darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-02-09 21:04:14 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
f2fc6da0ee06dfd7818fa3ece400a1c6f46cb63e
notifications-admin/tests/app/main/views/test_two_factor.py
Kenneth Kehl 8489fb9e61 update flake8-pytest-style-plugin
2024-07-15 08:07:18 -07:00

539 lines
15 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import pytest
from flask import url_for
from tests.conftest import (
SERVICE_ONE_ID,
normalize_spaces,
set_config,
url_for_endpoint_with_token,
)
@pytest.fixture
def mock_email_validated_recently(mocker):
return mocker.patch(
"app.main.views.two_factor.email_needs_revalidating", return_value=False
)
@pytest.mark.parametrize(
"request_url", ["two_factor_email_sent", "revalidate_email_sent"]
)
@pytest.mark.parametrize(
"redirect_url", [None, f"/services/{SERVICE_ONE_ID}/templates"]
)
@pytest.mark.parametrize(
("email_resent", "page_title"), [(None, "Check your email"), (True, "Email resent")]
)
def test_two_factor_email_sent_page(
client_request, email_resent, page_title, redirect_url, request_url, mocker
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
page = client_request.get(
f"main.{request_url}",
next=redirect_url,
email_resent=email_resent,
)
assert page.h1.string == page_title
# there shouldn't be a form for updating mobile number
assert page.find("form") is None
resend_email_link = page.find("a", class_="usa-link")
assert resend_email_link.text == "Not received an email?"
assert resend_email_link["href"] == url_for(
"main.email_not_received", next=redirect_url
)
@pytest.mark.parametrize(
"redirect_url",
[
None,
f"/services/{SERVICE_ONE_ID}/templates",
],
)
def test_should_render_two_factor_page(
client_request, api_user_active, mock_get_user_by_email, mocker, redirect_url
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
# TODO this lives here until we work out how to
# reassign the session after it is lost mid register process
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_active["id"],
"email": api_user_active["email_address"],
}
mocker.patch("app.user_api_client.get_user", return_value=api_user_active)
page = client_request.get("main.two_factor_sms", next=redirect_url)
assert page.select_one("main p").text.strip() == (
"Weve sent you a text message with a security code."
)
assert page.select_one("label").text.strip() == ("Text message code")
assert page.select_one("input")["type"] == "tel"
assert page.select_one("input")["pattern"] == "[0-9]*"
assert page.select_one('a:contains("Not received a text message?")')[
"href"
] == url_for("main.check_and_resend_text_code", next=redirect_url)
def test_should_login_user_and_should_redirect_to_next_url(
client_request,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_create_event,
mock_email_validated_recently,
mocker,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_active["id"],
"email": api_user_active["email_address"],
}
client_request.post(
"main.two_factor_sms",
next="/services/{}".format(SERVICE_ONE_ID),
_data={"sms_code": "123456"},
_expected_redirect=url_for(
"main.service_dashboard",
service_id=SERVICE_ONE_ID,
),
)
def test_should_send_email_and_redirect_to_info_page_if_user_needs_to_revalidate_email(
client_request,
api_user_active,
mock_get_user,
mock_check_verify_code,
mock_create_event,
mock_send_verify_code,
mocker,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
mocker.patch("app.user_api_client.get_user", return_value=api_user_active)
mocker.patch(
"app.main.views.two_factor.email_needs_revalidating", return_value=True
)
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_active["id"],
"email": api_user_active["email_address"],
}
client_request.post(
"main.two_factor_sms",
next=f"/services/{SERVICE_ONE_ID}",
_data={"sms_code": "123456"},
_expected_redirect=url_for(
"main.revalidate_email_sent", next=f"/services/{SERVICE_ONE_ID}"
),
)
mock_send_verify_code.assert_called_with(
api_user_active["id"], "email", None, mocker.ANY
)
def test_should_login_user_and_not_redirect_to_external_url(
client_request,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_create_event,
mock_email_validated_recently,
mocker,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_active["id"],
