def test_should_redirect_after_mobile_number_confirm(
client_request,
mocker,
mock_update_user_attribute,
mock_check_verify_code,
fake_uuid,
phone_number_to_register_with,
):
user_before = create_user(fake_uuid)
user_after = create_user(fake_uuid)
user_before['current_session_id'] = str(uuid.UUID(int=1))
user_after['current_session_id'] = str(uuid.UUID(int=2))
# first time (login decorator) return normally, second time (after 2FA return with new session id)
mocker.patch('app.user_api_client.get_user', side_effect=[user_before, user_after])
with client_request.session_transaction() as session:
session['new-mob-password-confirmed'] = True
session['new-mob'] = phone_number_to_register_with
session['current_session_id'] = user_before['current_session_id']
client_request.post(
'main.user_profile_mobile_number_confirm',
_data={'two_factor_code': '12345'},
_expected_status=302,
_expected_redirect=url_for(
'main.user_profile',
_external=True,
)
)
# make sure the current_session_id has changed to what the API returned
with client_request.session_transaction() as session:
assert session['current_session_id'] == user_after['current_session_id']
def setup(cls):
cls.course1 = conftest.create_course(1)
cls.course2 = conftest.create_course(2)
cls.course_no_submissions = conftest.create_course(3)
cls.course_no_exercises = conftest.create_course(4)
cls.ex1_1 = conftest.create_exercise(cls.course1, 1, 1)
cls.ex1_2 = conftest.create_exercise(cls.course1, 2, 2)
cls.ex2_1 = conftest.create_exercise(cls.course2, 1, 3)
cls.ex3_1 = conftest.create_exercise(cls.course_no_submissions, 1, 4)
cls.user1 = conftest.create_user(index=1)
cls.user2 = conftest.create_user(index=2)
conftest.create_usercourse(cls.user1, cls.course1)
conftest.create_usercourse(cls.user1, cls.course2)
conftest.create_usercourse(cls.user2, cls.course1)
solution = conftest.create_solution
cls.s1 = solution(cls.ex1_1, cls.user1)
cls.s2 = solution(cls.ex1_1, cls.user1, code='Other submission')
cls.s3 = solution(cls.ex1_1, cls.user2)
cls.s4 = solution(cls.ex1_2, cls.user1)
cls.s5 = solution(cls.ex2_1, cls.user1)
def test_authenticate_error(app: Devicehub):
"""Tests the authenticate method with wrong token values."""
with app.app_context():
MESSAGE = 'Provide a suitable token.'
create_user()
# Token doesn't exist
with pytest.raises(Unauthorized, message=MESSAGE):
app.auth.authenticate(token=str(uuid4()))
# Wrong token format
with pytest.raises(Unauthorized, message=MESSAGE):
app.auth.authenticate(token='this is a wrong uuid')
def test_verify_user(client):
"""Test verify User token route"""
username = "******"
password = "******"
verified_user = create_user(username, password, is_verified=False)
add_user_to_db(verified_user)
verified_user.id = 0
token = verified_user.get_email_token()
no_token_rv = client.get('/verify', follow_redirects=True)
assert no_token_rv.status_code == 401
assert b'Please log in' in no_token_rv.data
invalid_rv = client.get('/verify?token={}'.format("token"),
follow_redirects=True)
assert invalid_rv.status_code == 401
assert b'Please log in' in invalid_rv.data
valid_rv = client.get('/verify?token={}'.format(token),
follow_redirects=True)
assert valid_rv.status_code == 200
assert verified_user.is_verified is True
assert b'This is a restricted page! <User %b>' % username.encode('utf-8') \
in valid_rv.data
def test_login_success(client: Client, app: Devicehub):
"""
Tests successfully performing login.
This checks that:
- User is returned.
- User has token.
- User has not the password.
"""
with app.app_context():
create_user()
user, _ = client.post({
'email': '*****@*****.**',
'password': '******'
},
uri='/users/login',
status=200)
assert user['email'] == '*****@*****.**'
assert UUID(b64decode(user['token'].encode()).decode()[:-1])
assert 'password' not in user
def test_login_failure(client: Client, app: Devicehub):
"""Tests performing wrong login."""
