def test_login_bad_data(self, app, db):
"""login should flash an error message if login is incorrect."""
with app.test_client() as tc:
rv = login('not', 'themama', tc=tc)
assert 'Error: Login information' in str(rv.data)
user = make_dummy_user()
user.confirmed = True
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
rv2 = login(user.name, 'badpassword', tc=tc)
assert 'Error: Login information' in str(rv2.data)
with app.test_client() as tc:
rv3 = login('badusername', 'hunter2', tc=tc)
assert 'Error: Login information' in str(rv3.data)
def test_login_success(self, app, db):
"""login should flash a success message on success."""
user = make_dummy_user()
user.confirmed = True
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
rv = login(user.name, 'hunter2', tc=tc)
assert 'You are now logged in' in str(rv.data)
def test_index(app):
ma = Marshmallow(app)
views.index
app.register_blueprint(bp)
with app.test_client() as client:
resp = client.get('/index')
data = json.loads(resp.data.decode())
db.session.remove()
assert resp.status_code == 200
def test_count(app):
ma = Marshmallow(app)
views.create_short_url
app.register_blueprint(bp)
with app.test_client() as client:
test_link = Url.query.filter_by(long_url=link).delete()
db.session.commit()
db.session.remove()
assert Url.query.filter_by(long_url=link).first() == None
def test_login_not_confirmed(self, app, db):
"""login should flash an error message if account isn't confirmed."""
user = make_dummy_user()
user.confirmed = False
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
rv = login(user.name, 'hunter2', tc=tc)
assert 'Error: Account not confirmed!' in str(rv.data)
def test_confirm_account_confirms_account_with_valid_token(self, app, db):
"""User.confirmed is true if confirm_account given a valid token."""
user = make_dummy_user()
db.session.add(user)
db.session.commit()
assert not user.confirmed
token = user.generate_account_confirmation_token()
with app.test_client() as tc:
tc.get(url_for('auth.confirm_account', token=token))
assert user.confirmed
def test_delete_user_nonexistent(self, app, db):
"""Flash an error if user does not exist."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.delete_user', uid=42),
follow_redirects=True)
assert 'Error: No user exists with that ID number!' in str(rv.data)
def test_manage_user_no_user_with_user_id(self, app, db):
"""manage_user flashes an error if no matching user.id found in db."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.manage_user', user_id=999),
follow_redirects=True)
assert 'Error: No user exists with' in str(rv.data)
def test_manage_user_user_id_not_integer(self, app, db):
"""manage_user flashes an error if user_id is not an integer."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.manage_user', user_id='3d'),
follow_redirects=True)
assert 'Error: User id must be an integer!' in str(rv.data)
def test_delete_user_malformed_uid(self, app, db):
"""Flash an error when uid is not an integer."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.delete_user', uid='frogs'),
follow_redirects=True)
assert 'Error: Invalid or malformed user ID!' in str(rv.data)
def test_delete_user_delete_self(self, app, db):
"""Flash an error when user tries to delete their own account."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.delete_user', uid=user.id),
follow_redirects=True)
assert 'Error: You cannot delete yourself!' in str(rv.data)
def test_logout(self, app, db):
"""logout flashes a message telling the user they logged out."""
user = make_dummy_user()
user.confirmed = True
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.logout'), follow_redirects=True)
assert 'You have been logged out.' in str(rv.data)
def test_manage_user_no_user_id(self, app, db):
"""manage_user redirects to /auth/select_user if given no user_id."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.manage_user'), follow_redirects=False)
print(rv.data)
assert '/auth/select_user' in str(rv.location)
def test_add_to_app(self, app):
"""Add a url_rule for redirect to given app."""
rd = Redirect('/old/path', '/new/path', 302)
with app.test_client():
assert '/old/path' not in [rule.rule for
rule in
app.url_map.iter_rules()]
rd.add_to_app(app)
assert '/old/path' in [rule.rule for
rule in
app.url_map.iter_rules()]
def test_resend_confirmation_success_message(self, app, db):
"""resend_confirmation flashes a success message on successful sub."""
user = make_dummy_user()
user.confirmed = False
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
rv = tc.post(url_for('auth.resend_confirmation'),
data=dict(email=user.email),
follow_redirects=True)
assert 'Confirmation email sent to' in str(rv.data)
def test_delete_user_renders_page(self, app, db):
"""The page for deleting a user is presented if uid is valid."""
user = make_smart_user()
cavy = make_guinea_pig()
db.session.add(cavy)
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.delete_user', uid=cavy.id),
follow_redirects=True)
assert 'THIS CANNOT BE UNDONE' in str(rv.data)
def test_reset_password_request_email_request_too_soon(self, app, db):
"""Flash an error if request made too soon after previous one."""
