def test_logout_mismatched_tokens(self):
response = self.app.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
headers = {'Authorization': 'Bearer {}'.format(key['access_token'])}
add_user(username='******', password='******')
from server.database import db
db.session.commit()
response = self.app.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
token = key['refresh_token']
response = self.app.post('/api/auth/logout',
headers=headers,
content_type="application/json",
data=json.dumps(dict(refresh_token=token)))
self.assertEqual(response.status_code, BAD_REQUEST)
self.assertEqual(len(BlacklistedToken.query.all()), 0)
def run(session, parameters):
"""
Args:
parameters=[username, password]
"""
username = parameters[0]
password = parameters[1]
r = database.get_user_by_name(username)
if r:
# 用户名已存在
session.send(GeneralMessage.REG_FAIL, 0)
else:
database.add_user(username, md5(password))
session.send(GeneralMessage.REG_OK, {})
def create_user():
from server.context import running_context
from server.database import add_user, User, ResourcePermission, Role, initialize_resource_roles_from_database
running_context.db.create_all()
if not User.query.all():
admin_role = running_context.Role(
name='admin',
description='administrator',
resources=server.database.default_resources)
running_context.db.session.add(admin_role)
admin_user = add_user(username='******', password='******')
admin_user.roles.append(admin_role)
running_context.db.session.commit()
if Role.query.all() or ResourcePermission.query.all():
initialize_resource_roles_from_database()
apps = set(helpers.list_apps()) - set(
[_app.name for _app in device_db.session.query(App).all()])
app.logger.debug('Found apps: {0}'.format(apps))
for app_name in apps:
device_db.session.add(App(name=app_name, devices=[]))
running_context.db.session.commit()
device_db.session.commit()
running_context.CaseSubscription.sync_to_subscriptions()
app.logger.handlers = logging.getLogger('server').handlers
def setup_guest_user(self):
user = add_user('guest', 'guest')
role = Role('guest', resources=['users'])
server.database.resource_roles['users'].add('guest')
db.session.add(user)
user.roles.append(role)
db.session.commit()
return user
def test_login_updates_user(self):
user = add_user(username='******', password='******')
self.app.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******', password='******')))
self.assertEqual(user.login_count, 1)
self.assertTrue(user.active)
def test_login_inactive_user(self):
user = add_user(username='******', password='******')
user.active = False
response = self.app.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******',
password='******')))
self.assertEqual(response.status_code, UNAUTHORIZED_ERROR)
def test_delete_current_user(self):
user = add_user('test', 'test')
user.set_roles({'admin'})
response = self.app.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
access_token = key['access_token']
headers = {'Authorization': 'Bearer {}'.format(access_token)}
self.delete_with_status_check('/api/users/{}'.format(user.id),
headers=headers,
status_code=UNAUTHORIZED_ERROR)
def add_user():
sha256 = hashlib.sha256(bytes(request.form.get('pass'), encoding='utf-8')).hexdigest()
name = request.form.get('name')
email = request.form.get('email')
result = not DB.check_user(name) and not DB.check_email(email)
if not (search('^.+@.+\..+$', email) and search('^[a-zA-Z0-9_]+$', name) and result):
return make_response('Wrong data', 400)
if request.files:
file = request.files['file']
if file.mimetype in const.IMAGES:
file_ext = const.IMAGES[file.mimetype]
file.save("./server/static/avatar/{}{}".format(name, file_ext))
else:
return make_response('Wrong data', 400)
else:
file_ext = None
(activation_token, result) = DB.add_user(name, sha256, file_ext, email)
if result:
response = make_response('OK')
result2 = DB.check_user(name, sha256)
if result2:
session = Session(name, result2.activated, result2.uid)
self.sessions[session.get_id()] = session
self.sessions_by_user_name[name] = session
session['avatar'] = result2.file
DB.add_session(session, result2.uid)
session.add_cookie_to_resp(response)
email_.send_email(
"Для подтвеждения регистрации пожалуйста перейдите по ссылке "
"http://{domain}/api/activate_account?token={token}".format(
domain=(self.domain if self.domain is not None else self.ip),
token=activation_token
),
"Account activation",
email)
else:
self.logger.write_msg("Something wrong with registration ({})".format(name))
response.headers["Content-type"] = "text/plain"
return response
else:
return 'Error', 500
def test_logout_updates_user(self):
user = add_user('testlogout', 'test')
response = self.app.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******',
password='******')))
key = json.loads(response.get_data(as_text=True))
access_token = key['access_token']
refresh_token = key['refresh_token']
headers = {'Authorization': 'Bearer {}'.format(access_token)}
self.app.post('/api/auth/logout',
headers=headers,
content_type="application/json",
data=json.dumps(dict(refresh_token=refresh_token)))
self.assertEqual(user.login_count, 0)
def test_refresh_deactivated_user(self):
user = add_user(username='******', password='******')
from server.database import db
db.session.commit()
response = self.app.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
token = key['refresh_token']
headers = {'Authorization': 'Bearer {}'.format(token)}
user.active = False
refresh = self.app.post('/api/auth/refresh',
content_type="application/json",
headers=headers)
self.assertEqual(refresh.status_code, UNAUTHORIZED_ERROR)
def __func():
data = request.get_json()
username = data['username']
if not running_context.User.query.filter_by(username=username).first():
user = add_user(username=username, password=data['password'])
if 'roles' in data:
user.set_roles(data['roles'])
running_context.db.session.commit()
current_app.logger.info('User added: {0}'.format(user.as_json()))
return user.as_json(), OBJECT_CREATED
else:
current_app.logger.warning(
'Could not create user {0}. User already exists.'.format(
username))
return {
"error": "User {0} already exists.".format(username)
}, OBJECT_EXISTS_ERROR
def test_refresh_with_blacklisted_token(self):
user = add_user(username='******', password='******')
from server.database import db
db.session.commit()
response = self.app.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
token = key['refresh_token']
db.session.delete(user)
db.session.commit()
headers = {'Authorization': 'Bearer {}'.format(token)}
self.app.post('/api/auth/refresh',
content_type="application/json",
headers=headers)
refresh = self.app.post('/api/auth/refresh',
content_type="application/json",
headers=headers)
self.assertEqual(refresh.status_code, UNAUTHORIZED_ERROR)
response = json.loads(refresh.get_data(as_text=True))
self.assertDictEqual(response, {'error': 'Token is revoked'})
def test_refresh_invalid_user_blacklists_token(self):
user = add_user(username='******', password='******')
from server.database import db
db.session.commit()
response = self.app.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
token = key['refresh_token']
db.session.delete(user)
db.session.commit()
headers = {'Authorization': 'Bearer {}'.format(token)}
refresh = self.app.post('/api/auth/refresh',
content_type="application/json",
headers=headers)
self.assertEqual(refresh.status_code, UNAUTHORIZED_ERROR)
token = decode_token(token)
from server.tokens import BlacklistedToken
tokens = BlacklistedToken.query.filter_by(jti=token['jti']).all()
self.assertEqual(len(tokens), 1)
def test_add_user_already_exists(self):
user = User('username', 'password')
db.session.add(user)
db.session.commit()
user = add_user('username', 'password')
self.assertIsNone(user)
def test_add_user(self):
user = add_user('username', 'password')
self.assertIsNotNone(user)
self.assertEqual(user.username, 'username')
self.assertIsNotNone(User.query.filter_by(username='******').first())