# Wrong password
with app.app_context():
create_user()
client.post({
'email': '*****@*****.**',
'password': '******'
},
uri='/users/login/',
status=WrongCredentials)
# Wrong URI
client.post({}, uri='/wrong-uri', status=NotFound)
# Malformed data
client.post({}, uri='/users/login/', status=ValidationError)
client.post({
'email': 'this is not an email',
'password': '******'
},
uri='/users/login/',
status=ValidationError)
def test_author():
"""
Checks the default created author.
Note that the author can be accessed after inserting the row.
"""
user = create_user()
g.user = user
e = EventWithOneDevice(device=Device())
db.session.add(e)
assert e.author is None
assert e.author_id is None
db.session.commit()
assert e.author == user
def test_login_success(client: Client, app: Devicehub):
"""Tests successfully performing login.
This checks that:
- User is returned.
- User has token.
- User has not the password.
"""
with app.app_context():
create_user()
user, _ = client.post({
'email': '*****@*****.**',
'password': '******'
},
uri='/users/login/',
status=200)
assert user['email'] == '*****@*****.**'
assert UUID(auth.Auth.decode(user['token']))
assert 'password' not in user
assert user['individuals'][0]['name'] == 'Timmy'
assert user['individuals'][0]['type'] == 'Person'
assert len(user['individuals']) == 1
assert user['inventories'][0]['id'] == 'test'
def test_authorized_request(client):
"""Test authorized requests"""
username = "******"
password = "******"
add_user_to_db(create_user(username, password))
login_rv = client.post('/login',
data=dict(username=username, password=password),
follow_redirects=True)
get_index = client.get('/')
assert get_index.status_code == 200
get_files = client.get('/files')
assert get_files.status_code == 200
def test_get_file_by_id(client, s3_fixture):
username = '******'
user_id = 0
file_id = 0
file_2_id = 1
invalid_file_id = 9
password = '******'
file_name = 'test.pdf'
file_2_name = 'test2.pdf'
file_desc = 'This is a test file description'
(s3_client, s3) = s3_fixture
s3_client.create_bucket(Bucket=TEST_S3_BUCKET)
user = create_user(username, password)
user.id = user_id
add_user_to_db(user)
file = create_file(name=file_name,
id=file_id,
desc=file_desc,
username=username,
user_id=user_id)
file_2 = create_file(name=file_2_name,
id=file_2_id,
username=username,
user_id=user_id)
add_file_to_db(file)
add_file_to_db(file_2)
s3.Bucket(TEST_S3_BUCKET).put_object(Key=file.key,
Body=io.BytesIO(b'this is a test'))
client.post('/login', data=dict(username=username, password=password))
invalid_file_id_rv = client.get('/files/{}'.format(invalid_file_id))
assert b'File does not exist' in invalid_file_id_rv.data
file_not_in_bucket_rv = client.get('/files/{}'.format(file_2_id))
assert b'File not in your folder' in file_not_in_bucket_rv.data
valid_get_rv = client.get('/files/{}'.format(file_id))
assert valid_get_rv.status_code == 200
assert file_desc in valid_get_rv.data.decode("utf-8")
def test_delete_user(client, s3_fixture):
"""Delete a User and that User's bucket"""
s3_client = s3_fixture[0]
s3_client.create_bucket(Bucket=TEST_S3_BUCKET)
username = "******"
password = "******"
add_user_to_db(create_user(username, password))
valid_login_rv = client.post('/login',
data=dict(username=username,
password=password),
follow_redirects=True)
delete_rv = client.delete('/user/delete')
assert delete_rv.status_code == 200
assert b'User deleted' in delete_rv.data
def test_edit_file_by_id(client, s3_fixture):
username = '******'
user_id = 0
password = '******'
file_name = 'test.pdf'
file_id = 0
file_desc = "This will change."
file_desc_changed = "This is changed."
