def test_user_with_permission_should_do_allowed_operations(self): self.sync_permissions() issue = self.create_issue() user = self.create_user('new_user', 'password', '*****@*****.**') logged_user = self.logged_user.user issue_read_permission = Perm.objects.get( codename='{}__{}'.format('issue', 'read')) issue_create_permission = Perm.objects.get( codename='{}__{}'.format('issue', 'create')) user_delete_permission = Perm.objects.get( codename='{}__{}'.format('user', 'delete')) user_update_permission = Perm.objects.get( codename='{}__{}'.format('user', 'update')) logged_user.fperms.add(issue_read_permission, issue_create_permission, user_delete_permission, user_update_permission) # API # Generic read, post assert_http_forbidden(self.get('/api/user/')) assert_http_ok(self.get('/api/issue/')) assert_http_forbidden(self.post('/api/user/', {})) assert_http_bad_request(self.post('/api/issue/', {})) # API # Generic read, put, patch, delete assert_http_forbidden(self.get('/api/user/{}/'.format(user.pk))) assert_http_ok(self.get('/api/issue/{}/'.format(issue.pk))) assert_http_bad_request(self.put('/api/user/{}/'.format(user.pk), {})) assert_http_forbidden(self.put('/api/issue/{}/'.format(issue.pk), {})) assert_http_accepted(self.delete('/api/user/{}/'.format(user.pk))) assert_http_forbidden(self.delete('/api/issue/{}/'.format(issue.pk)))
def test_group_permission_shound_not_be_over_limit(self): group_a = Group.objects.create(name='group A') group_b = Group.objects.create(name='group B') group_c = Group.objects.create(name='group C') resp = self.post( '/group/{}/'.format(group_a.pk), { 'detail-is-group-name': 'group A', 'detail-is-group-fgroups': [group_b.pk], 'detail-is-group-fperms': [] }) assert_http_redirect(resp) resp = self.post( '/group/{}/'.format(group_b.pk), { 'detail-is-group-name': 'group B', 'detail-is-group-fgroups': [group_c.pk], 'detail-is-group-fperms': [] }) assert_http_ok(resp) with override_settings(PERM_GROUP_MAX_LEVEL=3): resp = self.post( '/group/{}/'.format(group_b.pk), { 'detail-is-group-name': 'group B', 'detail-is-group-fgroups': [group_c.pk], 'detail-is-group-fperms': [] }) assert_http_redirect(resp)
def test_user_should_be_authorized_with_changed_cookie_name(self, user): resp = self.post(self.UI_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_redirect(resp) assert_in('ChangedAuthorization', self.c.cookies) assert_http_ok(self.get(self.INDEX_URL))
def test_user_should_be_authorized_from_token_and_shorter_uuid(self, user): device_token = DeviceKey.objects.get_or_create_token(uuid=SHORTER_UUID, user=user)[0] resp = self.post(self.API_MOBILE_LOGIN_URL, { 'uuid': SHORTER_UUID, 'login_device_token': device_token }) assert_http_ok(resp)
def test_user_should_be_logged_out_via_cookies(self, user): resp = self.post(self.UI_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_redirect(resp) assert_http_ok(self.get(self.INDEX_URL)) assert_http_ok(self.get(self.UI_LOGOUT_URL)) assert_http_redirect(self.get(self.INDEX_URL))
def test_user_may_edit_itself(self): user = self.logged_user.user resp = self.get('%s%s/' % (self.USER_UI_URL, user.pk)) assert_http_ok(resp) CHANGED_USERNAME = '******' self.post('%s%s/' % (self.USER_UI_URL, user.pk), data={'edit-is-user-username': CHANGED_USERNAME}) assert_http_ok(resp) assert_equal(User.objects.get(pk=user.pk).username, CHANGED_USERNAME)
def test_user_may_edit_itself(self): user = self.logged_user.user resp = self.get('%s%s/' % (self.USER_UI_URL, user.pk)) assert_http_ok(resp) CHANGED_USERNAME = '******' self.post('%s%s/' % (self.USER_UI_URL, user.pk), data={'detail-is-user-username': CHANGED_USERNAME}) assert_http_ok(resp) assert_equal(User.objects.get(pk=user.pk).username, CHANGED_USERNAME)
def test_user_should_log_and_logout_to_the_administration(self, user): assert_http_redirect(self.get(self.INDEX_URL)) resp = self.post(self.LOGIN_URL, {'username': '******', 'password': '******'}) assert_http_redirect(resp) assert_http_ok(self.get(self.INDEX_URL)) assert_in('Authorization', self.c.cookies) assert_false(Token.objects.last().allowed_header) assert_true(Token.objects.last().allowed_cookie) assert_http_ok(self.get(self.LOGOUT_URL)) assert_http_redirect(self.get(self.INDEX_URL))
def test_user_should_not_be_authorized_via_cookie_if_cookie_has_not_allowed_header( self, user): resp = self.post(self.UI_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_redirect(resp) assert_http_ok(self.get(self.INDEX_URL)) assert_in('Authorization', self.c.cookies) Token.objects.all().update(allowed_cookie=False) assert_http_redirect(self.get(self.INDEX_URL))
def test_user_should_be_authorized_via_cookie(self, user): assert_http_redirect(self.get(self.INDEX_URL)) resp = self.post(self.UI_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_redirect(resp) assert_http_ok(self.get(self.INDEX_URL)) assert_in('Authorization', self.c.cookies) assert_false(Token.objects.last().allowed_header) assert_true(Token.objects.last().allowed_cookie)
