def post(self, *args, **kwargs): # type: (*Any, **Any) -> None user_id = kwargs.get("user_id") # type: Optional[int] name = kwargs.get("name") # type: Optional[str] user = User.get(self.session, user_id, name) if not user: return self.notfound() if not self.check_access(self.session, self.current_user, user): return self.forbidden() form = UserTokenForm(self.request.arguments) if not form.validate(): return self.render( "user-token-add.html", form=form, user=user, alerts=self.get_form_alerts(form.errors), ) try: token, secret = add_new_user_token( self.session, UserToken(name=form.data["name"], user=user)) self.session.commit() except IntegrityError: self.session.rollback() form.name.errors.append("Name already in use.") return self.render( "user-token-add.html", form=form, user=user, alerts=self.get_form_alerts(form.errors), ) AuditLog.log( self.session, self.current_user.id, "add_token", "Added token: {}".format(token.name), on_user_id=user.id, ) email_context = { "actioner": self.current_user.name, "changed_user": user.name, "action": "added", } send_email( self.session, [user.name], "User token created", "user_tokens_changed", settings(), email_context, ) return self.render("user-token-created.html", token=token, secret=secret)
def test_usertokens(standard_graph, session, users, groups, permissions): # noqa: F811 user = users["*****@*****.**"] assert len(user.tokens) == 0 tok, secret = add_new_user_token(session, UserToken(user=user, name="Foo")) assert len(user.tokens) == 1 assert tok.check_secret(secret) assert tok.check_secret("invalid") == False assert tok.enabled == True disable_user_token(session, tok) assert tok.enabled == False assert user.tokens[0].enabled == False assert UserToken.get(session, name="Foo", user=user).enabled == False assert tok.check_secret(secret) == False
def post(self, user_id=None, name=None): user = User.get(self.session, user_id, name) if not user: return self.notfound() if not self.check_access(self.session, self.current_user, user): return self.forbidden() form = UserTokenForm(self.request.arguments) if not form.validate(): return self.render( "user-token-add.html", form=form, user=user, alerts=self.get_form_alerts(form.errors), ) try: token, secret = add_new_user_token( self.session, UserToken(name=form.data["name"], user=user)) self.session.commit() except IntegrityError: self.session.rollback() form.name.errors.append("Name already in use.") return self.render( "user-token-add.html", form=form, user=user, alerts=self.get_form_alerts(form.errors), ) AuditLog.log(self.session, self.current_user.id, 'add_token', 'Added token: {}'.format(token.name), on_user_id=user.id) email_context = { "actioner": self.current_user.name, "changed_user": user.name, "action": "added", } send_email(self.session, [user.name], 'User token created', 'user_tokens_changed', settings, email_context) return self.render("user-token-created.html", token=token, secret=secret)
def test_usertokens(users, session, http_client, base_url): user = users["*****@*****.**"] tok, secret = add_new_user_token(session, UserToken(user=user, name="Foo")) session.commit() api_url = url(base_url, '/token/validate') # Completely bogus input resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': 'invalid'})) body = json.loads(resp.body) assert resp.code == 200 assert body["status"] == "error" assert len(body["errors"]) == 1 assert body["errors"][0]["code"] == 1 valid_token = str(tok) + ":" + secret # Valid token resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': valid_token})) body = json.loads(resp.body) assert resp.code == 200 assert body["status"] == "ok" assert body["data"]["identity"] == str(tok) assert body["data"]["owner"] == user.username assert body["data"]["act_as_owner"] assert body["data"]["valid"] # Token with the last character changed to something invalid bad_char = "1" if secret[-1].isalpha() else "a" token_with_bad_secret = str(tok) + ":" + secret[:-1] + bad_char resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': token_with_bad_secret})) body = json.loads(resp.body) assert resp.code == 200 assert body["status"] == "error" assert len(body["errors"]) == 1 assert body["errors"][0]["code"] == 4 # Token with the token name frobbed to be something invalid token_with_bad_name = str(tok) + "z:" + secret resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': token_with_bad_name})) body = json.loads(resp.body) assert resp.code == 200 assert body["status"] == "error" assert len(body["errors"]) == 1 assert body["errors"][0]["code"] == 2 # Token with the user frobbed to be something invalid token_with_bad_user = "******" + str(tok) + ":" + secret resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': token_with_bad_user})) body = json.loads(resp.body) assert resp.code == 200 assert body["status"] == "error" assert len(body["errors"]) == 1 assert body["errors"][0]["code"] == 2 # Token with the user changed to another valid, but wrong user token_with_wrong_user = "******" + tok.name + ":" + secret resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': token_with_wrong_user})) body = json.loads(resp.body) assert resp.code == 200 assert body["status"] == "error" assert len(body["errors"]) == 1 assert body["errors"][0]["code"] == 2 # Disabled, but otherwise valid token disable_user_token(session, tok) session.commit() resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': valid_token})) body = json.loads(resp.body) assert resp.code == 200 assert body["status"] == "error" assert len(body["errors"]) == 1 assert body["errors"][0]["code"] == 3