file_desc_too_long = "t" * 131
invalid_file_id = 9
file = create_file(name=file_name,
id=file_id,
username=username,
user_id=user_id,
desc=file_desc)
add_user_to_db(create_user(username, password))
add_file_to_db(file)
client.post('/login', data=dict(username=username, password=password))
invalid_file_id_rv = client.patch('/files/{}/edit'.format(invalid_file_id))
assert b'File does not exist' in invalid_file_id_rv.data
missing_form_rv = client.patch('/files/{}/edit'.format(file_id))
assert b'Missing part of your form' in missing_form_rv.data
assert missing_form_rv.status_code == 400
too_long_desc_rv = client.patch('/files/{}/edit'.format(file_id),
data=dict(body=file_desc_too_long))
assert b'File description must be less than 130 characters' \
in too_long_desc_rv.data
assert too_long_desc_rv.status_code == 400
file_edit_rv = client.patch('/files/{}/edit'.format(file_id),
data=dict(body=file_desc_changed))
assert file.body == file_desc_changed
assert b'File edited!' in file_edit_rv.data
assert file_edit_rv.status_code == 200
def test_read_related(
self,
student_user: User,
solution: Solution,
exercise: Exercise,
):
solution2 = conftest.create_solution(student_user, exercise)
student_user2 = conftest.create_user(index=1)
messages = [
conftest.create_notification(student_user, solution),
conftest.create_notification(student_user, solution),
conftest.create_notification(student_user, solution),
conftest.create_notification(student_user, solution2),
conftest.create_notification(student_user2, solution),
]
assert all(not n.viewed for n in messages)
notifications.read_related(solution.id, student_user)
# peewee...
messages = [Notification.get_by_id(n.id) for n in messages]
assert all(n.viewed for n in messages[:3])
assert all(not n.viewed for n in messages[3:])
def test_logout_user(client):
"""Test User logout"""
username = "******"
password = "******"
add_user_to_db(create_user(username, password))
valid_login_rv = client.post('/login',
data=dict(username=username,
password=password),
follow_redirects=True)
logged_in_rv = client.get('/')
assert logged_in_rv.status_code == 200
logout_rv = client.get('/logout')
assert b'Logged out' in logout_rv.data
logged_out_rv = client.get('/', follow_redirects=True)
assert logged_out_rv.status_code == 401
assert b'Please log in' in logged_out_rv.data
def test_unverified_login(client):
"""
Test unverified login and resend verification email
NOTE: This test will fail if your SendGrid API key
is not set
"""
username = "******"
password = "******"
email = "*****@*****.**"
unverified_user = create_user(username, password, is_verified=False)
unverified_user.email = "*****@*****.**"
add_user_to_db(unverified_user)
unverified_login_rv = client.post('/login',
data=dict(username=username,
password=password),
follow_redirects=True)
assert unverified_login_rv.status_code == 401
assert b'Please verify your account. We just sent another email' \
in unverified_login_rv.data
def test_delete_file_by_id(client, s3_fixture):
username = '******'
user_id = 0
password = '******'
file_id = 0
file_2_id = 1
invalid_file_id = 9
file_name = 'test.pdf'
file_2_name = 'test2.pdf'
(s3_client, s3) = s3_fixture
s3_client.create_bucket(Bucket=TEST_S3_BUCKET)
add_user_to_db(create_user(username, password))
file = create_file(name=file_name,
id=file_id,
username=username,
user_id=user_id)
file_2 = create_file(name=file_2_name,
id=file_2_id,
username=username,
user_id=user_id)
add_file_to_db(file)
add_file_to_db(file_2)
client.post('/login', data=dict(username=username, password=password))
invalid_file_id_rv = client.delete(
'/files/{}/delete'.format(invalid_file_id))
assert b'File does not exist' in invalid_file_id_rv.data
delete_file_rv = client.delete('/files/{}/delete'.format(file_id))
assert delete_file_rv.status_code == 200
assert b'File removed' in delete_file_rv.data
def test_login_user(client):
"""Test login user"""
username = "******"
password = "******"
add_user_to_db(create_user(username, password))
valid_login_rv = client.post('/login',
data=dict(username=username,
password=password),
follow_redirects=True)
assert valid_login_rv.status_code == 200
invalid_login_rv = client.post('/login',
data=dict(username="******",
password="******"),
follow_redirects=True)
assert invalid_login_rv.status_code == 400
invalid_form_rv = client.post('/login',
data=dict(username=username),
follow_redirects=True)
assert invalid_form_rv.status_code == 400
def test_hash_password(app: Devicehub):
"""Tests correct password hashing and equaling."""
with app.app_context():
user = create_user()
assert isinstance(user.password, Password)
assert user.password == 'foo'
def test_hash_password():
"""Tests correct password hashing and equaling."""
