Exemplo n.º 1
def test_password_reset_no_new_password(test_project, waf, create_users):
    """Post to the password-reset URL without a new password; expect 401.

    A reset row is inserted for the first user row the query returns, then the
    reset endpoint is called with only ``username`` in the JSON body.
    """
    payload = {
        'username': '******',
    }
    selector, verifier = users._generate_split_token()
    token = f"{selector.decode('utf-8')}{verifier.decode('utf-8')}"
    with get_engine().connect() as conn:
        first_user = sa.select('*').select_from(user)
        row = conn.execute(first_user).fetchone()
        payload['username'] = row.username
        # Only a SHA-256 hex digest of the verifier is written to the table;
        # the raw verifier exists solely in the URL token built above.
        verifier_digest = hashlib.sha256(verifier).hexdigest()
        # NOTE(review): the row stores str(selector) while the URL token uses
        # selector.decode('utf-8'). For a bytes selector those differ
        # ("b'...'" versus the bare text), so if the handler looks the row up
        # by the decoded selector, the 401 could come from a failed token
        # lookup rather than from the missing new password -- confirm.
        expiry = get_utc(datetime.datetime.now() +
                         datetime.timedelta(hours=3))
        insert_reset = user_password_reset.insert().values(
            user_id=row.id,
            selector=str(selector),
            verifier=verifier_digest,
            expires=expiry,
        )
        conn.execute(insert_reset)
    encoded_user_id = users.encode_user_id(row.id)
    request, _ = testing.simulate_request(waf)
    session_mw = testing.injected_session_start(waf, request)
    reset_url = f'/auth/password_reset/{encoded_user_id}/{token}/'
    # NOTE(review): csrf_headers() is called without the request here; which
    # check actually produces the 401 is not visible from this test.
    _, response = waf.server.test_client.post(
        reset_url,
        json=payload,
        headers=testing.csrf_headers(),
    )
    testing.injected_session_end(waf, session_mw)
    assert response.status == 401
Exemplo n.º 2
def test_search_get_no_data(test_project, waf, admin_login_user):
    """Search users for the username value 'waffles' and expect a 401."""
    request, _ = testing.simulate_login(waf, 'admin_search_test', 'admin_search_pass')
    session_mw = testing.injected_session_start(waf, request)
    search_url = '/admin/user/search/?field=username&value=waffles'
    # NOTE(review): the test name suggests an empty result set, yet the
    # asserted status is 401 after a simulated login. Confirm that 401 is the
    # handler's intended "no match" answer and not an authentication failure
    # that keeps the search path from being exercised at all.
    _, response = waf.server.test_client.get(
        search_url,
        headers=testing.csrf_headers(request),
    )
    testing.injected_session_end(waf, session_mw)
    assert response.status == 401
Exemplo n.º 3
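def test_data_get_no_data(test_project, waf, admin_login_user):
    """Request a user id that should not exist (5000) and expect a 404."""
    # The helper is called for the row it creates; its return value
    # (id, username, password) is not needed by this test.
    create_admin_test_data_user('admin_test_get')
    request, _ = testing.simulate_login(waf, 'admin_api_test', 'admin_api_pass')
    middleware = testing.injected_session_start(waf, request)
    # Plain string: the URL has no placeholders, so no f-prefix is needed.
    # NOTE(review): id 5000 is assumed to be absent from the test database.
    _, response = waf.server.test_client.get(
        '/admin/user/?id=5000',
        headers=testing.csrf_headers(request),
    )
    testing.injected_session_end(waf, middleware)
    assert response.status == 404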
Exemplo n.º 4
def test_logout_post_bad_csrf(test_project, waf, create_users):
    """Post to the logout endpoint with empty headers and expect a 403."""
    request, _ = testing.simulate_login(waf, 'admin', 'admin_pass')
    session_mw = testing.injected_session_start(waf, request)
    # Empty header dict: the request carries no CSRF header at all, so this
    # pins the "token absent" case. A present-but-wrong token is a separate
    # case that this test does not exercise.
    no_headers = {}
    _, response = waf.server.test_client.post('/auth/logout/', headers=no_headers)
    testing.injected_session_end(waf, session_mw)
    assert response.status == 403
Exemplo n.º 5
def test_search_get_sort_limit_offset_reverse(test_project, waf, admin_login_user):
    """Search users with sort, limit and offset parameters; expect a 200."""
    request, _ = testing.simulate_login(waf, 'admin_search_test', 'admin_search_pass')
    session_mw = testing.injected_session_start(waf, request)
    # sort=-username: presumably the leading '-' requests descending order.
    # Only the status code is asserted; ordering and paging of the result are
    # not checked here.
    query_string = 'field=username&value=admin_search_test&sort=-username&limit=10&offset=0'
    search_url = f'/admin/user/search/?{query_string}'
    _, response = waf.server.test_client.get(
        search_url,
        headers=testing.csrf_headers(request),
    )
    testing.injected_session_end(waf, session_mw)
    assert response.status == 200
Exemplo n.º 6
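def test_data_delete_no_id(test_project, waf, admin_login_user):
    """Send a DELETE with an empty JSON body (no id) and expect a 400."""
    # The helper is called for the row it creates; its return value
    # (id, username, password) is not needed by this test.
    create_admin_test_data_user('admin_test_delete')
    form_data = {}
    request, _ = testing.simulate_login(waf, 'admin_api_test', 'admin_api_pass')
    middleware = testing.injected_session_start(waf, request)
    # CSRF headers built from the logged-in request are sent, so the 400 is
    # expected to come from the missing id, not from a CSRF rejection.
    # Only the status is asserted; the test does not check that the created
    # user row is still present afterwards.
    _, response = waf.server.test_client.delete(
        '/admin/user/',
        json=form_data,
        headers=testing.csrf_headers(request),
    )
    testing.injected_session_end(waf, middleware)
    assert response.status == 400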
def test_read_only_permission_success(test_project, waf, create_groups):
    """GET the read-only view as 'permission_test_admin' and expect a 200."""
    login_request, _ = testing.simulate_login(
        waf, 'permission_test_admin', 'admin_pass_1')
    session_mw = testing.injected_session_start(waf, login_request)
    # Positive case only: this confirms an allowed user gets through. A user
    # without the permission being refused is not covered by this test.
    headers = testing.csrf_headers(login_request)
    _, response = waf.server.test_client.get('/test_app/read_only/', headers=headers)
    testing.injected_session_end(waf, session_mw)
    assert response.status == 200
Exemplo n.º 8
def test_login_required(test_project, waf, create_users):
    """GET a view guarded by login_required while logged in.

    Expects the body to contain 'Protected!' and the status to be 200.
    """
    login_request, _ = testing.simulate_login(waf, 'admin', 'admin_pass')
    session_mw = testing.injected_session_start(waf, login_request)
    # No headers are passed on this GET.
    # NOTE(review): how the logged-in session reaches this request is not
    # visible here; presumably injected_session_start supplies it -- confirm.
    protected_url = '/test_app/protected/'
    _, response = waf.server.test_client.get(protected_url)
    testing.injected_session_end(waf, session_mw)
    assert 'Protected!' in response.text
    assert response.status == 200
Exemplo n.º 9
def test_data_post_no_csrf(test_project, waf, admin_login_user):
    """Post a new user without session-derived CSRF headers; expect a 403."""
    new_user = {
        'username': '******',
        'password': '******',
        'is_active': True,
        'is_staff': True,
    }
    login_request, _ = testing.simulate_login(waf, 'admin_api_test', 'admin_api_pass')
    session_mw = testing.injected_session_start(waf, login_request)
    # csrf_headers() is called WITHOUT the logged-in request, so whatever it
    # returns is not derived from this session.
    # NOTE(review): presumably the headers still carry a token that does not
    # match the session's, making this a "mismatched token" case rather than
    # a "token absent" one -- confirm against testing.csrf_headers.
    _, response = waf.server.test_client.post(
        '/admin/user/',
        json=new_user,
        headers=testing.csrf_headers(),
    )
    testing.injected_session_end(waf, session_mw)
    assert response.status == 403
Exemplo n.º 10
def test_data_patch_bad_table(test_project, waf, admin_login_user):
    """PATCH a user payload to '/admin/cats/' and expect a 403."""
    created_id, _username, _password = create_admin_test_data_user('admin_test_put')
    patch_body = {
        'id': created_id,
        'username': '******',
        'password': '******',
    }
    login_request, _ = testing.simulate_login(waf, 'admin_api_test', 'admin_api_pass')
    session_mw = testing.injected_session_start(waf, login_request)
    # Valid session-derived CSRF headers are sent, so the 403 is expected to
    # come from the target itself.
    # NOTE(review): 'cats' is presumably not a registered admin table; the
    # test pins 403 (not 404) for that case -- confirm this is intended.
    _, response = waf.server.test_client.patch(
        '/admin/cats/',
        json=patch_body,
        headers=testing.csrf_headers(login_request),
    )
    testing.injected_session_end(waf, session_mw)
    assert response.status == 403
Exemplo n.º 11
def test_password_change_bad_csrf(test_project, waf, create_users):
    """Post a password change with empty headers and expect a 403."""
    payload = {
        'username': '******',
        'old_password': '******',
        'new_password': '******',
    }
    login_request, _ = testing.simulate_login(waf, 'casual_user', 'casual_pass')
    session_mw = testing.injected_session_start(waf, login_request)
    # Empty header dict: no CSRF header is sent at all ("token absent").
    # Only the status is asserted; the test does not verify that the stored
    # password was left unchanged after the rejected request.
    no_headers = {}
    _, response = waf.server.test_client.post(
        '/auth/password_change/',
        json=payload,
        headers=no_headers,
    )
    testing.injected_session_end(waf, session_mw)
    assert response.status == 403
def test_manage_access_post(test_project, waf, admin_login_user):
    """Post a new group with one user and two permissions; expect a 200."""
    granted = [
        {'name': 'get', 'target': 'admin'},
        {'name': 'post', 'target': 'admin'},
    ]
    group_request = {
        # First element of the fixture value; presumably the user's id.
        'user_ids': [admin_login_user[0]],
        'group_name': 'test_access',
        'permissions': granted,
    }
    login_request, _ = testing.simulate_login(waf, 'admin_manage_access_test', 'admin_manage_access_pass')
    session_mw = testing.injected_session_start(waf, login_request)
    # Only the status is asserted: the test does not read back the group, its
    # membership, or the permissions that were actually stored.
    _, response = waf.server.test_client.post(
        '/admin/manage_access/',
        json=group_request,
        headers=testing.csrf_headers(login_request),
    )
    testing.injected_session_end(waf, session_mw)
    assert response.status == 200
Exemplo n.º 13
def test_data_patch(test_project, waf, admin_login_user):
    """PATCH a user with the CSRF token in the JSON body instead of a header.

    Expects a 200 and the stored username to read 'new' afterwards.
    """
    created_id, _username, _password = create_admin_test_data_user('admin_test_put')
    # NOTE(review): the username literal reads '******' on this page while the
    # final assertion expects 'new'; the literal looks masked -- confirm the
    # value against the original test before relying on this listing.
    patch_body = {
        'id': created_id,
        'username': '******',
        'password': '******',
    }
    login_request, _ = testing.simulate_login(waf, 'admin_api_test', 'admin_api_pass')
    session_mw = testing.injected_session_start(waf, login_request)
    # The session's CSRF token travels in the body field, and the CSRF header
    # is removed from the header set, so the body field is the only place the
    # session token is supplied.
    patch_body[settings.CSRF_FIELD_NAME] = login_request['session']['csrf_token']
    headers_without_csrf = testing.csrf_headers()
    headers_without_csrf.pop(settings.CSRF_HEADER_NAME)
    _, response = waf.server.test_client.patch(
        '/admin/user/',
        json=patch_body,
        headers=headers_without_csrf,
    )
    testing.injected_session_end(waf, session_mw)
    assert response.status == 200
    # Read the row back to confirm the update was persisted, not just accepted.
    with get_engine('default').connect() as conn:
        by_id = sa.select('*').select_from(tables.user).where(tables.user.c.id == created_id)
        result = conn.execute(by_id)
        assert result.fetchone().username == 'new'