def setUp(self):
"""
create a new test client, initialise a database and activate TESTING mode
"""
self.db_fd, meterage.app.config['DATABASE'] = tempfile.mkstemp()
meterage.app.config['TESTING'] = True
self.app = meterage.app.test_client()
meterage.init_db()
global users
usernames = ["admin", "hari", "spock", "test"]
passwords = ["default", "seldon", "vulcan", "test"]
gravataremails = [
"*****@*****.**", "*****@*****.**",
"*****@*****.**", "*****@*****.**"
]
flag_admins = [True, False, False, True]
flag_approvals = [True, True, False, True]
users = zip(usernames, passwords, gravataremails, flag_admins,
flag_approvals)
# add an admin and a normal user to the database
with closing(meterage.connect_db()) as db:
for username, password, gravataremail, flag_admin, flag_approval in users:
user = User(username, password, gravataremail, flag_admin,
flag_approval)
db.execute(
'insert into userPassword (username, password, gravataremail, flag_admin, flag_approval) values (?, ?, ?, ?, ?)',
[
user.username, user.password, user.gravataremail,
user.flag_admin, user.flag_approval
])
db.commit()
def step_impl(context):
"""
User changes their Gravatar email to an empty string
:param context: behave context object
"""
# TODO implement the Gravatar removal such that rhe user does not have to enter an empty string
# TODO but can instead elect whether or not to show the Gravatar. This is more of a "setting"
with context.app.session_transaction() as sess:
# see http://flask.pocoo.org/docs/0.10/testing/#accessing-and-modifying-sessions for
# an explanation of accessing sessions during testing.
context.app.post('/user/<username',
data=dict(gravataremail="",
username=sess['username'],
save="save"),
follow_redirects=True)
with closing(meterage.connect_db()) as db:
cur = db.execute(
'select gravataremail from userPassword where username=?',
[sess['username']])
rows = [dict(gravataremail=row[0]) for row in cur.fetchall()]
assert rows, "userPassword table has not been populated"
assert len(
rows
) == 1, "There is more than one user with the logged in username."
assert rows[0][
"gravataremail"] == "", "Gravatar email has not been removed"
def setUp(self):
"""
create a new test client, initialise a database and activate TESTING mode
"""
self.db_fd, meterage.app.config['DATABASE'] = tempfile.mkstemp()
meterage.app.config['TESTING'] = True
self.app = meterage.app.test_client()
meterage.init_db()
global users
usernames = ["admin", "hari", "spock", "test"]
passwords = ["default", "seldon", "vulcan", "test"]
gravataremails = ["*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**"]
flag_admins=[True, False, False, True]
flag_approvals=[True, True, False, True]
users = zip(usernames, passwords, gravataremails, flag_admins, flag_approvals)
# add an admin and a normal user to the database
with closing(meterage.connect_db()) as db:
for username, password, gravataremail, flag_admin, flag_approval in users:
user = User(username, password, gravataremail, flag_admin, flag_approval)
db.execute('insert into userPassword (username, password, gravataremail, flag_admin, flag_approval) values (?, ?, ?, ?, ?)',
[user.username, user.password, user.gravataremail, user.flag_admin, user.flag_approval])
db.commit()
def test_username_unique(self):
with closing(meterage.connect_db()) as db:
for user in users:
cur = db.execute('select count(username) from userPassword where username=?', [user[0]])
row = cur.fetchone()
self.assertTrue(row[0] == 1, "The username is unique")
cur.close()
def before_feature(context, feature):
"""
Create a new test client, initialise a database and activate TESTING mode
"""
context.db_fd, meterage.app.config['DATABASE'] = tempfile.mkstemp()
meterage.app.config['TESTING'] = True
context.app = meterage.app.test_client()
meterage.init_db()
#flat dictionary of users, so we have access to the plain text versions of the passwords
