def check_tag_multiid(clnt, route_name, test_model):
"""check multiid tagging"""
data = {
'tag': 'testtag',
'action': 'set',
'ids-0': test_model.id,
'csrf_token': get_csrf_token(clnt)
}
response = clnt.post(url_for(route_name), data)
assert response.status_code == HTTPStatus.OK
assert 'testtag' in test_model.__class__.query.get(test_model.id).tags
data = {
'tag': 'testtag',
'action': 'unset',
'ids-0': test_model.id,
'csrf_token': get_csrf_token(clnt)
}
response = clnt.post(url_for(route_name), data)
assert response.status_code == HTTPStatus.OK
assert 'testtag' not in test_model.__class__.query.get(test_model.id).tags
response = clnt.post(url_for(route_name), {}, status='*')
assert response.status_code == HTTPStatus.BAD_REQUEST
def test_profile_webauthn_register_route(cl_user):
"""register new credential for user"""
device = SoftWebauthnDevice()
response = cl_user.get(url_for('auth.profile_webauthn_register_route'))
# some javascript code must be emulated
pkcco = cbor.decode(
b64decode(
cl_user.post(url_for('auth.profile_webauthn_pkcco_route'), {
'csrf_token': get_csrf_token(cl_user)
}).body))
attestation = device.create(pkcco, 'https://%s' % webauthn.rp.id)
attestation_data = {
'clientDataJSON': attestation['response']['clientDataJSON'],
'attestationObject': attestation['response']['attestationObject']
}
form = response.form
form['attestation'] = b64encode(cbor.encode(attestation_data))
# and back to standard test codeflow
form['name'] = 'pytest token'
response = form.submit()
assert response.status_code == HTTPStatus.FOUND
user = User.query.filter(User.username == 'pytest_user').one()
assert user.webauthn_credentials
def test_login_webauthn(client, webauthn_credential_factory):
"""test login by webauthn"""
device = SoftWebauthnDevice()
device.cred_init(webauthn.rp.id, b'randomhandle')
wncred = webauthn_credential_factory.create(initialized_device=device)
form = client.get(url_for('auth.login_route')).form
form['username'] = wncred.user.username
response = form.submit()
assert response.status_code == HTTPStatus.FOUND
response = response.follow()
# some javascript code muset be emulated
pkcro = cbor.decode(
b64decode(
client.post(url_for('auth.login_webauthn_pkcro_route'), {
'csrf_token': get_csrf_token(client)
}).body))
assertion = device.get(pkcro, f'https://{webauthn.rp.id}')
assertion_data = {
'credentialRawId': assertion['rawId'],
'authenticatorData': assertion['response']['authenticatorData'],
'clientDataJSON': assertion['response']['clientDataJSON'],
'signature': assertion['response']['signature'],
'userHandle': assertion['response']['userHandle']
}
form = response.form
form['assertion'] = b64encode(cbor.encode(assertion_data))
response = form.submit()
# and back to standard test codeflow
assert response.status_code == HTTPStatus.FOUND
response = client.get(url_for('index_route'))
assert response.lxml.xpath('//a[text()="Logout"]')
def test_vuln_delete_multiid_route(cl_operator, test_vuln):
"""vuln multi delete route for ajaxed toolbars test"""
data = {'ids-0': test_vuln.id, 'csrf_token': get_csrf_token(cl_operator)}
response = cl_operator.post(url_for('storage.vuln_delete_multiid_route'), data)
assert response.status_code == HTTPStatus.OK
assert not Vuln.query.get(test_vuln.id)
response = cl_operator.post(url_for('storage.vuln_delete_multiid_route'), {}, status='*')
assert response.status_code == HTTPStatus.BAD_REQUEST
def test_user_apikey_route(cl_admin, user):
"""user apikey route test"""
data = {'csrf_token': get_csrf_token(cl_admin)}
response = cl_admin.post(url_for('auth.user_apikey_route', user_id=user.id, action='generate'), data)
assert response.status_code == HTTPStatus.OK
assert User.query.get(user.id).apikey
response = cl_admin.post(url_for('auth.user_apikey_route', user_id=user.id, action='revoke'), data)
assert response.status_code == HTTPStatus.OK
assert not User.query.get(user.id).apikey
response = cl_admin.post(url_for('auth.user_apikey_route', user_id=user.id, action='invalid'), status='*')
assert response.status_code == HTTPStatus.BAD_REQUEST
def test_login_webauthn(client, test_user):
"""test login by webauthn"""
device = SoftWebauthnDevice()
device.cred_init(webauthn.rp.id, b'randomhandle')
persist_and_detach(
WebauthnCredential(user=test_user,
user_handle=device.user_handle,
credential_data=cbor.encode(
device.cred_as_attested().__dict__)))
form = client.get(url_for('auth.login_route')).form
form['username'] = test_user.username
response = form.submit()
assert response.status_code == HTTPStatus.FOUND
response = response.follow()
# some javascript code muset be emulated
pkcro = cbor.decode(
b64decode(
client.post(url_for('auth.login_webauthn_pkcro_route'), {
'csrf_token': get_csrf_token(client)
}).body))
assertion = device.get(pkcro, 'https://%s' % webauthn.rp.id)
assertion_data = {
'credentialRawId': assertion['rawId'],
'authenticatorData': assertion['response']['authenticatorData'],
'clientDataJSON': assertion['response']['clientDataJSON'],
'signature': assertion['response']['signature'],
'userHandle': assertion['response']['userHandle']
}
form = response.form
form['assertion'] = b64encode(cbor.encode(assertion_data))
response = form.submit()
# and back to standard test codeflow
assert response.status_code == HTTPStatus.FOUND
response = client.get(url_for('index_route'))
assert response.lxml.xpath('//a[text()="Logout"]')
