darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-02-13 06:54:20 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
d2784d0d8a823d0d9a6dcafe9a57f3e7876ad363
notifications-admin/tests/app/main/views/test_two_factor.py
Chris Hill-Scott 5c1920fc20 Remove old method of updating email_access_validated_at 
Previously we were passing a flag to the API which handled this. Now
we are doing it at the time of clicking the link, not at the time of
storing the new password. We don’t need to update the timestamp twice,
so this commit removes the code which tells the API to do it.
2021-08-19 11:14:47 +01:00

498 lines
16 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import pytest
from bs4 import BeautifulSoup
from flask import url_for
from tests.conftest import (
SERVICE_ONE_ID,
normalize_spaces,
set_config,
url_for_endpoint_with_token,
)
@pytest.fixture
def mock_email_validated_recently(mocker):
return mocker.patch('app.main.views.two_factor.email_needs_revalidating', return_value=False)
@pytest.mark.parametrize('request_url', ['two_factor_email_sent', 'revalidate_email_sent'])
@pytest.mark.parametrize('redirect_url', [None, f'/services/{SERVICE_ONE_ID}/templates'])
@pytest.mark.parametrize('email_resent, page_title', [
(None, 'Check your email'),
(True, 'Email resent')
])
def test_two_factor_email_sent_page(
client,
email_resent,
page_title,
redirect_url,
request_url
):
response = client.get(url_for(f'main.{request_url}', next=redirect_url, email_resent=email_resent))
assert response.status_code == 200
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert page.h1.string == page_title
# there shouldn't be a form for updating mobile number
assert page.find('form') is None
resend_email_link = page.find('a', class_="govuk-link govuk-link--no-visited-state page-footer-secondary-link")
assert resend_email_link.text == 'Not received an email?'
assert resend_email_link['href'] == url_for('main.email_not_received', next=redirect_url)
@pytest.mark.parametrize('redirect_url', [
None,
f'/services/{SERVICE_ONE_ID}/templates',
])
def test_should_render_two_factor_page(
client,
api_user_active,
mock_get_user_by_email,
mocker,
redirect_url
):
# TODO this lives here until we work out how to
# reassign the session after it is lost mid register process
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
mocker.patch('app.user_api_client.get_user', return_value=api_user_active)
response = client.get(url_for('main.two_factor_sms', next=redirect_url))
assert response.status_code == 200
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert page.select_one('main p').text.strip() == (
'Weve sent you a text message with a security code.'
)
assert page.select_one('label').text.strip() == (
'Text message code'
)
assert page.select_one('input')['type'] == 'tel'
assert page.select_one('input')['pattern'] == '[0-9]*'
assert page.select_one(
'a:contains("Not received a text message?")'
)['href'] == url_for('main.check_and_resend_text_code', next=redirect_url)
def test_should_login_user_and_should_redirect_to_next_url(
client,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_create_event,
mock_email_validated_recently,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
response = client.post(url_for('main.two_factor_sms', next='/services/{}'.format(SERVICE_ONE_ID)),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for(
'main.service_dashboard',
service_id=SERVICE_ONE_ID,
_external=True
)
def test_should_send_email_and_redirect_to_info_page_if_user_needs_to_revalidate_email(
client,
api_user_active,
mock_get_user,
mock_check_verify_code,
mock_create_event,
mock_send_verify_code,
mocker
):
mocker.patch('app.user_api_client.get_user', return_value=api_user_active)
mocker.patch('app.main.views.two_factor.email_needs_revalidating', return_value=True)
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
response = client.post(url_for('main.two_factor_sms', next=f'/services/{SERVICE_ONE_ID}'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for(
'main.revalidate_email_sent',
_external=True,
next=f'/services/{SERVICE_ONE_ID}'
)
mock_send_verify_code.assert_called_with(api_user_active['id'], 'email', None, mocker.ANY)
def test_should_login_user_and_not_redirect_to_external_url(
client,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_create_event,
mock_email_validated_recently,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
response = client.post(url_for('main.two_factor_sms', next='http://www.google.com'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
@pytest.mark.parametrize('platform_admin', (
True, False,
))
def test_should_login_user_and_redirect_to_show_accounts(
client,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_create_event,
mock_email_validated_recently,
