def test_map_authorize():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    url = '/service/map/authorize'

    # User must be authenticated
    response = CLIENT.get(url)
    assert response.status_code == 401

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # The user must have access to the map module
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, ['map'])

    # Success!
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_avg_attendance():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    url = '/service/trends/avg-attendance'

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # User must have access to trends
    response = CLIENT.get(
        url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, ['trends'])

    # Success!
    response = CLIENT.get(
        url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
    assert response.status_code == 200
    assert type(response.json['results']) == list
    for result in response.json['results']:
        assert 'day_of_week' in result
        assert 'day_order' in result
        assert 'avg_attendance' in result

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_authorize():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # Success!
    response = CLIENT.get(
        '/service/user/authorize',
        headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200
    assert 'password' not in response.json

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
示例#4
0
def run_url_tests(url, client, access=[]):
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)

    # User must be authenticated
    response = client.get(url)
    assert response.status_code == 401

    response = client.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # The user must have access to the correct modules
    response = client.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, access)

    response = client.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200

    url = '/service/user/logout'
    response = client.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert not user
def test_event():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)

    # User must be authenticated
    url = '/service/event/7757038511'
    response = CLIENT.get(url)
    assert response.status_code == 401

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # User must have access to events
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, ['events'])

    # Success
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200
    assert type(response.json) == dict

    # Check to make sure the aggregates are present
    assert 'average_age' in response.json
    assert 'member_count' in response.json
    assert 'non_member_count' in response.json
    assert 'first_event_count' in response.json
    assert 'age_groups' in response.json
    for group in response.json['age_groups']:
        count = response.json['age_groups'][group]
        assert type(count) == int

    # Check to make sure the attendees are present
    for attendee in response.json['attendees']:
        'member_id' in attendee
        'first_name' in attendee
        'last_name' in attendee
        'name' in attendee
        'age' in attendee
        'is_member' in attendee

    url = '/service/event/8675309'
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 404
    assert type(response.json) == dict

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_user_reset_password():
    """For the user reset password end point to work, the e-mail
    in the post body must correspond to the e-mail that is on
    record for the user's account."""
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER,
                             conf.TEST_PASSWORD,
                             email='*****@*****.**')

    # Both the email and the username must appear in the post body
    response = CLIENT.post('/service/user/user-reset-password?mode=test',
                           json=dict(username=conf.TEST_USER))
    assert response.status_code == 400

    # The email address in the post body must match the email address
    # list for the user trying to reset their password
    response = CLIENT.post('/service/user/user-reset-password?mode=test',
                           json=dict(username=conf.TEST_USER,
                                     email='*****@*****.**'))
    assert response.status_code == 401

    # Success!
    response = CLIENT.post('/service/user/user-reset-password?mode=test',
                           json=dict(username=conf.TEST_USER,
                                     email='*****@*****.**'))
    assert response.status_code == 201

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_map_event_group_options():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    url = '/service/map/event_options'

    # The user must be authenticated
    response = CLIENT.get(url)
    assert response.status_code == 401

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # Success!
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200
    assert type(response.json) == list

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def delete_user(username):
    """ Deletes a user """
    user_management = UserManagement()
    jwt_user = get_jwt_identity()
    admin_user = user_management.get_user(jwt_user)

    authorized = admin_user['role'] == 'admin'
    log_request(request, jwt_user, authorized)

    if not authorized:
        response = {'message': 'only admins can delete users'}
        return jsonify(response), 403

    user_management.delete_user(username)
    response = {'message': 'user %s has been removed' % (username)}
    return jsonify(response), 204
def test_events():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    # User must be authenticated
    response = CLIENT.get('/service/events?limit=25')
    assert response.status_code == 401

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    url = '/service/events?limit=25&page=2'
    url += '&sort=start_datetime&order=desc'
    url += '&q=a&start_datetime=1900-01-01'
    url += '&end_datetime=2100-01-01'
    user_management.update_access(conf.TEST_USER, ['events'])