context.users = {"admin": "default", "hari": "seldon"}
# add users to the temporary database
# Note that an admin and a normal user are added.
with closing(meterage.connect_db()) as db:
admin = User('admin', 'default', '*****@*****.**', True, True)
db.execute('insert into userPassword (username, password, gravataremail,flag_admin,flag_approval) values (?, ?, ? ,? ,?)',
[admin.username, admin.password, admin.gravataremail, admin.flag_admin, admin.flag_approval])
user = User('hari', 'seldon', '*****@*****.**', False, True)
db.execute('insert into userPassword (username, password, gravataremail,flag_admin,flag_approval) values (?, ?, ?,? ,?)',
[user.username, user.password, user.gravataremail, user.flag_admin, user.flag_approval])
user2 = User('spock', 'vulcan', '*****@*****.**', True, True)
db.execute('insert into userPassword (username, password, gravataremail,flag_admin,flag_approval) values (?, ?, ?,? ,?)',
[user2.username, user2.password, user2.gravataremail, user2.flag_admin, user2.flag_approval])
user3 = User('test', 'test', '*****@*****.**', False, True)
db.execute('insert into userPassword (username, password, gravataremail,flag_admin,flag_approval) values (?, ?, ?,? ,?)',
[user3.username, user3.password, user3.gravataremail, user3.flag_admin, user3.flag_approval])
db.commit()
def userPassword_content(self):
"""
Get all the data in the userPassword table
"""
with closing(meterage.connect_db()) as db:
cur = db.execute('select username, password, gravataremail from userPassword')
return [dict(username=row[0], password=row[1], gravataremail=row[2]) for row in cur.fetchall()]
def step_impl(context):
with closing(meterage.connect_db()) as db:
cur = db.execute('select password from userPassword where username=?', ['h'])
assert len(cur.fetchall()) == 0, "the username entered by the admin corresponds to a user in the database"
errorstring = "<p class=error><strong>Error:</strong>User does not exist</p>"
assert errorstring in context.rv.get_data(), "the error is not being displayed"
def step_impl(context):
"""
Check in the database to see that the new value for the user's password is as it should be.
"""
with closing(meterage.connect_db()) as db:
cur = db.execute('select password from userPassword where username=?', ['hari'])
assert len(cur.fetchall()) == 1, "username is not unique"
for pw in [row[0] for row in cur.fetchall()]:
assert pw == "potter", "Password has not been changed successfully"
def test_username_unique(self):
with closing(meterage.connect_db()) as db:
for user in users:
cur = db.execute(
'select count(username) from userPassword where username=?',
[user[0]])
row = cur.fetchone()
self.assertTrue(row[0] == 1, "The username is unique")
cur.close()
def step_impl(context):
assert 'User is not an admin' in context.rv.get_data()
"""
Check in the database to see that the value for the user's flag_admin is as it should be.
"""
with closing(meterage.connect_db()) as db:
cur = db.execute('select flag_admin from userPassword where username=?', ['test'])
row = cur.fetchone()
assert row[0] == 0, "User is an admin"
def step_impl(context):
assert 'Successfully revoked admin privilege from user' in context.rv.get_data()
"""
Check in the database to see that the new value for the user's flag_admin is as it should be.
"""
with closing(meterage.connect_db()) as db:
cur = db.execute('select flag_admin from userPassword where username=?', ['spock'])
row = cur.fetchone()
assert row[0] == 0, "User is an admin"
def step_impl(context):
"""
Check in the database to see that the new value for the user's password is as it should be.
"""
with closing(meterage.connect_db()) as db:
cur = db.execute('select flag_approval from userPassword where username=?', ['jim'])
for ap in [row[0] for row in cur.fetchall()]:
assert ap == False, "Successfully grant access to user"
def step_impl(context):
# getting users in database
with closing(meterage.connect_db()) as db:
cur = db.execute('select username, password from userPassword')
context.hasheduser = [
dict(username=row[0], password=row[1]) for row in cur.fetchall()
]
assert context.hasheduser[0]['username'] == 'admin', print(
context.hasheduser)
def step_impl(context):
"""
Check in the database to see that the new value for the user's password is as it should be.
"""
with closing(meterage.connect_db()) as db:
cur = db.execute(
'select flag_approval from userPassword where username=?', ['jim'])
for ap in [row[0] for row in cur.fetchall()]:
assert ap == False, "Successfully grant access to user"
def step_impl(context):
assert 'User is not an admin' in context.rv.get_data()
"""
Check in the database to see that the value for the user's flag_admin is as it should be.
"""
with closing(meterage.connect_db()) as db:
cur = db.execute(
'select flag_admin from userPassword where username=?', ['test'])
row = cur.fetchone()
assert row[0] == 0, "User is an admin"
def test_hashed_password_added_to_database(self):
"""
Check that the hashed password is added to the database, not the plain text.
"""
with closing(meterage.connect_db()) as db:
for user in users:
cur = db.execute('select username, password from userPassword where username=?', [user[0]])
row = cur.fetchone()
self.assertFalse(row[1] == user[1], "Hashed password has not been added to the database")
cur.close()
def step_impl(context):
"""
Check in the database to see that the new value for the user's password is as it should be.
