mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-06-23 08:49:46 -04:00
92f78b14fe
the js `fetch` function will follow redirects blindly and return you the final 200 response. when there's an error, we don't want to go anywhere, and we want to use the flask `flash` functionality to pop up an error page (the likely reason for seeing this is using a yubikey that isn't associated with your user). using `flash` and then `window.location.reload()` handles this fine. However, when the user does log in succesfully we need to properly log them in - this includes: * checking their account isn't over the max login count * resetting failed login count to 0 if not * setting a new session id in the database (so other browser windows are logged out) * checking if they need to revalidate their email access (every 90 days) * clearing old user out of the cache This code all happens in the ajax function rather than being in a separate redirect, so that you can't just navigate to the login flow. I wasn't able to unit test that function due how it uses the session and other flask globals, so moved the auth into its own function so it's easy to stub out all that CBOR nonsense. TODO: We still need to pass any `next` URLs through the chain from login page all the way through the javascript AJAX calls and redirects to the log_in_user function
309 lines
11 KiB
Python
309 lines
11 KiB
Python
import uuid
|
|
from unittest.mock import Mock, call
|
|
|
|
import pytest
|
|
from notifications_python_client.errors import HTTPError
|
|
|
|
from app import invite_api_client, service_api_client, user_api_client
|
|
from app.models.webauthn_credential import WebAuthnCredential
|
|
from tests import sample_uuid
|
|
from tests.conftest import SERVICE_ONE_ID
|
|
|
|
user_id = sample_uuid()
|
|
|
|
|
|
def test_client_gets_all_users_for_service(
|
|
mocker,
|
|
fake_uuid,
|
|
):
|
|
|
|
user_api_client.max_failed_login_count = 99 # doesn't matter for this test
|
|
mock_get = mocker.patch(
|
|
'app.notify_client.user_api_client.UserApiClient.get',
|
|
return_value={'data': [
|
|
{'id': fake_uuid},
|
|
]}
|
|
)
|
|
|
|
users = user_api_client.get_users_for_service(SERVICE_ONE_ID)
|
|
|
|
mock_get.assert_called_once_with('/service/{}/users'.format(SERVICE_ONE_ID))
|
|
assert len(users) == 1
|
|
assert users[0]['id'] == fake_uuid
|
|
|
|
|
|
def test_client_uses_correct_find_by_email(mocker, api_user_active):
|
|
|
|
expected_url = '/user/email'
|
|
expected_data = {'email': api_user_active['email_address']}
|
|
|
|
user_api_client.max_failed_login_count = 1 # doesn't matter for this test
|
|
mock_post = mocker.patch('app.notify_client.user_api_client.UserApiClient.post')
|
|
|
|
user_api_client.get_user_by_email(api_user_active['email_address'])
|
|
|
|
mock_post.assert_called_once_with(expected_url, data=expected_data)
|
|
|
|
|
|
def test_client_only_updates_allowed_attributes(mocker):
|
|
mocker.patch('app.notify_client.current_user', id='1')
|
|
with pytest.raises(TypeError) as error:
|
|
user_api_client.update_user_attribute('user_id', id='1')
|
|
assert str(error.value) == 'Not allowed to update user attributes: id'
|
|
|
|
|
|
def test_client_updates_password_separately(mocker, api_user_active):
|
|
expected_url = '/user/{}/update-password'.format(api_user_active['id'])
|
|
expected_params = {'_password': 'newpassword'}
|
|
user_api_client.max_failed_login_count = 1 # doesn't matter for this test
|
|
mock_update_password = mocker.patch('app.notify_client.user_api_client.UserApiClient.post')
|
|
|
|
user_api_client.update_password(api_user_active['id'], expected_params['_password'])
|
|
mock_update_password.assert_called_once_with(expected_url, data=expected_params)
|
|
|
|
|
|
def test_client_activates_if_pending(mocker, api_user_pending):
|
|
mock_post = mocker.patch('app.notify_client.user_api_client.UserApiClient.post')
|
|
user_api_client.max_failed_login_count = 1 # doesn't matter for this test
|
|
|
|
user_api_client.activate_user(api_user_pending['id'])
|
|
|
|
mock_post.assert_called_once_with('/user/{}/activate'.format(api_user_pending['id']), data=None)
|
|
|
|
|
|
