def test_delete_without_permissions(app, client):
utils = Utils(app, client)
public_id = utils.get_public_id()
headers = {'Authorization': f'Bearer {utils.generate_access_token()}'}
resp = client.delete(f'/api/users/{public_id}', headers=headers)
assert resp.status_code == 403
assert json.loads(resp.data.decode()).get('message') == 'Access Denied!'
def test_admin_update_without_data(app, client):
utils = Utils(app, client)
public_id = utils.get_public_id()
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.put(f'/api/users/{public_id}', headers=headers)
assert resp.status_code == 200
def test_admin_update_invalid_data(app, client):
utils = Utils(app, client)
guid = utils.get_guid()
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.put(f'/api/users/{guid}',
headers=headers,
json={'invalid': 'invalid'})
assert resp.status_code == 400
def test_admin_update_non_existing_role(app, client):
utils = Utils(app, client)
public_id = utils.get_public_id()
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.put(f'/api/users/{public_id}',
headers=headers,
json={'role': 'invalid'})
assert resp.status_code == 400
assert json.loads(resp.data.decode()).get('message') == 'Invalid Role'
def test_admin_update(app, client):
utils = Utils(app, client)
public_id = utils.get_public_id()
data = {'displayName': 'My new display name!'}
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.put(f'/api/users/{public_id}', headers=headers, json=data)
assert resp.status_code == 200
assert json.loads(resp.data.decode()).get('data').get(
'displayName') == data.get('displayName')
def test_logout_invalid(app, client):
utils = Utils(app, client)
access_token, refresh_token = utils.generate_access_token(refresh=True)
resp = client.get('/api/auth',
headers={'Authorization': f'Bearer {access_token}'})
assert resp.status_code == 200
resp = client.delete('/api/auth/refresh/invalid')
assert resp.status_code == 401
assert json.loads(
resp.data.decode()).get('message') == 'Invalid refresh token'
def test_refresh_token_invalid_data(app, client):
utils = Utils(app, client)
access_token, refresh_token = utils.generate_access_token(refresh=True)
resp = client.get('/api/auth',
headers={'Authorization': f'Bearer {access_token}'})
assert resp.status_code == 200
resp = client.post('/api/auth/refresh', json={'invalid': 'invalid'})
assert resp.status_code == 400
assert json.loads(
resp.data.decode()).get('message') == 'Payload is invalid'
def test_authentication_without_activation(app, client):
utils = Utils(app, client)
utils.create_user(username='******',
password='******',
verified=False)
resp = client.post('/api/auth',
json={
'username': '******',
'password': '******'
})
assert resp.status_code == 401
assert json.loads(
resp.data.decode('utf8')).get('message') == 'Account not activated'
def test_authentication_with_invalid_2fa_token(app, client):
utils = Utils(app, client)
utils.enable_2fa()
resp = client.post('/api/auth',
json={
'username': '******',
'password': '******',
'token': '999999'
})
assert resp.status_code == 401
assert json.loads(
resp.data.decode('utf8')).get('message') == 'Invalid credentials'
def test_get(app, client):
utils = Utils(app, client)
public_id = utils.get_public_id()
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.get(f'/api/users/{public_id}', headers=headers)
assert resp.status_code == 200
assert json.loads(
resp.data.decode()).get('data').get('email') == '*****@*****.**'
assert json.loads(
resp.data.decode()).get('data').get('displayName') == 'test'
assert not json.loads(resp.data.decode()).get('data').get('2fa')
def test_admin_update_enable_2fa(app, client):
utils = Utils(app, client)
public_id = utils.get_public_id()
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.put(f'/api/users/{public_id}',
headers=headers,
json={'totp_enabled': True})
assert resp.status_code == 400
assert json.loads(resp.data.decode()).get(
'message') == 'You are not allowed to enable 2FA.'
def test_refresh_token_deleted_account(app, client):
utils = Utils(app, client)
access_token, refresh_token = utils.generate_access_token(refresh=True)
resp = client.get('/api/auth',
headers={'Authorization': f'Bearer {access_token}'})
assert resp.status_code == 200
utils.delete_user()
resp = client.post('/api/auth/refresh',
json={'refreshToken': refresh_token})
assert resp.status_code == 400
assert json.loads(
resp.data.decode()).get('message') == 'User does not exist!'