"""
with closing(meterage.connect_db()) as db:
cur = db.execute('select password from userPassword where username=?',
['hari'])
assert len(cur.fetchall()) == 1, "username is not unique"
for pw in [row[0] for row in cur.fetchall()]:
assert pw == "potter", "Password has not been changed successfully"
def step_impl(context):
assert 'Successfully revoked admin privilege from user' in context.rv.get_data(
)
"""
Check in the database to see that the new value for the user's flag_admin is as it should be.
"""
with closing(meterage.connect_db()) as db:
cur = db.execute(
'select flag_admin from userPassword where username=?', ['spock'])
row = cur.fetchone()
assert row[0] == 0, "User is an admin"
def userPassword_content(self):
"""
Get all the data in the userPassword table
"""
with closing(meterage.connect_db()) as db:
cur = db.execute(
'select username, password, gravataremail from userPassword')
return [
dict(username=row[0], password=row[1], gravataremail=row[2])
for row in cur.fetchall()
]
def test_entering_hash_does_not_succeed(self):
"""
Test that entering the actual hash into the "password" box does not result in a successful login.
"""
with closing(meterage.connect_db()) as db:
for user in users:
cur = db.execute('select username, password from userPassword where username=?', [user[0]])
row = cur.fetchone()
rv = self.login(row[0], row[1])
self.assertIn("Invalid password", rv.get_data(), "Login did not fail as it should have")
cur.close()
def step_impl(context):
with closing(meterage.connect_db()) as db:
cur = db.execute('select password from userPassword where username=?',
['h'])
assert len(
cur.fetchall()
) == 0, "the username entered by the admin corresponds to a user in the database"
errorstring = "<p class=error><strong>Error:</strong>User does not exist</p>"
assert errorstring in context.rv.get_data(
), "the error is not being displayed"
def test_hashed_password_added_to_database(self):
"""
Check that the hashed password is added to the database, not the plain text.
"""
with closing(meterage.connect_db()) as db:
for user in users:
cur = db.execute(
'select username, password from userPassword where username=?',
[user[0]])
row = cur.fetchone()
self.assertFalse(
row[1] == user[1],
"Hashed password has not been added to the database")
cur.close()
def step_impl(context, detail):
"""
POST a new value for {detail} to the change_{detail} page, then check if flaskr.USERS dicitonary
has been updated appropriately. Of all the methods written so far this is the least robust,
as it only deals with usernames and passwords (not any other details associated with a user's account)
and it is relying on usernames and passwords being in the flat little dictionary they are currently in.
This is bound to be one of the first things to change.
"""
# create the data to be sent in the POST to the user/<username>/ page's POST method
if detail == "Gravatar email":
data = dict(gravataremail="xXx_New_Detail_xXx",
username="******",
save="save")
elif detail == "username":
data = dict(gravataremail="*****@*****.**",
username="******",
save="save")
# This should take the new value of <detail> and put it through the
# POST method of /users/<username>/
rv = context.app.post('/user/<username>', data=data, follow_redirects=True)
# print(rv.get_data())
# this ensures that the session's username is still functioning
context.execute_steps(u'''
when the User navigates to the web interface
then account details are displayed
''')
with closing(meterage.connect_db()) as db:
with context.app.session_transaction() as sess:
# see http://flask.pocoo.org/docs/0.10/testing/#accessing-and-modifying-sessions for
# an explanation of accessing sessions during testing.
cur = db.execute(
'select username, gravataremail from userPassword')
rows = [
dict(username=row[0], gravataremail=row[1])
for row in cur.fetchall()
]
assert rows, "userPassword table has not been populated"
for row in rows:
if row["username"] == sess["username"]:
if detail == "Gravatar email":
assert data["gravataremail"] == row[
"gravataremail"], "new Gravatar email is not in the database"
elif detail == "username":
assert data[detail] == row[
"username"], "new username is not in the database"
def test_entering_hash_does_not_succeed(self):
"""
Test that entering the actual hash into the "password" box does not result in a successful login.