"email": api_user_active["email_address"],
}
client_request.post(
"main.two_factor_sms",
next="http://www.google.com",
_data={"sms_code": "123456"},
_expected_redirect=url_for("main.show_accounts_or_dashboard"),
)
@pytest.mark.parametrize(
"platform_admin",
[
True,
False,
],
)
def test_should_login_user_and_redirect_to_show_accounts(
client_request,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_create_event,
mock_email_validated_recently,
platform_admin,
mocker,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_active["id"],
"email": api_user_active["email_address"],
}
api_user_active["platform_admin"] = platform_admin
client_request.post(
"main.two_factor_sms",
_data={"sms_code": "123456"},
_expected_redirect=url_for("main.show_accounts_or_dashboard"),
)
def test_should_return_200_with_sms_code_error_when_sms_code_is_wrong(
client_request,
api_user_active,
mock_get_user_by_email,
mock_check_verify_code_code_not_found,
mocker,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_active["id"],
"email": api_user_active["email_address"],
}
mocker.patch("app.user_api_client.get_user", return_value=api_user_active)
page = client_request.post(
"main.two_factor_sms",
_data={"sms_code": "234567"},
_expected_status=200,
)
assert "Code not found" in page.text
def test_should_login_user_when_multiple_valid_codes_exist(
client_request,
api_user_active,
mock_get_user,
mock_get_user_by_email,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_create_event,
mock_email_validated_recently,
mocker,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_active["id"],
"email": api_user_active["email_address"],
}
client_request.post(
"main.two_factor_sms",
_data={"sms_code": "234567"},
_expected_status=302,
)
def test_two_factor_sms_should_set_password_when_new_password_exists_in_session(
client_request,
api_user_active,
mock_get_user,
mock_check_verify_code,
mock_get_services_with_one_service,
mock_update_user_password,
mock_create_event,
mock_email_validated_recently,
mocker,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_active["id"],
"email": api_user_active["email_address"],
"password": "changedpassword",
}
client_request.post(
"main.two_factor_sms",
_data={"sms_code": "123456"},
_expected_redirect=url_for("main.show_accounts_or_dashboard"),
)
mock_update_user_password.assert_called_once_with(
api_user_active["id"],
"changedpassword",
)
def test_two_factor_sms_returns_error_when_user_is_locked(
client_request,
api_user_locked,
mock_get_locked_user,
mock_check_verify_code_code_not_found,
mock_get_services_with_one_service,
mocker,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_locked["id"],
"email": api_user_locked["email_address"],
}
page = client_request.post(
"main.two_factor_sms",
_data={"sms_code": "123456"},
_expected_status=200,
)
assert "Code not found" in page.text
def test_two_factor_sms_post_should_redirect_to_sign_in_if_user_not_in_session(
client_request,
):
client_request.post(
"main.two_factor_sms",
_data={"sms_code": "123456"},
_expected_redirect=url_for("main.sign_in"),
)
def test_two_factor_sms_should_activate_pending_user(
client_request,
mocker,
api_user_pending,
mock_check_verify_code,
mock_create_event,
mock_activate_user,
mock_email_validated_recently,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
mocker.patch("app.user_api_client.get_user", return_value=api_user_pending)
mocker.patch("app.service_api_client.get_services", return_value={"data": []})
with client_request.session_transaction() as session:
session["user_details"] = {
"id": api_user_pending["id"],
"email_address": api_user_pending["email_address"],
}
client_request.post("main.two_factor_sms", _data={"sms_code": "123456"})
assert mock_activate_user.called
@pytest.mark.parametrize(
("extra_args", "expected_encoded_next_arg"),
[({}, ""), ({"next": "https://example.com"}, "?next=https://example.com")],
)
def test_valid_two_factor_email_link_shows_interstitial(
client_request,
valid_token,
mocker,
extra_args,
expected_encoded_next_arg,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
mock_check_code = mocker.patch("app.user_api_client.check_verify_code")
encoded_token = valid_token.replace("%2E", ".")
