Пример #1
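    def test_recovery_codes_regenerate(self, email_log):
        """Regenerating recovery codes (PUT) replaces the code set, advances
        ``createdAt`` and emits the ``recovery-codes-regenerated`` security
        notification; plain GETs must never rotate the codes.

        Args:
            email_log: fixture capturing the security e-mail log, checked via
                ``_assert_security_email_sent`` at the end.
        """
        interface = RecoveryCodeInterface()
        interface.enroll(self.user)

        url = reverse(
            "sentry-api-0-user-authenticator-details",
            kwargs={"user_id": self.user.id, "auth_id": interface.authenticator.id},
        )

        # Reading the codes is side-effect free: two GETs return the same data.
        resp = self.client.get(url)
        assert resp.status_code == 200
        old_codes = resp.data["codes"]
        old_created_at = resp.data["createdAt"]

        resp = self.client.get(url)
        assert resp.status_code == 200
        assert old_codes == resp.data["codes"]
        assert old_created_at == resp.data["createdAt"]

        # Regenerate a day later so the new ``createdAt`` is distinguishable
        # from the enrollment timestamp.
        tomorrow = timezone.now() + datetime.timedelta(days=1)
        with mock.patch.object(timezone, "now", return_value=tomorrow):
            resp = self.client.put(url)
            # Pin the API contract for a successful regeneration; without this
            # a rejected PUT would only surface indirectly through the
            # codes-unchanged assertions below.
            assert resp.status_code == 200

            resp = self.client.get(url)
            assert resp.status_code == 200
            assert old_codes != resp.data["codes"]
            assert old_created_at != resp.data["createdAt"]

        # Rotating recovery codes is a security-relevant account change and
        # must notify the user.
        self._assert_security_email_sent("recovery-codes-regenerated", email_log)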
Пример #2
    def test_recovery_codes_regenerate(self):
        """Regenerating recovery codes via PUT replaces the code set, advances
        ``createdAt`` and sends the ``recovery-codes-regenerated`` security
        e-mail; repeated GETs must leave the codes untouched.
        """
        recovery = RecoveryCodeInterface()
        recovery.enroll(self.user)

        def fetch(**params):
            # Hit this user's recovery authenticator with the given method
            # (GET by default); the helper asserts a successful status.
            return self.get_success_response(
                self.user.id, recovery.authenticator.id, **params
            )

        first = fetch()
        original_codes = first.data["codes"]
        original_created_at = first.data["createdAt"]

        # Reading is side-effect free: a second read returns identical data.
        second = fetch()
        assert second.data["codes"] == original_codes
        assert second.data["createdAt"] == original_created_at

        # Advance the clock so the regenerated createdAt is distinguishable.
        tomorrow = timezone.now() + datetime.timedelta(days=1)
        with mock.patch.object(timezone, "now", return_value=tomorrow):
            with self.tasks():
                fetch(method="put")
                after = fetch()
            assert after.data["codes"] != original_codes
            assert after.data["createdAt"] != original_created_at

        # Rotating recovery codes is a security-relevant change: the user
        # must be notified.
        assert_security_email_sent("recovery-codes-regenerated")
Пример #3
    def test_get_recovery_codes(self):
        """GET on a recovery-code authenticator returns the codes and sends no
        e-mail: reading existing codes is not treated as a security event.
        """
        recovery = RecoveryCodeInterface()
        recovery.enroll(self.user)

        # Run queued tasks eagerly so any mail the request would send is in
        # the outbox by the time we inspect it.
        with self.tasks():
            details = self.get_success_response(
                self.user.id, recovery.authenticator.id
            )

        payload = details.data
        assert payload["id"] == "recovery"
        assert payload["authId"] == str(recovery.authenticator.id)
        assert len(payload["codes"])

        assert len(mail.outbox) == 0
Пример #4
    def test_get_recovery_codes(self, email_log):
        """GET on a recovery-code authenticator returns the codes and logs no
        security e-mail: reading existing codes is not a security event.

        Args:
            email_log: fixture capturing the security e-mail log; its
                ``info`` call count is expected to stay at zero.
        """
        recovery = RecoveryCodeInterface()
        recovery.enroll(self.user)

        details_url = reverse(
            "sentry-api-0-user-authenticator-details",
            kwargs={
                "user_id": self.user.id,
                "auth_id": recovery.authenticator.id,
            },
        )

        details = self.client.get(details_url)
        assert details.status_code == 200

        payload = details.data
        assert payload["id"] == "recovery"
        assert payload["authId"] == six.text_type(recovery.authenticator.id)
        assert len(payload["codes"])

        assert email_log.info.call_count == 0
Пример #5
    def test_owner_can_only_reset_member_2fa(self):
        """An organization owner must not be able to read a member's
        authenticator details or regenerate a member's recovery codes;
        both requests are expected to be rejected with 403.
        """
        self.login_as(self.owner)

        # Reading another user's authenticator is forbidden.
        details_path = reverse(
            "sentry-api-0-user-authenticator-details",
            args=[self.member.id, self.interface_id],
        )
        details = self.client.get(details_path)
        assert details.status_code == 403

        # Regenerating another user's recovery codes is forbidden as well.
        # NOTE(review): the recovery interface is enrolled for self.user while
        # the path names self.member — confirm the 403 comes from the
        # permission check rather than from the user/authenticator mismatch.
        recovery = RecoveryCodeInterface()
        recovery.enroll(self.user)
        regenerate_path = reverse(
            "sentry-api-0-user-authenticator-details",
            args=[self.member.id, recovery.authenticator.id],
        )
        regenerate = self.client.put(regenerate_path)
        assert regenerate.status_code == 403
Пример #6
    def test_correct_redirect_as_2fa_user_no_membership(self):
        """A user with TOTP enrolled is sent to the 2FA challenge after a
        valid password login even when they belong to no organization.
        """
        user = self.create_user("*****@*****.**")

        # Recovery codes plus a TOTP device: the account is 2FA-enabled.
        for interface in (RecoveryCodeInterface(), TotpInterface()):
            interface.enroll(user)

        login_form = {"username": user, "password": "******", "op": "login"}
        resp = self.client.post(self.path, login_form, follow=True)

        # The password alone must not complete the login; the only hop is the
        # redirect to the second-factor challenge.
        assert resp.redirect_chain == [("/auth/2fa/", 302)]
Пример #7
    def test_user_has_2fa(self):
        """``user_has_2fa`` is True only once a real second factor (TOTP) is
        enrolled; recovery codes alone create an authenticator row but do
        not count as two-factor authentication.
        """
        user = self.create_user("*****@*****.**")

        def authenticator_count():
            return Authenticator.objects.filter(user=user).count()

        # Fresh user: nothing enrolled.
        assert Authenticator.objects.user_has_2fa(user) is False
        assert authenticator_count() == 0

        # Recovery codes are a backup mechanism, not a second factor.
        RecoveryCodeInterface().enroll(user)
        assert Authenticator.objects.user_has_2fa(user) is False
        assert authenticator_count() == 1

        # A TOTP device is what actually turns 2FA on.
        TotpInterface().enroll(user)
        assert Authenticator.objects.user_has_2fa(user) is True
        assert authenticator_count() == 2
Пример #8
    def test_correct_redirect_as_2fa_user_invited_member(self):
        """A 2FA-enrolled user who is a (still invited) organization member is
        sent to the 2FA challenge after a valid password login.
        """
        user = self.create_user("*****@*****.**")

        # Recovery codes plus a TOTP device: the account is 2FA-enabled.
        for interface in (RecoveryCodeInterface(), TotpInterface()):
            interface.enroll(user)

        # Give the membership an explicit e-mail, as an invited member has.
        self.create_member(organization=self.organization, user=user)
        membership = OrganizationMember.objects.get(
            organization=self.organization, user=user
        )
        membership.email = "*****@*****.**"
        membership.save()

        login_form = {"username": user, "password": "******", "op": "login"}
        resp = self.client.post(self.path, login_form, follow=True)

        # The password alone must not complete the login; the only hop is the
        # redirect to the second-factor challenge.
        assert resp.redirect_chain == [("/auth/2fa/", 302)]
Пример #9
    def test_login_valid_credentials_2fa_redirect(self):
        """Valid credentials for a 2FA-enrolled organization member produce a
        302 to the 2FA challenge rather than a completed login.
        """
        user = self.create_user("*****@*****.**")
        for interface in (RecoveryCodeInterface(), TotpInterface()):
            interface.enroll(user)
        self.create_member(organization=self.organization, user=user)

        # Load the login page first; presumably this sets up the session /
        # form state the POST needs — verify against the view if it changes.
        self.client.get(self.path)

        login_form = {
            "username": user.username,
            "password": "******",
            "op": "login"
        }
        resp = self.client.post(self.path, login_form)

        # The password step alone must not complete the login.
        assert resp.url == "/auth/2fa/"
        assert resp.status_code == 302
        assert resp.status_code == 302