def test_the_credential_is_actually_added(self):
myUserid = self.createRandomUserId()
credBefore = Credential.get("password", myUserid)
self.assertTrue(credBefore is None)
resp = self._createPasswordCredential(userid=myUserid)
self.assertEqual(200, resp.status_code)
credAfter = Credential.get("password", myUserid)
self.assertTrue(credAfter is not None)
def test_the_credential_used_for_login_cannot_be_cleared(self):
credential = self.createUserWithCredentials()
self.controller.loginInFramework(credential)
self.assertTrue(Credential.get("password", self.userCreationUserid))
form = FakeForm({
"identifier": self.userCreationUserid,
"credentialType": "password",
})
self.assertReportedError(self.controller.doRemoveCredential,[form], 400, ["You cannot delete the login you are using"])
self.assertTrue(Credential.get("password", self.userCreationUserid))
def the_credential_used_for_login_cannot_be_cleared(self):
with app.test_client() as c:
self.login(c)
self.assertTrue(Credential.get("password", self.usercreation_userid))
data = {
"identifier": self.usercreation_userid,
"credentialType": "password",
}
resp = c.post(config.base_url + "/v1/remove_credential", data=data)
self.assertEqual(400, resp.status_code)
self.assertEqual('{"errors": ["You cannot delete the login you are using"]}', self.getResponseText(resp))
self.assertTrue(Credential.get("password", self.usercreation_userid))
def test_the_added_credential_should_contain_credentialType(self):
with app.test_client() as client:
self.login(client)
self.setupRandom()
username = "******".format(self.randString)
credBefore = Credential.get("password", username)
self.assertTrue(credBefore is None)
resp = self.addPasswordCredential(client, username=username, nofield="credentialType")
self.assertEqual(400, resp.status_code)
credAfter = Credential.get("password", username)
self.assertTrue(credAfter is None)
self.assertCredentialErrorresponse(resp)
def the_credential_is_actually_deleted(self):
with app.test_client() as c:
self.login(c)
user = User.getByEmail(self.usercreation_email)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"credentialType": "facebook",
"identifier": credId,
}
c.post(config.base_url + "/v1/remove_credential", data=data)
self.assertFalse(Credential.get("facebook", credId))
def test_the_credential_is_actually_deleted(self):
with app.test_client() as client:
self.login(client)
user = User.getByEmail(self.userCreationEmail)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"csrf_token": self.getCSRF(client),
"credentialType": "facebook",
"identifier": credId,
}
client.post(config.BASE_URL + "/v1/remove_credential", data=data)
self.assertFalse(Credential.get("facebook", credId))
def registerCertUser(self, cert, email):
if cert is None or cert == '':
raise ReportedError(["No certificate given"], 403)
identifier, digest = self.parseCert(cert)
cred = Credential.get("certificate", identifier)
if cred is None:
if email is None:
raise ReportedError(["You have to register first"], 403)
theEmail = email[0]
CredentialManager.create_user_with_creds("certificate", identifier, digest, theEmail)
cred = Credential.get("certificate", identifier)
self.sendPasswordVerificationEmail(cred.user)
cred.user.activate()
return cred
def password_reset_credential_have_4_hours_expiration_time(self):
now = time.time()
passwordResetLink = self.the_reset_link_is_in_the_reset_email()
secret = passwordResetLink.split('?secret=')[1]
cred = Credential.get('email_for_password_reset',secret)
expiry = float(cred.secret) - now
self.assertTrue(expiry > 14395 and expiry < 14405)
def do_remove_credential(self, form):
if self.isLoginCredentials(form):
raise ReportedError(["You cannot delete the login you are using"], 400)
cred=Credential.get(form.credentialType.data, form.identifier.data)
if cred is None:
raise ReportedError(['No such credential'], 404)
cred.rm()
return self.simple_response('credential removed')
def the_credential_is_actually_added(self):
with app.test_client() as c:
self.login(c)
self.setupRandom()
username = "******".format(self.randString)
data = {
"credentialType": "password",
"identifier": username,
"secret": "secret is {0}".format(self.mkRandomPassword())
}
uri = config.base_url + "/v1/add_credential"
