darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-06-21 21:53:42 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
403e133b80bb46292ea141efcb2f3bd39f3b70a1
notifications-admin/tests/app/main/views/test_two_factor.py

246 lines
12 KiB
Python
Raw Normal View History

Reintroduce some tests. A bit of cleanup of mocks. User object fields made a bit clearer and simple test to verify user added.
2016-01-23 23:14:50 +00:00
from flask import url_for
Revert config changes so it doesn't break local dev builds. Update tests
2016-03-09 09:29:35 +00:00
from tests.conftest import SERVICE_ONE_ID
109638656: Implementation of two factor verification Validation of the code is done in the form, when the form.validate_on_submit is called the validate code methods are called as well.
2015-12-09 11:36:57 +00:00
Record login including remembered user login events to the api based of flask login signals.
2016-04-27 16:39:17 +01:00
from unittest.mock import ANY
109638656: Initial implementation for two-factor
2015-12-07 16:56:11 +00:00
Working tests, hopefully all code changes done.
2016-01-27 12:22:32 +00:00
def test_should_render_two_factor_page(app_,
api_user_active,
All tests passing and merged with master.
2016-01-27 16:30:33 +00:00
mock_get_user_by_email):
Tests added for dao.
2016-01-15 15:15:35 +00:00
with app_.test_request_context():
with app_.test_client() as client:
Fix for security hole with setting session['user_id'] before second factor of authentication has been authorised.
2016-01-07 12:43:10 +00:00
# TODO this lives here until we work out how to
# reassign the session after it is lost mid register process
with client.session_transaction() as session:
Working tests, hopefully all code changes done.
2016-01-27 12:22:32 +00:00
session['user_details'] = {
'id': api_user_active.id,
'email': api_user_active.email_address}
Fix for security hole with setting session['user_id'] before second factor of authentication has been authorised.
2016-01-07 12:43:10 +00:00
response = client.get(url_for('main.two_factor'))
Refactor for code_not_received, sign_in, two_factor and verify.
2016-01-05 17:08:50 +00:00
assert response.status_code == 200
Change 'verification code' to 'security code' Extensive testing on Verify has shown that this is understood better.
2016-08-22 10:17:03 +01:00
assert '''Weve sent you a text message with a security code.''' in response.get_data(as_text=True)
109638656: Initial implementation for two-factor
2015-12-07 16:56:11 +00:00
Skip ‘choose service’ page if user has one service We used to do this by redirecting on the choose service page. However when we lost the dropdown and this page also became the page for adding a new service (in 3617f2e936aadbdf71d582e58d88a16629ee5ca2) the redirect was removed. This commit re-adds the redirect on the two factor page, so that it only happens on first login. So the flows are: **Multiple services** ``` `Sign in` → `Enter two factor code` → `Choose service` → `Service dashboard` ``` **One service** ``` `Sign in` → `Enter two factor code` → `Service dashboard` ``` **No services (you’ve deleted all your services)** `Sign in` → `Enter two factor code` → `Choose service` → `Add new service`
2016-02-05 14:25:48 +00:00
def test_should_login_user_and_redirect_to_service_dashboard(app_,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
Record login including remembered user login events to the api based of flask login signals.
2016-04-27 16:39:17 +01:00
mock_get_services_with_one_service,
mock_events):
Skip ‘choose service’ page if user has one service We used to do this by redirecting on the choose service page. However when we lost the dropdown and this page also became the page for adding a new service (in 3617f2e936aadbdf71d582e58d88a16629ee5ca2) the redirect was removed. This commit re-adds the redirect on the two factor page, so that it only happens on first login. So the flows are: **Multiple services** ``` `Sign in` → `Enter two factor code` → `Choose service` → `Service dashboard` ``` **One service** ``` `Sign in` → `Enter two factor code` → `Service dashboard` ``` **No services (you’ve deleted all your services)** `Sign in` → `Enter two factor code` → `Choose service` → `Add new service`
2016-02-05 14:25:48 +00:00
with app_.test_request_context():
with app_.test_client() as client:
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active.id,
'email': api_user_active.email_address}
response = client.post(url_for('main.two_factor'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for(
'main.service_dashboard',
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used.
2016-03-14 16:30:48 +00:00
service_id=SERVICE_ONE_ID,
_external=True
)
Record login including remembered user login events to the api based of flask login signals.
2016-04-27 16:39:17 +01:00
mock_events.assert_called_with('sucessful_login', ANY)
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used.