"""
with closing(meterage.connect_db()) as db:
for user in users:
cur = db.execute(
'select username, password from userPassword where username=?',
[user[0]])
row = cur.fetchone()
rv = self.login(row[0], row[1])
self.assertIn("Invalid password", rv.get_data(),
"Login did not fail as it should have")
cur.close()
def test_can_change_gravatar_email(self):
self.login(username='******', password='******')
rv = self.app.post('/user/<username>', data=dict(
username='******',
gravataremail='*****@*****.**',
save='save',
), follow_redirects=True)
self.assertIn('*****@*****.**', rv.get_data())
with closing(meterage.connect_db()) as db:
cur = db.execute('select username, gravataremail from userPassword where username=?', ['hary'])
row = cur.fetchone()
self.assertFalse(row[1] == "*****@*****.**", "gravataremail has not been added to the database")
cur.close()
def test_normal_granting_privilege(self):
self.login('admin', 'default')
rv = self.app.post('/add_new_admin', data=dict(
username='******'
), follow_redirects=True)
self.assertIn("Successfully granted admin privilege to user" ,rv.get_data())
with closing(meterage.connect_db()) as db:
cur = db.execute('select flag_admin from userPassword where username=?', ['hari'])
row = cur.fetchone()
self.assertTrue(row[0] == 1, "User has been granted with admin privilege")
cur.close()
self.logout()
self.login('hari', 'seldon')
with self.app.session_transaction() as sess:
# see http://flask.pocoo.org/docs/0.10/testing/#accessing-and-modifying-sessions for
# an explanation of accessing sessions during testing.
self.assertTrue(sess['admin']==True, "You are logged in as admin")
def step_impl(context):
"""
log in as user "hari"
"""
# TODO finish this. Used to test that this user was not somehow created in the change password method.
with closing(meterage.connect_db()) as db:
cur = db.execute('select password from userPassword where username=?', ['h'])
context.app.post('/login', data=dict(
username='******',
password='******'
), follow_redirects=True)
with context.app.session_transaction() as sess:
# see http://flask.pocoo.org/docs/0.10/testing/#accessing-and-modifying-sessions for
# an explanation of accessing sessions during testing.
assert sess['logged_in'], "The user is not logged in."
def step_impl(context):
"""
log in as user "hari"
"""
# TODO finish this. Used to test that this user was not somehow created in the change password method.
with closing(meterage.connect_db()) as db:
cur = db.execute('select password from userPassword where username=?',
['h'])
context.app.post('/login',
data=dict(username='******', password='******'),
follow_redirects=True)
with context.app.session_transaction() as sess:
# see http://flask.pocoo.org/docs/0.10/testing/#accessing-and-modifying-sessions for
# an explanation of accessing sessions during testing.
assert sess['logged_in'], "The user is not logged in."
def test_add_new_user(self):
# test for normal adding new user
self.login('admin', 'default')
rv = self.app.post('/add_new_user', data=dict(
username='******',
password='******',
confirm_password='******',
email='*****@*****.**'
), follow_redirects=True)
self.assertIn('Successfully added new user', rv.get_data())
self.logout()
with closing(meterage.connect_db()) as db:
cur = db.execute('select count(username) from userPassword where username=?', ['another'])
row = cur.fetchone()
self.assertTrue(row[0] == 1, "User another has been added to the database")
cur.close()
def before_feature(context, feature):
"""
Create a new test client, initialise a database and activate TESTING mode
"""
context.db_fd, meterage.app.config['DATABASE'] = tempfile.mkstemp()
meterage.app.config['TESTING'] = True
context.app = meterage.app.test_client()
meterage.init_db()
#flat dictionary of users, so we have access to the plain text versions of the passwords
context.users = {"admin": "default", "hari": "seldon"}
# add users to the temporary database
# Note that an admin and a normal user are added.
with closing(meterage.connect_db()) as db:
admin = User('admin', 'default', '*****@*****.**', True, True)
db.execute(
'insert into userPassword (username, password, gravataremail,flag_admin,flag_approval) values (?, ?, ? ,? ,?)',
[
admin.username, admin.password, admin.gravataremail,
admin.flag_admin, admin.flag_approval
])
user = User('hari', 'seldon', '*****@*****.**', False, True)
db.execute(
'insert into userPassword (username, password, gravataremail,flag_admin,flag_approval) values (?, ?, ?,? ,?)',
[
user.username, user.password, user.gravataremail,
user.flag_admin, user.flag_approval
])
user2 = User('spock', 'vulcan', '*****@*****.**', True, True)
db.execute(
'insert into userPassword (username, password, gravataremail,flag_admin,flag_approval) values (?, ?, ?,? ,?)',
[
user2.username, user2.password, user2.gravataremail,
user2.flag_admin, user2.flag_approval
])
user3 = User('test', 'test', '*****@*****.**', False, True)
db.execute(
'insert into userPassword (username, password, gravataremail,flag_admin,flag_approval) values (?, ?, ?,? ,?)',
[
user3.username, user3.password, user3.gravataremail,
user3.flag_admin, user3.flag_approval
])
db.commit()
def step_impl(context):
"""
User changes their Gravatar email to an empty string
:param context: behave context object
"""
# TODO implement the Gravatar removal such that rhe user does not have to enter an empty string
# TODO but can instead elect whether or not to show the Gravatar. This is more of a "setting"
with context.app.session_transaction() as sess:
# see http://flask.pocoo.org/docs/0.10/testing/#accessing-and-modifying-sessions for
# an explanation of accessing sessions during testing.
context.app.post('/user/<username', data=dict(gravataremail="", username=sess['username'], save="save"),
follow_redirects=True)
with closing(meterage.connect_db()) as db:
cur = db.execute('select gravataremail from userPassword where username=?', [sess['username']])
rows = [dict(gravataremail=row[0]) for row in cur.fetchall()]
assert rows, "userPassword table has not been populated"
assert len(rows) == 1, "There is more than one user with the logged in username."
