darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-02-23 11:51:05 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
3bc2fffbb2fa46daed8faeedef7bede3ad41388d
notifications-admin/tests/app/main/views/test_two_factor.py
Pea Tyczynska 6578719103 Test next redirects with realistic URL 
This change has been made following PR review, to ensure
that special signs are transformed correctly when passing
through the next URL.
2020-10-12 12:01:39 +01:00

455 lines
15 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import pytest
from bs4 import BeautifulSoup
from flask import url_for
from freezegun import freeze_time
from tests.conftest import (
SERVICE_ONE_ID,
normalize_spaces,
set_config,
url_for_endpoint_with_token,
)
@pytest.mark.parametrize('request_url', ['two_factor_email_sent', 'revalidate_email_sent'])
@pytest.mark.parametrize('redirect_url', [None, f'/services/{SERVICE_ONE_ID}/templates'])
@pytest.mark.parametrize('email_resent, page_title', [
(None, 'Check your email'),
(True, 'Email resent')
])
def test_two_factor_email_sent_page(
client,
email_resent,
page_title,
redirect_url,
request_url
):
response = client.get(url_for(f'main.{request_url}', next=redirect_url, email_resent=email_resent))
assert response.status_code == 200
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert page.h1.string == page_title
# there shouldn't be a form for updating mobile number
assert page.find('form') is None
resend_email_link = page.find('a', class_="govuk-link govuk-link--no-visited-state page-footer-secondary-link")
assert resend_email_link.text == 'Not received an email?'
assert resend_email_link['href'] == url_for('main.email_not_received', next=redirect_url)
@pytest.mark.parametrize('redirect_url', [
None,
f'/services/{SERVICE_ONE_ID}/templates',
])
def test_should_render_two_factor_page(
client,
api_user_active,
mock_get_user_by_email,
mocker,
redirect_url
):
# TODO this lives here until we work out how to
# reassign the session after it is lost mid register process
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
mocker.patch('app.user_api_client.get_user', return_value=api_user_active)
response = client.get(url_for('main.two_factor', next=redirect_url))
assert response.status_code == 200
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert page.select_one('main p').text.strip() == (
'Weve sent you a text message with a security code.'
)
assert page.select_one('label').text.strip() == (
'Text message code'
)
assert page.select_one('input')['type'] == 'tel'
assert page.select_one('input')['pattern'] == '[0-9]*'
assert page.select_one(
'a:contains("Not received a text message?")'
)['href'] == url_for('main.check_and_resend_text_code', next=redirect_url)
@freeze_time('2020-01-27T12:00:00')
def test_should_login_user_and_should_redirect_to_next_url(
client,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_create_event,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
api_user_active['email_access_validated_at'] = '2020-01-23T11:35:21.726132Z'
response = client.post(url_for('main.two_factor', next='/services/{}'.format(SERVICE_ONE_ID)),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for(
'main.service_dashboard',
service_id=SERVICE_ONE_ID,
_external=True
)
@freeze_time('2020-01-27T12:00:00')
def test_should_send_email_and_redirect_to_info_page_if_user_needs_to_revalidate_email(
client,
api_user_active,
mock_get_user,
mock_check_verify_code,
mock_create_event,
mock_send_verify_code,
mocker
):
mocker.patch('app.user_api_client.get_user', return_value=api_user_active)
api_user_active['email_access_validated_at'] = '2019-03-23T11:35:21.726132Z'
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
response = client.post(url_for('main.two_factor', next=f'/services/{SERVICE_ONE_ID}'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for(
'main.revalidate_email_sent',
_external=True,
next=f'/services/{SERVICE_ONE_ID}'
)
mock_send_verify_code.assert_called_with(api_user_active['id'], 'email', None, mocker.ANY)
@freeze_time('2020-01-27T12:00:00')
def test_should_login_user_and_not_redirect_to_external_url(
client,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_create_event,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
api_user_active['email_access_validated_at'] = '2020-01-23T11:35:21.726132Z'
response = client.post(url_for('main.two_factor', next='http://www.google.com'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
@pytest.mark.parametrize('platform_admin', (
True, False,
))
@freeze_time('2020-01-27T12:00:00')
def test_should_login_user_and_redirect_to_show_accounts(
client,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_create_event,
platform_admin,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
api_user_active['email_access_validated_at'] = '2020-01-23T11:35:21.726132Z'
api_user_active['platform_admin'] = platform_admin
response = client.post(url_for('main.two_factor'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
def test_should_return_200_with_sms_code_error_when_sms_code_is_wrong(
client,
api_user_active,
mock_get_user_by_email,
mock_check_verify_code_code_not_found,
mocker
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
mocker.patch('app.user_api_client.get_user', return_value=api_user_active)
response = client.post(url_for('main.two_factor'),
data={'sms_code': '23456'})
assert response.status_code == 200
assert 'Code not found' in response.get_data(as_text=True)
@freeze_time('2020-01-27T12:00:00')
def test_should_login_user_when_multiple_valid_codes_exist(
client,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_create_event,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
api_user_active['email_access_validated_at'] = '2020-01-23T11:35:21.726132Z'
response = client.post(url_for('main.two_factor'),
data={'sms_code': '23456'})
assert response.status_code == 302
@freeze_time('2020-01-27T12:00:00')
def test_two_factor_should_set_password_when_new_password_exists_in_session(