credBefore = Credential.get("password", username)
self.assertTrue(credBefore is None)
resp = c.post(uri, data=data)
self.assertEqual(200, resp.status_code)
credAfter = Credential.get("password", username)
self.assertTrue(credAfter is not None)
def validate_from_form(cls, form):
cred = Credential.get('password', form.identifier.data)
if cred is None:
return None
hashed = cls.protect_secret(form.secret.data)
if cred.secret == hashed:
return cred.user
return None
def the_added_credential_should_contain_credentialType(self):
with app.test_client() as c:
self.login(c)
self.setupRandom()
username = "******".format(self.randString)
data = {
"identifier": username,
"secret": "secret is {0}".format(self.mkRandomPassword())
}
uri = config.base_url + "/v1/add_credential"
credBefore = Credential.get("password", username)
self.assertTrue(credBefore is None)
resp = c.post(uri, data=data)
self.assertEqual(400, resp.status_code)
credAfter = Credential.get("password", username)
self.assertTrue(credAfter is None)
self.assertEqual('{{"errors": [{0}]}}'.format(credErr), self.getResponseText(resp))
def test_change_password_does_change_password(self):
with app.test_client() as client:
self._preparePasswordChangeTest(client)
self._doPasswordChange(client)
cred = Credential.get('password', self.userCreationUserid)
self.assertEqual(
cred.secret,
CredentialManager.protect_secret(self.newPassword))
def with_keygen_you_get_back_a_certificate_for_the_given_email(self):
with app.test_client() as c:
resp = c.post("/keygen", data=self.data, headers=self.headers)
self.assertEquals(resp.status_code, 200)
cert = self.getResponseText(resp)
identifier, cn = self._getCertId(cert)
self.assertEqual(self.usercreation_email,cn)
cred = Credential.get("certificate", identifier)
cred.rm()
def registerCertUser(self, email, identifier, digest, cred):
if email is None:
raise ReportedError([youHaveToRegisterFirst], 403)
theEmail = email[0]
CredentialManager.create_user_with_creds("certificate", identifier,
digest, theEmail)
cred = Credential.get("certificate", identifier)
self.sendPasswordVerificationEmail(cred.user)
return cred
def doRemoveCredential(self, form):
session = self.getSession()
if self.isLoginCredential(form, session):
raise ReportedError([cannotDeleteLoginCred],400)
cred=Credential.get(form.credentialType.data, form.identifier.data)
if cred is None:
raise ReportedError([noSuchCredential], 404)
cred.rm()
return self.simple_response(credentialRemoved)
def doRemoveCredential(self, form):
session = self.getSession()
if self.isLoginCredential(form, session):
raise ReportedError([cannotDeleteLoginCred],400)
cred=Credential.get(form.credentialType.data, form.identifier.data)
if cred is None:
raise ReportedError([noSuchCredential], 404)
cred.rm()
return self.simple_response(credentialRemoved)
def do_password_reset(self, form):
cred = Credential.get(passwordResetCredentialType, form.secret.data)
if cred is None or (float(cred.secret) < time.time()):
Credential.deleteExpired(passwordResetCredentialType)
raise ReportedError(['The secret has expired'], 404)
passcred = Credential.getByUser(cred.user, 'password')
passcred.secret = CredentialManager.protect_secret(form.password.data)
cred.rm()
return self.simple_response('Password successfully changed')
def _removeACredential(self, myUserid):
self.controller.loginInFramework(self.cred)
user = self.cred.user
Credential.new(user, "facebook", myUserid, "testsecret")
data = {"credentialType": "facebook",
"identifier": myUserid}
self.assertTrue(Credential.get("facebook", myUserid))
resp = self.controller.doRemoveCredential(FakeForm(data))
return resp
def successful_password_clears_the_temporary_credential(self):
password = self.mkRandomPassword()
secret = unicode(uuid4())
user = User.getByEmail(self.usercreation_email)
Credential.new(user, 'email_for_password_reset', secret, time.time()+3600)
with app.test_client() as c:
data = dict(password=password, secret=secret)
c.post("/v1/password_reset", data = data)
newcred = Credential.get('email_for_password_reset', secret)
self.assertEquals(newcred, None)
def loginOrRegisterCertUser(self, cert, email):
if cert is None or cert == '':
raise ReportedError([noCertificateGiven], 403)
