canaille-globuzma/tests/core/test_account.py

import datetime
from unittest import mock

import pytest
import time_machine
from flask import g

from canaille.app import models


def test_index(testclient, user, backend):
    res = testclient.get("/", status=302)
    assert res.location == "/login"

    g.user = user
    res = testclient.get("/", status=302)
    assert res.location == "/profile/user"

    testclient.app.config["CANAILLE"]["ACL"]["DEFAULT"]["PERMISSIONS"] = []
    backend.reload(g.user)
    res = testclient.get("/", status=302)
    assert res.location == "/about"


def test_user_deleted_in_session(testclient, backend):
    u = models.User(
        formatted_name="Jake Doe",
        family_name="Jake",
        user_name="jake",
        emails=["jake@doe.test"],
        password="correct horse battery staple",
    )
    backend.save(u)
    testclient.get("/profile/jake", status=403)

    with testclient.session_transaction() as session:
        session["user_id"] = [u.id]

    backend.delete(u)

    testclient.get("/profile/jake", status=404)
    with testclient.session_transaction() as session:
        assert not session.get("user_id")


def test_impersonate(testclient, logged_admin, user):
    res = testclient.get("/", status=302).follow(status=200).click("Account settings")
    assert "admin" == res.form["user_name"].value

    res = (
        testclient.get("/impersonate/user", status=302)
        .follow(status=302)
        .follow(status=200)
        .click("Account settings")
    )
    assert "user" == res.form["user_name"].value

    testclient.get("/logout", status=302).follow(status=302).follow(status=200)

    res = testclient.get("/", status=302).follow(status=200).click("Account settings")
    assert "admin" == res.form["user_name"].value


def test_admin_self_deletion(testclient, backend):
    admin = models.User(
        formatted_name="Temp admin",
        family_name="admin",
        user_name="temp",
        emails=["temp@temp.test"],
        password="admin",
    )
    backend.save(admin)
    with testclient.session_transaction() as sess:
        sess["user_id"] = [admin.id]

    res = testclient.get("/profile/temp/settings")
    res = res.form.submit(name="action", value="confirm-delete")
    res = (
        res.form.submit(name="action", value="delete", status=302)
        .follow(status=302)
        .follow(status=200)
    )

    assert backend.get(models.User, user_name="temp") is None

    with testclient.session_transaction() as sess:
        assert not sess.get("user_id")


def test_user_self_deletion(testclient, backend):
    user = models.User(
        formatted_name="Temp user",
        family_name="user",
        user_name="temp",
        emails=["temp@temp.test"],
        password="correct horse battery staple",
    )
    backend.save(user)
    with testclient.session_transaction() as sess:
        sess["user_id"] = [user.id]

    testclient.app.config["CANAILLE"]["ACL"]["DEFAULT"]["PERMISSIONS"] = ["edit_self"]
    res = testclient.get("/profile/temp/settings")
    res.mustcontain(no="Delete my account")

    testclient.app.config["CANAILLE"]["ACL"]["DEFAULT"]["PERMISSIONS"] = [
        "edit_self",
        "delete_account",
    ]
    # Simulate an app restart
    backend.reload(user)

    res = testclient.get("/profile/temp/settings")
    res.mustcontain("Delete my account")
    res = res.form.submit(name="action", value="confirm-delete")
    res = (
        res.form.submit(name="action", value="delete", status=302)
        .follow(status=302)
        .follow(status=200)
    )

    assert backend.get(models.User, user_name="temp") is None

    with testclient.session_transaction() as sess:
        assert not sess.get("user_id")

    testclient.app.config["CANAILLE"]["ACL"]["DEFAULT"]["PERMISSIONS"] = []


def test_account_locking(user, backend):
    assert not user.locked
    assert not user.lock_date
    assert backend.check_user_password(user, "correct horse battery staple") == (
        True,
        None,
    )

    user.lock_date = datetime.datetime.now(datetime.timezone.utc)
    assert user.locked
    backend.save(user)
    assert user.locked
    assert backend.get(models.User, id=user.id).locked
    assert backend.check_user_password(user, "correct horse battery staple") == (
        False,
        "Your account has been locked.",
    )

    user.lock_date = None
    backend.save(user)
    assert not user.locked
    assert not backend.get(models.User, id=user.id).locked
    assert backend.check_user_password(user, "correct horse battery staple") == (
        True,
        None,
    )