    # Success!
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200
    assert type(response.json['results']) == list
    assert len(response.json['results']) == 25
    assert 'count' in response.json
    assert 'pages' in response.json

    # Make sure input validation is working
    url = '/service/events?limit=30&page=2'
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 422

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_reset_password():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.delete_user('unittestadmin')
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    user_management.add_user('unittestadmin', conf.TEST_PASSWORD)

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username='******',
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # User must be an admin to update roles
    response = CLIENT.post('/service/user/reset-password?mode=test',
                           json=dict(username=conf.TEST_USER),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 403

    user_management.update_role('unittestadmin', 'admin')
    # Username must be in the post body
    response = CLIENT.post('/service/user/reset-password?mode=test',
                           json=dict(password='******'),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 400

    # Success!
    response = CLIENT.post('/service/user/reset-password?mode=test',
                           json=dict(username=conf.TEST_USER),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 201

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user('unittestadmin')
    user = user_management.get_user('unittestadmin')
    assert user == None
def test_all_geometries():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    url = '/service/map/geometries'

    # The user must be authenticated
    response = CLIENT.get(url)
    assert response.status_code == 401

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # The user must have access to the map
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, ['map'])

    # Success!
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200
    for key in response.json:
        layer = response.json[key]
        assert 'id' in layer
        assert 'type' in layer
        assert 'source' in layer
        assert layer['source']['type'] == 'geojson'
        assert type(layer['source']['data']) == dict
        assert 'paint' in layer

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_year_group_attendees():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    url = '/service/trends/age-group-attendance'

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # User must have access to trends
    response = CLIENT.get(
        url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, ['trends'])

    # Success!
    response = CLIENT.get(
        url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
    assert response.status_code == 200
    assert type(response.json) == dict
    for key in response.json:
        assert 'group' in response.json[key]
        assert 'count' in response.json[key]

    # And now let's try grouping by month
    url += '?groupBy=month'
    assert response.status_code == 200
    assert type(response.json) == dict
    for key in response.json:
        assert 'group' in response.json[key]
        assert 'count' in response.json[key]

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_participation():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    url = '/service/trends/participation/Young Professional'

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # User must have access to the trends page
    response = CLIENT.get(
        url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, ['trends'])

    response = CLIENT.get(
        url, headers={'Authorization': 'access_token_cookies=%s' % (jwt)})
    assert response.status_code == 200
    assert type(response.json['results']) == list
    for item in response.json['results']:
        assert 'id' in item
        assert 'name' in item
        assert 'total' in item

    url += '?top=event'
    assert response.status_code == 200
    assert type(response.json['results']) == list
    for item in response.json['results']:
        assert 'id' in item
        assert 'name' in item
        assert 'total' in item

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_member_upload():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    url = '/service/members/upload'

    # The user must be authenticated
    response = CLIENT.post(url)
    assert response.status_code == 401

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # The user must have access to members
    response = CLIENT.post(url,
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 403
    user_management.update_role(conf.TEST_USER, 'admin')

    # Uh oh! Bad file
    response = CLIENT.post(url,
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 400

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_export_event_aggregates():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)

    # User must be authenticated
    url = '/service/events/export?q=trsty'
    response = CLIENT.get(url)
    assert response.status_code == 401

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # User must have access to events
    url = '/service/events/export?q=trsty'
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, ['events'])

    # Success!
    url = '/service/events/export?q=trsty'
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200

    csv = StringIO(response.data.decode('utf-8'))
    df = pd.read_csv(csv)
    assert len(df) > 0

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_event_cities():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)

    # User must be authenticated
    response = CLIENT.get('/service/events?limit=25')
    assert response.status_code == 401

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # User must have access to events
    url = '/service/events/cities'
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, ['map'])

    # Success!
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200
    assert type(response.json['results']) == dict
    for city in response.json['results']['cities']:
        assert type(response.json['results']['cities'][city]) == list
    for city in response.json['results']['counts']:
        assert type(response.json['results']['counts'][city]) == str
    assert type(response.json['count']) == str

