def fido2_keys_user_validate(user_id):
keys = list_fido2_keys(user_id)
credentials = list(map(lambda k: pickle.loads(base64.b64decode(k.key)), keys))
data = request.get_json()
cbor_data = cbor.decode(base64.b64decode(data["payload"]))
credential_id = cbor_data['credentialId']
client_data = ClientData(cbor_data['clientDataJSON'])
auth_data = AuthenticatorData(cbor_data['authenticatorData'])
signature = cbor_data['signature']
Config.FIDO2_SERVER.authenticate_complete(
get_fido2_session(user_id),
credentials,
credential_id,
client_data,
auth_data,
signature
)
user_to_verify = get_user_by_id(user_id=user_id)
user_to_verify.current_session_id = str(uuid.uuid4())
user_to_verify.logged_in_at = datetime.utcnow()
user_to_verify.failed_login_count = 0
save_model_user(user_to_verify)
return jsonify({'status': 'OK'})
def verify_user_code(user_id):
data = request.get_json()
validate(data, post_verify_code_schema)
user_to_verify = get_user_by_id(user_id=user_id)
code = get_user_code(user_to_verify, data['code'], data['code_type'])
if(verify_within_time(user_to_verify) >= 2):
raise InvalidRequest("Code already sent", status_code=400)
if user_to_verify.failed_login_count >= current_app.config.get('MAX_VERIFY_CODE_COUNT'):
raise InvalidRequest("Code not found", status_code=404)
if not code:
increment_failed_login_count(user_to_verify)
raise InvalidRequest("Code not found", status_code=404)
if datetime.utcnow() > code.expiry_datetime:
# sms and email
increment_failed_login_count(user_to_verify)
raise InvalidRequest("Code has expired", status_code=400)
if code.code_used:
increment_failed_login_count(user_to_verify)
raise InvalidRequest("Code has already been used", status_code=400)
user_to_verify.current_session_id = str(uuid.uuid4())
user_to_verify.logged_in_at = datetime.utcnow()
user_to_verify.failed_login_count = 0
save_model_user(user_to_verify)
use_user_code(code.id)
return jsonify({}), 204
def create_user():
user_to_create, errors = user_schema.load(request.get_json())
req_json = request.get_json()
if not req_json.get('password', None):
errors.update({'password': ['Missing data for required field.']})
raise InvalidRequest(errors, status_code=400)
save_model_user(user_to_create, pwd=req_json.get('password'))
return jsonify(data=user_schema.dump(user_to_create).data), 201
def activate_user(user_id):
user = get_user_by_id(user_id=user_id)
if user.state == 'active':
raise InvalidRequest('User already active', status_code=400)
user.state = 'active'
save_model_user(user)
return jsonify(data=user.serialize()), 200
def test_add_existing_user_to_another_service_doesnot_change_old_permissions(
notify_db_session, ):
user = create_user()
service_one = Service(
name="service_one",
email_from="service_one",
message_limit=1000,
restricted=False,
created_by=user,
)
dao_create_service(service_one, user)
assert user.id == service_one.users[0].id
test_user_permissions = Permission.query.filter_by(service=service_one,
user=user).all()
assert len(test_user_permissions) == 8
other_user = User(
name="Other Test User",
email_address="*****@*****.**",
password="******",
mobile_number="+447700900987",
)
save_model_user(other_user)
service_two = Service(
name="service_two",
email_from="service_two",
message_limit=1000,
restricted=False,
created_by=other_user,
)
dao_create_service(service_two, other_user)
assert other_user.id == service_two.users[0].id
other_user_permissions = Permission.query.filter_by(service=service_two,
user=other_user).all()
assert len(other_user_permissions) == 8
other_user_service_one_permissions = Permission.query.filter_by(
service=service_one, user=other_user).all()
assert len(other_user_service_one_permissions) == 0
# adding the other_user to service_one should leave all other_user permissions on service_two intact
permissions = []
for p in ["send_emails", "send_texts", "send_letters"]:
permissions.append(Permission(permission=p))
dao_add_user_to_service(service_one, other_user, permissions=permissions)
other_user_service_one_permissions = Permission.query.filter_by(
service=service_one, user=other_user).all()
assert len(other_user_service_one_permissions) == 3
other_user_service_two_permissions = Permission.query.filter_by(
service=service_two, user=other_user).all()
assert len(other_user_service_two_permissions) == 8
def create_user():
user_to_create, errors = create_user_schema.load(request.get_json())
req_json = request.get_json()
if not req_json.get('password', None):
errors.update({'password': ['Missing data for required field.']})
raise InvalidRequest(errors, status_code=400)
save_model_user(user_to_create, pwd=req_json.get('password'))
result = user_to_create.serialize()
return jsonify(data=result), 201
def test_create_user_fails_when_violates_sms_auth_requires_mobile_number_constraint(
notify_db_session, test_email, test_name):
data = {
'name': test_name,
'email_address': test_email,
'auth_type': 'sms_auth'
}
with pytest.raises(IntegrityError):
user = User(**data)
save_model_user(user)
def update_user(user_id):
user_to_update = get_user_by_id(user_id=user_id)
req_json = request.get_json()
update_dct, errors = user_schema_load_json.load(req_json)
pwd = req_json.get('password', None)