def test_should_return_right_add_page_for_all_model_view( self, model_view, model): if 'add' in model_view.ui_patterns: url = self.add_url(model_view.site_name, model_view.get_menu_groups()) if model_view.ui_patterns.get('add').has_permission( 'get', self.get_request_with_user(self.r_factory.get(url))): assert_http_ok(self.get(url), '{} should return 200'.format(url))
def test_should_return_right_edit_page_for_all_model_view( self, model_view, model): if 'detail' in model_view.ui_patterns: inst = self.new_instance(model) url = self.detail_url(model_view.site_name, model_view.get_menu_groups(), inst) request = self.get_request_with_user(self.r_factory.get(url)) if model_view.ui_patterns.get('detail').has_permission('get', request, obj=inst): assert_http_ok(self.get(url), '{} should return 200'.format(url))
def test_user_should_not_be_authorized_via_http_header_if_headers_are_turned_off( self, user): resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) assert_in('token', resp.json()) assert_http_redirect( self.get(self.INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) })) assert_false(self.client.cookies)
def test_token_type_should_be_required(self, user): resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) assert_http_ok( self.get(self.INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) })) assert_http_redirect( self.get(self.INDEX_URL, headers={'HTTP_AUTHORIZATION': resp.json()['token']}))
def test_user_permissions_should_be_cached(self): self.sync_permissions() self.create_issue() self.create_user('new_user', 'password', '*****@*****.**') logged_user = self.logged_user.user assert_http_forbidden(self.get('/api/issue/')) issue_read_permission = Perm.objects.get( codename='{}__{}'.format('issue', 'read')) # Add permission but permissions are still cached logged_user.fperms.add(issue_read_permission) assert_http_forbidden(self.get('/api/issue/')) # clear cache reset permissions cache.clear() assert_http_ok(self.get('/api/issue/'))
def test_user_should_be_authorized_via_http_header(self, user): assert_http_redirect(self.get(self.INDEX_URL)) resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) assert_in('token', resp.json()) assert_http_ok( self.get(self.INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) })) assert_not_in('Authorization', self.c.cookies) assert_true(Token.objects.last().allowed_header) assert_false(Token.objects.last().allowed_cookie)
def test_user_should_be_authorized_from_token_and_uuid(self, user): device_token = DeviceKey.objects.create_token(uuid=UUID, user=user) resp = self.post(self.API_MOBILE_LOGIN_URL, { 'uuid': UUID, 'login_device_token': device_token }) assert_http_ok(resp) assert_in('token', resp.json()) assert_http_ok( self.get(INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) })) assert_not_in('Authorization', self.c.cookies) assert_true(Token.objects.last().allowed_header) assert_false(Token.objects.last().allowed_cookie)
def test_token_should_be_expired(self, user): resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) token = resp.json()['token'] resp = self.get( self.INDEX_URL, headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)}) assert_in('X-Authorization-Expiration', resp) assert_true(resp['X-Authorization-Expiration'].startswith('0:59')) with freeze_time(timezone.now() + timedelta(hours=1), tick=True): assert_http_redirect( self.get(self.INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(token), }))
def test_user_should_be_authorized_with_changed_header_name(self, user): resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) assert_in('token', resp.json()) assert_http_ok( self.get(self.INDEX_URL, headers={ 'HTTP_X_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) })) assert_http_redirect( self.get(self.INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) }))
def test_user_should_be_logged_out_via_http_header(self, user): resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) token = resp.json()['token'] assert_http_ok( self.get(self.INDEX_URL, headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)})) assert_http_accepted( self.delete( self.API_LOGIN_URL, headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)})) assert_http_redirect( self.get(self.INDEX_URL, headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)}))
def test_user_should_get_token_when_device_registered_by_uuid(self, user): logged_in_resp = self.post(API_LOGIN_URL, { 'username': '******', 'password': '******' }) registration_mobile_resp = self.post( self.API_REQUEST_MOBILE_TOKEN_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(logged_in_resp.json()['token']) }, data={'uuid': UUID}) assert_http_ok(registration_mobile_resp) mobile_token = registration_mobile_resp.json()['device_login_token'] device_keys = DeviceKey.objects.all() assert_equal(1, device_keys.count()) device_key = device_keys[0] assert_true(device_key.check_password(mobile_token)) assert_false(device_key.check_password('XXX'))