user = create_user()
assert isinstance(user.password, Password)
assert user.password == 'foo'
def test_upload_file(client, s3_fixture):
username = '******'
password = '******'
invalid_file_name = 'test.txt'
valid_file_name = 'test.pdf'
invalid_file_desc = "test" * 50
(s3_client, s3) = s3_fixture
s3_client.create_bucket(Bucket=TEST_S3_BUCKET)
s3.Bucket(TEST_S3_BUCKET).put_object(Key=username + '/')
add_user_to_db(create_user(username, password))
client.post('/login', data=dict(username=username, password=password))
# Form missing file
missing_file_rv = client.post('/files', follow_redirects=True)
assert missing_file_rv.status_code == 400
assert b'Missing part of your form' in missing_file_rv.data
# Invalid file type
invalid_file_type_rv = client.post(
'/files',
data=dict(text="This is a file",
date="some date",
file=(io.BytesIO(b'this is a test'), invalid_file_name)),
follow_redirects=True)
assert invalid_file_type_rv.status_code == 400
assert b'Invalid file type' in invalid_file_type_rv.data
# File missing name
missing_filename_rv = client.post(
'/files',
data=dict(text="This is a file",
date="some date",
file=(io.BytesIO(b'this is a test'), '')),
follow_redirects=True)
assert missing_filename_rv.status_code == 400
assert b'missing file name' in missing_filename_rv.data
# File description too long
invalid_file_desc_rv = client.post(
'/files',
data=dict(text=invalid_file_desc,
date="some date",
file=(io.BytesIO(b'this is a test'), valid_file_name)),
follow_redirects=True)
assert invalid_file_desc_rv.status_code == 400
assert b'File description must be less than 130 characters' \
in invalid_file_desc_rv.data
# Valid file post
post_file_rv = client.post('/files',
data=dict(text="This is a file",
date="some date",
file=(io.BytesIO(b'this is a test'),
valid_file_name)),
follow_redirects=True)
assert post_file_rv.status_code == 200
assert b'Uploaded %b' % valid_file_name.encode('utf-8') \
in post_file_rv.data
# Filename already exists
file_exists_rv = client.post('/files',
data=dict(text="This is a file",
date="some date",
file=(io.BytesIO(b'this is a test'),
valid_file_name)),
follow_redirects=True)
assert file_exists_rv.status_code == 400
assert b'You already have a file with that name' in file_exists_rv.data
def test_member(request,accounts,invitations,bilateral,client,variant,settings):
from idapi.backendviews import get_members, update_members
from accounts.models import Account, NestedGroup, Invitation, EMailConfirmation
from ekklesia.data import json_decrypt, json_encrypt
from django.conf import settings
import os, json
twofactor = variant=='2fac'
setattr(settings, 'TWO_FACTOR_SIGNUP',twofactor)
#setattr(settings, 'DEBUG',True)
Invitation.objects.create(code='inv6',secret='password6',uuid='uid6',status=Invitation.REGISTERING)
Invitation.objects.create(code='inv7',secret='password7',uuid='uid7',status=Invitation.REGISTERING)
Invitation.objects.create(code='inv8',secret='password8',uuid='uid8',status=Invitation.REGISTERING)
member6 = create_user(username='******',status=Account.NEWMEMBER,is_active=False,
email='member6@localhost',uuid='uid6')
member7 = create_user(username='******',status=Account.NEWMEMBER,is_active=False,
email='member7@localhost',uuid='uid7')
member8 = create_user(username='******',status=Account.NEWMEMBER,is_active=False,
email='member8@localhost',uuid='uid8')
conf8 = EMailConfirmation.objects.create(user=member8, confirmation_key='key8')
activate = ['activate'] if twofactor else []
response, members = api(client,'backend/members/?new=1',user='******')
assert response.status_code == 200
members, encrypted, signed, result = json_decrypt(members,bilateral['id2'])
assert encrypted and signed
data = [['uid6','password6'],['uid7','password7']]
assert members == dict(fields=['uuid']+activate, version=[1, 0], format='member',
data=data if twofactor else [v[:-1] for v in data])
response, members = api(client,'backend/members/',user='******')
