tests/app/main/test_validators.py

import pytest
from app.main.forms import RegisterUserForm, ServiceSmsSender
from app.main.validators import ValidGovEmail, NoCommasInPlaceHolders
from wtforms import ValidationError
from unittest.mock import Mock


@pytest.mark.parametrize('password', [
    'govuknotify', '11111111', 'kittykat', 'evangeli'
])
def test_should_raise_validation_error_for_password(app_, mock_get_user_by_email, password):
    with app_.test_request_context():
        form = RegisterUserForm()
        form.name.data = 'test'
        form.email_address.data = 'teset@example.gov.uk'
        form.mobile_number.data = '441231231231'
        form.password.data = password

        form.validate()
        assert 'Choose a password that’s harder to guess' in form.errors['password']


def test_valid_email_not_in_valid_domains(app_):
    with app_.test_request_context():
        form = RegisterUserForm(email_address="test@test.com", mobile_number='441231231231')
        assert not form.validate()
        assert "Enter a central government email address" in form.errors['email_address'][0]


def test_valid_email_in_valid_domains(app_):
    with app_.test_request_context():
        form = RegisterUserForm(
            name="test",
            email_address="test@my.gov.uk",
            mobile_number='4407888999111',
            password='an uncommon password')
        form.validate()
        assert form.errors == {}


def test_invalid_email_address_error_message(app_):
    with app_.test_request_context():
        form = RegisterUserForm(
            name="test",
            email_address="test.com",
            mobile_number='4407888999111',
            password='1234567890')
        assert not form.validate()

        form = RegisterUserForm(
            name="test",
            email_address="test.com",
            mobile_number='4407888999111',
            password='1234567890')
        assert not form.validate()


def _gen_mock_field(x):
    return Mock(data=x)


@pytest.mark.parametrize("email", [
    'test@gov.uk',
    'test@GOV.UK',
    'test@gov.uK',
    'test@test.test.gov.uk',
    'test@test.gov.uk',
    'test@mod.uk',
    'test@ddc-mod.org',
    'test@test.ddc-mod.org',
    'test@gov.scot',
    'test@test.gov.scot',
    'test@parliament.uk',
    'test@gov.parliament.uk',
    'test@nhs.uk',
    'test@gov.nhs.uk',
    'test@nhs.net',
    'test@gov.nhs.net',
    'test@police.uk',
    'test@gov.police.uk',
    'test@GOV.PoliCe.uk',
    'test@ucds.email',
    'test@naturalengland.org.uk',
    'test@hmcts.net',
    'test@irmsecurity.com'  # remove once pen test complete
])
def test_valid_list_of_white_list_email_domains(app_, email):
    with app_.test_request_context():
        email_domain_validators = ValidGovEmail()
        email_domain_validators(None, _gen_mock_field(email))


@pytest.mark.parametrize("email", [
    'test@ukgov.uk',
    'test@gov.uk.uk',
    'test@gov.test.uk',
    'test@ukmod.uk',
    'test@mod.uk.uk',
    'test@mod.test.uk',
    'test@ukddc-mod.org',
    'test@ddc-mod.org.uk',
    'test@ddc-mod.uk.org',
    'test@ukgov.scot',
    'test@gov.scot.uk',
    'test@gov.test.scot',
    'test@ukparliament.uk',
    'test@parliament.uk.uk',
    'test@parliament.test.uk',
    'test@uknhs.uk',
    'test@nhs.uk.uk',
    'test@uknhs.net',
    'test@nhs.net.uk',
    'test@nhs.test.net',
    'test@ukpolice.uk',
    'test@police.uk.uk',
    'test@police.test.uk',
    'test@ucds.com'
])
def test_invalid_list_of_white_list_email_domains(app_, email):
    with app_.test_request_context():
        email_domain_validators = ValidGovEmail()
        with pytest.raises(ValidationError):
            email_domain_validators(None, _gen_mock_field(email))