identifier = self.getIdentifier(cert)
cred = Credential.get("certificate", identifier)
if cred is None:
digest = self.getDigest(cert)
cred = self.registerCertUser(email, identifier, digest, cred)
cred.user.activate()
return cred
def test_if_the_user_is_logged_in__a_credential_is_added_to_the_user_for_the_cert(self):
with app.test_client() as client:
self.login(client)
resp = client.post("/v1/ca/signreq", data=self.data, headers=self.headers)
self.assertEqual(resp.status_code, 200)
cert = self.getCertFromResponse(resp)
cred = Credential.get("certificate", self.controller.getIdentifier(cert))
self.assertTrue(cred)
self.assertEqual(cred.user.email, self.userCreationEmail)
self.assertTrue(self.userCreationEmail != cert.get_subject().commonName)
self.deleteUser(cred.user)
def if_the_user_is_logged_in__a_credential_is_added_to_the_user_for_the_cert(self):
with app.test_client() as c:
self.login(c)
resp = c.post("/keygen", data=self.data, headers=self.headers)
self.assertEquals(resp.status_code, 200)
cert = self.getResponseText(resp)
identifier, cn = self._getCertId(cert) # @UnusedVariable
cred = Credential.get("certificate", identifier)
self.assertTrue(cred)
self.assertEqual(cred.user.email, self.usercreation_email)
self.assertTrue(self.usercreation_email != cn)
self.deleteUser(cred.user)
def do_deregister(self,form):
if not self.isLoginCredentials(form):
raise ReportedError(["You should use your login credentials to deregister"], 400)
cred = Credential.get(form.credentialType.data, form.identifier.data)
user = cred.user
creds = Credential.getByUser(user)
for cred in creds:
cred.rm()
assurances = Assurance.listByUser(user)
for assurance in assurances:
assurance.rm()
user.rm()
return self.simple_response('deregistered')
def getCredentialFromForm(cls, form):
cred = Credential.get('password', form.identifier.data)
if cred is None:
user = User.getByEmail(form.identifier.data)
if user is None:
return None
cred = Credential.getByUser(user, "password")
if cred is None:
return None
hashed = cls.protect_secret(form.password.data)
if cred.secret == hashed:
return cred
return None
def test_if_createUser_is_set__a_new_user_is_created_with_the_cert_and_logged_in(self):
with app.test_client() as client:
self.data['createUser']=True
self.assertEqual(None, User.getByEmail(self.userCreationEmail))
resp = client.post("/v1/ca/signreq", data=self.data, headers=self.headers)
self.assertEqual(resp.status_code, 200)
cert = self.getCertFromResponse(resp)
identifier = self.controller.getIdentifier(cert)
resp2 = client.get("/v1/users/me")
self.assertEqual(200, resp2.status_code)
cred = Credential.get("certificate", identifier)
self.assertTrue(cred)
self.assertEqual(cred.user.email, self.userCreationEmail)
self.deleteUser(cred.user)
def if_createUser_is_set__a_new_user_is_created_with_the_cert_and_logged_in(self):
with app.test_client() as c:
self.data['createUser']=True
self.assertEqual(None, User.getByEmail(self.usercreation_email))
resp = c.post("/keygen", data=self.data, headers=self.headers)
self.assertEquals(resp.status_code, 200)
cert = self.getResponseText(resp)
identifier, cn = self._getCertId(cert) # @UnusedVariable
resp2 = c.get("/v1/users/me")
self.assertEqual(200, resp2.status_code)
cred = Credential.get("certificate", identifier)
self.assertTrue(cred)
self.assertEquals(cred.user.email, self.usercreation_email)
self.deleteUser(cred.user)
def you_should_give_valid_identifier_for_credential_deletion(self):
with app.test_client() as c:
self.login(c)
user = User.getByEmail(self.usercreation_email)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"identifier": credId+"no",
"credentialType": "facebook",
}
resp = c.post(config.base_url + "/v1/remove_credential", data=data)
self.assertEqual(404, resp.status_code)
self.assertEqual('{"errors": ["No such credential"]}', self.getResponseText(resp))
def a_credential_can_be_deleted(self):
with app.test_client() as c:
self.login(c)
user = User.getByEmail(self.usercreation_email)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"credentialType": "facebook",
"identifier": credId,
}
resp = c.post(config.base_url + "/v1/remove_credential", data=data)
self.assertEqual(200, resp.status_code)