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_list_users():
    user_management = UserManagement()
    user_management.delete_user('unittestadmin')
    user_management.add_user('unittestadmin', conf.TEST_PASSWORD)

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username='******',
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # User must be an admin to update roles
    response = CLIENT.get('/service/users/list',
                          headers={
                              'Cookies': 'access_token_cookie=%s' % (jwt),
                              'X-CSRF-TOKEN': csrf['csrf_access_token']
                          })
    assert response.status_code == 403

    user_management.update_role('unittestadmin', 'admin')
    # Success!
    response = CLIENT.get(
        '/service/users/list',
        headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200
    users = response.json
    for user in users:
        assert 'id' in user
        assert 'role' in user
        assert 'modules' in user
        assert 'password' not in user

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user('unittestadmin')
    user = user_management.get_user('unittestadmin')
    assert user == None
def test_event_locations():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')

    # User must have access to events
    url = '/service/events/locations'
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 403
    user_management.update_access(conf.TEST_USER, ['map'])

    # Success!
    response = CLIENT.get(
        url, headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200
    assert type(response.json['results']) == list
    for result in response.json['results']:
        assert type(result['type']) == str
        assert type(result['geometry']['type']) == str
        assert type(result['geometry']['coordinates'][0]) == float
        assert type(result['geometry']['coordinates'][1]) == float
        assert type(result['properties']['title']) == str
        assert type(result['properties']['icon']) == str
        assert type(result['properties']['description']) == str

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_delete_user():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.delete_user('unittestadmin')
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    user_management.add_user('unittestadmin', conf.TEST_PASSWORD)

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username='******',
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # Only an admin can delete a user
    response = CLIENT.delete('/service/user/unittestuser',
                             headers={
                                 'Cookies': 'access_token_cookie=%s' % (jwt),
                                 'X-CSRF-TOKEN': csrf['csrf_access_token']
                             })
    assert response.status_code == 403
    user_management.update_role('unittestadmin', 'admin')

    # Success!
    response = CLIENT.delete('/service/user/unittestuser',
                             headers={
                                 'Cookies': 'access_token_cookie=%s' % (jwt),
                                 'X-CSRF-TOKEN': csrf['csrf_access_token']
                             })
    assert response.status_code == 204

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user = user_management.get_user(conf.TEST_USER)
    assert user == None

    user_management.delete_user('unittestadmin')
    user = user_management.get_user('unittestadmin')
def test_add_user():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.delete_user('unittestadmin')
    user_management.add_user('unittestadmin', conf.TEST_PASSWORD)

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username='******',
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # Only an admin can register a user
    response = CLIENT.post('/service/user?mode=test',
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 403
    user_management.update_role('unittestadmin', 'admin')

    # JSON body is required to register a user
    response = CLIENT.post('/service/user?mode=test',
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 400

    # Success!
    response = CLIENT.post('/service/user?mode=test',
                           json=dict(username=conf.TEST_USER,
                                     email='*****@*****.**',
                                     role='standard',
                                     modules=['events', 'map']),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 201
    user = user_management.get_user(conf.TEST_USER)
    assert 'events' in user['modules']
    assert 'map' in user['modules']
    assert user['role'] == 'standard'
    assert user['email'] == '*****@*****.**'

    # Can't register the same user twice
    response = CLIENT.post('/service/user?mode=test',
                           json=dict(username=conf.TEST_USER,
                                     email='*****@*****.**',
                                     password=conf.TEST_PASSWORD),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 400

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None

    user_management.delete_user('unittestadmin')
    user = user_management.get_user('unittestadmin')
    assert user == None
def test_user_authenticate(monkeypatch):
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)

    # Username and password are required to authenticate
    response = CLIENT.post('/service/user/authenticate')
    assert response.status_code == 400

    # Password is required to authenticate
    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER))
    assert response.status_code == 400

    # Password must be correct to authenticate
    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password='******'))
    assert response.status_code == 401