app.config['ERFP_MINUTES_BETWEEN_REQUESTS'] = 5
user = make_dummy_user()
user.log_email_request('reset password')
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
rv = tc.post(url_for('auth.reset_password_request'),
data=dict(email=user.email),
follow_redirects=True)
assert 'Error: A request to reset your password has' in str(rv.data)
def test_manage_user_change_username(self, app, db):
"""manage_user changes username if not in use already."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
data = self.make_form_data(user, username='******')
tc.post(url_for('auth.manage_user', user_id=user.id),
data=data,
follow_redirects=True)
assert user.name == 'BlueZirconia'
def test_confirm_new_email_with_bad_token(self, app, db):
"""confirm_new_email given a bad token redirects w/ error message."""
user = make_dummy_user()
user.confirmed = True
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.confirm_new_email',
token='badtoken'),
follow_redirects=True)
assert 'Error: could not change email' in str(rv.data)
def test_manage_user_no_changes(self, app, db):
"""manage_user flashes a message if no changes are made."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
data = self.make_form_data(user)
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.post(url_for('auth.manage_user', user_id=user.id),
data=data,
follow_redirects=True)
assert 'No changes made' in str(rv.data)
def test_reset_password_request_success_message(self, app, db):
"""reset_password_request flashes a success message on success."""
user = make_dummy_user()
user.confirmed = True
db.session.add(user)
db.session.commit()
data = dict(email=user.email)
with app.test_client() as tc:
rv = tc.post(url_for('auth.reset_password_request'),
data=data,
follow_redirects=True)
assert 'An email with instructions' in str(rv.data)
def test_manage_user_prevents_confirmed_lockout(self, app, db):
"""Flash error if user tries to revoke own account confirmation."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
data = self.make_form_data(user, confirmed=False)
rv = tc.post(url_for('auth.manage_user', user_id=user.id),
data=data,
follow_redirects=True)
assert user.confirmed
assert 'Error: You cannot revoke your own' in str(rv.data)
def test_confirm_new_email_with_valid_token(self, app, db):
"""confirm_new_email sets new email address w/ valid token."""
user = make_dummy_user()
user.confirmed = True
db.session.add(user)
db.session.commit()
new_email = '*****@*****.**'
token = user.generate_new_email_token(new_email)
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
tc.get(url_for('auth.confirm_new_email', token=token))
user2 = User.query.get(user.id)
assert new_email == user2.email
def test_register_success_message(self, app, db):
"""register flashes a success message on successful submission."""
data = dict(
email='*****@*****.**',
email2='*****@*****.**',
password='******',
password2='hunter2',
username='******')
with app.test_client() as tc:
rv = tc.post(url_for('auth.register'),
data=data,
follow_redirects=True)
assert 'A confirmation email has been sent' in str(rv.data)
def test_manage_user_change_email_address(self, app, db):
"""manage_user changes email address if new one not in use already."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
new_email = '*****@*****.**'
data = self.make_form_data(user, email=new_email)
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
tc.post(url_for('auth.manage_user', user_id=user.id),
data=data,
follow_redirects=True)
assert user.email == new_email
def test_manage_user_prevents_manage_users_lockout(self, app, db):
"""Flash error if user tries to revoke their own MANAGE_USERS perm."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
data = self.make_form_data(user, manage_users=False)
rv = tc.post(url_for('auth.manage_user', user_id=user.id),
data=data,
follow_redirects=True)
assert user.can(Permission.MANAGE_USERS)
assert 'Error: Please do not try to remove' in str(rv.data)
def test_validate_current_password(self, app, db):
"""validate_current_password raises exception w/ bad password."""
user = create_dummy_user()
user.confirmed = True
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
tc.post('/auth/login', data=dict(login=user.name,
password='******'),
follow_redirects=True)
form = EditUserForm()
form.current_password.data = 'turtles'
with pytest.raises(ValidationError):
form.validate_current_password(form.current_password)
def test_resend_confirmation_email_request_too_soon(self, app, db):
"""Flash an errror if request made too soon after previous one."""
app.config['ERFP_MINUTES_BETWEEN_REQUESTS'] = 5
user = make_dummy_user()
db.session.add(user)
db.session.commit()
user.log_email_request('confirm account')
data = dict(email=user.email)
with app.test_client() as tc:
rv = tc.post(url_for('auth.resend_confirmation'),
data=data,
follow_redirects=True)
assert 'Error: A confirmation email has already been sent' in\
str(rv.data)
def test_register_adds_user_to_database(self, app, db):
"""register adds user to db if form validates."""