platform_admin,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
api_user_active['platform_admin'] = platform_admin
response = client.post(url_for('main.two_factor_sms'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
def test_should_return_200_with_sms_code_error_when_sms_code_is_wrong(
client,
api_user_active,
mock_get_user_by_email,
mock_check_verify_code_code_not_found,
mocker
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
mocker.patch('app.user_api_client.get_user', return_value=api_user_active)
response = client.post(url_for('main.two_factor_sms'),
data={'sms_code': '23456'})
assert response.status_code == 200
assert 'Code not found' in response.get_data(as_text=True)
def test_should_login_user_when_multiple_valid_codes_exist(
client,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_create_event,
mock_email_validated_recently,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
response = client.post(url_for('main.two_factor_sms'),
data={'sms_code': '23456'})
assert response.status_code == 302
def test_two_factor_sms_should_set_password_when_new_password_exists_in_session(
client,
api_user_active,
mock_get_user,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_update_user_password,
mock_create_event,
mock_email_validated_recently,
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address'],
'password': 'changedpassword'}
response = client.post(url_for('main.two_factor_sms'),
data={'sms_code': '12345'})
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
mock_update_user_password.assert_called_once_with(
api_user_active['id'], 'changedpassword',
)
def test_two_factor_sms_returns_error_when_user_is_locked(
client,
api_user_locked,
mock_get_locked_user,
mock_check_verify_code_code_not_found,
mock_get_services_with_one_service
):
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_locked['id'],
'email': api_user_locked['email_address'],
}
response = client.post(url_for('main.two_factor_sms'),
data={'sms_code': '12345'})
assert response.status_code == 200
assert 'Code not found' in response.get_data(as_text=True)
def test_two_factor_sms_post_should_redirect_to_sign_in_if_user_not_in_session(
client_request,
):
client_request.post(
'main.two_factor_sms',
_data={'sms_code': '12345'},
_expected_redirect=url_for('main.sign_in', _external=True)
)
@pytest.mark.parametrize('endpoint', ['main.two_factor_webauthn', 'main.two_factor_sms'])
def test_two_factor_endpoints_get_should_redirect_to_sign_in_if_user_not_in_session(
client_request,
endpoint,
):
client_request.get(
endpoint,
_expected_redirect=url_for('main.sign_in', _external=True)
)
def test_two_factor_webauthn_should_have_auth_signin_button(
client,
platform_admin_user,
mocker,
):
mock_get_user = mocker.patch('app.user_api_client.get_user', return_value=platform_admin_user)
with client.session_transaction() as session:
session['user_details'] = {'id': platform_admin_user['id'], 'email': platform_admin_user['email_address']}
response = client.get(url_for('main.two_factor_webauthn'))
assert response.status_code == 200
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
button = page.select_one("button[data-module=authenticate-security-key]")
assert button.text.strip() == 'Check security key'
assert button.name == 'button'
mock_get_user.assert_called_once_with(platform_admin_user['id'])
def test_two_factor_webauthn_should_reject_non_webauthn_auth_users(
client,
platform_admin_user,
mocker,
):
platform_admin_user['auth_type'] = 'sms_auth'
mocker.patch('app.user_api_client.get_user', return_value=platform_admin_user)
with client.session_transaction() as session:
session['user_details'] = {'id': platform_admin_user['id'], 'email': platform_admin_user['email_address']}
response = client.get(url_for('main.two_factor_webauthn'))
assert response.status_code == 403
def test_two_factor_sms_should_activate_pending_user(
client,
mocker,
api_user_pending,
mock_check_verify_code,
mock_create_event,
mock_activate_user,
mock_email_validated_recently,
):
mocker.patch('app.user_api_client.get_user', return_value=api_user_pending)
mocker.patch('app.service_api_client.get_services', return_value={'data': []})
with client.session_transaction() as session:
session['user_details'] = {
'id': api_user_pending['id'],
'email_address': api_user_pending['email_address']
}
client.post(url_for('main.two_factor_sms'), data={'sms_code': '12345'})
assert mock_activate_user.called
@pytest.mark.parametrize('extra_args, expected_encoded_next_arg', (
({}, ''),
({'next': 'https://example.com'}, '?next=https%3A%2F%2Fexample.com')
))
def test_valid_two_factor_email_link_shows_interstitial(
client_request,
valid_token,
mocker,
extra_args,
expected_encoded_next_arg,
):
mock_check_code = mocker.patch('app.user_api_client.check_verify_code')
encoded_token = valid_token.replace('%2E', '.')