2016-03-14 16:30:48 +00:00
def test_should_login_user_and_should_redirect_to_next_url(app_,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services):
with app_.test_request_context():
with app_.test_client() as client:
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active.id,
'email': api_user_active.email_address}
response = client.post(url_for('main.two_factor', next='/services/{}/dashboard'.format(SERVICE_ONE_ID)),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for(
'main.service_dashboard',
service_id=SERVICE_ONE_ID,
_external=True
)
def test_should_login_user_and_not_redirect_to_external_url(app_,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service):
with app_.test_request_context():
with app_.test_client() as client:
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active.id,
'email': api_user_active.email_address}
response = client.post(url_for('main.two_factor', next='http://www.google.com'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for(
'main.service_dashboard',
Revert config changes so it doesn't break local dev builds. Update tests
2016-03-09 09:29:35 +00:00
service_id=SERVICE_ONE_ID,
Skip ‘choose service’ page if user has one service We used to do this by redirecting on the choose service page. However when we lost the dropdown and this page also became the page for adding a new service (in 3617f2e936aadbdf71d582e58d88a16629ee5ca2) the redirect was removed. This commit re-adds the redirect on the two factor page, so that it only happens on first login. So the flows are: **Multiple services** ``` `Sign in` → `Enter two factor code` → `Choose service` → `Service dashboard` ``` **One service** ``` `Sign in` → `Enter two factor code` → `Service dashboard` ``` **No services (you’ve deleted all your services)** `Sign in` → `Enter two factor code` → `Choose service` → `Add new service`
2016-02-05 14:25:48 +00:00
_external=True
)
def test_should_login_user_and_redirect_to_choose_services(app_,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services):
Tests added for dao.
2016-01-15 15:15:35 +00:00
with app_.test_request_context():
with app_.test_client() as client:
Refactor for code_not_received, sign_in, two_factor and verify.
2016-01-05 17:08:50 +00:00
with client.session_transaction() as session:
Working tests, hopefully all code changes done.
2016-01-27 12:22:32 +00:00
session['user_details'] = {
'id': api_user_active.id,
'email': api_user_active.email_address}
Refactor for code_not_received, sign_in, two_factor and verify.
2016-01-05 17:08:50 +00:00
response = client.post(url_for('main.two_factor'),
data={'sms_code': '12345'})
109638656: Implement two factor verify flow When user enters valid sms code they are redirected to the dashboard. Otherwise, form errors are present.
2015-12-08 12:36:54 +00:00
Refactor for code_not_received, sign_in, two_factor and verify.
2016-01-05 17:08:50 +00:00
assert response.status_code == 302
Use url_for to generate URLs > it is about consistency and updates, if that endpoint changes in the future > we don't have to update hundreds of tests for a specific string. The actual > url should be ambiguous we are testing a view endpoint.
2016-01-14 11:30:33 +00:00
assert response.location == url_for('main.choose_service', _external=True)
109638656: Implement two factor verify flow When user enters valid sms code they are redirected to the dashboard. Otherwise, form errors are present.
2015-12-08 12:36:54 +00:00
Tests added for dao.
2016-01-15 15:15:35 +00:00
def test_should_return_200_with_sms_code_error_when_sms_code_is_wrong(app_,
Working tests, hopefully all code changes done.
2016-01-27 12:22:32 +00:00
api_user_active,
All tests passing and merged with master.
2016-01-27 16:30:33 +00:00
mock_get_user_by_email,
Working tests, hopefully all code changes done.
2016-01-27 12:22:32 +00:00
mock_check_verify_code_code_not_found):
Tests added for dao.
2016-01-15 15:15:35 +00:00
with app_.test_request_context():
with app_.test_client() as client:
Refactor for code_not_received, sign_in, two_factor and verify.
2016-01-05 17:08:50 +00:00
with client.session_transaction() as session:
Working tests, hopefully all code changes done.
2016-01-27 12:22:32 +00:00
session['user_details'] = {
'id': api_user_active.id,
'email': api_user_active.email_address}
Refactor for code_not_received, sign_in, two_factor and verify.
2016-01-05 17:08:50 +00:00
response = client.post(url_for('main.two_factor'),
data={'sms_code': '23456'})
assert response.status_code == 200
Working tests, hopefully all code changes done.
2016-01-27 12:22:32 +00:00
assert 'Code not found' in response.get_data(as_text=True)
110880218: Completed implementation of resend the verificaton code
2015-12-31 13:16:59 +00:00
Tests added for dao.
2016-01-15 15:15:35 +00:00
def test_should_login_user_when_multiple_valid_codes_exist(app_,
Working tests, hopefully all code changes done.
2016-01-27 12:22:32 +00:00
api_user_active,
mock_get_user,
All tests passing and merged with master.