    # Success !
    monkeypatch.setattr('shir_connect.services.utils.count_bad_login_attempts',
                        lambda *args, **kwargs: 2)
    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
    refresh_jwt = utils._get_cookie_from_response(response,
                                                  'refresh_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # Tests that authenticate is also working with cookies
    response = CLIENT.get('/service/user/authorize',
                          headers={
                              'Cookies': 'access_token_cookie=%s' % (jwt),
                              'X-CSRF-TOKEN': csrf['csrf_access_token']
                          })
    assert response.status_code == 200
    assert response.json['id'] == conf.TEST_USER

    # Success!
    response = CLIENT.get(
        '/service/user/refresh',
        headers={
            'Cookies':
            'access_token_cookie=%s;refresh_token_cookie=%s' %
            (jwt, refresh_jwt),
            'X-CSRF-TOKEN':
            csrf['csrf_access_token']
        })
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'refresh_token_cookie')
    refresh_jwt = utils._get_cookie_from_response(response,
                                                  'refresh_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # Make sure the refreshed token works
    response = CLIENT.get(
        '/service/user/authorize',
        headers={'Cookies': 'access_token_cookie=%s' % (jwt)})
    assert response.status_code == 200
    assert response.json['id'] == conf.TEST_USER

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_change_password():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username=conf.TEST_USER,
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # JSON body is required to update password
    response = CLIENT.post('/service/user/change-password',
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 400

    # Old password must be correct to change password
    response = CLIENT.post('/service/user/change-password',
                           json=dict(old_password='******',
                                     new_password=conf.TEST_PASSWORD + '!1',
                                     new_password2=conf.TEST_PASSWORD + '!1'),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 400

    # New passwords must match to update password
    response = CLIENT.post('/service/user/change-password',
                           json=dict(old_password=conf.TEST_PASSWORD,
                                     new_password=conf.TEST_PASSWORD + '!1',
                                     new_password2=conf.TEST_PASSWORD + '!2'),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 400

    # Success!
    response = CLIENT.post('/service/user/change-password',
                           json=dict(old_password=conf.TEST_PASSWORD,
                                     new_password=conf.TEST_PASSWORD + '!1',
                                     new_password2=conf.TEST_PASSWORD + '!1'),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 201

    # Make sure password update worked
    authorized = user_management.authenticate_user(
        username=conf.TEST_USER, password='******')

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None
def test_update_email():
    user_management = UserManagement()
    user_management.delete_user(conf.TEST_USER)
    user_management.delete_user('unittestadmin')
    user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
    user_management.add_user('unittestadmin', conf.TEST_PASSWORD)

    response = CLIENT.post('/service/user/authenticate',
                           json=dict(username='******',
                                     password=conf.TEST_PASSWORD))
    assert response.status_code == 200
    jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
    csrf = utils._get_cookie_from_response(response, 'csrf_access_token')

    # User must be an admin to update email
    response = CLIENT.post('/service/user/update-email',
                           json=dict(username=conf.TEST_USER, role='admin'),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 403

    user_management.update_role('unittestadmin', 'admin')
    # Username must be in the post body
    response = CLIENT.post('/service/user/update-email',
                           json=dict(email='*****@*****.**'),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 400

    # Email must be in the post body
    response = CLIENT.post('/service/user/update-email',
                           json=dict(username=conf.TEST_USER),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 400

    # Success!
    response = CLIENT.post('/service/user/update-email',
                           json=dict(username=conf.TEST_USER,
                                     email='*****@*****.**'),
                           headers={
                               'Cookies': 'access_token_cookie=%s' % (jwt),
                               'X-CSRF-TOKEN': csrf['csrf_access_token']
                           })
    assert response.status_code == 201
    unittestuser = user_management.get_user(conf.TEST_USER)
    assert unittestuser['email'] == '*****@*****.**'

    url = '/service/user/logout'
    response = CLIENT.post(url)
    assert response.status_code == 200

    user_management.delete_user(conf.TEST_USER)
    user = user_management.get_user(conf.TEST_USER)
    assert user == None

    user_management.delete_user('unittestadmin')
    user = user_management.get_user('unittestadmin')
    assert user == None