def reset_password():
"""Resets the password for the user in the post body """
user_management = UserManagement()
# Only and admin can reset a password
jwt_user = get_jwt_identity()
admin_user = user_management.get_user(jwt_user)
authorized = admin_user['role'] == 'admin'
log_request(request, jwt_user, authorized)
if not authorized:
response = {'message': 'only admins can reset password'}
return jsonify(response), 403
else:
# Check the request body
if 'username' not in request.json:
response = {'message': 'username required in post body'}
return jsonify(response), 400
# Generate a password and post the update to the datase
username = request.json['username']
user = user_management.get_user(username)
email = user['email']
mode = request.args.get('mode')
send = False if mode and mode == 'test' else True
user_management.reset_password(username, email, send=send)
response = {
'message': 'role updated for %s' % (username),
'email': user['email']
}
return jsonify(response), 201
def test_reset_password():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.delete_user('unittestadmin')
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# User must be an admin to update roles
response = CLIENT.post('/service/user/reset-password?mode=test',
json=dict(username=conf.TEST_USER),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# Username must be in the post body
response = CLIENT.post('/service/user/reset-password?mode=test',
json=dict(password='******'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Success!
response = CLIENT.post('/service/user/reset-password?mode=test',
json=dict(username=conf.TEST_USER),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 201
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
assert user == None
def run_url_tests(url, client, access=[]):
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
# User must be authenticated
response = client.get(url)
assert response.status_code == 401
response = client.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# The user must have access to the correct modules
response = client.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, access)
response = client.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
url = '/service/user/logout'
response = client.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert not user
def test_event():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
# User must be authenticated
url = '/service/event/7757038511'
response = CLIENT.get(url)
assert response.status_code == 401
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# User must have access to events
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, ['events'])
# Success
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
assert type(response.json) == dict
# Check to make sure the aggregates are present
assert 'average_age' in response.json
assert 'member_count' in response.json
assert 'non_member_count' in response.json
assert 'first_event_count' in response.json
assert 'age_groups' in response.json
for group in response.json['age_groups']:
count = response.json['age_groups'][group]
assert type(count) == int
# Check to make sure the attendees are present
for attendee in response.json['attendees']:
'member_id' in attendee
'first_name' in attendee
'last_name' in attendee
'name' in attendee
'age' in attendee
'is_member' in attendee
url = '/service/event/8675309'
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 404
assert type(response.json) == dict
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_authorize():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# Success!
response = CLIENT.get(
'/service/user/authorize',
headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
assert 'password' not in response.json
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_user_reset_password():
"""For the user reset password end point to work, the e-mail
in the post body must correspond to the e-mail that is on
record for the user's account."""
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER,
conf.TEST_PASSWORD,
email='*****@*****.**')
# Both the email and the username must appear in the post body
response = CLIENT.post('/service/user/user-reset-password?mode=test',
json=dict(username=conf.TEST_USER))
assert response.status_code == 400
# The email address in the post body must match the email address
# list for the user trying to reset their password
response = CLIENT.post('/service/user/user-reset-password?mode=test',
json=dict(username=conf.TEST_USER,
email='*****@*****.**'))
assert response.status_code == 401
# Success!
response = CLIENT.post('/service/user/user-reset-password?mode=test',
json=dict(username=conf.TEST_USER,
email='*****@*****.**'))
assert response.status_code == 201
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_map_event_group_options():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
url = '/service/map/event_options'
# The user must be authenticated
response = CLIENT.get(url)
assert response.status_code == 401
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# Success!
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
assert type(response.json) == list
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_avg_attendance():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
url = '/service/trends/avg-attendance'
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# User must have access to trends
response = CLIENT.get(
url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, ['trends'])
# Success!
response = CLIENT.get(
url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
assert response.status_code == 200
assert type(response.json['results']) == list
for result in response.json['results']:
assert 'day_of_week' in result
assert 'day_order' in result
assert 'avg_attendance' in result
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_map_authorize():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
url = '/service/map/authorize'
# User must be authenticated
response = CLIENT.get(url)
assert response.status_code == 401
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# The user must have access to the map module
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, ['map'])