def test_account_locking_past_date(user, backend):
    assert not user.locked
    assert not user.lock_date
    assert backend.check_user_password(user, "correct horse battery staple") == (
        True,
        None,
    )

    user.lock_date = datetime.datetime.now(datetime.timezone.utc).replace(
        microsecond=0
    ) - datetime.timedelta(days=30)
    backend.save(user)
    assert user.locked
    assert backend.get(models.User, id=user.id).locked
    assert backend.check_user_password(user, "correct horse battery staple") == (
        False,
        "Your account has been locked.",
    )


def test_account_locking_future_date(user, backend):
    assert not user.locked
    assert not user.lock_date
    assert backend.check_user_password(user, "correct horse battery staple") == (
        True,
        None,
    )

    user.lock_date = datetime.datetime.now(datetime.timezone.utc).replace(
        microsecond=0
    ) + datetime.timedelta(days=365 * 4)
    backend.save(user)
    assert not user.locked
    assert not backend.get(models.User, id=user.id).locked
    assert backend.check_user_password(user, "correct horse battery staple") == (
        True,
        None,
    )


def test_account_locked_during_session(testclient, logged_user, backend):
    logged_user.lock_date = datetime.datetime.now(datetime.timezone.utc)
    backend.save(logged_user)
    testclient.get("/profile/user/settings", status=403)


def test_expired_password_redirection_and_register_new_password_for_memory_and_sql(
    testclient,
    logged_user,
    user,
    backend,
    admin,
):
    """time_machine does not work with ldap."""
    if "ldap" in backend.__class__.__module__:
        pytest.skip()

    testclient.app.config["WTF_CSRF_ENABLED"] = False
    backend.reload(logged_user)
    res = testclient.get("/profile/user/settings", status=200)
    res.form["password1"] = "123456789"
    res.form["password2"] = "123456789"

    with time_machine.travel("2020-01-01 01:00:00+00:00", tick=False) as traveller:
        res = res.form.submit(name="action", value="edit-settings")

        testclient.app.config["CANAILLE"]["PASSWORD_LIFETIME"] = "P5D"

        traveller.shift(datetime.timedelta(days=5, minutes=1))

        backend.reload(g.user)

        res = testclient.get("/profile/user/settings")

        testclient.get("/reset/admin", status=403)

        assert (
            "info",
            "Your password has expired, please choose a new password.",
        ) in res.flashes
        assert res.location == "/reset/user"

        backend.reload(logged_user)
        res = testclient.get("/reset/user")

        res.form["password"] = "foobarbaz"
        res.form["confirmation"] = "foobarbaz"
        res = res.form.submit()
        assert ("success", "Your password has been updated successfully") in res.flashes


@mock.patch("canaille.core.models.User.has_expired_password")
def test_expired_password_redirection_and_register_new_password_for_ldap_sql_and_memory(
    has_expired,
    testclient,
    logged_user,
    user,
    backend,
    admin,
):
    """time_machine does not work with ldap."""
    has_expired.return_value = False
    assert user.password_last_update is None
    res = testclient.get("/profile/user/settings", status=200)
    res.form["password1"] = "123456789"
    res.form["password2"] = "123456789"
    res = res.form.submit(name="action", value="edit-settings")
    backend.reload(logged_user)
    assert user.password_last_update is not None

    has_expired.return_value = True
    res = testclient.get("/profile/user/settings")
    testclient.get("/reset/admin", status=403)
    assert (
        "info",
        "Your password has expired, please choose a new password.",
    ) in res.flashes
    assert res.location == "/reset/user"
    backend.reload(logged_user)
    backend.reload(g.user)
    backend.reload(user)

    res = testclient.get("/reset/user")

    res.form["password"] = "foobarbaz"
    res.form["confirmation"] = "foobarbaz"
    res = res.form.submit()
    assert ("success", "Your password has been updated successfully") in res.flashes


def test_not_expired_password_or_wrong_user_redirection(
    testclient, logged_user, user, backend, admin
):
    assert user.password_last_update is None
    res = testclient.get("/profile/user/settings", status=200)
    res.form["password1"] = "123456789"
    res.form["password2"] = "123456789"
    res = res.form.submit(name="action", value="edit-settings")
    backend.reload(logged_user)
    assert user.password_last_update is not None