client,
api_user_active,
mock_get_user,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_update_user_password,
mock_create_event,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address'],
'password': 'changedpassword'}
api_user_active['email_access_validated_at'] = '2020-01-23T11:35:21.726132Z'
response = client.post(url_for('main.two_factor'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
mock_update_user_password.assert_called_once_with(
api_user_active['id'], 'changedpassword', validated_email_access=True
)
def test_two_factor_returns_error_when_user_is_locked(
client,
api_user_locked,
mock_get_locked_user,
mock_check_verify_code_code_not_found,
mock_get_services_with_one_service
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_locked['id'],
'email': api_user_locked['email_address'],
}
response = client.post(url_for('main.two_factor'),
data={'sms_code': '12345'})
assert response.status_code == 200
assert 'Code not found' in response.get_data(as_text=True)
def test_two_factor_should_redirect_to_sign_in_if_user_not_in_session(
client,
api_user_active,
mock_get_user,
):
response = client.post(url_for('main.two_factor'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for('main.sign_in', _external=True)
@freeze_time('2020-01-27T12:00:00')
def test_two_factor_should_activate_pending_user(
client,
mocker,
api_user_pending,
mock_check_verify_code,
mock_create_event,
mock_activate_user,
):
mocker.patch('app.user_api_client.get_user', return_value=api_user_pending)
mocker.patch('app.service_api_client.get_services', return_value={'data': []})
api_user_pending['email_access_validated_at'] = '2020-01-23T11:35:21.726132Z'
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_pending['id'],
'email_address': api_user_pending['email_address']
}
client.post(url_for('main.two_factor'), data={'sms_code': '12345'})
assert mock_activate_user.called
@pytest.mark.parametrize('extra_args, expected_encoded_next_arg', (
({}, ''),
({'next': 'https://example.com'}, '?next=https%3A%2F%2Fexample.com')
))
def test_valid_two_factor_email_link_shows_interstitial(
client_request,
valid_token,
mocker,
extra_args,
expected_encoded_next_arg,
):
mock_check_code = mocker.patch('app.user_api_client.check_verify_code')
encoded_token = valid_token.replace('%2E', '.')
token_url = url_for(
'main.two_factor_email_interstitial',
token=encoded_token,
**extra_args
)
# This must match the URL we put in the emails
assert token_url == f'/email-auth/{encoded_token}{expected_encoded_next_arg}'
client_request.logout()
page = client_request.get_url(token_url)
assert normalize_spaces(page.select_one('main .js-hidden').text) == (
'Sign in '
'Continue to dashboard'
)
form = page.select_one('form')
expected_form_id = 'use-email-auth'
assert 'action' not in form
assert form['method'] == 'post'
assert form['id'] == expected_form_id
assert page.select_one('main script').text.strip() == (
f'document.getElementById("{expected_form_id}").submit();'
)
assert mock_check_code.called is False
def test_valid_two_factor_email_link_logs_in_user(
client,
valid_token,
mock_get_user,
mock_get_services_with_one_service,
mocker,
mock_create_event,
):
mocker.patch('app.user_api_client.check_verify_code', return_value=(True, ''))
response = client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
)
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
@pytest.mark.parametrize('redirect_url', [
None,
f'/services/{SERVICE_ONE_ID}/templates',
])
def test_two_factor_email_link_has_expired(
app_,
valid_token,
client,
mock_send_verify_code,
fake_uuid,
redirect_url
):
with set_config(app_, 'EMAIL_2FA_EXPIRY_SECONDS', -1):
response = client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token, next=redirect_url),
follow_redirects=True,
)
assert response.status_code == 200
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert page.h1.text.strip() == 'The link has expired'
assert page.select_one('a:contains("Sign in again")')['href'] == url_for('main.sign_in', next=redirect_url)
assert mock_send_verify_code.called is False
def test_two_factor_email_link_is_invalid(
client
):
token = 12345
response = client.post(
url_for('main.two_factor_email', token=token),
follow_redirects=True
)
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert normalize_spaces(
page.select_one('.banner-dangerous').text
) == "Theres something wrong with the link youve used."
assert response.status_code == 404
@pytest.mark.parametrize('redirect_url', [
None,
f'/services/{SERVICE_ONE_ID}/templates',
])
def test_two_factor_email_link_is_already_used(
client,
valid_token,
mocker,
mock_send_verify_code,
redirect_url
):
mocker.patch('app.user_api_client.check_verify_code', return_value=(False, 'Code has expired'))
response = client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token, next=redirect_url),
follow_redirects=True
)
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert response.status_code == 200
assert page.h1.text.strip() == 'The link has expired'
assert page.select_one('a:contains("Sign in again")')['href'] == url_for('main.sign_in', next=redirect_url)
assert mock_send_verify_code.called is False
def test_two_factor_email_link_when_user_is_locked_out(
client,
valid_token,
mocker,
mock_send_verify_code
):
mocker.patch('app.user_api_client.check_verify_code', return_value=(False, 'Code not found'))
response = client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
follow_redirects=True
)
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert response.status_code == 200
assert page.h1.text.strip() == 'The link has expired'
assert mock_send_verify_code.called is False
def test_two_factor_email_link_used_when_user_already_logged_in(
logged_in_client,
valid_token
):
response = logged_in_client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token)
)
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
Reference in New Issue View Git Blame Copy Permalink