# TODO password validation, it is already done on the admin app
# but would be good to have the same validation here.
if pwd is not None and not pwd:
errors.update({'password': ['Invalid data for field']})
raise InvalidRequest(errors, status_code=400)
save_model_user(user_to_update, update_dict=update_dct, pwd=pwd)
return jsonify(data=user_schema.dump(user_to_update).data), 200
def test_create_user(notify_api, notify_db, notify_db_session):
email = '*****@*****.**'
data = {
'name': 'Test User',
'email_address': email,
'password': '******',
'mobile_number': '+447700900986'
}
user = User(**data)
save_model_user(user)
assert User.query.count() == 1
assert User.query.first().email_address == email
assert User.query.first().id == user.id
def test_create_user(notify_api, notify_db, notify_db_session):
email = '*****@*****.**'
data = {
'name': 'Test User',
'email_address': email,
'password': '******',
'mobile_number': '+447700900986'
}
user = User(**data)
save_model_user(user)
assert User.query.count() == 1
assert User.query.first().email_address == email
assert User.query.first().id == user.id
def create_user():
user, errors = user_schema.load(request.get_json())
req_json = request.get_json()
# TODO password policy, what is valid password
if not req_json.get('password'):
errors = {'password': ['Missing data for required field.']}
return jsonify(result="error", message=errors), 400
if errors:
return jsonify(result="error", message=errors), 400
user.password = req_json.get('password')
save_model_user(user)
return jsonify(data=user_schema.dump(user).data), 201
def create_user():
user, errors = user_schema.load(request.get_json())
req_json = request.get_json()
# TODO password policy, what is valid password
if not req_json.get('password'):
errors = {'password': ['Missing data for required field.']}
return jsonify(result="error", message=errors), 400
if errors:
return jsonify(result="error", message=errors), 400
user.password = req_json.get('password')
save_model_user(user)
return jsonify(data=user_schema.dump(user).data), 201
def create_user(mobile_number="+61412345678", email="*****@*****.**", state='active', id_=None):
data = {
'id': id_ or uuid.uuid4(),
'name': 'Test User',
'email_address': email,
'password': '******',
'mobile_number': mobile_number,
'state': state
}
user = User.query.filter_by(email_address=email).first()
if not user:
user = User(**data)
save_model_user(user)
return user
def test_should_add_user_to_service(sample_user):
service = Service(
name="service_name", email_from="email_from", message_limit=1000, restricted=False, created_by=sample_user
)
dao_create_service(service, sample_user)
assert sample_user in Service.query.first().users
new_user = User(
name="Test User",
email_address="*****@*****.**",
password="******",
mobile_number="+447700900986",
)
save_model_user(new_user)
dao_add_user_to_service(service, new_user)
assert new_user in Service.query.first().users
def test_create_user(notify_db_session, phone_number):
email = '*****@*****.**'
data = {
'name': 'Test User',
'email_address': email,
'password': '******',
'mobile_number': phone_number
}
user = User(**data)
save_model_user(user)
assert User.query.count() == 1
assert User.query.first().email_address == email
assert User.query.first().id == user.id
assert User.query.first().mobile_number == phone_number
assert not user.platform_admin
def test_create_user(notify_db_session, phone_number):
email = "*****@*****.**"
data = {
"name": "Test User",
"email_address": email,
"password": "******",
"mobile_number": phone_number,
}
user = User(**data)
save_model_user(user)
assert User.query.count() == 1
assert User.query.first().email_address == email
assert User.query.first().id == user.id
assert User.query.first().mobile_number == phone_number
assert not user.platform_admin
def sample_user(notify_db,
notify_db_session,
email="*****@*****.**"):
data = {
'name': 'Test User',
'email_address': email,
'password': '******',
'mobile_number': '+447700900986',