def test_for_commas_in_placeholders(app_):
    with app_.test_request_context():
        with pytest.raises(ValidationError) as error:
            NoCommasInPlaceHolders()(None, _gen_mock_field('Hello ((name,date))'))
        assert str(error.value) == 'You can’t have commas in your fields'
        NoCommasInPlaceHolders()(None, _gen_mock_field('Hello ((name))'))


def test_sms_sender_form_validation(app_, mock_get_user_by_email):
    with app_.test_request_context():
        form = ServiceSmsSender()

        form.sms_sender.data = 'elevenchars'
        form.validate()
        assert not form.errors

        form.sms_sender.data = ''
        form.validate()
        assert not form.errors

        form.sms_sender.data = 'morethanelevenchars'
        form.validate()
        assert "Enter fewer than 11 characters" == form.errors['sms_sender'][0]

        form.sms_sender.data = '###########'
        form.validate()
        assert 'Use letters and numbers only' == form.errors['sms_sender'][0]
-												Fixed email bug and added new exhaustive tests.

											
										
										
											2016-04-06 11:01:22 +01:00
+								import pytest
-												Users can set a value that appears as the sender of a text message.

It can be up to eleven characters alpha numeric, no special characters
allowed.

											
										
										
											2016-07-01 13:47:22 +01:00
+								from app.main.forms import RegisterUserForm, ServiceSmsSender
-												Refactor to use a cleaner and lean regex

											
										
										
											2016-10-28 10:45:05 +01:00
+								from app.main.validators import ValidGovEmail, NoCommasInPlaceHolders
-												Fixed email bug and added new exhaustive tests.

											
										
										
											2016-04-06 11:01:22 +01:00
+								from wtforms import ValidationError
 								from unittest.mock import Mock
-												108536374: Implement a validator to exclude passwords on a blacklist

											
										
										
											2015-12-01 15:51:09 +00:00
-												Stop people using very common passwords

If a user chooses a very common password then an attacker could guess it
in relatively few attempts, circumventing the lockout.

CESG recommend blacklisting the most common passwords:

> …enforcing the requirement for complex character sets in passwords is
> not recommended. Instead, concentrate efforts on technical controls,
> especially:
>
> - defending against automated guessing attacks by either using account
>   lockout, throttling, or protective monitoring
> - blacklisting the most common password choices

How I made this list:

- went to the OWASP repository of security lists:
  https://github.com/danielmiessler/SecLists

- downloaded `10k_most_common.txt`, `twitter-banned.txt` and
  `500-worst-passwords.txt`

- filtered out any under 8 characters:
  ```
  sed -r '/^.{,7}$/d' passwords-twitter.txt > passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords-500.txt >> passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords.txt >> passwords-combined.txt
  ```

- filtered out any duplicates:
  ```
  cat passwords-combined.txt | awk '!x[$0]++' > passwords-combined-deduped.txt
  ```

											
										
										
											2016-09-27 11:28:12 +01:00
+								@pytest.mark.parametrize('password', [
-												Add variations on GOV.UK Notify to blacklist

There’s a chance that someone will run out of imagination and use
the name of the thing they’re signing up for as their password.

This wouldn’t be caught by the generic blacklist.

											
										
										
											2016-09-27 12:24:46 +01:00
+								    'govuknotify', '11111111', 'kittykat', 'evangeli'
-												Stop people using very common passwords

If a user chooses a very common password then an attacker could guess it
in relatively few attempts, circumventing the lockout.