# Success!
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def update_access():
""" Updates the accesses for the user in the post body """
user_management = UserManagement()
jwt_user = get_jwt_identity()
admin_user = user_management.get_user(jwt_user)
authorized = admin_user['role'] == 'admin'
log_request(request, jwt_user, authorized)
if not authorized:
response = {'message': 'only admins can update accesses'}
return jsonify(response), 403
else:
if 'username' not in request.json:
response = {'message': 'username required in post body'}
return jsonify(response), 400
if 'modules' not in request.json:
response = {'message': 'role required in post body'}
return jsonify(response), 400
username = request.json['username']
modules = request.json['modules']
user_management.update_access(username, modules)
response = {'message': 'role updated for %s' % (username)}
return jsonify(response), 201
def update_email():
""" Updates the role for the user in the post body """
user_management = UserManagement()
jwt_user = get_jwt_identity()
admin_user = user_management.get_user(jwt_user)
authorized = admin_user['role'] == 'admin'
log_request(request, jwt_user, authorized)
if not authorized:
response = {'message': 'only admins can update emails'}
return jsonify(response), 403
else:
if 'username' not in request.json:
response = {'message': 'username required in post body'}
return jsonify(response), 400
if 'email' not in request.json:
response = {'message': 'email required in post body'}
return jsonify(response), 400
username = request.json['username']
email = request.json['email']
user_management.update_email(username, email)
response = {'message': 'email updated for %s' % (username)}
return jsonify(response), 201
def test_delete_user():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.delete_user('unittestadmin')
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# Only an admin can delete a user
response = CLIENT.delete('/service/user/unittestuser',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# Success!
response = CLIENT.delete('/service/user/unittestuser',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 204
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user = user_management.get_user(conf.TEST_USER)
assert user == None
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
def user_register():
""" Registers a new user """
user_management = UserManagement()
# Only and admin can create a new user
jwt_user = get_jwt_identity()
admin_user = user_management.get_user(jwt_user)
authorized = admin_user['role'] == 'admin'
log_request(request, jwt_user, authorized)
if not authorized:
response = {'message': 'only admins can add users'}
return jsonify(response), 403
# Check to make sure there is a request body
if not request.json:
response = {'message': 'no post body'}
return jsonify(response), 400
# The username must be in there request
new_user = request.json
if 'username' not in new_user:
response = {'message': 'missing key in post body'}
return jsonify(response), 400
# Use default roles and modules if they are not present
if 'role' not in new_user:
new_user['role'] = 'standard'
if 'modules' not in new_user:
new_user['modules'] = []
if 'temporary_password' not in new_user:
new_user['temporary_password'] = False
# Generate a password for the user
new_user['password'] = user_management.generate_password()
mode = request.args.get('mode')
send = False if mode and mode == 'test' else True
status = user_management.add_user(username=new_user['username'],
password=new_user['password'],
email=new_user['email'],
role=new_user['role'],
modules=new_user['modules'],
send=send)
# Status returns false if user already exists
if status:
response = {'message': 'user %s created' % (new_user['username'])},
return jsonify(response), 201
else:
response = {'message': 'bad request'}
return jsonify(response), 400
def user_authenticate():
"""
Authenticates a user and returns a json web token
In the response body, refresh_token is the refresh token
and jwt is the access token
"""
if not request.json:
response = {'message': 'no post body'}
return jsonify(response), 400
auth_user = request.json
if 'username' not in auth_user or 'password' not in auth_user:
response = {'message': 'missing key in post body'}
return jsonify(response), 400
username = auth_user['username']
password = auth_user['password']
user_management = UserManagement()
user = user_management.get_user(username)
if not user:
authorized = False
else:
authorized = user_management.authenticate_user(username=username,
password=password)
last_reset = str(user['pw_update_ts'])
domain = conf.SUBDOMAIN
bad_attempts = count_bad_login_attempts(username, 'dev', last_reset)
if bad_attempts > 10:
msg = 'account locked for user %s' % (auth_user['username'])
response = {'message': msg}
return jsonify(response), 423
log_request(request, username, authorized)
if authorized:
access_token = create_access_token(identity=username)
refresh_token = create_refresh_token(identity=username)
response = jsonify({'login': True})
set_access_cookies(response,
access_token,
max_age=conf.JWT_ACCESS_TOKEN_EXPIRES)
set_refresh_cookies(response,
refresh_token,
max_age=conf.JWT_REFRESH_TOKEN_EXPIRES)
return response, 200
else:
msg = 'authentication failed for user %s' % (auth_user['username'])
response = {'message': msg}
return jsonify(response), 401
def list_users():
""" Returns a list of the current active users """
user_management = UserManagement()
jwt_user = get_jwt_identity()
admin_user = user_management.get_user(jwt_user)
authorized = admin_user['role'] == 'admin'
log_request(request, jwt_user, authorized)
if not authorized:
response = {'message': 'only admins can reset password'}
return jsonify(response), 403
else:
users = user_management.list_users()
return jsonify(users), 200
def user_authorize():
"""Returns user authorization and role metadata"""
username = get_jwt_identity()
user_management = UserManagement()
user = user_management.get_user(username)
if not user:
response = {'message': 'user not found'}
return jsonify(response), 400
else:
if user['role'] == 'admin':
user['available_modules'] = conf.AVAILABLE_MODULES
modules = [x for x in user['modules'] if x in conf.AVAILABLE_MODULES]
user['modules'] = modules
del user['password']
user['temporary_password'] = int(user['temporary_password'])
return jsonify(user), 200
def delete_user(username):
""" Deletes a user """
user_management = UserManagement()
jwt_user = get_jwt_identity()
admin_user = user_management.get_user(jwt_user)
authorized = admin_user['role'] == 'admin'
log_request(request, jwt_user, authorized)
if not authorized:
response = {'message': 'only admins can delete users'}
return jsonify(response), 403
user_management.delete_user(username)
response = {'message': 'user %s has been removed' % (username)}
return jsonify(response), 204
def test_events():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
# User must be authenticated
response = CLIENT.get('/service/events?limit=25')
assert response.status_code == 401
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
url = '/service/events?limit=25&page=2'
url += '&sort=start_datetime&order=desc'
url += '&q=a&start_datetime=1900-01-01'
url += '&end_datetime=2100-01-01'
user_management.update_access(conf.TEST_USER, ['events'])