def test_client_passes_admin_url_when_sending_email_auth(
|
|
notify_admin,
|
|
mocker,
|
|
fake_uuid,
|
|
):
|
|
mock_post = mocker.patch('app.notify_client.user_api_client.UserApiClient.post')
|
|
|
|
user_api_client.send_verify_code(fake_uuid, 'email', 'ignored@example.com')
|
|
|
|
mock_post.assert_called_once_with(
|
|
'/user/{}/email-code'.format(fake_uuid),
|
|
data={
|
|
'to': 'ignored@example.com',
|
|
'email_auth_link_host': 'http://localhost:6012',
|
|
}
|
|
)
|
|
|
|
|
|
def test_client_converts_admin_permissions_to_db_permissions_on_edit(notify_admin, mocker):
|
|
mock_post = mocker.patch('app.notify_client.user_api_client.UserApiClient.post')
|
|
|
|
user_api_client.set_user_permissions('user_id', 'service_id', permissions={'send_messages', 'view_activity'})
|
|
|
|
assert sorted(mock_post.call_args[1]['data']['permissions'], key=lambda x: x['permission']) == sorted([
|
|
{'permission': 'send_texts'},
|
|
{'permission': 'send_emails'},
|
|
{'permission': 'send_letters'},
|
|
{'permission': 'view_activity'},
|
|
], key=lambda x: x['permission'])
|
|
|
|
|
|
def test_client_converts_admin_permissions_to_db_permissions_on_add_to_service(notify_admin, mocker):
|
|
mock_post = mocker.patch('app.notify_client.user_api_client.UserApiClient.post', return_value={'data': {}})
|
|
|
|
user_api_client.add_user_to_service('service_id',
|
|
'user_id',
|
|
permissions={'send_messages', 'view_activity'},
|
|
folder_permissions=[])
|
|
|
|
assert sorted(mock_post.call_args[1]['data']['permissions'], key=lambda x: x['permission']) == sorted([
|
|
{'permission': 'send_texts'},
|
|
{'permission': 'send_emails'},
|
|
{'permission': 'send_letters'},
|
|
{'permission': 'view_activity'},
|
|
], key=lambda x: x['permission'])
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
(
|
|
'expected_cache_get_calls,'
|
|
'cache_value,'
|
|
'expected_api_calls,'
|
|
'expected_cache_set_calls,'
|
|
'expected_return_value,'
|
|
),
|
|
[
|
|
(
|
|
[
|
|
call('user-{}'.format(user_id))
|
|
],
|
|
b'{"data": "from cache"}',
|
|
[],
|
|
[],
|
|
'from cache',
|
|
),
|
|
(
|
|
[
|
|
call('user-{}'.format(user_id))
|
|
],
|
|
None,
|
|
[
|
|
call('/user/{}'.format(user_id))
|
|
],
|
|
[
|
|
call(
|
|
'user-{}'.format(user_id),
|
|
'{"data": "from api"}',
|
|
ex=604800
|
|
)
|
|
],
|
|
'from api',
|
|
),
|
|
]
|
|
)
|
|
def test_returns_value_from_cache(
|
|
notify_admin,
|
|
mocker,
|
|
expected_cache_get_calls,
|
|
cache_value,
|
|
expected_return_value,
|
|
expected_api_calls,
|
|
expected_cache_set_calls,
|
|
):
|
|
|
|
mock_redis_get = mocker.patch(
|
|
'app.extensions.RedisClient.get',
|
|
return_value=cache_value,
|
|
)
|
|
mock_api_get = mocker.patch(
|
|
'app.notify_client.NotifyAdminAPIClient.get',
|
|
return_value={'data': 'from api'},
|
|
)
|
|
mock_redis_set = mocker.patch(
|
|
'app.extensions.RedisClient.set',
|
|
)
|
|
|
|
user_api_client.get_user(user_id)
|
|
|
|
assert mock_redis_get.call_args_list == expected_cache_get_calls
|
|
assert mock_api_get.call_args_list == expected_api_calls
|
|
assert mock_redis_set.call_args_list == expected_cache_set_calls
|
|
|
|
|
|
@pytest.mark.parametrize('client, method, extra_args, extra_kwargs', [
|
|
(user_api_client, 'add_user_to_service', [SERVICE_ONE_ID, sample_uuid(), [], []], {}),
|
|
(user_api_client, 'update_user_attribute', [user_id], {}),
|
|
(user_api_client, 'reset_failed_login_count', [user_id], {}),
|
|
(user_api_client, 'update_user_attribute', [user_id], {}),
|
|
(user_api_client, 'update_password', [user_id, 'hunter2'], {}),
|
|
(user_api_client, 'verify_password', [user_id, 'hunter2'], {}),
|
|
(user_api_client, 'check_verify_code', [user_id, '', ''], {}),
|
|
(user_api_client, 'complete_webauthn_login_attempt', [user_id], {'is_successful': True}),
|
|
(user_api_client, 'add_user_to_service', [SERVICE_ONE_ID, user_id, [], []], {}),
|
|
(user_api_client, 'add_user_to_organisation', [sample_uuid(), user_id], {}),
|
|
(user_api_client, 'set_user_permissions', [user_id, SERVICE_ONE_ID, []], {}),
|
|
(user_api_client, 'activate_user', [user_id], {}),
|
|
(user_api_client, 'archive_user', [user_id], {}),
|
|