token_url = url_for(
"main.two_factor_email_interstitial", token=encoded_token, **extra_args
)
# This must match the URL we put in the emails
assert token_url == f"/email-auth/{encoded_token}{expected_encoded_next_arg}"
client_request.logout()
page = client_request.get_url(token_url)
assert normalize_spaces(page.select_one("main").text) == (
"Click below to complete email re-verification and finish signing in. "
"Verify email"
)
form = page.select_one("form")
expected_form_id = "use-email-auth"
assert "action" not in form
assert form["method"] == "post"
assert form["id"] == expected_form_id
assert mock_check_code.called is False
def test_valid_two_factor_email_link_logs_in_user(
client_request,
valid_token,
mock_get_user,
mock_get_services_with_one_service,
mocker,
mock_create_event,
):
mocker.patch("app.user_api_client.check_verify_code", return_value=(True, ""))
client_request.post_url(
url_for_endpoint_with_token("main.two_factor_email", token=valid_token),
_expected_redirect=url_for("main.show_accounts_or_dashboard"),
)
@pytest.mark.parametrize(
"redirect_url",
[
None,
f"/services/{SERVICE_ONE_ID}/templates",
],
)
def test_two_factor_email_link_has_expired(
notify_admin,
valid_token,
client_request,
mock_send_verify_code,
fake_uuid,
redirect_url,
mocker,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
with set_config(notify_admin, "EMAIL_EXPIRY_SECONDS", -1):
page = client_request.post_url(
url_for_endpoint_with_token(
"main.two_factor_email", token=valid_token, next=redirect_url
),
_follow_redirects=True,
)
assert page.h1.text.strip() == "This link has expired"
assert page.select_one('a:contains("Sign in again")')["href"] == url_for(
"main.sign_in", next=redirect_url
)
assert mock_send_verify_code.called is False
def test_two_factor_email_link_is_invalid(client_request, mocker):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
token = 12345
page = client_request.post(
"main.two_factor_email",
token=token,
_follow_redirects=True,
_expected_status=404,
)
assert (
normalize_spaces(page.select_one(".banner-dangerous").text)
== "Theres something wrong with the link youve used."
)
@pytest.mark.parametrize(
"redirect_url",
[
None,
f"/services/{SERVICE_ONE_ID}/templates",
],
)
def test_two_factor_email_link_is_already_used(
client_request,
valid_token,
mocker,
mock_send_verify_code,
redirect_url,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
mocker.patch(
"app.user_api_client.check_verify_code",
return_value=(False, "Code has expired"),
)
page = client_request.post_url(
url_for_endpoint_with_token(
"main.two_factor_email", token=valid_token, next=redirect_url
),
_follow_redirects=True,
)
assert page.h1.text.strip() == "This link has expired"
assert page.select_one('a:contains("Sign in again")')["href"] == url_for(
"main.sign_in", next=redirect_url
)
assert mock_send_verify_code.called is False
def test_two_factor_email_link_when_user_is_locked_out(
client_request,
valid_token,
mocker,
mock_send_verify_code,
):
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
mocker.patch(
"app.user_api_client.check_verify_code", return_value=(False, "Code not found")
)
page = client_request.post_url(
url_for_endpoint_with_token("main.two_factor_email", token=valid_token),
_follow_redirects=True,
)
assert page.h1.text.strip() == "This link has expired"
assert mock_send_verify_code.called is False
def test_two_factor_email_link_used_when_user_already_logged_in(
client_request, valid_token
):
client_request.post_url(
url_for_endpoint_with_token("main.two_factor_email", token=valid_token),
_expected_redirect=url_for("main.show_accounts_or_dashboard"),
)
Reference in New Issue View Git Blame Copy Permalink