assert rows[0]["gravataremail"] == "", "Gravatar email has not been removed"
def test_add_new_user(self):
# test for normal adding new user
self.login('admin', 'default')
rv = self.app.post('/add_new_user',
data=dict(username='******',
password='******',
confirm_password='******',
email='*****@*****.**'),
follow_redirects=True)
self.assertIn('Successfully added new user', rv.get_data())
self.logout()
with closing(meterage.connect_db()) as db:
cur = db.execute(
'select count(username) from userPassword where username=?',
['another'])
row = cur.fetchone()
self.assertTrue(row[0] == 1,
"User another has been added to the database")
cur.close()
def step_impl(context, detail):
"""
POST a new value for {detail} to the change_{detail} page, then check if flaskr.USERS dicitonary
has been updated appropriately. Of all the methods written so far this is the least robust,
as it only deals with usernames and passwords (not any other details associated with a user's account)
and it is relying on usernames and passwords being in the flat little dictionary they are currently in.
This is bound to be one of the first things to change.
"""
# create the data to be sent in the POST to the user/<username>/ page's POST method
if detail == "Gravatar email":
data = dict(gravataremail="xXx_New_Detail_xXx", username="******", save="save")
elif detail == "username":
data = dict(gravataremail="*****@*****.**", username="******", save="save")
# This should take the new value of <detail> and put it through the
# POST method of /users/<username>/
rv = context.app.post('/user/<username>', data=data, follow_redirects=True)
# print(rv.get_data())
# this ensures that the session's username is still functioning
context.execute_steps(u'''
when the User navigates to the web interface
then account details are displayed
''')
with closing(meterage.connect_db()) as db:
with context.app.session_transaction() as sess:
# see http://flask.pocoo.org/docs/0.10/testing/#accessing-and-modifying-sessions for
# an explanation of accessing sessions during testing.
cur = db.execute('select username, gravataremail from userPassword')
rows = [dict(username=row[0], gravataremail=row[1]) for row in cur.fetchall()]
assert rows, "userPassword table has not been populated"
for row in rows:
if row["username"] == sess["username"]:
if detail == "Gravatar email":
assert data["gravataremail"] == row["gravataremail"], "new Gravatar email is not in the database"
elif detail == "username":
assert data[detail] == row["username"], "new username is not in the database"
def test_can_change_username(self):
self.login(username='******', password='******')
rv = self.app.post('/user/<username>',
data=dict(
username='******',
gravataremail='*****@*****.**',
save='save',
),
follow_redirects=True)
self.assertIn('hary', rv.get_data())
with closing(meterage.connect_db()) as db:
cur = db.execute(
'select username, gravataremail from userPassword where username=?',
['hary'])
row = cur.fetchone()
self.assertFalse(row[0] == 'hari',
"username has not been added to the database")
cur.close()
def test_normal_granting_privilege(self):
self.login('admin', 'default')
rv = self.app.post('/add_new_admin',
data=dict(username='******'),
follow_redirects=True)
self.assertIn("Successfully granted admin privilege to user",
rv.get_data())
with closing(meterage.connect_db()) as db:
cur = db.execute(
'select flag_admin from userPassword where username=?',
['hari'])
row = cur.fetchone()
self.assertTrue(row[0] == 1,
"User has been granted with admin privilege")
cur.close()
self.logout()
self.login('hari', 'seldon')
with self.app.session_transaction() as sess:
# see http://flask.pocoo.org/docs/0.10/testing/#accessing-and-modifying-sessions for
# an explanation of accessing sessions during testing.
self.assertTrue(sess['admin'] == True,
"You are logged in as admin")
def step_impl(context):
# getting users in database
with closing(meterage.connect_db()) as db:
cur = db.execute('select username, password from userPassword')
context.hasheduser = [dict(username=row[0], password=row[1]) for row in cur.fetchall()]
assert context.hasheduser[0]['username']=='admin', print (context.hasheduser)