(service_api_client, 'remove_user_from_service', [SERVICE_ONE_ID, user_id], {}),
|
|
(service_api_client, 'create_service', ['', '', 0, False, user_id, sample_uuid()], {}),
|
|
(invite_api_client, 'accept_invite', [SERVICE_ONE_ID, user_id], {}),
|
|
])
|
|
def test_deletes_user_cache(
|
|
notify_admin,
|
|
mock_get_user,
|
|
mocker,
|
|
client,
|
|
method,
|
|
extra_args,
|
|
extra_kwargs,
|
|
):
|
|
mocker.patch('app.notify_client.current_user', id='1')
|
|
mock_redis_delete = mocker.patch('app.extensions.RedisClient.delete')
|
|
mock_request = mocker.patch('notifications_python_client.base.BaseAPIClient.request')
|
|
|
|
getattr(client, method)(*extra_args, **extra_kwargs)
|
|
|
|
assert call('user-{}'.format(user_id)) in mock_redis_delete.call_args_list
|
|
assert len(mock_request.call_args_list) == 1
|
|
|
|
|
|
def test_add_user_to_service_calls_correct_endpoint_and_deletes_keys_from_cache(mocker):
|
|
mock_redis_delete = mocker.patch('app.extensions.RedisClient.delete')
|
|
|
|
service_id = uuid.uuid4()
|
|
user_id = uuid.uuid4()
|
|
folder_id = uuid.uuid4()
|
|
|
|
expected_url = '/service/{}/users/{}'.format(service_id, user_id)
|
|
data = {'permissions': [], 'folder_permissions': [folder_id]}
|
|
|
|
mock_post = mocker.patch('app.notify_client.user_api_client.UserApiClient.post')
|
|
|
|
user_api_client.add_user_to_service(service_id, user_id, [], [folder_id])
|
|
|
|
mock_post.assert_called_once_with(expected_url, data=data)
|
|
assert mock_redis_delete.call_args_list == [
|
|
call('user-{user_id}'.format(user_id=user_id)),
|
|
call('service-{service_id}-template-folders'.format(service_id=service_id)),
|
|
call('service-{service_id}'.format(service_id=service_id)),
|
|
]
|
|
|
|
|
|
def test_get_webauthn_credentials_for_user(mocker, webauthn_credential, fake_uuid):
|
|
|
|
mock_get = mocker.patch(
|
|
'app.notify_client.user_api_client.UserApiClient.get',
|
|
return_value={'data': [webauthn_credential]}
|
|
)
|
|
|
|
credentials = user_api_client.get_webauthn_credentials_for_user(fake_uuid)
|
|
|
|
mock_get.assert_called_once_with(f'/user/{fake_uuid}/webauthn')
|
|
assert len(credentials) == 1
|
|
assert credentials[0]['name'] == 'Test credential'
|
|
|
|
|
|
def test_create_webauthn_credential_for_user(mocker, webauthn_credential, fake_uuid):
|
|
credential = WebAuthnCredential(webauthn_credential)
|
|
|
|
mock_post = mocker.patch('app.notify_client.user_api_client.UserApiClient.post')
|
|
expected_url = f'/user/{fake_uuid}/webauthn'
|
|
|
|
user_api_client.create_webauthn_credential_for_user(fake_uuid, credential)
|
|
mock_post.assert_called_once_with(expected_url, data=credential.serialize())
|
|
|
|
|
|
def test_complete_webauthn_login_attempt_returns_true_and_no_message_normally(fake_uuid, mocker):
|
|
mock_post = mocker.patch('app.notify_client.user_api_client.UserApiClient.post')
|
|
|
|
resp = user_api_client.complete_webauthn_login_attempt(fake_uuid, is_successful=True)
|
|
|
|
expected_data = {'successful': True}
|
|
mock_post.assert_called_once_with(f'/user/{fake_uuid}/verify/webauthn-login', data=expected_data)
|
|
assert resp == (True, '')
|
|
|
|
|
|
def test_complete_webauthn_login_attempt_returns_false_and_message_on_403(fake_uuid, mocker):
|
|
mock_post = mocker.patch(
|
|
'app.notify_client.user_api_client.UserApiClient.post',
|
|
side_effect=HTTPError(
|
|
response=Mock(
|
|
status_code=403,
|
|
json=Mock(
|
|
return_value={'message': 'forbidden'}
|
|
)
|
|
)
|
|
)
|
|
)
|
|
|
|
resp = user_api_client.complete_webauthn_login_attempt(fake_uuid, is_successful=True)
|
|
|
|
expected_data = {'successful': True}
|
|
mock_post.assert_called_once_with(f'/user/{fake_uuid}/verify/webauthn-login', data=expected_data)
|
|
|
|
assert resp == (False, 'forbidden')
|
|
|
|
|
|
def test_complete_webauthn_login_attempt_raises_on_api_error(fake_uuid, mocker):
|
|
mocker.patch(
|
|
'app.notify_client.user_api_client.UserApiClient.post',
|
|
side_effect=HTTPError(response=Mock(status_code=503, message='error'))
|
|
)
|
|
|
|
with pytest.raises(HTTPError):
|
|
user_api_client.complete_webauthn_login_attempt(fake_uuid, is_successful=True)
|