# -*- coding: utf-8 -*-
"""
(c) 2016 - Copyright Red Hat Inc
Authors:
Pierre-Yves Chibon <pingou@pingoured.fr>
Farhaan Bukhsh <farhaan.bukhsh@gmail.com>
"""
from __future__ import unicode_literals, absolute_import
import datetime
import hashlib
import json
import unittest
import shutil
import sys
import tempfile
import os
import flask
import pygit2
import six
from mock import patch, MagicMock
# Put the parent of this file's directory first on the import path, so the
# imports that follow are looked up there before any other location.
sys.path.insert(
    0,
    os.path.join(os.path.dirname(os.path.abspath(__file__)), ".."),
)
import pagure.lib.query
import tests
from pagure.lib.repo import PagureRepo
import pagure.ui.login
class PagureFlaskLogintests(tests.SimplePagureTest):
""" Tests for flask app controller of pagure """
def setUp(self):
    """Build a Flask test client that uses the local authentication mode.

    The parent fixture runs first.  The application is then created with
    ``PAGURE_AUTH`` set to ``"local"`` and ``DB_URL`` taken from
    ``self.dbpath``, and its test client is stored on ``self.app``.
    """
    super(PagureFlaskLogintests, self).setUp()

    overrides = {"DB_URL": self.dbpath, "PAGURE_AUTH": "local"}
    flask_app = pagure.flask_app.create_app(overrides)

    # Drop every log handler of the application for the duration of the
    # tests.
    flask_app.logger.handlers = []

    self.app = flask_app.test_client()
@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
def test_front_page(self):
    """Check that the front page renders when PAGURE_AUTH is "local"."""
    # No login has been performed on this client before the request.
    response = self.app.get("/")
    self.assertEqual(response.status_code, 200)

    page = response.get_data(as_text=True)
    self.assertIn("<title>Home - Pagure</title>", page)
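@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
@patch("pagure.lib.notify.send_email", MagicMock(return_value=True))
def test_new_user(self):
    """Test the new_user endpoint.

    Sends four submissions to ``/user/new``: one without a CSRF token,
    one with a username that is already taken, one with an e-mail address
    that is already taken, and finally a valid one.
    ``pagure.lib.notify.send_email`` is replaced by a mock for the whole
    test.

    The number of users goes from 2 to 3 across the test, so only one of
    the four submissions ends up creating an account.
    """
    page_title = "<title>New user - Pagure</title>"
    form_tag = '<form action="/user/new" method="post">'

    # Check before:
    items = pagure.lib.query.search_user(self.session)
    self.assertEqual(2, len(items))

    # First access the new user page
    output = self.app.get("/user/new")
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn(page_title, output_text)
    self.assertIn(form_tag, output_text)

    # Every field of the registration form except the CSRF token.
    data = {
        "user": "foo",
        "fullname": "user foo",
        "email_address": "foo@bar.com",
        "password": "barpass",
        "confirm_password": "barpass",
    }

    # Submit this form - Doesn't work since there is no csrf token: the
    # registration form is rendered again rather than the login page that
    # follows a successful registration.
    output = self.app.post("/user/new", data=data)
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn(page_title, output_text)
    self.assertIn(form_tag, output_text)

    # Read the token from the hidden form field of the returned page.
    csrf_token = output_text.split(
        'name="csrf_token" type="hidden" value="'
    )[1].split('">')[0]

    # Submit the form with the csrf token: the request now gets as far as
    # field validation and is refused because the username is in use.
    # NOTE(review): the separate "already taken" messages for username
    # and e-mail address reveal to a client that is not logged in which
    # identifiers are registered.  This test pins that wording.
    data["csrf_token"] = csrf_token
    output = self.app.post("/user/new", data=data, follow_redirects=True)
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn(page_title, output_text)
    self.assertIn(form_tag, output_text)
    self.assertIn("Username already taken.", output_text)

    # Submit the form with another username
    data["user"] = "foouser"
    output = self.app.post("/user/new", data=data, follow_redirects=True)
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn(page_title, output_text)
    self.assertIn("Email address already taken.", output_text)

    # Submit the form with proper data: the client is taken to the login
    # page and told to activate the account by e-mail.
    data["email_address"] = "foo@example.com"
    output = self.app.post("/user/new", data=data, follow_redirects=True)
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn("<title>Login - Pagure</title>", output_text)
    self.assertIn(
        "User created, please check your email to activate the account",
        output_text,
    )

    # Check after: exactly one more user than at the start.
    items = pagure.lib.query.search_user(self.session)
    self.assertEqual(3, len(items))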
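@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
@patch.dict("pagure.config.config", {"CHECK_SESSION_IP": False})
def test_do_login(self):
    """Test the do_login endpoint.

    Runs with ``PAGURE_AUTH`` set to ``"local"`` and ``CHECK_SESSION_IP``
    set to ``False``.  The steps, in order:

    * a login POST without a CSRF token is refused;
    * an unknown user, an unconfirmed user and a wrong password are each
      refused with the message asserted below;
    * once the account token is cleared the login succeeds;
    * a stored password without a known version prefix is refused and is
      left untouched;
    * a stored ``$1$`` password is accepted and is replaced by a ``$2$``
      one on login.
    """
    login_title = "<title>Login - Pagure</title>"
    login_form = '<form action="/dologin" method="post">'

    def assert_login_refused(response, message):
        """Check that *response* is the login form showing *message*.

        Returns the page text so the caller can inspect it further.
        """
        self.assertEqual(response.status_code, 200)
        text = response.get_data(as_text=True)
        self.assertIn(login_title, text)
        self.assertIn(login_form, text)
        self.assertIn(message, text)
        return text

    def load_foouser():
        """Fetch the ``foouser`` account and check it is the right row."""
        found = pagure.lib.query.search_user(self.session, username="foouser")
        self.assertEqual(found.user, "foouser")
        return found

    output = self.app.get("/login/")
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn(login_title, output_text)
    self.assertIn(login_form, output_text)

    # This has all the data needed
    data = {"username": "foouser", "password": "barpass"}

    # Submit this form - Doesn't work since there is no csrf token
    output = self.app.post("/dologin", data=data, follow_redirects=True)
    output_text = assert_login_refused(
        output, "Insufficient information provided"
    )

    # Read the token from the hidden form field of the returned page.
    csrf_token = output_text.split(
        'name="csrf_token" type="hidden" value="'
    )[1].split('">')[0]

    # Submit the form with the csrf token - but invalid user
    data["csrf_token"] = csrf_token
    output = self.app.post("/dologin", data=data, follow_redirects=True)
    assert_login_refused(output, "Username or password invalid.")

    # Create a local user
    self.test_new_user()

    items = pagure.lib.query.search_user(self.session)
    self.assertEqual(3, len(items))

    # Submit the form with the csrf token - but user not confirmed
    data["csrf_token"] = csrf_token
    output = self.app.post("/dologin", data=data, follow_redirects=True)
    assert_login_refused(
        output,
        "Invalid user, did you confirm the creation with the url "
        "provided by email?",
    )

    # User in the DB, csrf provided - but wrong password submitted.  The
    # message is the same one as for the unknown user above.
    data["password"] = "password"
    output = self.app.post("/dologin", data=data, follow_redirects=True)
    assert_login_refused(output, "Username or password invalid.")

    # When account is not confirmed i.e user_obj != None
    data["password"] = "barpass"
    output = self.app.post("/dologin", data=data, follow_redirects=True)
    assert_login_refused(
        output,
        "Invalid user, did you confirm the creation with the url "
        "provided by email?",
    )

    # Confirm the user so that we can log in
    self.session.commit()
    item = load_foouser()
    self.assertNotEqual(item.token, None)

    # Remove the token
    item.token = None
    self.session.add(item)
    self.session.commit()

    # Check the user
    item = load_foouser()
    self.assertEqual(item.token, None)

    # Login but cannot save the session to the DB due to the missing IP
    # address in the flask request
    data["password"] = "barpass"
    output = self.app.post("/dologin", data=data, follow_redirects=True)
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn("<title>Home - Pagure</title>", output_text)

    # I'm not sure if the change was in flask or werkzeug, but in older
    # version flask.request.remote_addr was returning None, while it
    # now returns 127.0.0.1 making our logic pass where it used to
    # partly fail
    if hasattr(flask, "__version__"):
        flask_v = tuple(int(el) for el in flask.__version__.split("."))
        if flask_v < (0, 12, 0):
            # NOTE(review): the first fragment of this expected string is
            # missing from this copy of the file, so only the href
            # fragment is matched; restore the full literal from the
            # repository.
            self.assertIn(
                'href="/login/?next=http://localhost/">',
                output_text,
            )
            self.assertIn(
                "Could not set the session in the db, please report "
                "this error to an admin",
                output_text,
            )
        else:
            # NOTE(review): same as above, the first fragment of the
            # expected string is missing from this copy of the file.
            self.assertIn(
                'href="/logout/?next=http://localhost/dashboard/projects">',
                output_text,
            )

    # Make the password invalid
    self.session.commit()
    item = load_foouser()
    self.assertTrue(item.password.startswith("$2$"))

    # Remove the $2$, which leaves a value with no version prefix
    item.password = item.password[3:]
    self.session.add(item)
    self.session.commit()

    # Check the password
    self.session.commit()
    item = load_foouser()
    self.assertFalse(item.password.startswith("$2$"))

    # Try login again: the stored value is refused as malformed.
    output = self.app.post(
        "/dologin",
        data=data,
        follow_redirects=True,
        environ_base={"REMOTE_ADDR": "127.0.0.1"},
    )
    assert_login_refused(output, "Username or password of invalid format.")

    # Check the password is still not of a known version, i.e. the failed
    # login did not rewrite the stored value.
    self.session.commit()
    item = load_foouser()
    self.assertFalse(item.password.startswith("$1$"))
    self.assertFalse(item.password.startswith("$2$"))

    # V1 password: "$1$" followed by the hex SHA-512 digest of the
    # password joined with the text "None" (the second operand below is
    # None).  That is one fast digest with no per-user salt visible here,
    # which is why the upgrade to "$2$" checked further down matters.
    password = "%s%s" % ("barpass", None)
    if isinstance(password, six.text_type):
        password = password.encode("utf-8")
    password = hashlib.sha512(password).hexdigest().encode("utf-8")
    item.token = None
    item.password = b"$1$" + password
    self.session.add(item)
    self.session.commit()

    # Check the password
    self.session.commit()
    item = load_foouser()
    self.assertTrue(item.password.startswith(b"$1$"))

    # Log in with a v1 password
    output = self.app.post(
        "/dologin",
        data=data,
        follow_redirects=True,
        environ_base={"REMOTE_ADDR": "127.0.0.1"},
    )
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn("<title>Home - Pagure</title>", output_text)
    self.assertIn("Welcome foouser", output_text)
    self.assertIn("Activity", output_text)

    # Check the password got upgraded to version 2
    self.session.commit()
    item = load_foouser()
    self.assertTrue(item.password.startswith("$2$"))

    # We have set the REMOTE_ADDR in the request, so this works with all
    # versions of Flask.
    # NOTE(review): the first fragment of this expected string is missing
    # from this copy of the file, so only the href fragment is matched.
    self.assertIn(
        'href="/logout/?next=http://localhost/dashboard/projects">',
        output_text,
    )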
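@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
@patch.dict("pagure.config.config", {"CHECK_SESSION_IP": False})
def test_do_login_and_redirect(self):
    """Test the do_login endpoint with a non-default redirect.

    Registers and confirms ``foouser``, creates the test projects, then
    logs in with ``next_url`` pointing at the ``test`` project and checks
    that the page shown after login is that project's overview.
    """
    overview_title = "<title>Overview - test - Pagure</title>"

    # This has all the data needed: credentials, a CSRF token taken from
    # the login page, and the page to land on after logging in.
    # NOTE(review): only a target on the application's own host
    # ("localhost") is exercised.  How an off-host next_url is handled is
    # not covered here and deserves its own negative test.
    data = {
        "username": "foouser",
        "password": "barpass",
        "csrf_token": self.get_csrf(url="/login/"),
        "next_url": "http://localhost/test/",
    }

    # Create a local user
    self.test_new_user()
    self.session.commit()

    # Confirm the user so that we can log in
    item = pagure.lib.query.search_user(self.session, username="foouser")
    self.assertEqual(item.user, "foouser")
    self.assertNotEqual(item.token, None)

    # Remove the token
    item.token = None
    self.session.add(item)
    self.session.commit()

    # Check the user
    item = pagure.lib.query.search_user(self.session, username="foouser")
    self.assertEqual(item.user, "foouser")
    self.assertEqual(item.token, None)

    # Add a test project to the user
    # presumably user_id=3 is the account created above, the third user
    # in the database; confirm against the fixture
    tests.create_projects(self.session, user_id=3)
    tests.create_projects_git(os.path.join(self.path, "repos"))
    output = self.app.get("/test")
    output_text = output.get_data(as_text=True)
    self.assertEqual(output.status_code, 200)
    self.assertIn(overview_title, output_text)

    # Login and redirect to the test project
    output = self.app.post(
        "/dologin",
        data=data,
        follow_redirects=True,
        environ_base={"REMOTE_ADDR": "127.0.0.1"},
    )
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn(overview_title, output_text)
    # NOTE(review): the first fragment of this expected string is missing
    # from this copy of the file, so only the href fragment is matched;
    # restore the full literal from the repository.
    self.assertIn(
        'href="/logout/?next=http://localhost/test/">',
        output_text,
    )
    # NOTE(review): as written this matches the bare word anywhere on the
    # page, not a specific element.
    self.assertIn("Settings", output_text)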
@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
@patch.dict("pagure.config.config", {"CHECK_SESSION_IP": False})
def test_has_settings(self):
    """Check that a logged-in user is shown "Settings" on a project page.

    The authenticated request does not go through ``/dologin``: a
    ``tests.FakeUser`` named ``pingou`` is installed with
    ``tests.user_set`` for the duration of the request.
    """
    overview_title = "<title>Overview - test - Pagure</title>"

    # Register "foouser" through the sign-up flow.
    self.test_new_user()
    self.session.commit()

    # Clear the account token.
    account = pagure.lib.query.search_user(self.session, username="foouser")
    account.token = None
    self.session.add(account)
    self.session.commit()

    # Read the account back and check the token is gone.
    account = pagure.lib.query.search_user(self.session, username="foouser")
    self.assertEqual(account.user, "foouser")
    self.assertEqual(account.token, None)

    # Create the test projects and check the overview of "test" is served
    # to a client that is not logged in.
    tests.create_projects(self.session)
    tests.create_projects_git(os.path.join(self.path, "repos"))
    response = self.app.get("/test")
    page = response.get_data(as_text=True)
    self.assertEqual(response.status_code, 200)
    self.assertIn(overview_title, page)

    # Same page again, this time with the fake identity in place.
    fake_user = tests.FakeUser(username="pingou")
    with tests.user_set(self.app.application, fake_user):
        response = self.app.get("/test")
        self.assertEqual(response.status_code, 200)
        page = response.get_data(as_text=True)
        self.assertIn(overview_title, page)
        self.assertIn("Settings", page)
@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
@patch("pagure.lib.notify.send_email", MagicMock(return_value=True))
def test_non_ascii_password(self):
|
|
Farhaan Bukhsh |
ecae95 |
""" Test login and create user functionality when the password is
|
|
Farhaan Bukhsh |
ecae95 |
non-ascii.
|
|
Farhaan Bukhsh |
ecae95 |
"""
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Check before:
|
|
Pierre-Yves Chibon |
930073 |
items = pagure.lib.query.search_user(self.session)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(2, len(items))
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# First access the new user page
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.get("/user/new")
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>New user - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn('<form action="/user/new" method="post">', output_text)</form>
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Create the form to send there
|
|
Farhaan Bukhsh |
ecae95 |
# This has all the data needed
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
data = {
|
|
Pierre-Yves Chibon |
73d120 |
"user": "foo",
|
|
Pierre-Yves Chibon |
73d120 |
"fullname": "user foo",
|
|
Pierre-Yves Chibon |
73d120 |
"email_address": "foo@bar.com",
|
|
Pierre-Yves Chibon |
73d120 |
"password": "ö",
|
|
Pierre-Yves Chibon |
73d120 |
"confirm_password": "ö",
|
|
Farhaan Bukhsh |
ecae95 |
}
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Submit this form - Doesn't work since there is no csrf token
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/user/new", data=data)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>New user - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn('<form action="/user/new" method="post">', output_text)</form>
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Aurélien Bompard |
626417 |
csrf_token = output_text.split(
|
|
Pierre-Yves Chibon |
73d120 |
'name="csrf_token" type="hidden" value="'
|
|
Pierre-Yves Chibon |
73d120 |
)[1].split('">')[0]
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Submit the form with the csrf token
|
|
Pierre-Yves Chibon |
73d120 |
data["csrf_token"] = csrf_token
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/user/new", data=data, follow_redirects=True)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>New user - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn('<form action="/user/new" method="post">', output_text)</form>
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("Username already taken.", output_text)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Submit the form with another username
|
|
Pierre-Yves Chibon |
73d120 |
data["user"] = "foobar"
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/user/new", data=data, follow_redirects=True)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>New user - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("Email address already taken.", output_text)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Submit the form with proper data
|
|
Pierre-Yves Chibon |
73d120 |
data["email_address"] = "foobar@foobar.com"
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/user/new", data=data, follow_redirects=True)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>Login - Pagure</title>", output_text)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertIn(
|
|
Pierre-Yves Chibon |
73d120 |
"User created, please check your email to activate the account",
|
|
Pierre-Yves Chibon |
73d120 |
output_text,
|
|
Pierre-Yves Chibon |
73d120 |
)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Check after:
|
|
Pierre-Yves Chibon |
930073 |
items = pagure.lib.query.search_user(self.session)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(3, len(items))
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Checking for the /login page
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.get("/login/")
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>Login - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn('<form action="/dologin" method="post">', output_text)</form>
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# This has all the data needed
|
|
Pierre-Yves Chibon |
73d120 |
data = {"username": "foob_bar", "password": "ö"}
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Submit this form - Doesn't work since there is no csrf token
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/dologin", data=data, follow_redirects=True)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>Login - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn('<form action="/dologin" method="post">', output_text)</form>
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("Insufficient information provided", output_text)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Submit the form with the csrf token - but invalid user
|
|
Pierre-Yves Chibon |
73d120 |
data["csrf_token"] = csrf_token
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/dologin", data=data, follow_redirects=True)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>Login - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn('<form action="/dologin" method="post">', output_text)</form>
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("Username or password invalid.", output_text)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Submit the form with the csrf token - but user not confirmed
|
|
Pierre-Yves Chibon |
73d120 |
data["username"] = "foobar"
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/dologin", data=data, follow_redirects=True)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>Login - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn('<form action="/dologin" method="post">', output_text)</form>
|
|
Farhaan Bukhsh |
ecae95 |
self.assertIn(
|
|
Pierre-Yves Chibon |
73d120 |
"Invalid user, did you confirm the creation with the url "
|
|
Pierre-Yves Chibon |
73d120 |
"provided by email?",
|
|
Pierre-Yves Chibon |
73d120 |
output_text,
|
|
Pierre-Yves Chibon |
73d120 |
)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# User in the DB, csrf provided - but wrong password submitted
|
|
Pierre-Yves Chibon |
73d120 |
data["password"] = "öö"
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/dologin", data=data, follow_redirects=True)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>Login - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn('<form action="/dologin" method="post">', output_text)</form>
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("Username or password invalid.", output_text)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# When account is not confirmed i.e user_obj != None
|
|
Pierre-Yves Chibon |
73d120 |
data["password"] = "ö"
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/dologin", data=data, follow_redirects=True)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>Login - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn('<form action="/dologin" method="post">', output_text)</form>
|
|
Farhaan Bukhsh |
ecae95 |
self.assertIn(
|
|
Pierre-Yves Chibon |
73d120 |
"Invalid user, did you confirm the creation with the url "
|
|
Pierre-Yves Chibon |
73d120 |
"provided by email?",
|
|
Pierre-Yves Chibon |
73d120 |
output_text,
|
|
Pierre-Yves Chibon |
73d120 |
)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Confirm the user so that we can log in
|
|
Pierre-Yves Chibon |
73d120 |
item = pagure.lib.query.search_user(self.session, username="foobar")
|
|
Pierre-Yves Chibon |
73d120 |
self.assertEqual(item.user, "foobar")
|
|
Farhaan Bukhsh |
ecae95 |
self.assertNotEqual(item.token, None)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Remove the token
|
|
Farhaan Bukhsh |
ecae95 |
item.token = None
|
|
Farhaan Bukhsh |
ecae95 |
self.session.add(item)
|
|
Farhaan Bukhsh |
ecae95 |
self.session.commit()
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Login but cannot save the session to the DB due to the missing IP
|
|
Farhaan Bukhsh |
ecae95 |
# address in the flask request
|
|
Pierre-Yves Chibon |
73d120 |
data["password"] = "ö"
|
|
Pierre-Yves Chibon |
73d120 |
output = self.app.post("/dologin", data=data, follow_redirects=True)
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(output.status_code, 200)
|
|
Aurélien Bompard |
626417 |
output_text = output.get_data(as_text=True)
|
|
Pierre-Yves Chibon |
73d120 |
self.assertIn("<title>Home - Pagure</title>", output_text)
|
|
Pierre-Yves Chibon |
d5b214 |
|
|
Pierre-Yves Chibon |
d5b214 |
# I'm not sure if the change was in flask or werkzeug, but in older
|
|
Pierre-Yves Chibon |
d5b214 |
# version flask.request.remote_addr was returning None, while it
|
|
Pierre-Yves Chibon |
d5b214 |
# now returns 127.0.0.1 making our logic pass where it used to
|
|
Pierre-Yves Chibon |
d5b214 |
# partly fail
|
|
Pierre-Yves Chibon |
73d120 |
if hasattr(flask, "__version__"):
|
|
Pierre-Yves Chibon |
73d120 |
flask_v = tuple(int(el) for el in flask.__version__.split("."))
|
|
Pierre-Yves Chibon |
d5b214 |
if flask_v <= (0, 12, 0):
|
|
Pierre-Yves Chibon |
d5b214 |
self.assertIn(
|
|
Ryan Lerch |
ca4b80 |
'
|
|
Pierre-Yves Chibon |
73d120 |
'href="/login/?next=http://localhost/">',
|
|
Pierre-Yves Chibon |
73d120 |
output_text,
|
|
Pierre-Yves Chibon |
73d120 |
)
|
|
Pierre-Yves Chibon |
d5b214 |
self.assertIn(
|
|
Pierre-Yves Chibon |
73d120 |
"Could not set the session in the db, please report "
|
|
Pierre-Yves Chibon |
73d120 |
"this error to an admin",
|
|
Pierre-Yves Chibon |
73d120 |
output_text,
|
|
Pierre-Yves Chibon |
73d120 |
)
|
|
Pierre-Yves Chibon |
d5b214 |
else:
|
|
Pierre-Yves Chibon |
d5b214 |
self.assertIn(
|
|
Pierre-Yves Chibon |
d5b214 |
'
|
|
Pierre-Yves Chibon |
73d120 |
'href="/logout/?next=http://localhost/dashboard/projects">',
|
|
Pierre-Yves Chibon |
73d120 |
output_text,
|
|
Pierre-Yves Chibon |
73d120 |
)
|
|
Farhaan Bukhsh |
ecae95 |
|
|
Farhaan Bukhsh |
ecae95 |
# Check the user
|
|
Pierre-Yves Chibon |
73d120 |
item = pagure.lib.query.search_user(self.session, username="foobar")
|
|
Pierre-Yves Chibon |
73d120 |
self.assertEqual(item.user, "foobar")
|
|
Farhaan Bukhsh |
ecae95 |
self.assertEqual(item.token, None)
def test_confirm_user(self):
    """Test the confirm_user endpoint.

    An unknown token must land on the home page with "No user associated
    with this token."; the token stored for ``foouser`` (created through
    ``test_new_user``) must land on the login page with the activation
    message. The token is read from the database, not from an email.

    NOTE(review): the test stops at the success message; it does not
    check that the token is cleared or refused on a second use.
    """
    # A token that belongs to nobody.
    response = self.app.get("/confirm/foo", follow_redirects=True)
    self.assertEqual(response.status_code, 200)
    page = response.get_data(as_text=True)
    self.assertIn("<title>Home - Pagure</title>", page)
    self.assertIn("No user associated with this token.", page)

    # Create a local user
    self.test_new_user()

    self.assertEqual(3, len(pagure.lib.query.search_user(self.session)))
    account = pagure.lib.query.search_user(
        self.session, username="foouser"
    )
    self.assertEqual(account.user, "foouser")
    # "$2$" is presumably the version tag of the stored hash format;
    # confirm against the password-hashing code.
    self.assertTrue(account.password.startswith("$2$"))
    self.assertNotEqual(account.token, None)

    # The real token activates the account.
    confirm_url = "/confirm/%s" % account.token
    response = self.app.get(confirm_url, follow_redirects=True)
    self.assertEqual(response.status_code, 200)
    page = response.get_data(as_text=True)
    self.assertIn("<title>Login - Pagure</title>", page)
    self.assertIn("Email confirmed, account activated", page)
@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
@patch("pagure.lib.notify.send_email", MagicMock(return_value=True))
def test_lost_password(self):
    """Test the lost_password endpoint.

    Steps: render the form, submit it without a CSRF token, then with
    the token for ``foouser`` ("Username invalid."), for ``foo`` (reset
    email announced) and for ``foo`` again straight away (refused
    because an email was sent less than 3 minutes ago). ``send_email``
    is mocked, so nothing is actually sent.

    NOTE(review): the "Username invalid." and "Check your email ..."
    answers differ, so this test pins a response that tells a caller
    whether a username exists; it has to change if the endpoint is ever
    made to answer uniformly.
    """
    lost_url = "/password/lost"
    lost_title = "<title>Lost password - Pagure</title>"
    lost_form = '<form action="/password/lost" method="post">'

    response = self.app.get(lost_url)
    self.assertEqual(response.status_code, 200)
    page = response.get_data(as_text=True)
    self.assertIn(lost_title, page)
    self.assertIn(lost_form, page)

    # Prepare the data to send
    form = {"username": "foouser"}

    # Missing CSRF
    response = self.app.post(lost_url, data=form)
    self.assertEqual(response.status_code, 200)
    page = response.get_data(as_text=True)
    self.assertIn(lost_title, page)
    self.assertIn(lost_form, page)

    # Take the token from the hidden field of the re-rendered form.
    token_marker = 'name="csrf_token" type="hidden" value="'
    form["csrf_token"] = page.split(token_marker)[1].split('">')[0]

    attempts = (
        # With the CSRF - But invalid user
        ("foouser", "Username invalid."),
        # With the CSRF and a valid user
        ("foo", "Check your email to finish changing your password"),
        # With the CSRF and a valid user - but too quick after the last
        # one
        (
            "foo",
            "An email was sent to you less than 3 minutes ago, did you "
            "check your spam folder? Otherwise, try again after some time.",
        ),
    )
    for username, expected in attempts:
        form["username"] = username
        response = self.app.post(
            lost_url, data=form, follow_redirects=True
        )
        self.assertEqual(response.status_code, 200)
        page = response.get_data(as_text=True)
        self.assertIn("<title>Login - Pagure</title>", page)
        self.assertIn(expected, page)
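@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
@patch("pagure.lib.notify.send_email", MagicMock(return_value=True))
def test_reset_password(self):
    """Test the reset_password endpoint.

    An unknown token must lead back to the login page with "No user
    associated with this token.". The test then runs
    ``test_lost_password`` and ``test_new_user`` as setup, reads the
    token stored for ``foouser`` from the database and uses it to reach
    the change-password form, first without and then with a CSRF token.

    NOTE(review): the test ends on the "Password changed" message. It
    does not check that the stored hash differs from ``old_password``
    or that the token is refused afterwards.
    """
    change_title = "<title>Change password - Pagure</title>"

    # A token that belongs to nobody.
    output = self.app.get("/password/reset/foo", follow_redirects=True)
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn("<title>Login - Pagure</title>", output_text)
    self.assertIn("No user associated with this token.", output_text)
    self.assertIn('<form action="/dologin" method="post">', output_text)

    self.test_lost_password()
    self.test_new_user()

    # Check the password
    item = pagure.lib.query.search_user(self.session, username="foouser")
    self.assertEqual(item.user, "foouser")
    self.assertNotEqual(item.token, None)
    # "$2$" is presumably the version tag of the stored hash format;
    # confirm against the password-hashing code.
    self.assertTrue(item.password.startswith("$2$"))

    # NOTE(review): captured for a comparison this test never makes;
    # this is where a "hash has changed" assertion would hook in.
    old_password = item.password
    token = item.token
    reset_url = "/password/reset/%s" % token

    output = self.app.get(reset_url, follow_redirects=True)
    self.assertEqual(output.status_code, 200)
    self.assertIn(change_title, output.get_data(as_text=True))
    # NOTE(review): a second assertIn followed here; its arguments are
    # missing from the page this listing was taken from and are not
    # reconstructed. Restore it from the repository copy.

    data = {"password": "passwd", "confirm_password": "passwd"}

    # Missing CSRF
    output = self.app.post(reset_url, data=data, follow_redirects=True)
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn(change_title, output_text)
    # NOTE(review): a second assertIn followed here as well, lost in
    # the same way; restore it from the repository copy.

    # The token is read from the hidden field of the re-rendered form.
    csrf_token = output_text.split(
        'name="csrf_token" type="hidden" value="'
    )[1].split('">')[0]

    # With CSRF
    data["csrf_token"] = csrf_token
    output = self.app.post(reset_url, data=data, follow_redirects=True)
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn("<title>Login - Pagure</title>", output_text)
    self.assertIn("Password changed", output_text)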
@patch(
    "pagure.ui.login._check_session_cookie", MagicMock(return_value=True)
)
@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
def test_change_password(self):
    """Test the change_password endpoint.

    Covers an anonymous visitor (sent to the login page), a logged-in
    user with no matching account (404), the fixture user ``foo`` (the
    change is refused) and ``foouser`` created by ``test_new_user``
    (refused with a wrong old password, accepted with the right one).
    Each form submission is first made without a CSRF token.

    ``_check_session_cookie`` is patched to return True for the whole
    test, so the session-cookie check is not exercised here.

    NOTE(review): the extent of the ``with`` blocks is inferred from
    the request flow; confirm against the repository copy.
    """
    change_url = "/password/change"
    change_title = "<title>Change password - Pagure</title>"
    change_form = '<form action="/password/change" method="post">'
    token_marker = 'name="csrf_token" type="hidden" value="'
    refused = (
        "Could not update your password, either user or password "
        "could not be checked"
    )

    def form_page(response):
        # The change-password form is expected, with a 200 status.
        self.assertEqual(response.status_code, 200)
        page = response.get_data(as_text=True)
        self.assertIn(change_title, page)
        self.assertIn(change_form, page)
        return page

    def submit(form):
        # Post the form, follow the redirect and expect the home page.
        response = self.app.post(
            change_url, data=form, follow_redirects=True
        )
        self.assertEqual(response.status_code, 200)
        page = response.get_data(as_text=True)
        self.assertIn("<title>Home - Pagure</title>", page)
        return page

    # Not logged in, redirects
    response = self.app.get(change_url, follow_redirects=True)
    self.assertEqual(response.status_code, 200)
    page = response.get_data(as_text=True)
    self.assertIn("<title>Login - Pagure</title>", page)
    self.assertIn('<form action="/dologin" method="post">', page)

    # Logged in as a user the application cannot find.
    user = tests.FakeUser()
    with tests.user_set(self.app.application, user):
        response = self.app.get(change_url)
        self.assertEqual(response.status_code, 404)
        self.assertIn("User not found", response.get_data(as_text=True))

    user = tests.FakeUser(username="foo")
    with tests.user_set(self.app.application, user):
        form_page(self.app.get(change_url))

        data = {
            "old_password": "foo",
            "password": "foo",
            "confirm_password": "foo",
        }

        # No CSRF token
        page = form_page(self.app.post(change_url, data=data))

        # With CSRF - Invalid password format
        data["csrf_token"] = page.split(token_marker)[1].split('">')[0]
        self.assertIn(refused, submit(data))

    self.test_new_user()

    # Remove token of foouser
    item = pagure.lib.query.search_user(self.session, username="foouser")
    self.assertEqual(item.user, "foouser")
    self.assertNotEqual(item.token, None)
    # "$2$" is presumably the version tag of the stored hash format;
    # confirm against the password-hashing code.
    self.assertTrue(item.password.startswith("$2$"))
    item.token = None
    self.session.add(item)
    self.session.commit()

    user = tests.FakeUser(username="foouser")
    with tests.user_set(self.app.application, user):
        form_page(self.app.get(change_url))

        data = {
            "old_password": "foo",
            "password": "foo",
            "confirm_password": "foo",
        }

        # No CSRF token
        page = form_page(self.app.post(change_url, data=data))

        # With CSRF - Incorrect password
        data["csrf_token"] = page.split(token_marker)[1].split('">')[0]
        self.assertIn(refused, submit(data))

        # With CSRF - Correct password
        # "barpass" is presumably what test_new_user registered for
        # foouser; that method is defined outside this block.
        data["old_password"] = "barpass"
        self.assertIn("Password changed", submit(data))
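@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
def test_logout(self):
    """Test the auth_logout endpoint for local login.

    ``/logout/`` is requested twice with redirects followed:

    * anonymously: the home page is rendered, no "logged out" message is
      shown and the login link is present;
    * with a fake user set: the home page is rendered and the
      "You have been logged out" message is shown.

    As the inline comment below records, the fake user stays set by the
    test setup, so this test covers the flash message and the rendered
    links only; it does not show that the session was invalidated.
    """
    # Anonymous visitor: there is nothing to log out from.
    output = self.app.get("/logout/", follow_redirects=True)
    self.assertEqual(output.status_code, 200)
    output_text = output.get_data(as_text=True)
    self.assertIn("<title>Home - Pagure</title>", output_text)
    self.assertNotIn("You have been logged out", output_text)
    # NOTE(review): the expected login link appears to have been a
    # two-part literal whose first part did not survive in this copy of
    # the file; only the surviving part is asserted here. Restore the full
    # literal from the repository.
    # The link carries an absolute URL in ``next``; this test checks the
    # rendered link only, not how ``next`` is validated after login.
    self.assertIn('href="/login/?next=http://localhost/">', output_text)

    # Same request with a fake user set on the application.
    user = tests.FakeUser(username="foo")
    with tests.user_set(self.app.application, user):
        output = self.app.get("/logout/", follow_redirects=True)
        self.assertEqual(output.status_code, 200)
        output_text = output.get_data(as_text=True)
        self.assertIn("<title>Home - Pagure</title>", output_text)
        self.assertIn("You have been logged out", output_text)
        # Due to the way the tests are running we do not actually
        # log out
        # NOTE(review): as above, the first part of the expected
        # "Log Out" link literal is missing from this copy; restore it
        # from the repository.
        self.assertIn(
            'http://localhost/dashboard/projects">Log Out', output_text
        )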
|
@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
def test_settings_admin_session_timedout(self):
    """Check that /settings/ honours the admin session lifetime.

    A user whose login is one minute older than ADMIN_SESSION_LIFETIME
    (15 minutes when the option is not configured) is redirected to the
    login page; a user whose login is one minute younger than that limit
    gets the settings page. The exact boundary is not exercised.
    """
    session_lifetime = pagure.config.config.get(
        "ADMIN_SESSION_LIFETIME", datetime.timedelta(minutes=15)
    )
    one_minute = datetime.timedelta(minutes=1)
    account = tests.FakeUser(username="foo")

    # session already expired
    stale_login = datetime.datetime.utcnow() - session_lifetime - one_minute
    account.login_time = stale_login
    with tests.user_set(self.app.application, account):
        # The redirect is deliberately not followed: user_set would run
        # again for the login page and set the user back, and
        # admin_session_timedout would then redirect to the login page
        # once more, which results in a loop.
        response = self.app.get("/settings/")
        self.assertEqual(response.status_code, 302)
        self.assertIn("http://localhost/login/", response.location)

    # session did not expire
    fresh_login = datetime.datetime.utcnow() - session_lifetime + one_minute
    account.login_time = fresh_login
    with tests.user_set(self.app.application, account):
        response = self.app.get("/settings/")
        self.assertEqual(response.status_code, 200)
|
@patch("flask.flash")
@patch("flask.g")
@patch("flask.session")
def test_admin_session_timedout(self, session, g, flash):
    """Call admin_session_timedout directly on both sides of the limit.

    ``flask.session``, ``flask.g`` and ``flask.flash`` are replaced by
    mocks; the fake user is attached to the mocked ``g`` as ``fas_user``
    before each call. A login one minute older than
    ADMIN_SESSION_LIFETIME must be reported as timed out, a login one
    minute younger must not.
    """
    session_lifetime = pagure.config.config.get(
        "ADMIN_SESSION_LIFETIME", datetime.timedelta(minutes=15)
    )
    one_minute = datetime.timedelta(minutes=1)
    account = tests.FakeUser(username="foo")

    cases = (
        # session already expired
        (-one_minute, self.assertTrue),
        # session did not expire
        (one_minute, self.assertFalse),
    )
    for offset, expect in cases:
        account.login_time = (
            datetime.datetime.utcnow() - session_lifetime + offset
        )
        g.fas_user = account
        expect(pagure.flask_app.admin_session_timedout())
|
@patch.dict("pagure.config.config", {"PAGURE_AUTH": "local"})
def test_force_logout(self):
    """Check that "log out everywhere" invalidates the current session.

    Steps, all run with a fake user set (``keep_get_user=True``):

    1. ``/settings`` is reachable;
    2. a CSRF-protected POST to ``/settings/forcelogout/`` redirects back
       to ``/settings``;
    3. ``/settings`` then redirects to the index, because the session
       became invalid;
    4. after ``login_time`` is reset to now, a request is accepted again.
    """
    account = tests.FakeUser(username="foo")
    with tests.user_set(self.app.application, account, keep_get_user=True):
        # Test that accessing settings works
        before = self.app.get("/settings")
        self.assertEqual(before.status_code, 200)

        # Now logout everywhere
        forced = self.app.post(
            "/settings/forcelogout/", data={"csrf_token": self.get_csrf()}
        )
        self.assertEqual(forced.status_code, 302)
        self.assertEqual(
            forced.headers["Location"], "http://localhost/settings"
        )

        # We should now get redirected to index, because our session became
        # invalid
        after = self.app.get("/settings")
        self.assertEqual(after.headers["Location"], "http://localhost/")

        # After changing the login_time to now, the session should again be
        # valid
        # NOTE(review): only the status code is checked for this last
        # request; the redirect target is not asserted, so the test does
        # not show where the 302 leads.
        account.login_time = datetime.datetime.utcnow()
        relogged = self.app.get("/")
        self.assertEqual(relogged.status_code, 302)
|
|
# Allow running this test module directly; verbosity=2 prints one line per
# test.
if __name__ == "__main__":
    unittest.main(verbosity=2)