    def test_two_redirections(password_lifetime):
        testclient.app.config["CANAILLE"]["PASSWORD_LIFETIME"] = password_lifetime
        testclient.get("/reset/user", status=403)
        testclient.get("/reset/admin", status=403)

    test_two_redirections(None)

    testclient.app.config["CANAILLE"]["PASSWORD_LIFETIME"] = "PT0S"
    res = testclient.get("/profile/user/settings")
    assert (
        "info",
        "Your password has expired, please choose a new password.",
    ) in res.flashes
    assert res.location == "/reset/user"

    testclient.app.config["CANAILLE"]["PASSWORD_LIFETIME"] = "P1D"
    res = testclient.get("/profile/user/settings")
    res.form["password1"] = "123456789"
    res.form["password2"] = "123456789"
    res = res.form.submit(name="action", value="edit-settings")

    test_two_redirections("P1D")


def test_expired_password_needed_without_current_user(testclient, user):
    testclient.get("/reset/user", status=403)
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`import datetime`
adds password expiry policy with a new method on User class 2024-12-17 13:45:10 +00:00			`from unittest import mock`
unit tests: first login mail success and error 2022-12-21 20:52:01 +00:00
adds password expiry policy with a new method on User class 2024-12-17 13:45:10 +00:00			`import pytest`
			`import time_machine`
refactor: store user profile in g.user 2023-08-13 20:08:28 +00:00			`from flask import g`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00
chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00			`from canaille.app import models`

Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`def test_index(testclient, user, backend):`
index page unit tests 2022-12-04 11:57:59 +00:00			`res = testclient.get("/", status=302)`
			`assert res.location == "/login"`

refactor: store user profile in g.user 2023-08-13 20:08:28 +00:00			`g.user = user`
index page unit tests 2022-12-04 11:57:59 +00:00			`res = testclient.get("/", status=302)`
			`assert res.location == "/profile/user"`

feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE"]["ACL"]["DEFAULT"]["PERMISSIONS"] = []`
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(g.user)`
index page unit tests 2022-12-04 11:57:59 +00:00			`res = testclient.get("/", status=302)`
			`assert res.location == "/about"`


Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_user_deleted_in_session(testclient, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`u = models.User(`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`formatted_name="Jake Doe",`
			`family_name="Jake",`
			`user_name="jake",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`emails=["jake@doe.test"],`
Cleartext password in unit tests 2023-04-10 19:42:14 +00:00			`password="correct horse battery staple",`
Fixed a bug happening when a user is deleted during his session 2020-11-25 16:41:03 +00:00			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(u)`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`testclient.get("/profile/jake", status=403)`

			`with testclient.session_transaction() as session:`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`session["user_id"] = [u.id]`
Fixed a bug happening when a user is deleted during his session 2020-11-25 16:41:03 +00:00
refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(u)`
Fixed a bug happening when a user is deleted during his session 2020-11-25 16:41:03 +00:00
Implements a flask User converter 2023-06-28 15:56:49 +00:00			`testclient.get("/profile/jake", status=404)`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`with testclient.session_transaction() as session:`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`assert not session.get("user_id")`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00

Avoid slapd_connection fixture in tests 2022-05-19 10:36:39 +00:00			`def test_impersonate(testclient, logged_admin, user):`
Wording 2023-06-30 16:10:16 +00:00			`res = testclient.get("/", status=302).follow(status=200).click("Account settings")`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`assert "admin" == res.form["user_name"].value`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00
			`res = (`
			`testclient.get("/impersonate/user", status=302)`
			`.follow(status=302)`
			`.follow(status=200)`
Wording 2023-06-30 16:10:16 +00:00			`.click("Account settings")`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`)`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`assert "user" == res.form["user_name"].value`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00
			`testclient.get("/logout", status=302).follow(status=302).follow(status=200)`

Wording 2023-06-30 16:10:16 +00:00			`res = testclient.get("/", status=302).follow(status=200).click("Account settings")`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`assert "admin" == res.form["user_name"].value`
Customizable error message for invalid login. Fixes #48 2020-12-31 18:55:30 +00:00

Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_admin_self_deletion(testclient, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`admin = models.User(`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`formatted_name="Temp admin",`
			`family_name="admin",`
			`user_name="temp",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`emails=["temp@temp.test"],`
Cleartext password in unit tests 2023-04-10 19:42:14 +00:00			`password="admin",`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(admin)`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`with testclient.session_transaction() as sess:`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`sess["user_id"] = [admin.id]`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00
Split the profile page in two 2023-03-16 17:39:28 +00:00			`res = testclient.get("/profile/temp/settings")`
modals are HTML pages instead of JS elements This will help providing the very same user experience for users with and without javascript. We will still be able to re-enable javascript modals in the future, but this should be done from the ground up, HTML first and javascript after. 2023-07-06 16:43:37 +00:00			`res = res.form.submit(name="action", value="confirm-delete")`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`res = (`
			`res.form.submit(name="action", value="delete", status=302)`
			`.follow(status=302)`
			`.follow(status=200)`
			`)`

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`assert backend.get(models.User, user_name="temp") is None`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00
			`with testclient.session_transaction() as sess:`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`assert not sess.get("user_id")`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00

Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_user_self_deletion(testclient, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`user = models.User(`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`formatted_name="Temp user",`
			`family_name="user",`
			`user_name="temp",`
refactor: all domains used in the unit test suite are now .test this ensures they will never be valid, and will never generate real world requests 2024-11-20 22:30:44 +00:00			`emails=["temp@temp.test"],`
Cleartext password in unit tests 2023-04-10 19:42:14 +00:00			`password="correct horse battery staple",`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(user)`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`with testclient.session_transaction() as sess:`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`sess["user_id"] = [user.id]`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE"]["ACL"]["DEFAULT"]["PERMISSIONS"] = ["edit_self"]`
Split the profile page in two 2023-03-16 17:39:28 +00:00			`res = testclient.get("/profile/temp/settings")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain(no="Delete my account")`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE"]["ACL"]["DEFAULT"]["PERMISSIONS"] = [`
Added an option to disable self edition 2022-04-05 15:16:09 +00:00			`"edit_self",`
			`"delete_account",`
			`]`
tests: backport tests from sqlachemy branch 2023-11-24 11:10:17 +00:00			`# Simulate an app restart`
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(user)`
tests: backport tests from sqlachemy branch 2023-11-24 11:10:17 +00:00
Split the profile page in two 2023-03-16 17:39:28 +00:00			`res = testclient.get("/profile/temp/settings")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain("Delete my account")`
modals are HTML pages instead of JS elements This will help providing the very same user experience for users with and without javascript. We will still be able to re-enable javascript modals in the future, but this should be done from the ground up, HTML first and javascript after. 2023-07-06 16:43:37 +00:00			`res = res.form.submit(name="action", value="confirm-delete")`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`res = (`
			`res.form.submit(name="action", value="delete", status=302)`
			`.follow(status=302)`
			`.follow(status=200)`
			`)`

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`assert backend.get(models.User, user_name="temp") is None`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00
			`with testclient.session_transaction() as sess:`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`assert not sess.get("user_id")`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`testclient.app.config["CANAILLE"]["ACL"]["DEFAULT"]["PERMISSIONS"] = []`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00

			`def test_account_locking(user, backend):`
			`assert not user.locked`
			`assert not user.lock_date`
refactor: move User.check_password and User.set_password methods to Backend 2024-04-07 18:12:13 +00:00			`assert backend.check_user_password(user, "correct horse battery staple") == (`
			`True,`
			`None,`
			`)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00
refactored User locking mechanism 2023-05-26 15:44:15 +00:00			`user.lock_date = datetime.datetime.now(datetime.timezone.utc)`
tests: backport tests from sqlachemy branch 2023-11-24 11:10:17 +00:00			`assert user.locked`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(user)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`assert user.locked`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`assert backend.get(models.User, id=user.id).locked`
refactor: move User.check_password and User.set_password methods to Backend 2024-04-07 18:12:13 +00:00			`assert backend.check_user_password(user, "correct horse battery staple") == (`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`False,`
			`"Your account has been locked.",`
			`)`

refactor: remove models __delattr__ methods 2023-11-21 13:57:28 +00:00			`user.lock_date = None`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(user)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`assert not user.locked`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`assert not backend.get(models.User, id=user.id).locked`
refactor: move User.check_password and User.set_password methods to Backend 2024-04-07 18:12:13 +00:00			`assert backend.check_user_password(user, "correct horse battery staple") == (`
			`True,`
			`None,`
			`)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00

