def test_authentication_log(self):
        from frappe.auth import LoginManager, CookieManager

        # test user login log
        frappe.local.form_dict = {'cmd': 'login'}

        frappe.form_dict = {
            'sid': 'Guest',
            'pwd': 'admin',
            'usr': '******'
        }

        frappe.local.cookie_manager = CookieManager()
        frappe.local.login_manager = LoginManager()

        auth_log = self.get_auth_log()
        self.assertEquals(auth_log.status, 'Success')

        # test user logout log
        frappe.local.login_manager.logout()
        auth_log = self.get_auth_log(operation='Logout')
        self.assertEquals(auth_log.status, 'Success')

        # test invalid login
        frappe.form_dict.update({'pwd': 'password'})
        self.assertRaises(frappe.AuthenticationError, LoginManager)
        auth_log = self.get_auth_log()
        self.assertEquals(auth_log.status, 'Failed')
示例#2
0
    def test_brute_security(self):
        update_system_settings({
            'allow_consecutive_login_attempts': 3,
            'allow_login_after_fail': 5
        })

        frappe.local.form_dict = frappe._dict({
            'cmd': 'login',
            'sid': 'Guest',
            'pwd': 'admin',
            'usr': '******'
        })

        frappe.local.cookie_manager = CookieManager()
        frappe.local.login_manager = LoginManager()

        auth_log = self.get_auth_log()
        self.assertEquals(auth_log.status, 'Success')

        # test user logout log
        frappe.local.login_manager.logout()
        auth_log = self.get_auth_log(operation='Logout')
        self.assertEquals(auth_log.status, 'Success')

        # test invalid login
        frappe.form_dict.update({'pwd': 'password'})
        self.assertRaises(frappe.AuthenticationError, LoginManager)
        self.assertRaises(frappe.AuthenticationError, LoginManager)
        self.assertRaises(frappe.AuthenticationError, LoginManager)
        self.assertRaises(frappe.SecurityException, LoginManager)
        time.sleep(5)
        self.assertRaises(frappe.AuthenticationError, LoginManager)

        frappe.local.form_dict = frappe._dict()
示例#3
0
    def test_activity_log(self):

        # test user login log
        frappe.local.form_dict = frappe._dict({
            "cmd": "login",
            "sid": "Guest",
            "pwd": "admin",
            "usr": "******"
        })

        frappe.local.cookie_manager = CookieManager()
        frappe.local.login_manager = LoginManager()

        auth_log = self.get_auth_log()
        self.assertEqual(auth_log.status, "Success")

        # test user logout log
        frappe.local.login_manager.logout()
        auth_log = self.get_auth_log(operation="Logout")
        self.assertEqual(auth_log.status, "Success")

        # test invalid login
        frappe.form_dict.update({"pwd": "password"})
        self.assertRaises(frappe.AuthenticationError, LoginManager)
        auth_log = self.get_auth_log()
        self.assertEqual(auth_log.status, "Failed")

        frappe.local.form_dict = frappe._dict()
示例#4
0
    def test_brute_security(self):
        update_system_settings({
            "allow_consecutive_login_attempts": 3,
            "allow_login_after_fail": 5
        })

        frappe.local.form_dict = frappe._dict({
            "cmd": "login",
            "sid": "Guest",
            "pwd": "admin",
            "usr": "******"
        })

        frappe.local.cookie_manager = CookieManager()
        frappe.local.login_manager = LoginManager()

        auth_log = self.get_auth_log()
        self.assertEquals(auth_log.status, "Success")

        # test user logout log
        frappe.local.login_manager.logout()
        auth_log = self.get_auth_log(operation="Logout")
        self.assertEquals(auth_log.status, "Success")

        # test invalid login
        frappe.form_dict.update({"pwd": "password"})
        self.assertRaises(frappe.AuthenticationError, LoginManager)
        self.assertRaises(frappe.AuthenticationError, LoginManager)
        self.assertRaises(frappe.AuthenticationError, LoginManager)

        # REMOVE ME: current logic allows allow_consecutive_login_attempts+1 attempts
        # before raising security exception, remove below line when that is fixed.
        self.assertRaises(frappe.AuthenticationError, LoginManager)
        self.assertRaises(frappe.SecurityException, LoginManager)
        time.sleep(5)
        self.assertRaises(frappe.AuthenticationError, LoginManager)

        frappe.local.form_dict = frappe._dict()
示例#5
0
    def test_reset_password(self):
        from frappe.auth import CookieManager, LoginManager
        from frappe.utils import set_request
        old_password = "******"
        new_password = "******"

        set_request(path="/random")
        frappe.local.cookie_manager = CookieManager()
        frappe.local.login_manager = LoginManager()

        frappe.set_user("*****@*****.**")
        test_user = frappe.get_doc("User", "*****@*****.**")
        test_user.reset_password()
        self.assertEqual(
            update_password(new_password, key=test_user.reset_password_key),
            "/app")
        self.assertEqual(
            update_password(new_password, key="wrong_key"),
            "The Link specified has either been used before or Invalid")

        # password verification should fail with old password
        self.assertRaises(frappe.exceptions.AuthenticationError,
                          verify_password, old_password)
        verify_password(new_password)

        # reset password
        update_password(old_password, old_password=new_password)

        self.assertRaisesRegex(frappe.exceptions.ValidationError,
                               "Invalid key type", update_password, "test", 1,
                               ['like', '%'])

        password_strength_response = {
            "feedback": {
                "password_policy_validation_passed": False,
                "suggestions": ["Fix password"]
            }
        }

        # password strength failure test
        with patch.object(user_module,
                          "test_password_strength",
                          return_value=password_strength_response):
            self.assertRaisesRegex(frappe.exceptions.ValidationError,
                                   "Fix password", update_password,
                                   new_password, 0,
                                   test_user.reset_password_key)

        # test redirect URL for website users
        frappe.set_user("*****@*****.**")
        self.assertEqual(
            update_password(new_password, old_password=old_password), "/")
        # reset password
        update_password(old_password, old_password=new_password)

        # test API endpoint
        with patch.object(user_module.frappe, 'sendmail') as sendmail:
            frappe.clear_messages()
            test_user = frappe.get_doc("User", "*****@*****.**")
            self.assertEqual(reset_password(user="******"), None)
            test_user.reload()
            self.assertEqual(
                update_password(new_password,
                                key=test_user.reset_password_key), "/")
            update_password(old_password, old_password=new_password)
            self.assertEqual(
                json.loads(frappe.message_log[0]), {
                    "message":
                    "Password reset instructions have been sent to your email"
                })
        sendmail.assert_called_once()
        self.assertEqual(sendmail.call_args[1]["recipients"],
                         "*****@*****.**")

        self.assertEqual(reset_password(user="******"), None)
        self.assertEqual(reset_password(user="******"), "not allowed")
        self.assertEqual(reset_password(user="******"), "not found")