assert response.status_code == 200
#members = get_members(crypto=bilateral['id1'])
members, encrypted, signed, result = json_decrypt(members,bilateral['id2'])
assert encrypted and signed
data = [['uid1',''],['uid2',''],['uid3','']]+data
assert members == dict(fields=['uuid']+activate, version=[1, 0], format='member',
data=data if twofactor else [v[:-1] for v in data])
# change data by upload
data = [['uid1','eligible',1,[2],''],['uid2','member',1,[3],''],['uid3','deleted',0,[],''],
['uid6','member',1,[0],True],['uid7','deleted',0,[],False]]
members = dict(fields=['uuid','status','verified','departments']+activate,
version=[1, 0], format='member',
# data=[['uid1',0,0,2],['uid2',1,1,3],['uid3',1,1,4]])
data=data if twofactor else [v[:-1] for v in data])
departments = dict(fields=('id','parent','name','depth'), version=[1, 0], format='department',
# data=[[1,None,'root',1],[2,1,'sub',2],[3,2,'subsub',4],[4,1,'sub2',2],[5,None,'root2',1],[6,5,'r2sub',2]])
data=[[1,None,'r00t',1],[2,1,'s0b',2],[3,2,'s0bsub',3],[5,2,'s0bsub2',3],[6,None,'r00t2',1],[7,6,'r2s0b',2]])
members, result = json_encrypt(members,bilateral['id2'],encrypt=['foo@localhost'],sign=True)
#data, encrypted, signed, result = json_decrypt(members,bilateral['id1'])
departments, result = json_encrypt(departments,bilateral['id2'],encrypt=['foo@localhost'],sign=True)
response, result = api(client,'backend/members/','post',user='******',
data=dict(members=members,departments=departments))
assert response.status_code == 200
root = NestedGroup.objects.get(syncid=1)
assert root.name=='r00t' and root.is_root() and root.level==1
sub = NestedGroup.objects.get(syncid=2)
assert sub.name=='s0b' and sub.parent==root and sub.level==2
ssub = NestedGroup.objects.get(syncid=3)
assert ssub.name=='s0bsub' and ssub.parent==sub and ssub.level==3
assert not NestedGroup.objects.filter(syncid=4).exists()
ssub2 = NestedGroup.objects.get(syncid=5)
assert ssub2.name=='s0bsub2' and ssub2.parent==sub and ssub2.level==3
root2 = NestedGroup.objects.get(syncid=6)
assert root2.name=='r00t2' and root2.is_root() and root2.level==1
r2sub = NestedGroup.objects.get(syncid=7)
assert r2sub.name=='r2s0b' and r2sub.parent==root2 and r2sub.level==2
indep = NestedGroup.objects.get(name='indep')
assert indep.syncid is None and indep.level==1
m = Account.objects.get(uuid='uid3')
assert m.status==Account.DELETED
assert list(m.nested_groups.all())==[indep]
m = Account.objects.get(uuid='uid1')
assert m.status==Account.ELIGIBLE and m.verified
assert list(m.nested_groups.all())==[sub]
m = Account.objects.get(uuid='uid2')
assert m.status==Account.MEMBER and m.verified
assert set(m.nested_groups.all())==set([ssub,indep])
m = Account.objects.get(uuid='uid6')
assert m.status==Account.MEMBER and m.verified
assert not m.nested_groups.count()
inv = Invitation.objects.get(uuid='uid6')
assert inv.status==Invitation.REGISTERED
assert not Account.objects.filter(uuid='uid7').exists()
m = Account.objects.get(uuid='uid8')
assert m.status==Account.NEWMEMBER
inv = Invitation.objects.get(uuid='uid8')
assert inv.status==Invitation.REGISTERING
response, members = api(client,'backend/members/',user='******')
assert response.status_code == 200
members, encrypted, signed, result = json_decrypt(members,bilateral['id2'])
assert encrypted and signed
data = [['uid1',''],['uid2',''],['uid6','']]
if not twofactor: data = [v[:-1] for v in data]
assert listset_equal(members['data'], data)
assert members == dict(fields=['uuid']+activate, version=[1, 0], format='member',
data=members['data'])
def test_authenticate_success(app: Devicehub):
"""Checks the authenticate method."""
with app.app_context():
user = create_user()
response_user = app.auth.authenticate(token=str(user.token))
assert response_user == user
def test_assign_individual_user():
"""Tests assigning an individual to an user."""
user = create_user()
assert len(user.individuals) == 1
assert next(iter(user.individuals)).name == 'Timmy'
