def post(self, *args, **kwargs):
# type: (*Any, **Any) -> None
user_id = kwargs.get("user_id") # type: Optional[int]
name = kwargs.get("name") # type: Optional[str]
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
form = UserTokenForm(self.request.arguments)
if not form.validate():
return self.render(
"user-token-add.html",
form=form,
user=user,
alerts=self.get_form_alerts(form.errors),
)
try:
token, secret = add_new_user_token(
self.session, UserToken(name=form.data["name"], user=user))
self.session.commit()
except IntegrityError:
self.session.rollback()
form.name.errors.append("Name already in use.")
return self.render(
"user-token-add.html",
form=form,
user=user,
alerts=self.get_form_alerts(form.errors),
)
AuditLog.log(
self.session,
self.current_user.id,
"add_token",
"Added token: {}".format(token.name),
on_user_id=user.id,
)
email_context = {
"actioner": self.current_user.name,
"changed_user": user.name,
"action": "added",
}
send_email(
self.session,
[user.name],
"User token created",
"user_tokens_changed",
settings(),
email_context,
)
return self.render("user-token-created.html",
token=token,
secret=secret)
def test_usertokens(standard_graph, session, users, groups, permissions): # noqa: F811
user = users["*****@*****.**"]
assert len(user.tokens) == 0
tok, secret = add_new_user_token(session, UserToken(user=user, name="Foo"))
assert len(user.tokens) == 1
assert tok.check_secret(secret)
assert tok.check_secret("invalid") == False
assert tok.enabled == True
disable_user_token(session, tok)
assert tok.enabled == False
assert user.tokens[0].enabled == False
assert UserToken.get(session, name="Foo", user=user).enabled == False
assert tok.check_secret(secret) == False
def post(self, user_id=None, name=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
form = UserTokenForm(self.request.arguments)
if not form.validate():
return self.render(
"user-token-add.html",
form=form,
user=user,
alerts=self.get_form_alerts(form.errors),
)
try:
token, secret = add_new_user_token(
self.session, UserToken(name=form.data["name"], user=user))
self.session.commit()
except IntegrityError:
self.session.rollback()
form.name.errors.append("Name already in use.")
return self.render(
"user-token-add.html",
form=form,
user=user,
alerts=self.get_form_alerts(form.errors),
)
AuditLog.log(self.session,
self.current_user.id,
'add_token',
'Added token: {}'.format(token.name),
on_user_id=user.id)
email_context = {
"actioner": self.current_user.name,
"changed_user": user.name,
"action": "added",
}
send_email(self.session, [user.name], 'User token created',
'user_tokens_changed', settings, email_context)
return self.render("user-token-created.html",
token=token,
secret=secret)
def test_usertokens(users, session, http_client, base_url):
user = users["*****@*****.**"]
tok, secret = add_new_user_token(session, UserToken(user=user, name="Foo"))
session.commit()
api_url = url(base_url, '/token/validate')
# Completely bogus input
resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': 'invalid'}))
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "error"
assert len(body["errors"]) == 1
assert body["errors"][0]["code"] == 1
valid_token = str(tok) + ":" + secret
# Valid token
resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': valid_token}))
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "ok"
assert body["data"]["identity"] == str(tok)
assert body["data"]["owner"] == user.username
assert body["data"]["act_as_owner"]
assert body["data"]["valid"]
# Token with the last character changed to something invalid
bad_char = "1" if secret[-1].isalpha() else "a"
token_with_bad_secret = str(tok) + ":" + secret[:-1] + bad_char
resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': token_with_bad_secret}))
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "error"
assert len(body["errors"]) == 1
assert body["errors"][0]["code"] == 4
# Token with the token name frobbed to be something invalid
token_with_bad_name = str(tok) + "z:" + secret
resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': token_with_bad_name}))
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "error"
assert len(body["errors"]) == 1
assert body["errors"][0]["code"] == 2
# Token with the user frobbed to be something invalid
token_with_bad_user = "******" + str(tok) + ":" + secret
resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': token_with_bad_user}))
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "error"
assert len(body["errors"]) == 1
assert body["errors"][0]["code"] == 2
# Token with the user changed to another valid, but wrong user
token_with_wrong_user = "******" + tok.name + ":" + secret
resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': token_with_wrong_user}))
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "error"
assert len(body["errors"]) == 1
assert body["errors"][0]["code"] == 2
# Disabled, but otherwise valid token
disable_user_token(session, tok)
session.commit()
resp = yield http_client.fetch(api_url, method="POST", body=urlencode({'token': valid_token}))
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "error"
assert len(body["errors"]) == 1
assert body["errors"][0]["code"] == 3
