darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-05-30 02:50:03 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
da7cd6714765135e935caeb46fdb08d588fbc39c
notifications-admin/tests/app/main/views/test_two_factor.py
Chris Hill-Scott 8b7f2fbf04 Stop using _external=True in tests 
It looks like, by default, Flask no longer makes full URLs, for example
`https://example.com/path`. Instead it does `/path`. This will still
work fine, and if anything is better because it reduces the number of
bytes of HTML we are sending.

It won’t mean that requests go over `http` instead of `https` without
the protocol because we set the appropriate HSTS header here:
0c57da7781/ansible/roles/paas-proxy/templates/admin.conf.j2 (L11)

This commit changes all our tests to reflect that URLs no longer have
the protocol and domain in them. `_external=True` is Flask’s way of
saying whether a URL should be generated with the domain and protocol
(`True`) or without it (`False`).

Again, I can’t find the changelog or diff where this was introuduced,
but if you’d like to go spelunking then here’s a starting point:
50374e3cfe/src/flask/helpers.py (L192)
2022-06-06 12:12:52 +01:00

521 lines
15 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import pytest
from flask import url_for
from tests.conftest import (
SERVICE_ONE_ID,
normalize_spaces,
set_config,
url_for_endpoint_with_token,
)
@pytest.fixture
def mock_email_validated_recently(mocker):
return mocker.patch('app.main.views.two_factor.email_needs_revalidating', return_value=False)
@pytest.mark.parametrize('request_url', ['two_factor_email_sent', 'revalidate_email_sent'])
@pytest.mark.parametrize('redirect_url', [None, f'/services/{SERVICE_ONE_ID}/templates'])
@pytest.mark.parametrize('email_resent, page_title', [
(None, 'Check your email'),
(True, 'Email resent')
])
def test_two_factor_email_sent_page(
client_request,
email_resent,
page_title,
redirect_url,
request_url
):
client_request.logout()
page = client_request.get(
f'main.{request_url}',
next=redirect_url,
email_resent=email_resent,
)
assert page.h1.string == page_title
# there shouldn't be a form for updating mobile number
assert page.find('form') is None
resend_email_link = page.find('a', class_="govuk-link govuk-link--no-visited-state page-footer-secondary-link")
assert resend_email_link.text == 'Not received an email?'
assert resend_email_link['href'] == url_for('main.email_not_received', next=redirect_url)
@pytest.mark.parametrize('redirect_url', [
None,
f'/services/{SERVICE_ONE_ID}/templates',
])
def test_should_render_two_factor_page(
client_request,
api_user_active,
mock_get_user_by_email,
mocker,
redirect_url
):
client_request.logout()
# TODO this lives here until we work out how to
# reassign the session after it is lost mid register process
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
mocker.patch('app.user_api_client.get_user', return_value=api_user_active)
page = client_request.get('main.two_factor_sms', next=redirect_url)
assert page.select_one('main p').text.strip() == (
'Weve sent you a text message with a security code.'
)
assert page.select_one('label').text.strip() == (
'Text message code'
)
assert page.select_one('input')['type'] == 'tel'
assert page.select_one('input')['pattern'] == '[0-9]*'
assert page.select_one(
'a:contains("Not received a text message?")'