# Success!
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
assert type(response.json['results']) == list
assert len(response.json['results']) == 25
assert 'count' in response.json
assert 'pages' in response.json
# Make sure input validation is working
url = '/service/events?limit=30&page=2'
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 422
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_year_group_attendees():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
url = '/service/trends/age-group-attendance'
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# User must have access to trends
response = CLIENT.get(
url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, ['trends'])
# Success!
response = CLIENT.get(
url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
assert response.status_code == 200
assert type(response.json) == dict
for key in response.json:
assert 'group' in response.json[key]
assert 'count' in response.json[key]
# And now let's try grouping by month
url += '?groupBy=month'
assert response.status_code == 200
assert type(response.json) == dict
for key in response.json:
assert 'group' in response.json[key]
assert 'count' in response.json[key]
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_participation():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
url = '/service/trends/participation/Young Professional'
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# User must have access to the trends page
response = CLIENT.get(
url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, ['trends'])
response = CLIENT.get(
url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
assert response.status_code == 200
assert type(response.json['results']) == list
for item in response.json['results']:
assert 'id' in item
assert 'name' in item
assert 'total' in item
url += '?top=event'
assert response.status_code == 200
assert type(response.json['results']) == list
for item in response.json['results']:
assert 'id' in item
assert 'name' in item
assert 'total' in item
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_all_geometries():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
url = '/service/map/geometries'
# The user must be authenticated
response = CLIENT.get(url)
assert response.status_code == 401
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# The user must have access to the map
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, ['map'])
# Success!
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
for key in response.json:
layer = response.json[key]
assert 'id' in layer
assert 'type' in layer
assert 'source' in layer
assert layer['source']['type'] == 'geojson'
assert type(layer['source']['data']) == dict
assert 'paint' in layer
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_member_upload():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
url = '/service/members/upload'
# The user must be authenticated
response = CLIENT.post(url)
assert response.status_code == 401
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# The user must have access to members
response = CLIENT.post(url,
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role(conf.TEST_USER, 'admin')
# Uh oh! Bad file
response = CLIENT.post(url,
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_export_event_aggregates():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
# User must be authenticated
url = '/service/events/export?q=trsty'
response = CLIENT.get(url)
assert response.status_code == 401
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# User must have access to events
url = '/service/events/export?q=trsty'
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, ['events'])
# Success!
url = '/service/events/export?q=trsty'
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
csv = StringIO(response.data.decode('utf-8'))
df = pd.read_csv(csv)
assert len(df) > 0
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_event_cities():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
# User must be authenticated
response = CLIENT.get('/service/events?limit=25')
assert response.status_code == 401
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# User must have access to events
url = '/service/events/cities'
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, ['map'])
# Success!
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
assert type(response.json['results']) == dict
for city in response.json['results']['cities']:
assert type(response.json['results']['cities'][city]) == list
for city in response.json['results']['counts']:
assert type(response.json['results']['counts'][city]) == str
assert type(response.json['count']) == str
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_list_users():
user_management = UserManagement()
user_management.delete_user('unittestadmin')
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# User must be an admin to update roles
response = CLIENT.get('/service/users/list',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# Success!