token_url = url_for(
'main.two_factor_email_interstitial',
token=encoded_token,
**extra_args
)
# This must match the URL we put in the emails
assert token_url == f'/email-auth/{encoded_token}{expected_encoded_next_arg}'
client_request.logout()
page = client_request.get_url(token_url)
assert normalize_spaces(page.select_one('main .js-hidden').text) == (
'Sign in '
'Continue to dashboard'
)
form = page.select_one('form')
expected_form_id = 'use-email-auth'
assert 'action' not in form
assert form['method'] == 'post'
assert form['id'] == expected_form_id
assert page.select_one('main script').string.strip() == (
f'document.getElementById("{expected_form_id}").submit();'
)
assert mock_check_code.called is False
def test_valid_two_factor_email_link_logs_in_user(
client,
valid_token,
mock_get_user,
mock_get_services_with_one_service,
mocker,
mock_create_event,
):
mocker.patch('app.user_api_client.check_verify_code', return_value=(True, ''))
response = client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
)
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
@pytest.mark.parametrize('redirect_url', [
None,
f'/services/{SERVICE_ONE_ID}/templates',
])
def test_two_factor_email_link_has_expired(
notify_admin,
valid_token,
client,
mock_send_verify_code,
fake_uuid,
redirect_url
):
with set_config(notify_admin, 'EMAIL_2FA_EXPIRY_SECONDS', -1):
response = client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token, next=redirect_url),
follow_redirects=True,
)
assert response.status_code == 200
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert page.h1.text.strip() == 'The link has expired'
assert page.select_one('a:contains("Sign in again")')['href'] == url_for('main.sign_in', next=redirect_url)
assert mock_send_verify_code.called is False
def test_two_factor_email_link_is_invalid(
client
):
token = 12345
response = client.post(
url_for('main.two_factor_email', token=token),
follow_redirects=True
)
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert normalize_spaces(
page.select_one('.banner-dangerous').text
) == "Theres something wrong with the link youve used."
assert response.status_code == 404
@pytest.mark.parametrize('redirect_url', [
None,
f'/services/{SERVICE_ONE_ID}/templates',
])
def test_two_factor_email_link_is_already_used(
client,
valid_token,
mocker,
mock_send_verify_code,
redirect_url
):
mocker.patch('app.user_api_client.check_verify_code', return_value=(False, 'Code has expired'))
response = client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token, next=redirect_url),
follow_redirects=True
)
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert response.status_code == 200
assert page.h1.text.strip() == 'The link has expired'
assert page.select_one('a:contains("Sign in again")')['href'] == url_for('main.sign_in', next=redirect_url)
assert mock_send_verify_code.called is False
def test_two_factor_email_link_when_user_is_locked_out(
client,
valid_token,
mocker,
mock_send_verify_code
):
mocker.patch('app.user_api_client.check_verify_code', return_value=(False, 'Code not found'))
response = client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
follow_redirects=True
)
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert response.status_code == 200
assert page.h1.text.strip() == 'The link has expired'
assert mock_send_verify_code.called is False
def test_two_factor_email_link_used_when_user_already_logged_in(
logged_in_client,
valid_token
):
response = logged_in_client.post(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token)
)
assert response.status_code == 302
assert response.location == url_for('main.show_accounts_or_dashboard', _external=True)
Reference in New Issue View Git Blame Copy Permalink