CESG recommend blacklisting the most common passwords:

> …enforcing the requirement for complex character sets in passwords is
> not recommended. Instead, concentrate efforts on technical controls,
> especially:
>
> - defending against automated guessing attacks by either using account
>   lockout, throttling, or protective monitoring
> - blacklisting the most common password choices

How I made this list:

- went to the OWASP repository of security lists:
  https://github.com/danielmiessler/SecLists

- downloaded `10k_most_common.txt`, `twitter-banned.txt` and
  `500-worst-passwords.txt`

- filtered out any under 8 characters:
  ```
  sed -r '/^.{,7}$/d' passwords-twitter.txt > passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords-500.txt >> passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords.txt >> passwords-combined.txt
  ```

- filtered out any duplicates:
  ```
  cat passwords-combined.txt | awk '!x[$0]++' > passwords-combined-deduped.txt
  ```

											
										
										
											2016-09-27 11:28:12 +01:00
+								])
 								def test_should_raise_validation_error_for_password(app_, mock_get_user_by_email, password):
-												Fix missing request context in validators tests

											
										
										
											2016-04-25 11:20:43 +01:00
+								    with app_.test_request_context():
 								        form = RegisterUserForm()
 								        form.name.data = 'test'
 								        form.email_address.data = 'teset@example.gov.uk'
 								        form.mobile_number.data = '441231231231'
-												Stop people using very common passwords

If a user chooses a very common password then an attacker could guess it
in relatively few attempts, circumventing the lockout.

CESG recommend blacklisting the most common passwords:

> …enforcing the requirement for complex character sets in passwords is
> not recommended. Instead, concentrate efforts on technical controls,
> especially:
>
> - defending against automated guessing attacks by either using account
>   lockout, throttling, or protective monitoring
> - blacklisting the most common password choices

How I made this list:

- went to the OWASP repository of security lists:
  https://github.com/danielmiessler/SecLists

- downloaded `10k_most_common.txt`, `twitter-banned.txt` and
  `500-worst-passwords.txt`

- filtered out any under 8 characters:
  ```
  sed -r '/^.{,7}$/d' passwords-twitter.txt > passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords-500.txt >> passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords.txt >> passwords-combined.txt
  ```

- filtered out any duplicates:
  ```
  cat passwords-combined.txt | awk '!x[$0]++' > passwords-combined-deduped.txt
  ```

											
										
										
											2016-09-27 11:28:12 +01:00
+								        form.password.data = password
-												108536374: Implement a validator to exclude passwords on a blacklist

											
										
										
											2015-12-01 15:51:09 +00:00
-												Fix missing request context in validators tests

											
										
										
											2016-04-25 11:20:43 +01:00
+								        form.validate()
-												Give better error message for blacklisted password

Telling the user what to do, rather than the mistake they’ve made is
usually better.

											
										
										
											2016-09-27 11:37:20 +01:00
+								        assert 'Choose a password that’s harder to guess' in form.errors['password']
-												Valid email domains added and tests passing.

											
										
										
											2016-03-18 12:05:50 +00:00
 								def test_valid_email_not_in_valid_domains(app_):
 								    with app_.test_request_context():
 								        form = RegisterUserForm(email_address="test@test.com", mobile_number='441231231231')
 								        assert not form.validate()
 								        assert "Enter a central government email address" in form.errors['email_address'][0]
 								def test_valid_email_in_valid_domains(app_):
 								    with app_.test_request_context():
 								        form = RegisterUserForm(
 								            name="test",
 								            email_address="test@my.gov.uk",
 								            mobile_number='4407888999111',
-												Stop people using very common passwords

If a user chooses a very common password then an attacker could guess it
in relatively few attempts, circumventing the lockout.

CESG recommend blacklisting the most common passwords:

> …enforcing the requirement for complex character sets in passwords is
> not recommended. Instead, concentrate efforts on technical controls,
> especially:
>
> - defending against automated guessing attacks by either using account
>   lockout, throttling, or protective monitoring
> - blacklisting the most common password choices

How I made this list:

- went to the OWASP repository of security lists:
  https://github.com/danielmiessler/SecLists

- downloaded `10k_most_common.txt`, `twitter-banned.txt` and
  `500-worst-passwords.txt`

- filtered out any under 8 characters:
  ```
  sed -r '/^.{,7}$/d' passwords-twitter.txt > passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords-500.txt >> passwords-combined.txt
  sed -r '/^.{,7}$/d' passwords.txt >> passwords-combined.txt
  ```

- filtered out any duplicates:
  ```
  cat passwords-combined.txt | awk '!x[$0]++' > passwords-combined-deduped.txt
  ```

											
										
										
											2016-09-27 11:28:12 +01:00
+								            password='an uncommon password')
-												Valid email domains added and tests passing.

