def test_check_locked_identity(self):
user_id = ObjectId(
'012345678901234567890123') # [email protected] / hubba-bubba
user = self.amdb.get_user_by_id(user_id)
user.locked_identity.add(
LockedIdentityNin('197801011234', 'test', True))
self.amdb.save(user)
attributes = {
'$set': {
'nins': [{
'verified': True,
'number': '197801011234', # hubba-bubba's primary nin
'primary': True
}],
}
}
new_attributes = check_locked_identity(self.amdb, user_id, attributes,
'test')
locked_nin = LockedIdentityNin('197801011234', 'test', True)
locked_identities = LockedIdentityList({}).add(locked_nin)
attributes['$set'][
'locked_identity'] = locked_identities.to_list_of_dicts()
self.assertDictEqual(attributes, new_attributes)
def check_locked_identity(userdb, user_id, attributes, app_name):
"""
:param userdb: Central userdb
:param user_id: User document _id
:param attributes: attributes to update
:param app_name: calling application name, like 'eduid_signup'
:type userdb: eduid_userdb.userdb.UserDB
:type user_id: bson.ObjectId
:type attributes: dict
:type app_name: string
:return: attributes to update
:rtype: dict
"""
# Check verified nins that will be set against the locked_identity attribute,
# if that does not exist it should be created
set_attributes = attributes.get('$set', {})
nins = set_attributes.get('nins', [])
verified_nins = [nin for nin in nins if nin.get('verified') is True]
if not verified_nins:
return attributes # No verified nins will be set
# A user can not have more than one verified nin at this time
if len(verified_nins) > 1:
logger.error(
'Tried to set more than one verified nin for user with id {}'.
format(user_id))
raise UserDBValueError(
'Tried to set more than one verified nin for user.')
nin = verified_nins[0]
# Get the users locked identities
try:
user = userdb.get_user_by_id(user_id)
locked_identities = user.locked_identity
except DocumentDoesNotExist:
locked_identities = LockedIdentityList({})
locked_nin = locked_identities.find('nin')
# Create a new locked nin if it does not already exist
if not locked_nin:
locked_nin = LockedIdentityNin(nin['number'],
nin.get('created_by', app_name),
nin.get('created_ts', True))
locked_identities.add(locked_nin)
# Check nin to be set against locked nin
if nin['number'] != locked_nin.number:
logger.error(
'Verfied nin does not match locked identity for user with id {}'.
format(user_id))
raise LockedIdentityViolation(
'Verfied nin does not match locked identity for user with id {}'.
format(user_id))
attributes['$set']['locked_identity'] = locked_identities.to_list_of_dicts(
)
return attributes
def test_seleg_locked_identity(self, mock_request_user_sync,
mock_oidc_call):
mock_oidc_call.return_value = True
mock_request_user_sync.side_effect = self.request_user_sync
user = self.app.central_userdb.get_user_by_eppn(self.test_user_eppn)
with self.session_cookie(self.browser, self.test_user_eppn) as browser:
response = json.loads(browser.get('/proofing').data)
self.assertEqual(response['type'],
'GET_OIDC_PROOFING_PROOFING_SUCCESS')
csrf_token = response['payload']['csrf_token']
# User with no locked_identity
with self.session_cookie(self.browser, self.test_user_eppn) as browser:
data = {'nin': self.test_user_nin, 'csrf_token': csrf_token}
response = browser.post('/proofing',
data=json.dumps(data),
content_type=self.content_type_json)
response = json.loads(response.data)
self.assertEqual(response['type'],
'POST_OIDC_PROOFING_PROOFING_SUCCESS')
csrf_token = response['payload']['csrf_token']
# User with locked_identity and correct nin
user.locked_identity.add(
LockedIdentityNin.from_dict(
dict(number=self.test_user_nin,
created_by='test',
created_ts=True)))
self.app.central_userdb.save(user, check_sync=False)
with self.session_cookie(self.browser, self.test_user_eppn) as browser:
data = {'nin': self.test_user_nin, 'csrf_token': csrf_token}