def test_group_permission_shoud_not_have_cycles(self): group_a = Group.objects.create(name='group A') group_b = Group.objects.create(name='group B') resp = self.post( '/group/{}/'.format(group_a.pk), { 'detail-is-group-name': 'group A', 'detail-is-group-fgroups': [group_b.pk], 'detail-is-group-fperms': [] }) assert_http_redirect(resp) resp = self.post( '/group/{}/'.format(group_b.pk), { 'detail-is-group-name': 'group B', 'detail-is-group-fgroups': [group_a.pk], 'detail-is-group-fperms': [] }) assert_http_ok(resp)
def test_user_should_not_be_authorized_via_header_if_token_has_not_allowed_header( self, user): resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) assert_http_ok( self.get(self.INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) })) Token.objects.all().update(allowed_header=False) assert_http_redirect( self.get(self.INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) }))
def test_user_should_not_be_logged_in_two_factor_for_invalid_code( self, user): login_resp = self.post(self.UI_TWO_FACTOR_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_redirect(login_resp) # the code value needs to be overwritten, so that its value could be used for next request login_resp.wsgi_request.token.two_factor_code = make_password( '12345', salt=Token.TWO_FACTOR_CODE_SALT) login_resp.wsgi_request.token.save() code_check_resp = self.post(self.UI_CODE_CHECK_LOGIN_URL, {'code': 'other_code'}) assert_http_ok(code_check_resp) assert_in( _('The inserted value does not correspond to the sent code.'), code_check_resp._container[0].decode('utf8')) assert_false(code_check_resp.wsgi_request.token.is_authenticated)
def test_user_should_not_register_same_device_keys(self, user): logged_in_resp = self.post(API_LOGIN_URL, { 'username': '******', 'password': '******' }) registration_mobile_resp = self.post( self.API_REQUEST_MOBILE_TOKEN_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(logged_in_resp.json()['token']) }, data={'uuid': UUID}) assert_http_ok(registration_mobile_resp) registration_mobile_resp = self.post( self.API_REQUEST_MOBILE_TOKEN_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(logged_in_resp.json()['token']) }, data={'uuid': UUID}) assert_http_bad_request(registration_mobile_resp)
def test_token_should_not_be_updated_during_its_access_if_request_contains_specific_haeader( self, user): resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) token = resp.json()['token'] resp = self.get( self.INDEX_URL, headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)}) assert_in('X-Authorization-Expiration', resp) assert_true(resp['X-Authorization-Expiration'].startswith('0:59')) with freeze_time(timezone.now() + timedelta(minutes=10), tick=True): resp = self.get(self.INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(token), 'HTTP_X_AUTHORIZATION_RENEWAL_EXEMPT': '1' }) assert_in('X-Authorization-Expiration', resp) assert_true(resp['X-Authorization-Expiration'].startswith('0:49'))
def test_superuser_should_do_all_operations(self): issue = self.create_issue() user = self.create_user('new_user', 'password', '*****@*****.**') # Generic read, post assert_http_ok(self.get('/api/user/')) assert_http_ok(self.get('/api/issue/')) assert_http_bad_request(self.post('/api/user/', {})) assert_http_bad_request(self.post('/api/issue/', {})) # Generic read, put, patch, delete assert_http_ok(self.get('/api/user/{}/'.format(user.pk))) assert_http_ok(self.get('/api/issue/{}/'.format(issue.pk))) assert_http_bad_request(self.put('/api/user/{}/'.format(user.pk), {})) assert_http_bad_request(self.put('/api/issue/{}/'.format(issue.pk), {})) assert_http_accepted(self.delete('/api/user/{}/'.format(user.pk))) assert_http_accepted(self.delete('/api/issue/{}/'.format(issue.pk)))
def test_home_view_should_return_ok(self): resp = self.get('/') assert_http_ok(resp)
def test_home_view_should_return_ok(self): resp = self.get('/') assert_http_ok(resp)
def test_superuser_may_read_users_grid(self): resp = self.get(self.USER_UI_URL) assert_http_ok(resp)
def test_ouser_can_read_users_grid(self): resp = self.get(self.USER_UI_URL) assert_http_ok(resp)
def test_ouser_can_read_users_grid(self): self.logged_user.user.perms.add_perm('core.issue_tracker.UserIsCore.read') resp = self.get(self.USER_UI_URL) assert_http_ok(resp)
def test_superuser_may_read_users_grid(self): resp = self.get(self.USER_UI_URL) assert_http_ok(resp)
def test_ouser_can_read_users_grid(self): resp = self.get(self.USER_UI_URL) assert_http_ok(resp)