.status_code, 400)
self.assertEqual(
'{"errors": ["csrf_token: csrf validation error"]}',
self.getResponseText(resp))
def test_password_reset_needs_password(self):
secret = uuid4().hex
with app.test_client() as client:
data = dict(secret=secret)
resp = client.post("/v1/password_reset", data = data)
self.assertEqual(resp.status_code, 400)
respData = self.fromJson(resp)
self.assertTrue("password" in respData['errors'][0])
def test_password_reset_needs_password(self):
secret = uuid4().hex
with app.test_client() as client:
data = dict(secret=secret)
resp = client.post("/v1/password_reset", data=data)
self.assertEqual(resp.status_code, 400)
respData = self.fromJson(resp)
self.assertTrue("password" in respData['errors'][0])
def test_you_need_deregister_secret_for_deregister_doit(self):
self._doDeregistration()
with app.test_client() as client:
resp = self._doDeregisterDoit(client, secret=False)
self.assertEqual(resp.status_code, 400)
self.assertEqual(
'{"errors": ["deregister_secret: Field must be at least 8 characters long.", "deregister_secret: secret should contain lowercase", "deregister_secret: secret should contain digit"]}',
self.getResponseText(resp))
def password_login_needs_correct_credentialType(self):
with app.test_client() as c:
data = dict(identifier="userid", secret=self.mkRandomPassword(), credentialType='incorrect')
resp = c.post(config.base_url + '/login', data=data)
self.assertEquals(resp.status_code, 403)
text = self.getResponseText(resp)
expected = '{{"errors": [{0}]}}'.format(credErr)
self.assertEquals(text,expected)
def test_password_reset_needs_secret(self):
password = self.mkRandomPassword()
with app.test_client() as client:
data = dict(password=password)
resp = client.post("/v1/password_reset", data=data)
self.assertEqual(resp.status_code, 400)
respData = self.fromJson(resp)
self.assertTrue("secret" in respData['errors'][0])
def password_login_needs_secret(self):
with app.test_client() as c:
data = dict(credentialType=self.mkRandomPassword(), identifier="userid")
resp = c.post(config.base_url + '/login', data=data)
self.assertEquals(resp.status_code, 403)
text = self.getResponseText(resp)
self.assertEqual('{{"errors": ["secret: Field must be at least 8 characters long.", "secret: password should contain lowercase", "secret: password should contain uppercase", "secret: password should contain digit", {0}]}}'.format(credErr),
text)
def test_change_password_needs_csrf(self):
with app.test_client() as client:
self._preparePasswordChangeTest(client)
resp = self._doPasswordChange(client, csrf="badcsrf")
self.assertEqual(resp.status_code, 400)
respdata = self.fromJson(resp)
self.assertEqual(respdata['errors'],
[u'csrf_token: csrf validation error'])
def test_change_password_does_change_password(self):
with app.test_client() as client:
self._preparePasswordChangeTest(client)
self._doPasswordChange(client)
cred = Credential.get('password', self.userCreationUserid)
self.assertEqual(
cred.secret,
CredentialManager.protect_secret(self.newPassword))
def test_change_password_returns_200_and_a_success_message(self):
with app.test_client() as client:
self._preparePasswordChangeTest(client)
resp = self._doPasswordChange(client)
self.assertEqual(resp.status_code, 200)
respdata = self.fromJson(resp)
self.assertEqual(respdata['message'],
'password changed succesfully')
def test_password_login_needs_correct_identifier_and_secret(self):
with app.test_client() as client:
data = dict(identifier="userid",
password=self.mkRandomPassword(),
credentialType='password')
resp = client.post(config.BASE_URL + '/v1/login', data=data)
self.assertEqual(resp.status_code, 403)
text = self.getResponseText(resp)
self.assertEqual(text, '{"errors": ["Bad username or password"]}')
def test_password_reset_secret_have_to_be_valid(self):
password = self.mkRandomPassword()
secret = uuid4().hex
with app.test_client() as client:
data = dict(password=password, secret=secret)
resp = client.post("/v1/password_reset", data=data)
self.assertEqual(resp.status_code, 404)
respData = self.fromJson(resp)
self.assertEqual('The secret has expired', respData['errors'][0])
def test_old_password_for_self_should_be_correct(self):
with app.test_client() as client:
self._preparePasswordChangeTest(client)
resp = self._doPasswordChange(client,
oldPassword=self.mkRandomPassword())
self.assertEqual(resp.status_code, 400)
respdata = self.fromJson(resp)
self.assertEqual(respdata['errors'],
["old password does not match"])
def test_you_should_give_the_identifier_for_credential_deletion(self):
with app.test_client() as client:
self.login(client)
data = {
"csrf_token": self.getCSRF(client),
"credentialType": "facebook",
}
resp = client.post(config.BASE_URL + "/v1/remove_credential", data=data)
self.assertEqual(400, resp.status_code)
self.assertEqual('{"errors": ["identifier: Field must be between 4 and 250 characters long."]}', self.getResponseText(resp))
def test_for_access_token_you_need_a_refresh_token(self):
with app.test_client() as client:
self.app = self.createApp()
appid = self.app.appid
appsecret = self.app.secret
tokenParams = dict(grant_type="refresh_token",
client_id=appid,
client_secret=appsecret)
resp = client.post("/v1/oauth2/token", data=tokenParams)
self.assertEqual(400, resp.status_code)
def test_wrong_data_generates_error_response(self):
data = dict(
pubkey = wrong_pubkey,
email = "*****@*****.**"
)
with app.test_client() as client:
resp = client.post("/v1/ca/signreq", data=data)
self.assertEqual(400,resp.status_code)
respData = self.fromJson(resp)
self.assertEqual("error in cert",respData['errors'])
def test_without_login_it_is_not_possible_to_update_the_hash(self):
self.setupRandom()
with app.test_client() as client:
csrf = self.getCSRF(client)
data = dict(
digest= self.createHash(),
csrf_token= csrf
)
resp = client.post(config.BASE_URL+'/v1/users/me/update_hash', data=data)
self.assertEqual(403,resp.status_code)
def test_error_message_on_hash_collision(self):
anotheruser = self.createUserWithCredentials().user
digest = self.createHash()
anotheruser.hash = digest
Assurance.new(anotheruser, "test", anotheruser)
anotheruser.save()
with app.test_client() as client:
resp = self.doUpdateHashForUser(client, digest=digest)
self.assertEqual(400, resp.status_code)
self.assertEqual('{"errors": ["another user is using your hash"]}', resp.data.decode('utf-8'))
def test_you_should_give_the_credentialType_for_credential_deletion(self):
with app.test_client() as client:
self.login(client)
credId = self.randString
data = {
"csrf_token": self.getCSRF(client),
"identifier": credId,
}
resp = client.post(config.BASE_URL + "/v1/remove_credential", data=data)
self.assertEqual(400, resp.status_code)
self.assertCredentialErrorresponse(resp)