'state': 'active'
}
usr = User.query.filter_by(email_address=email).first()
if not usr:
usr = User(**data)
save_model_user(usr)
return usr
def test_should_add_user_to_service(notify_db_session):
user = create_user()
service = Service(name="service_name",
email_from="email_from",
message_limit=1000,
restricted=False,
created_by=user)
dao_create_service(service, user)
assert user in Service.query.first().users
new_user = User(name='Test User',
email_address='*****@*****.**',
password='******',
mobile_number='+16502532222')
save_model_user(new_user)
dao_add_user_to_service(service, new_user)
assert new_user in Service.query.first().users
def test_create_user(notify_db_session, phone_number, test_name, test_email):
data = {
'name': test_name,
'email_address': test_email,
'password': '******',
'mobile_number': phone_number
}
user = User(**data)
save_model_user(user)
user_from_db = User.query.first()
assert not user.platform_admin
assert User.query.count() == 1
assert user_from_db.email_address == test_email
assert user_from_db.id == user.id
assert user_from_db.mobile_number == phone_number
def test_create_user_with_identity_provider(notify_db_session, test_name,
test_email):
identity_provider_user_id = 'test-user-id'
data = {
'name': test_name,
'email_address': test_email,
'identity_provider_user_id': identity_provider_user_id
}
user = User(**data)
save_model_user(user)
user_from_db = User.query.first()
assert not user.platform_admin
assert user_from_db.email_address == test_email
assert user_from_db.id == user.id
assert user_from_db.identity_provider_user_id == identity_provider_user_id
assert User.query.count() == 1
def update_user(user_id):
try:
user = get_model_users(user_id=user_id)
except DataError:
return jsonify(result="error", message="Invalid user id"), 400
except NoResultFound:
return jsonify(result="error", message="User not found"), 404
if request.method == 'DELETE':
status_code = 202
delete_model_user(user)
else:
# TODO removed some validation checking by using load
# which will need to be done in another way
status_code = 200
db.session.rollback()
save_model_user(user, update_dict=request.get_json())
return jsonify(data=user_schema.dump(user).data), status_code
def update_user(user_id):
try:
user = get_model_users(user_id=user_id)
except DataError:
return jsonify(result="error", message="Invalid user id"), 400
except NoResultFound:
return jsonify(result="error", message="User not found"), 404
if request.method == 'DELETE':
status_code = 202
delete_model_user(user)
else:
# TODO removed some validation checking by using load
# which will need to be done in another way
status_code = 200
db.session.rollback()
save_model_user(user, update_dict=request.get_json())
return jsonify(data=user_schema.dump(user).data), status_code
def test_create_user(notify_db_session, phone_number):
email = '*****@*****.**'
data = {
'name': 'Test User',
'email_address': email,
'password': '******',
'mobile_number': phone_number
}
user = User(**data)
save_model_user(user, password='******', validated_email_access=True)
assert User.query.count() == 1
user_query = User.query.first()
assert user_query.email_address == email
assert user_query.id == user.id
assert user_query.mobile_number == phone_number
assert user_query.email_access_validated_at == datetime.utcnow()
assert not user_query.platform_admin
def create_user(mobile_number="+447700900986",
email="*****@*****.**",
state='active',
id_=None,
name="Test User"):
data = {
'id': id_ or uuid.uuid4(),
'name': name,
'email_address': email,
'password': '******',
'mobile_number': mobile_number,
'state': state
}
user = User.query.filter_by(email_address=email).first()
if not user:
user = User(**data)
save_model_user(user, validated_email_access=True)
return user
def test_get_all_only_services_user_has_access_to(service_factory, sample_user):
service_factory.get("service 1", sample_user, email_from="service.1")
service_factory.get("service 2", sample_user, email_from="service.2")