											
										
										
											2016-03-18 12:05:50 +00:00
+								        form.validate()
 								        assert form.errors == {}
 								def test_invalid_email_address_error_message(app_):
 								    with app_.test_request_context():
 								        form = RegisterUserForm(
 								            name="test",
 								            email_address="test.com",
 								            mobile_number='4407888999111',
 								            password='1234567890')
 								        assert not form.validate()
 								        form = RegisterUserForm(
 								            name="test",
 								            email_address="test.com",
 								            mobile_number='4407888999111',
 								            password='1234567890')
 								        assert not form.validate()
-												Fixed email bug and added new exhaustive tests.

											
										
										
											2016-04-06 11:01:22 +01:00
 								def _gen_mock_field(x):
 								    return Mock(data=x)
 								@pytest.mark.parametrize("email", [
 								    'test@gov.uk',
-												Fix issue with uppercase in the domain name.

											
										
										
											2016-04-06 16:45:35 +01:00
+								    'test@GOV.UK',
 								    'test@gov.uK',
-												Fixed email bug and added new exhaustive tests.

											
										
										
											2016-04-06 11:01:22 +01:00
+								    'test@test.test.gov.uk',
 								    'test@test.gov.uk',
 								    'test@mod.uk',
 								    'test@ddc-mod.org',
 								    'test@test.ddc-mod.org',
 								    'test@gov.scot',
 								    'test@test.gov.scot',
 								    'test@parliament.uk',
 								    'test@gov.parliament.uk',
 								    'test@nhs.uk',
 								    'test@gov.nhs.uk',
 								    'test@nhs.net',
 								    'test@gov.nhs.net',
 								    'test@police.uk',
-												Fix issue with uppercase in the domain name.

											
										
										
											2016-04-06 16:45:35 +01:00
+								    'test@gov.police.uk',
 								    'test@GOV.PoliCe.uk',
-												Add Natural England to gov. email domains list

> I cannot register as the Email address field will not accept my email
> address format (.org.uk).  Natural England is a non-departmental
> government body sponsored by Defra (Department for Environment, Food
> and Rural Affairs).  Can you register me on the system or change the
> system so it will accept my email address?

– Deskpro ticket

> Natural England is an executive non-departmental public body,
> sponsored by the Department for Environment, Food & Rural Affairs.

– https://www.gov.uk/government/organisations/natural-england

***

Checks out…

											
										
										
											2016-12-07 12:58:49 +00:00
+								    'test@ucds.email',
 								    'test@naturalengland.org.uk',
-												add hmcts.net to email whitelist

(HM Courts & Tribunals Service)

											
										
										
											2017-01-03 12:34:57 +00:00
+								    'test@hmcts.net',
-												This PR allows the pentesters to operate as part of white listed root domains. Needed for full app testing.

											
										
										
											2017-01-16 14:18:46 +00:00
+								    'test@irmsecurity.com'  # remove once pen test complete
-												Fixed email bug and added new exhaustive tests.

											
										
										
											2016-04-06 11:01:22 +01:00
+								])
 								def test_valid_list_of_white_list_email_domains(app_, email):
 								    with app_.test_request_context():
-												Refactor to use a cleaner and lean regex

											
										
										
											2016-10-28 10:45:05 +01:00
+								        email_domain_validators = ValidGovEmail()
-												Fixed email bug and added new exhaustive tests.