response = CLIENT.get(
'/service/users/list',
headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
users = response.json
for user in users:
assert 'id' in user
assert 'role' in user
assert 'modules' in user
assert 'password' not in user
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
assert user == None
def test_event_locations():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
# User must have access to events
url = '/service/events/locations'
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 403
user_management.update_access(conf.TEST_USER, ['map'])
# Success!
response = CLIENT.get(
url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
assert type(response.json['results']) == list
for result in response.json['results']:
assert type(result['type']) == str
assert type(result['geometry']['type']) == str
assert type(result['geometry']['coordinates'][0]) == float
assert type(result['geometry']['coordinates'][1]) == float
assert type(result['properties']['title']) == str
assert type(result['properties']['icon']) == str
assert type(result['properties']['description']) == str
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_add_user():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.delete_user('unittestadmin')
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# Only an admin can register a user
response = CLIENT.post('/service/user?mode=test',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# JSON body is required to register a user
response = CLIENT.post('/service/user?mode=test',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Success!
response = CLIENT.post('/service/user?mode=test',
json=dict(username=conf.TEST_USER,
email='*****@*****.**',
role='standard',
modules=['events', 'map']),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 201
user = user_management.get_user(conf.TEST_USER)
assert 'events' in user['modules']
assert 'map' in user['modules']
assert user['role'] == 'standard'
assert user['email'] == '*****@*****.**'
# Can't register the same user twice
response = CLIENT.post('/service/user?mode=test',
json=dict(username=conf.TEST_USER,
email='*****@*****.**',
password=conf.TEST_PASSWORD),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
assert user == None
def test_user_authenticate(monkeypatch):
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
# Username and password are required to authenticate
response = CLIENT.post('/service/user/authenticate')
assert response.status_code == 400
# Password is required to authenticate
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER))
assert response.status_code == 400
# Password must be correct to authenticate
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password='******'))
assert response.status_code == 401
# Success !
monkeypatch.setattr('shir_connect.services.utils.count_bad_login_attempts',
lambda *args, **kwargs: 2)
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
refresh_jwt = utils._get_cookie_from_response(response,
'refresh_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# Tests that authenticate is also working with cookies
response = CLIENT.get('/service/user/authorize',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 200
assert response.json['id'] == conf.TEST_USER
# Success!
response = CLIENT.get(
'/service/user/refresh',
headers={
'Cookies':
'access_token_cookie=%s;refresh_token_cookie=%s' %
(jwt, refresh_jwt),
'X-CSRF-TOKEN':
csrf['csrf_access_token']
})
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'refresh_token_cookie')
refresh_jwt = utils._get_cookie_from_response(response,
'refresh_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# Make sure the refreshed token works
response = CLIENT.get(
'/service/user/authorize',
headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
assert response.status_code == 200
assert response.json['id'] == conf.TEST_USER
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_change_password():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# JSON body is required to update password
response = CLIENT.post('/service/user/change-password',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Old password must be correct to change password
response = CLIENT.post('/service/user/change-password',
json=dict(old_password='******',
new_password=conf.TEST_PASSWORD + '!1',
new_password2=conf.TEST_PASSWORD + '!1'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# New passwords must match to update password
response = CLIENT.post('/service/user/change-password',
json=dict(old_password=conf.TEST_PASSWORD,
new_password=conf.TEST_PASSWORD + '!1',
new_password2=conf.TEST_PASSWORD + '!2'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Success!
response = CLIENT.post('/service/user/change-password',
json=dict(old_password=conf.TEST_PASSWORD,
new_password=conf.TEST_PASSWORD + '!1',
new_password2=conf.TEST_PASSWORD + '!1'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 201
# Make sure password update worked
authorized = user_management.authenticate_user(
username=conf.TEST_USER, password='******')
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
def test_update_email():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.delete_user('unittestadmin')
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
user_management.add_user('unittestadmin', conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username='******',
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# User must be an admin to update email
response = CLIENT.post('/service/user/update-email',
json=dict(username=conf.TEST_USER, role='admin'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 403
user_management.update_role('unittestadmin', 'admin')
# Username must be in the post body
response = CLIENT.post('/service/user/update-email',
json=dict(email='*****@*****.**'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Email must be in the post body
response = CLIENT.post('/service/user/update-email',
json=dict(username=conf.TEST_USER),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Success!
response = CLIENT.post('/service/user/update-email',
json=dict(username=conf.TEST_USER,
email='*****@*****.**'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 201
unittestuser = user_management.get_user(conf.TEST_USER)
assert unittestuser['email'] == '*****@*****.**'
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None
user_management.delete_user('unittestadmin')
user = user_management.get_user('unittestadmin')
assert user == None