service_3 = service_factory.get("service 3", sample_user, email_from="service.3")
new_user = User(
name="Test User",
email_address="*****@*****.**",
password="******",
mobile_number="+447700900986",
)
save_model_user(new_user)
dao_add_user_to_service(service_3, new_user)
assert len(dao_fetch_all_services_by_user(sample_user.id)) == 3
assert dao_fetch_all_services_by_user(sample_user.id)[0].name == "service 1"
assert dao_fetch_all_services_by_user(sample_user.id)[1].name == "service 2"
assert dao_fetch_all_services_by_user(sample_user.id)[2].name == "service 3"
assert len(dao_fetch_all_services_by_user(new_user.id)) == 1
assert dao_fetch_all_services_by_user(new_user.id)[0].name == "service 3"
def create_user():
# import pdb; pdb.set_trace()
user_to_create, errors = create_user_schema.load(request.get_json())
req_json = request.get_json()
password = req_json.get('password', None)
if not password:
errors.update({'password': ['Missing data for required field.']})
raise InvalidRequest(errors, status_code=400)
else:
response = pwnedpasswords.check(password)
if response > 0:
errors.update({'password': ['Password is not allowed.']})
raise InvalidRequest(errors, status_code=400)
save_model_user(user_to_create, pwd=req_json.get('password'))
result = user_to_create.serialize()
return jsonify(data=result), 201
def create_user():
user_to_create, errors = create_user_schema.load(request.get_json())
req_json = request.get_json()
identity_provider_user_id = req_json.get('identity_provider_user_id', None)
password = req_json.get('password', None)
if not password and not identity_provider_user_id:
errors.update({'password': ['Missing data for required field.']})
raise InvalidRequest(errors, status_code=400)
elif password:
response = pwnedpasswords.check(password)
if response > 0:
errors.update({'password': ['Password is blacklisted.']})
raise InvalidRequest(errors, status_code=400)
save_model_user(user_to_create, pwd=req_json.get('password'))
result = user_to_create.serialize()
return jsonify(data=result), 201
def test_get_all_user_services_only_returns_services_user_has_access_to(notify_db_session):
user = create_user()
create_service(service_name='service 1', user=user, email_from='service.1')
create_service(service_name='service 2', user=user, email_from='service.2')
service_3 = create_service(service_name='service 3', user=user, email_from='service.3')
new_user = User(
name='Test User',
email_address='*****@*****.**',
password='******',
mobile_number='+447700900986'
)
save_model_user(new_user, validated_email_access=True)
dao_add_user_to_service(service_3, new_user)
assert len(dao_fetch_all_services_by_user(user.id)) == 3
assert dao_fetch_all_services_by_user(user.id)[0].name == 'service 1'
assert dao_fetch_all_services_by_user(user.id)[1].name == 'service 2'
assert dao_fetch_all_services_by_user(user.id)[2].name == 'service 3'
assert len(dao_fetch_all_services_by_user(new_user.id)) == 1
assert dao_fetch_all_services_by_user(new_user.id)[0].name == 'service 3'
def test_add_existing_user_to_another_service_doesnot_change_old_permissions(sample_user):
service_one = Service(
name="service_one", email_from="service_one", message_limit=1000, restricted=False, created_by=sample_user
)
dao_create_service(service_one, sample_user)
assert sample_user.id == service_one.users[0].id
test_user_permissions = Permission.query.filter_by(service=service_one, user=sample_user).all()
assert len(test_user_permissions) == 8
other_user = User(
name="Other Test User",
email_address="*****@*****.**",
password="******",
mobile_number="+447700900987",
)
save_model_user(other_user)
service_two = Service(
name="service_two", email_from="service_two", message_limit=1000, restricted=False, created_by=other_user
)
dao_create_service(service_two, other_user)
assert other_user.id == service_two.users[0].id
other_user_permissions = Permission.query.filter_by(service=service_two, user=other_user).all()
assert len(other_user_permissions) == 8