def test_update_enable_2fa_invalid_token(app, client):
utils = Utils(app, client)
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
# first step to enable 2fa, get secret key
resp = client.put('/api/users/me',
headers=headers,
json={'totp_enabled': True})
assert resp.status_code == 200
assert not json.loads(resp.data.decode()).get('data').get('2fa')
assert '2fa_secret' in json.loads(resp.data.decode()).get('data')
secret = json.loads(resp.data.decode()).get('data').get('2fa_secret')
# generate a 2fa token using the secret key, and use it to activate 2fa
totp_token = str(onetimepass.get_totp(secret)).zfill(6)
resp = client.post('/api/users/2fa',
headers=headers,
json={'token': '000000'})
assert resp.status_code == 400
assert json.loads(
resp.data.decode()).get('message') == 'invalid token, try again'
resp = client.post('/api/users/2fa',
headers=headers,
json={'token': str(totp_token)})
assert resp.status_code == 200
assert json.loads(
resp.data.decode()).get('message') == '2fa has been enabled'
def test_get_all(app, client):
utils = Utils(app, client)
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.get(f'/api/users', headers=headers)
assert resp.status_code == 200
def test_delete_without_data(app, client):
utils = Utils(app, client)
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.delete(f'/api/users', headers=headers)
assert resp.status_code == 405
def test_update_show_qr_after_2fa_has_been_enabled(app, client):
utils = Utils(app, client)
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
# first step to enable 2fa, get secret key
resp = client.put('/api/users/me',
headers=headers,
json={'totp_enabled': True})
assert resp.status_code == 200
assert not json.loads(resp.data.decode()).get('data').get('2fa')
assert '2fa_secret' in json.loads(resp.data.decode()).get('data')
# generate a 2fa token using the secret key, and use it to activate 2fa
secret = json.loads(resp.data.decode()).get('data').get('2fa_secret')
totp_token = str(onetimepass.get_totp(secret)).zfill(6)
resp = client.post('/api/users/2fa',
headers=headers,
json={'token': str(totp_token)})
assert resp.status_code == 200
assert json.loads(
resp.data.decode()).get('message') == '2fa has been enabled'
# it should not be possible to generate the qr code after 2fa has been enabled
# this would be a potential security vulnerability
resp = client.get('/api/users/2fa', headers=headers)
assert resp.status_code == 400
assert json.loads(
resp.data.decode()).get('message') == 'Unable to generate QR Code'
def test_PlainTextUpdater(self):
self.file = Utils.create_github_content_file(file='content.txt')
self.ptf = PlainTextFile(self.file, self.instance)
self.instance.files = [self.ptf.github_file]
self.ptu = PlainTextUpdater(TestSearchAndReplaceTransformation.Args(),
self.instance)
self.assertIs(self.ptu.run(), True)
def test_get_user_info(app, client):
utils = Utils(app, client)
resp = client.get(
'/api/auth',
headers={'Authorization': f'Bearer {utils.generate_access_token()}'})
assert resp.status_code == 200
assert 'username' in json.loads(resp.data.decode()).get('data')
assert parser.parse(
json.loads(resp.data.decode()).get('data').get('created'))
def test_logout_blacklisted(app, client):
utils = Utils(app, client)
access_token, refresh_token = utils.generate_admin_access_token(
refresh=True)
resp = client.get('/api/auth',
headers={'Authorization': f'Bearer {access_token}'})
assert resp.status_code == 200
resp = client.delete(f'/api/auth/refresh/{refresh_token}')
assert resp.status_code == 200
assert json.loads(
resp.data.decode()).get('data') == 'Successfully blacklisted token'
resp = client.delete(f'/api/auth/refresh/{refresh_token}')
assert resp.status_code == 200
assert json.loads(
resp.data.decode()).get('data') == 'Successfully blacklisted token'
def test_update_modify_role(app, client):
utils = Utils(app, client)
data = {'role': 'admin'}
headers = {'Authorization': f'Bearer {utils.generate_access_token()}'}
resp = client.put('/api/users/me', headers=headers, json=data)
assert resp.status_code == 403
assert json.loads(resp.data.decode()).get(
'message') == 'You are not allowed to change your role!'