data = dict(
email='*****@*****.**',
email2='*****@*****.**',
password='******',
password2='hunter2',
username='******')
with app.test_client() as tc:
tc.post(url_for('auth.register'),
data=data,
follow_redirects=True)
user = User.query.filter_by(name='AzureDiamond').first()
assert user.email == '*****@*****.**'
def test_api(app):
ma = Marshmallow(app)
views.create_short_url
app.register_blueprint(bp)
with app.test_client() as client:
response = client.post(
'/long_to_short',
data=json.dumps(dict(long_url=link)),
content_type='application/json',
)
data = json.loads(response.data.decode())
db.session.remove()
assert response.status_code == 201
assert 'localhost' in data['short_link']
def test_manage_user_prevents_change_to_email_of_other_user(self, app, db):
"""Flash an error if new email is in use by another user."""
user = make_smart_user()
db.session.add(user)
cavy = make_guinea_pig()
db.session.add(cavy)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
data = self.make_form_data(cavy, email=user.email)
rv = tc.post(url_for('auth.manage_user', user_id=cavy.id),
data=data,
follow_redirects=True)
assert 'Error: Email address already in' in str(rv.data)
def test_select_user_success_redirect(self, app, db):
"""select_user should redirect to target_route if successful."""
user = make_smart_user()
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.post(url_for('auth.select_user',
target_route='auth.manage_user'),
data=dict(select_user=1),
follow_redirects=False)
assert rv.location == url_for('auth.manage_user',
user_id=1,
_external=True)
def test_resend_confirmation_logged_in_user(self, app, db):
"""resend_confirmation flashes an error if user is logged in.
Since users can't log in without being confirmed, there's no point in
letting them resend confirmation emails if they're logged in!
"""
user = make_dummy_user()
user.confirmed = True
db.session.add(user)
db.session.commit()
with app.test_client() as tc:
login(user.name, 'hunter2', tc=tc)
rv = tc.get(url_for('auth.resend_confirmation'),
follow_redirects=True)
assert 'Error: Your account is already' in str(rv.data)
def test_get_wtforms_errors(self):
""" Tests the get_wtforms_errors function by posting to /login with
missing parameters. This also tests the new_line_to_break Jinja2
filter. The expected return value is an error stating that both the
username and password was not provided with a <br> in between
"""
client = app.test_client()
rv = client.post('/login',
data=dict(auth_source='PostMaster User'),
follow_redirects=True)
error_option_one = \
'The username was not provided<br>The password was not provided'
error_option_two = \
'The password was not provided<br>The username was not provided'
assert error_option_one in rv.data.decode('utf-8') or \
error_option_two in rv.data.decode('utf-8')
def test_account_lockout_from_ui(self):
""" Tests that the user gets an account lockout message after 5 failed
attempts.
"""
client = app.test_client()
for i in range(6):
rv = client.post('/login',
data=dict(username='******',
password='******',
auth_source='PostMaster User'),
follow_redirects=True)
error_msg = ('The user is currently locked out. Please try logging in '
'again later.')
assert error_msg in rv.data.decode('utf-8')
def __init__(self, access_token, refresh_token, default_auth=None):
# Use basic auth for socketio client
self.socketio = socketio.test_client(
app, headers={'Authorization': 'Basic dGVzdDp0ZXN0'})
# Use jwt
self.socketio_jwt = socketio.test_client(
app, headers={'Authorization': f'Bearer {access_token}'})
self.http = app.test_client()
self.headers = {}
self.access_token = access_token
self.refresh_token = refresh_token
if default_auth:
self.set_auth(default_auth)
def test_validate_wtforms_password(self):
""" Tests the validate_wtforms_password function by logging in with an
authorized LDAP user, and expects the Dashboard page (view when logged
in) to be returned
"""
user_dn = 'CN=Test User,OU=PostMaster,DC=postmaster,DC=local'
# Mocks the AD instantiation in validate_wtforms_password with the
# Mocked LDAP instance created from the manage_mock_ldap decorator.
# We are patching utils because of the way it is imported
with patch('postmaster.utils.AD') as mock_ad:
self.ad_obj.check_nested_group_membership = Mock(return_value=True)
mock_ad.return_value = self.ad_obj
client = app.test_client()
rv = client.post('/login',
data=dict(username=user_dn,
password='******',
auth_source='postmaster.local'),
follow_redirects=True)
assert '<h2 class="textHeading">Dashboard</h2>' in \
rv.data.decode('utf-8')