other_user_service_one_permissions = Permission.query.filter_by(service=service_one, user=other_user).all()
assert len(other_user_service_one_permissions) == 0
# adding the other_user to service_one should leave all other_user permissions on service_two intact
permissions = []
for p in ["send_emails", "send_texts", "send_letters"]:
permissions.append(Permission(permission=p))
dao_add_user_to_service(service_one, other_user, permissions=permissions)
other_user_service_one_permissions = Permission.query.filter_by(service=service_one, user=other_user).all()
assert len(other_user_service_one_permissions) == 3
other_user_service_two_permissions = Permission.query.filter_by(service=service_two, user=other_user).all()
assert len(other_user_service_two_permissions) == 8
def test_should_remove_user_from_service(notify_db_session):
user = create_user()
service = Service(
name="service_name",
email_from="email_from",
message_limit=1000,
restricted=False,
created_by=user,
)
dao_create_service(service, user)
new_user = User(
name="Test User",
email_address="*****@*****.**",
password="******",
mobile_number="+16502532222",
)
save_model_user(new_user)
dao_add_user_to_service(service, new_user)
assert new_user in Service.query.first().users
dao_remove_user_from_service(service, new_user)
assert new_user not in Service.query.first().users
def verify_user_password(user_id):
user_to_verify = get_user_by_id(user_id=user_id)
txt_pwd = None
try:
txt_pwd = request.get_json()['password']
except KeyError:
message = 'Required field missing data'
errors = {'password': [message]}
raise InvalidRequest(errors, status_code=400)
if user_to_verify.check_password(txt_pwd):
user_to_verify.logged_in_at = datetime.utcnow()
save_model_user(user_to_verify)
reset_failed_login_count(user_to_verify)
return jsonify({}), 204
else:
increment_failed_login_count(user_to_verify)
message = 'Incorrect password'
errors = {'password': [message]}
raise InvalidRequest(errors, status_code=400)
def create_user(
mobile_number="+16502532222",
email="*****@*****.**",
state="active",
id_=None,
name="Test User",
blocked=False,
):
data = {
"id": id_ or uuid.uuid4(),
"name": name,
"email_address": email,
"password": "******",
"mobile_number": mobile_number,
"state": state,
"blocked": blocked,
}
user = User.query.filter_by(email_address=email).first()
if not user:
user = User(**data)
save_model_user(user)
return user
def create_user(
mobile_number="+16502532222",
email="*****@*****.**",
state='active',
id_=None,
name="Test User",
blocked=False,
):
data = {
'id': id_ or uuid.uuid4(),
'name': name,
'email_address': email,
'password': '******',
'mobile_number': mobile_number,
'state': state,
'blocked': blocked
}
user = User.query.filter_by(email_address=email).first()
if not user:
user = User(**data)
save_model_user(user)
return user
def test_get_all_user_services_only_returns_services_user_has_access_to(
notify_db_session, ):
user = create_user()
create_service(service_name="service 1", user=user, email_from="service.1")
create_service(service_name="service 2", user=user, email_from="service.2")
service_3 = create_service(service_name="service 3",
user=user,
email_from="service.3")
new_user = User(
name="Test User",
email_address="*****@*****.**",
password="******",
mobile_number="+16502532222",
)
save_model_user(new_user)
dao_add_user_to_service(service_3, new_user)
assert len(dao_fetch_all_services_by_user(user.id)) == 3
assert dao_fetch_all_services_by_user(user.id)[0].name == "service 1"
assert dao_fetch_all_services_by_user(user.id)[1].name == "service 2"
assert dao_fetch_all_services_by_user(user.id)[2].name == "service 3"
assert len(dao_fetch_all_services_by_user(new_user.id)) == 1
assert dao_fetch_all_services_by_user(new_user.id)[0].name == "service 3"
def test_create_user_fails_when_violates_password_or_identity_provider_constraint(
notify_db_session, test_email, test_name):
data = {'name': test_name, 'email_address': test_email}
with pytest.raises(IntegrityError):
user = User(**data)
save_model_user(user)