2016-01-27 16:30:33 +00:00
mock_get_user_by_email,
Skip ‘choose service’ page if user has one service We used to do this by redirecting on the choose service page. However when we lost the dropdown and this page also became the page for adding a new service (in 3617f2e936aadbdf71d582e58d88a16629ee5ca2) the redirect was removed. This commit re-adds the redirect on the two factor page, so that it only happens on first login. So the flows are: **Multiple services** ``` `Sign in` → `Enter two factor code` → `Choose service` → `Service dashboard` ``` **One service** ``` `Sign in` → `Enter two factor code` → `Service dashboard` ``` **No services (you’ve deleted all your services)** `Sign in` → `Enter two factor code` → `Choose service` → `Add new service`
2016-02-05 14:25:48 +00:00
mock_check_verify_code,
mock_get_services_with_one_service):
Tests added for dao.
2016-01-15 15:15:35 +00:00
with app_.test_request_context():
with app_.test_client() as client:
Refactor for code_not_received, sign_in, two_factor and verify.
2016-01-05 17:08:50 +00:00
with client.session_transaction() as session:
Working tests, hopefully all code changes done.
2016-01-27 12:22:32 +00:00
session['user_details'] = {
'id': api_user_active.id,
'email': api_user_active.email_address}
Refactor for code_not_received, sign_in, two_factor and verify.
2016-01-05 17:08:50 +00:00
response = client.post(url_for('main.two_factor'),
data={'sms_code': '23456'})
assert response.status_code == 302
Remember me functionality added and tested. Merge extra. Fixed comment.
2016-02-23 15:45:19 +00:00
def test_remember_me_set(app_,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service):
with app_.test_request_context():
with app_.test_client() as client:
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active.id,
'email': api_user_active.email_address}
response = client.post(url_for('main.two_factor'),
data={'sms_code': '23456', 'remember_me': True})
assert response.status_code == 302
Added a test to check that the password is updated when the password exists in the session object on the two-factor page.
2016-03-08 14:58:29 +00:00
def test_two_factor_should_set_password_when_new_password_exists_in_session(app_,
api_user_active,
mock_get_user,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_update_user):
with app_.test_request_context():
with app_.test_client() as client:
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active.id,
'email': api_user_active.email_address,
'password': 'changedpassword'}
response = client.post(url_for('main.two_factor'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for(
'main.service_dashboard',
Revert config changes so it doesn't break local dev builds. Update tests
2016-03-09 09:29:35 +00:00
service_id=SERVICE_ONE_ID,
Added a test to check that the password is updated when the password exists in the session object on the two-factor page.
2016-03-08 14:58:29 +00:00
_external=True
)
api_user_active.password = 'changedpassword'
mock_update_user.assert_called_once_with(api_user_active)
Failed login count set to zero with password reset.
2016-04-26 11:51:34 +01:00
def test_two_factor_reset_login_count_called(app_,
api_user_locked,
mock_get_locked_user,
mock_update_user,
mock_check_verify_code,
mock_get_services_with_one_service):
with app_.test_request_context():
with app_.test_client() as client:
with client.session_transaction() as session:
new_password = "1234567890"
session['user_details'] = {
'id': api_user_locked.id,
'email': api_user_locked.email_address,
'password': new_password
}
response = client.post(url_for('main.two_factor'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for(
'main.service_dashboard',
service_id=SERVICE_ONE_ID,
_external=True
)
api_user_locked.reset_failed_login_count()
api_user_locked.password = new_password
mock_update_user.assert_called_with(api_user_locked)
In case user details were not in session the redirect did not use url_for to redirect to sign in.
2016-06-06 14:46:16 +01:00
def test_two_factor_should_redirect_to_sign_in_if_user_not_in_session(app_,
api_user_active,
mock_get_user):
with app_.test_request_context():
with app_.test_client() as client:
response = client.post(url_for('main.two_factor'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for('main.sign_in', _external=True)
- Add test to check that two-factor auth activates a user as expected - Ensure DB user activation statusupdate only executed when required - Fix test_should_activate_user_after_verify
2016-09-09 15:22:56 +01:00
def test_two_factor_should_activate_pending_user(app_,
mocker,
api_user_pending,
mock_check_verify_code,
mock_update_user
):
mocker.patch('app.user_api_client.get_user', return_value=api_user_pending)
mocker.patch('app.service_api_client.get_services', return_value={'data': []})
with app_.test_request_context():
with app_.test_client() as client:
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_pending.id,
'email_address': api_user_pending.email_address
}
client.post(url_for('main.two_factor'), data={'sms_code': '12345'})
assert mock_update_user.called
assert api_user_pending.is_active
Reference in New Issue Copy Permalink