											
										
										
											2016-04-06 11:01:22 +01:00
+								        email_domain_validators(None, _gen_mock_field(email))
 								@pytest.mark.parametrize("email", [
 								    'test@ukgov.uk',
 								    'test@gov.uk.uk',
 								    'test@gov.test.uk',
 								    'test@ukmod.uk',
 								    'test@mod.uk.uk',
 								    'test@mod.test.uk',
 								    'test@ukddc-mod.org',
 								    'test@ddc-mod.org.uk',
 								    'test@ddc-mod.uk.org',
 								    'test@ukgov.scot',
 								    'test@gov.scot.uk',
 								    'test@gov.test.scot',
 								    'test@ukparliament.uk',
 								    'test@parliament.uk.uk',
 								    'test@parliament.test.uk',
 								    'test@uknhs.uk',
 								    'test@nhs.uk.uk',
 								    'test@uknhs.net',
 								    'test@nhs.net.uk',
 								    'test@nhs.test.net',
 								    'test@ukpolice.uk',
 								    'test@police.uk.uk',
-												Update email domain list.

											
										
										
											2016-10-18 13:51:34 +01:00
+								    'test@police.test.uk',
 								    'test@ucds.com'
-												Fixed email bug and added new exhaustive tests.

											
										
										
											2016-04-06 11:01:22 +01:00
+								])
 								def test_invalid_list_of_white_list_email_domains(app_, email):
 								    with app_.test_request_context():
-												Refactor to use a cleaner and lean regex

											
										
										
											2016-10-28 10:45:05 +01:00
+								        email_domain_validators = ValidGovEmail()
-												Fixed email bug and added new exhaustive tests.

											
										
										
											2016-04-06 11:01:22 +01:00
+								        with pytest.raises(ValidationError):
 								            email_domain_validators(None, _gen_mock_field(email))
-												Don’t allow commas in placeholders

> If a user tries to save a template containing something like
> ((name,date)) we should give a validation error.

This is because it causes havoc with the column headers in CSV files.

https://www.pivotaltracker.com/story/show/117043389

											
										
										
											2016-04-07 16:02:06 +01:00
 								def test_for_commas_in_placeholders(app_):
 								    with app_.test_request_context():
 								        with pytest.raises(ValidationError) as error:
 								            NoCommasInPlaceHolders()(None, _gen_mock_field('Hello ((name,date))'))
 								        assert str(error.value) == 'You can’t have commas in your fields'
 								        NoCommasInPlaceHolders()(None, _gen_mock_field('Hello ((name))'))
-												Users can set a value that appears as the sender of a text message.

It can be up to eleven characters alpha numeric, no special characters
allowed.

											
										
										
											2016-07-01 13:47:22 +01:00
 								def test_sms_sender_form_validation(app_, mock_get_user_by_email):
 								    with app_.test_request_context():
 								        form = ServiceSmsSender()
 								        form.sms_sender.data = 'elevenchars'
 								        form.validate()
 								        assert not form.errors
-												Can remove sms sender.

											
										
										
											2016-07-01 16:32:21 +01:00
+								        form.sms_sender.data = ''
 								        form.validate()
 								        assert not form.errors
-												Users can set a value that appears as the sender of a text message.

It can be up to eleven characters alpha numeric, no special characters
allowed.

											
										
										
											2016-07-01 13:47:22 +01:00
+								        form.sms_sender.data = 'morethanelevenchars'
 								        form.validate()
-												Add some explaining to the SMS sender page

											
										
										
											2016-08-22 16:10:57 +01:00
+								        assert "Enter fewer than 11 characters" == form.errors['sms_sender'][0]
-												Users can set a value that appears as the sender of a text message.

It can be up to eleven characters alpha numeric, no special characters
allowed.

											
										
										
											2016-07-01 13:47:22 +01:00
 								        form.sms_sender.data = '###########'
 								        form.validate()
-												Add some explaining to the SMS sender page

											
										
										
											2016-08-22 16:10:57 +01:00
+								        assert 'Use letters and numbers only' == form.errors['sms_sender'][0]