self.assertEqual('{"message": "credential removed"}', self.getResponseText(resp))
def test_you_should_give_valid_identifier_for_credential_deletion(self):
with app.test_client() as client:
self.login(client)
user = User.getByEmail(self.userCreationEmail)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"csrf_token": self.getCSRF(client),
"identifier": credId+"no",
"credentialType": "facebook",
}
resp = client.post(config.BASE_URL + "/v1/remove_credential", data=data)
self.assertEqual(404, resp.status_code)
self.assertEqual('{"errors": ["No such credential"]}', self.getResponseText(resp))
def test_a_credential_can_be_deleted(self):
with app.test_client() as client:
self.login(client)
user = User.getByEmail(self.userCreationEmail)
credId = self.randString
Credential.new(user, "facebook", credId, "testsecret")
self.assertTrue(Credential.get("facebook", credId))
data = {
"csrf_token": self.getCSRF(client),
"credentialType": "facebook",
"identifier": credId,
}
resp = client.post(config.BASE_URL + "/v1/remove_credential", data=data)
self.assertEqual(200, resp.status_code)
self.assertEqual('{"message": "credential removed"}', self.getResponseText(resp))
def test_you_can_register_and_login_using_an_unregistered_ssl_cert_with_email(
self):
certAttr = self.getCertAttributes()
params = dict(email="*****@*****.**")
parts = uritools.urisplit(Config.BASE_URL)
url = uritools.uricompose(parts.scheme, parts.host, parts.path, params)
self.controller.interface.set_request_context(url)
self.controller.mail = FakeMail()
resp = self.sslLoginWithCert(certAttr.cert)
cred = Credential.get("certificate", certAttr.identifier)
self.deleteUser(cred.user)
self.assertEqual(resp.status_code, 200)
responseText = self.getResponseText(resp)
self.assertTrue(CREDENTIAL_REPRESENTATION in responseText)
self.assertTrue(
'{"credentialType": "emailcheck", "identifier":' in responseText)
def removeCertUser(self):
certAttrs = self.getCertAttributes()
cred = Credential.get('certificate', certAttrs.identifier)
if cred:
cred.rm()
cred.user.rm()
def facebookLogin(self, form):
self.checkIdAgainstFacebookMe(form)
cred = Credential.get("facebook", form.identifier.data)
if cred is None:
raise ReportedError([youHaveToRegisterFirst], 403)
return self.finishLogin(cred)
def setUp(self):
self.setupRandom()
self.user = self.createUserWithCredentials().user
self.cred=Credential.get('password', self.userCreationUserid)
def facebookLogin(self, form):
self.checkIdAgainstFacebookMe(form)
cred = Credential.get("facebook", form.identifier.data)
if cred is None:
raise ReportedError(["You have to register first"], 403)
return self.finishLogin(cred.user)
def validate_identifier(self, field):
if Credential.get(self.credentialType.data, self.identifier.data):
raise ValidationError(thereIsAlreadyAUserWithThatUsername)
def test_password_is_stored_using_sha256_hash(self):
resp = self._createPasswordCredential()
self.assertEqual(resp.status_code, 200)
cred = Credential.get('password', self.userCreationUserid)
self.assertEqual(cred.secret, SHA256Hash(self.usercreationPassword.encode('utf-8')).hexdigest())
def test_an_already_existing_credential_cannot_be_addedd(self):
self.createUserWithCredentials(userid="existinguser")
self.assertReportedError(self.createUserWithCredentials, ['password', 'existinguser'], 400, 'Already existing credential')
cred = Credential.get("password", "existinguser")
cred.rm()
def setUp(self):
self.createUserWithCredentials()
self.cred=Credential.get('password', self.userCreationUserid)
PDUnitTest.setUp(self)
def test_password_is_stored_hashed_in_registration(self):
form = self.prepareLoginForm()
self.controller.doRegistration(form)
cred = Credential.get('password', self.userCreationUserid)
theSecret = SHA256Hash(self.usercreationPassword.encode('utf-8')).hexdigest()
self.assertEqual(cred.secret, theSecret)
def validate_identifier(self, field):
if Credential.get(self.credentialType.data, self.identifier.data):
raise ValidationError(thereIsAlreadyAUserWithThatUsername)
def test_successful_password_clears_the_temporary_credential(self):
form = self.createPasswordResetFormWithSecret()
self.controller.doPasswordReset(form)
self.assertEqual(Credential.get('email_for_password_reset', self.secret), None)