)['href'] == url_for('main.check_and_resend_text_code', next=redirect_url)
def test_should_login_user_and_should_redirect_to_next_url(
client_request,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_create_event,
mock_email_validated_recently,
):
client_request.logout()
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
client_request.post(
'main.two_factor_sms',
next='/services/{}'.format(SERVICE_ONE_ID),
_data={'sms_code': '12345'},
_expected_redirect=url_for(
'main.service_dashboard',
service_id=SERVICE_ONE_ID,
),
)
def test_should_send_email_and_redirect_to_info_page_if_user_needs_to_revalidate_email(
client_request,
api_user_active,
mock_get_user,
mock_check_verify_code,
mock_create_event,
mock_send_verify_code,
mocker
):
client_request.logout()
mocker.patch('app.user_api_client.get_user', return_value=api_user_active)
mocker.patch('app.main.views.two_factor.email_needs_revalidating', return_value=True)
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
client_request.post(
'main.two_factor_sms',
next=f'/services/{SERVICE_ONE_ID}',
_data={'sms_code': '12345'},
_expected_redirect=url_for(
'main.revalidate_email_sent',
next=f'/services/{SERVICE_ONE_ID}'
),
)
mock_send_verify_code.assert_called_with(api_user_active['id'], 'email', None, mocker.ANY)
def test_should_login_user_and_not_redirect_to_external_url(
client_request,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_create_event,
mock_email_validated_recently,
):
client_request.logout()
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
client_request.post(
'main.two_factor_sms',
next='http://www.google.com',
_data={'sms_code': '12345'},
_expected_redirect=url_for('main.show_accounts_or_dashboard')
)
@pytest.mark.parametrize('platform_admin', (
True, False,
))
def test_should_login_user_and_redirect_to_show_accounts(
client_request,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_create_event,
mock_email_validated_recently,
platform_admin,
):
client_request.logout()
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
api_user_active['platform_admin'] = platform_admin
client_request.post(
'main.two_factor_sms',
_data={'sms_code': '12345'},
_expected_redirect=url_for('main.show_accounts_or_dashboard')
)
def test_should_return_200_with_sms_code_error_when_sms_code_is_wrong(
client_request,
api_user_active,
mock_get_user_by_email,
mock_check_verify_code_code_not_found,
mocker
):
client_request.logout()
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
mocker.patch('app.user_api_client.get_user', return_value=api_user_active)
page = client_request.post(
'main.two_factor_sms',
_data={'sms_code': '23456'},
_expected_status=200,
)
assert 'Code not found' in page.text
def test_should_login_user_when_multiple_valid_codes_exist(
client_request,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_create_event,
mock_email_validated_recently,
):
client_request.logout()
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address']}
client_request.post(
'main.two_factor_sms',
_data={'sms_code': '23456'},
_expected_status=302,
)
def test_two_factor_sms_should_set_password_when_new_password_exists_in_session(
client_request,
api_user_active,
mock_get_user,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_update_user_password,
mock_create_event,
mock_email_validated_recently,
):
client_request.logout()
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_active['id'],
'email': api_user_active['email_address'],
'password': 'changedpassword'}
client_request.post(
'main.two_factor_sms',
_data={'sms_code': '12345'},
_expected_redirect=url_for('main.show_accounts_or_dashboard'),
)
mock_update_user_password.assert_called_once_with(
api_user_active['id'], 'changedpassword',
)
def test_two_factor_sms_returns_error_when_user_is_locked(
client_request,
api_user_locked,
mock_get_locked_user,
mock_check_verify_code_code_not_found,
mock_get_services_with_one_service
):
client_request.logout()
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_locked['id'],
'email': api_user_locked['email_address'],
}
page = client_request.post(
'main.two_factor_sms',
_data={'sms_code': '12345'},
_expected_status=200,
)
assert 'Code not found' in page.text
def test_two_factor_sms_post_should_redirect_to_sign_in_if_user_not_in_session(
client_request,
):
client_request.post(
'main.two_factor_sms',
_data={'sms_code': '12345'},
_expected_redirect=url_for('main.sign_in')
)
@pytest.mark.parametrize('endpoint', ['main.two_factor_webauthn', 'main.two_factor_sms'])
def test_two_factor_endpoints_get_should_redirect_to_sign_in_if_user_not_in_session(
client_request,
endpoint,
):
client_request.get(
endpoint,
_expected_redirect=url_for('main.sign_in')
)
def test_two_factor_webauthn_should_have_auth_signin_button(
client_request,
platform_admin_user,
mocker,
):
client_request.logout()
mock_get_user = mocker.patch('app.user_api_client.get_user', return_value=platform_admin_user)
with client_request.session_transaction() as session:
session['user_details'] = {'id': platform_admin_user['id'], 'email': platform_admin_user['email_address']}
page = client_request.get('main.two_factor_webauthn')
button = page.select_one("button[data-module=authenticate-security-key]")
assert button.text.strip() == 'Check security key'
assert button.name == 'button'
mock_get_user.assert_called_once_with(platform_admin_user['id'])
def test_two_factor_webauthn_should_reject_non_webauthn_auth_users(
client_request,
platform_admin_user,
mocker,
):
client_request.logout()
platform_admin_user['auth_type'] = 'sms_auth'
mocker.patch('app.user_api_client.get_user', return_value=platform_admin_user)
with client_request.session_transaction() as session:
session['user_details'] = {'id': platform_admin_user['id'], 'email': platform_admin_user['email_address']}
client_request.get(
'main.two_factor_webauthn',
_expected_status=403,
)
def test_two_factor_sms_should_activate_pending_user(
client_request,
mocker,
api_user_pending,
mock_check_verify_code,
mock_create_event,
mock_activate_user,
mock_email_validated_recently,
):
client_request.logout()
mocker.patch('app.user_api_client.get_user', return_value=api_user_pending)
mocker.patch('app.service_api_client.get_services', return_value={'data': []})
with client_request.session_transaction() as session:
session['user_details'] = {
'id': api_user_pending['id'],
'email_address': api_user_pending['email_address']
}
client_request.post('main.two_factor_sms', _data={'sms_code': '12345'})
assert mock_activate_user.called
@pytest.mark.parametrize('extra_args, expected_encoded_next_arg', (
({}, ''),
({'next': 'https://example.com'}, '?next=https%3A%2F%2Fexample.com')
))
def test_valid_two_factor_email_link_shows_interstitial(
client_request,
valid_token,
mocker,
extra_args,
expected_encoded_next_arg,
):
mock_check_code = mocker.patch('app.user_api_client.check_verify_code')
encoded_token = valid_token.replace('%2E', '.')