def test_delete_invalid_data(app, client):
utils = Utils(app, client)
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.delete(f'/api/users/invalid', headers=headers)
assert resp.status_code == 404
assert json.loads(
resp.data.decode()).get('message') == 'User does not exist'
def test_create_without_data(app, client):
utils = Utils(app, client)
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.post('/api/users', headers=headers)
assert resp.status_code == 400
assert json.loads(
resp.data.decode()).get('message') == 'Payload is invalid'
def test_refresh_token(app, client):
utils = Utils(app, client)
access_token, refresh_token = utils.generate_access_token(refresh=True)
resp = client.get('/api/auth',
headers={'Authorization': f'Bearer {access_token}'})
assert resp.status_code == 200
resp = client.post('/api/auth/refresh',
json={'refreshToken': refresh_token})
assert resp.status_code == 200
assert json.loads(
resp.data.decode()).get('message') == 'Token refresh was successful'
assert 'accessToken' in json.loads(resp.data.decode())
access_token = json.loads(resp.data.decode()).get('accessToken')
resp = client.get('/api/auth',
headers={'Authorization': f'Bearer {access_token}'})
assert resp.status_code == 200
def test_logout(app, client):
utils = Utils(app, client)
access_token, refresh_token = utils.generate_access_token(refresh=True)
resp = client.get('/api/auth',
headers={'Authorization': f'Bearer {access_token}'})
assert resp.status_code == 200
resp = client.delete(f'/api/auth/refresh/{refresh_token}')
assert resp.status_code == 200
assert json.loads(
resp.data.decode()).get('data') == 'Successfully blacklisted token'
# refresh token should now be invalid, access token will be still valid til it's expired
resp = client.post('/api/auth/refresh',
json={'refreshToken': refresh_token})
assert resp.status_code == 401
assert json.loads(
resp.data.decode()).get('data') == 'Invalid refresh token'
def test_authentication_invalid_credentials(app, client):
Utils(app, client)
resp = client.post('/api/auth',
json={
'username': '******',
'password': '******'
})
assert resp.status_code == 401
assert json.loads(
resp.data.decode('utf8')).get('message') == 'Invalid credentials'
def test_authentication(app, client):
Utils(app, client)
resp = client.post('/api/auth',
json={
'username': '******',
'password': '******'
})
assert resp.status_code == 200
assert 'accessToken' in json.loads(resp.data.decode())
assert 'refreshToken' in json.loads(resp.data.decode())
def test_admin_update_disable_2fa(app, client):
utils = Utils(app, client)
utils.enable_2fa()
public_id = utils.get_public_id()
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
# check if 2fa is enabled
resp = client.get(f'/api/users/{public_id}', headers=headers)
assert json.loads(resp.data.decode()).get('data').get('2fa')
# disable 2fa
resp = client.put(f'/api/users/{public_id}',
headers=headers,
json={'totp_enabled': False})
assert resp.status_code == 200
assert not json.loads(resp.data.decode()).get('data').get('2fa')
def test_update_disable_2fa_without_token(app, client):
utils = Utils(app, client)
utils.enable_2fa()
headers = {'Authorization': f'Bearer {utils.generate_access_token()}'}
# check if 2fa is enabled
# resp = client.get('/api/auth', headers=headers)
resp = client.get(
'/api/auth',
headers={'Authorization': f'Bearer {utils.generate_access_token()}'})
assert json.loads(resp.data.decode()).get('data').get('2fa')
# disable 2fa
resp = client.put(f'/api/users/me',
headers=headers,
json={'totp_enabled': False})
assert resp.status_code == 400
assert json.loads(resp.data.decode()).get(
'message') == 'Unable to deactivate 2fa, token not submitted'
def test_admin_update_invalid_user(app, client):
utils = Utils(app, client)
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.put(f'/api/users/invalid',
headers=headers,
json={'displayName': 'new'})
assert resp.status_code == 404
assert json.loads(
resp.data.decode()).get('message') == 'User does not exist'
def test_delete(app, client):
utils = Utils(app, client)
# create user to delete
data = {
'username': '******',
'password': '******',
'email': '*****@*****.**',
'role': 'user'
}
headers = {
'Authorization': f'Bearer {utils.generate_admin_access_token()}'
}
resp = client.post('/api/users', headers=headers, json=data)
assert resp.status_code == 201
public_id = utils.get_public_id('new_user')
resp = client.delete(f'/api/users/{public_id}', headers=headers)
assert resp.status_code == 200
assert json.loads(
resp.data.decode()).get('data') == 'Successfully deleted user!'