response = browser.post('/proofing',
data=json.dumps(data),
content_type=self.content_type_json)
response = json.loads(response.data)
self.assertEqual(response['type'],
'POST_OIDC_PROOFING_PROOFING_SUCCESS')
csrf_token = response['payload']['csrf_token']
# User with locked_identity and incorrect nin
with self.session_cookie(self.browser, self.test_user_eppn) as browser:
data = {'nin': '200102031234', 'csrf_token': csrf_token}
response = browser.post('/proofing',
data=json.dumps(data),
content_type=self.content_type_json)
response = json.loads(response.data)
self.assertEqual(response['type'], 'POST_OIDC_PROOFING_PROOFING_FAIL')
def test_locked_identity_correct_nin(self, mock_get_postal_address, mock_request_user_sync):
mock_get_postal_address.return_value = self.mock_address
mock_request_user_sync.side_effect = self.request_user_sync
user = self.app.central_userdb.get_user_by_eppn(self.test_user_eppn)
# User with locked_identity and correct nin
user.locked_identity.add(LockedIdentityNin(number=self.test_user_nin, created_by='test', created_ts=True))
self.app.central_userdb.save(user, check_sync=False)
with self.session_cookie(self.browser, self.test_user_eppn):
json_data = self.get_state()
csrf_token = json_data['payload']['csrf_token']
response = self.send_letter(self.test_user_nin, csrf_token)
self.assertEqual(response['type'], 'POST_LETTER_PROOFING_PROOFING_SUCCESS')
def test_locked_identity_correct_nin(self, mock_get_postal_address,
mock_request_user_sync):
mock_get_postal_address.return_value = self.mock_address
mock_request_user_sync.side_effect = self.request_user_sync
user = self.app.central_userdb.get_user_by_eppn(self.test_user_eppn)
# User with locked_identity and correct nin
user.locked_identity.add(
LockedIdentityNin.from_dict(
dict(number=self.test_user_nin,
created_by='test',
created_ts=True)))
self.app.central_userdb.save(user, check_sync=False)
with self.session_cookie(self.browser, self.test_user_eppn):
response = self.send_letter(self.test_user_nin)
def test_check_locked_identity_wrong_nin(self):
user_id = ObjectId(
'901234567890123456789012') # [email protected] / babba-labba
user = self.amdb.get_user_by_id(user_id)
user.locked_identity.add(
LockedIdentityNin('200102031234', 'test', True))
self.amdb.save(user)
attributes = {
'$set': {
'nins': [{
'verified': True,
'number': '200506076789',
'primary': True
}],
}
}
with self.assertRaises(EduIDUserDBError):
check_locked_identity(self.amdb, user_id, attributes, 'test')
def test_create_locked_identity(self):
user_id = ObjectId(
'901234567890123456789012') # [email protected] / babba-labba
attributes = {
'$set': {
'nins': [{
'verified': True,
'number': '200102031234',
'primary': True
}],
}
}
new_attributes = check_locked_identity(self.amdb, user_id, attributes,
'test')
locked_nin = LockedIdentityNin('200102031234', 'test', True)
locked_identities = LockedIdentityList({}).add(locked_nin)
attributes['$set'][
'locked_identity'] = locked_identities.to_list_of_dicts()
self.assertDictEqual(attributes, new_attributes)
def test_locked_identity_incorrect_nin(self, mock_get_postal_address,
mock_request_user_sync):
mock_get_postal_address.return_value = self.mock_address
mock_request_user_sync.side_effect = self.request_user_sync
user = self.app.central_userdb.get_user_by_eppn(self.test_user_eppn)
user.locked_identity.add(
LockedIdentityNin.from_dict(
dict(number=self.test_user_nin,
created_by='test',
created_ts=True)))
self.app.central_userdb.save(user, check_sync=False)
# User with locked_identity and incorrect nin
with self.session_cookie(self.browser, self.test_user_eppn):
response = self.send_letter('200102031234',
validate_response=False)
self._check_error_response(
response,
type_='POST_LETTER_PROOFING_PROOFING_FAIL',
payload={
'message': 'Another nin is already registered for this user'
},
)