token_url = url_for(
'main.two_factor_email_interstitial',
token=encoded_token,
**extra_args
)
# This must match the URL we put in the emails
assert token_url == f'/email-auth/{encoded_token}{expected_encoded_next_arg}'
client_request.logout()
page = client_request.get_url(token_url)
assert normalize_spaces(page.select_one('main .js-hidden').text) == (
'Sign in '
'Continue to dashboard'
)
form = page.select_one('form')
expected_form_id = 'use-email-auth'
assert 'action' not in form
assert form['method'] == 'post'
assert form['id'] == expected_form_id
assert page.select_one('main script').string.strip() == (
f'document.getElementById("{expected_form_id}").submit();'
)
assert mock_check_code.called is False
def test_valid_two_factor_email_link_logs_in_user(
client_request,
valid_token,
mock_get_user,
mock_get_services_with_one_service,
mocker,
mock_create_event,
):
mocker.patch('app.user_api_client.check_verify_code', return_value=(True, ''))
client_request.post_url(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
_expected_redirect=url_for('main.show_accounts_or_dashboard')
)
@pytest.mark.parametrize('redirect_url', [
None,
f'/services/{SERVICE_ONE_ID}/templates',
])
def test_two_factor_email_link_has_expired(
notify_admin,
valid_token,
client_request,
mock_send_verify_code,
fake_uuid,
redirect_url
):
client_request.logout()
with set_config(notify_admin, 'EMAIL_2FA_EXPIRY_SECONDS', -1):
page = client_request.post_url(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token, next=redirect_url),
_follow_redirects=True,
)
assert page.h1.text.strip() == 'The link has expired'
assert page.select_one('a:contains("Sign in again")')['href'] == url_for('main.sign_in', next=redirect_url)
assert mock_send_verify_code.called is False
def test_two_factor_email_link_is_invalid(
client_request
):
client_request.logout()
token = 12345
page = client_request.post(
'main.two_factor_email',
token=token,
_follow_redirects=True,
_expected_status=404,
)
assert normalize_spaces(
page.select_one('.banner-dangerous').text
) == "Theres something wrong with the link youve used."
@pytest.mark.parametrize('redirect_url', [
None,
f'/services/{SERVICE_ONE_ID}/templates',
])
def test_two_factor_email_link_is_already_used(
client_request,
valid_token,
mocker,
mock_send_verify_code,
redirect_url
):
client_request.logout()
mocker.patch('app.user_api_client.check_verify_code', return_value=(False, 'Code has expired'))
page = client_request.post_url(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token, next=redirect_url),
_follow_redirects=True,
)
assert page.h1.text.strip() == 'The link has expired'
assert page.select_one('a:contains("Sign in again")')['href'] == url_for('main.sign_in', next=redirect_url)
assert mock_send_verify_code.called is False
def test_two_factor_email_link_when_user_is_locked_out(
client_request,
valid_token,
mocker,
mock_send_verify_code
):
client_request.logout()
mocker.patch('app.user_api_client.check_verify_code', return_value=(False, 'Code not found'))
page = client_request.post_url(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
_follow_redirects=True,
)
assert page.h1.text.strip() == 'The link has expired'
assert mock_send_verify_code.called is False
def test_two_factor_email_link_used_when_user_already_logged_in(
client_request,
valid_token
):
client_request.post_url(
url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
_expected_redirect=url_for('main.show_accounts_or_dashboard'),
)
Reference in New Issue View Git Blame Copy Permalink