			`def test_account_locking_past_date(user, backend):`
			`assert not user.locked`
			`assert not user.lock_date`
refactor: move User.check_password and User.set_password methods to Backend 2024-04-07 18:12:13 +00:00			`assert backend.check_user_password(user, "correct horse battery staple") == (`
			`True,`
			`None,`
			`)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00
refactored User locking mechanism 2023-05-26 15:44:15 +00:00			`user.lock_date = datetime.datetime.now(datetime.timezone.utc).replace(`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`microsecond=0`
			`) - datetime.timedelta(days=30)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(user)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`assert user.locked`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`assert backend.get(models.User, id=user.id).locked`
refactor: move User.check_password and User.set_password methods to Backend 2024-04-07 18:12:13 +00:00			`assert backend.check_user_password(user, "correct horse battery staple") == (`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`False,`
			`"Your account has been locked.",`
			`)`


			`def test_account_locking_future_date(user, backend):`
			`assert not user.locked`
			`assert not user.lock_date`
refactor: move User.check_password and User.set_password methods to Backend 2024-04-07 18:12:13 +00:00			`assert backend.check_user_password(user, "correct horse battery staple") == (`
			`True,`
			`None,`
			`)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00
refactored User locking mechanism 2023-05-26 15:44:15 +00:00			`user.lock_date = datetime.datetime.now(datetime.timezone.utc).replace(`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`microsecond=0`
			`) + datetime.timedelta(days=365 * 4)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(user)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`assert not user.locked`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`assert not backend.get(models.User, id=user.id).locked`
refactor: move User.check_password and User.set_password methods to Backend 2024-04-07 18:12:13 +00:00			`assert backend.check_user_password(user, "correct horse battery staple") == (`
			`True,`
			`None,`
			`)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00

refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`def test_account_locked_during_session(testclient, logged_user, backend):`
refactored User locking mechanism 2023-05-26 15:44:15 +00:00			`logged_user.lock_date = datetime.datetime.now(datetime.timezone.utc)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(logged_user)`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`testclient.get("/profile/user/settings", status=403)`
adds password expiry policy with a new method on User class 2024-12-17 13:45:10 +00:00

			`def test_expired_password_redirection_and_register_new_password_for_memory_and_sql(`
			`testclient,`
			`logged_user,`
			`user,`
			`backend,`
			`admin,`
			`):`
			`"""time_machine does not work with ldap."""`
			`if "ldap" in backend.__class__.__module__:`
			`pytest.skip()`

			`testclient.app.config["WTF_CSRF_ENABLED"] = False`
			`backend.reload(logged_user)`
			`res = testclient.get("/profile/user/settings", status=200)`
			`res.form["password1"] = "123456789"`
			`res.form["password2"] = "123456789"`

			`with time_machine.travel("2020-01-01 01:00:00+00:00", tick=False) as traveller:`
			`res = res.form.submit(name="action", value="edit-settings")`

			`testclient.app.config["CANAILLE"]["PASSWORD_LIFETIME"] = "P5D"`

			`traveller.shift(datetime.timedelta(days=5, minutes=1))`

			`backend.reload(g.user)`

			`res = testclient.get("/profile/user/settings")`

			`testclient.get("/reset/admin", status=403)`

			`assert (`
			`"info",`
			`"Your password has expired, please choose a new password.",`
			`) in res.flashes`
			`assert res.location == "/reset/user"`

			`backend.reload(logged_user)`
			`res = testclient.get("/reset/user")`

			`res.form["password"] = "foobarbaz"`
			`res.form["confirmation"] = "foobarbaz"`
			`res = res.form.submit()`
			`assert ("success", "Your password has been updated successfully") in res.flashes`


			`@mock.patch("canaille.core.models.User.has_expired_password")`
			`def test_expired_password_redirection_and_register_new_password_for_ldap_sql_and_memory(`
			`has_expired,`
			`testclient,`
			`logged_user,`
			`user,`
			`backend,`
			`admin,`
			`):`
			`"""time_machine does not work with ldap."""`
			`has_expired.return_value = False`
			`assert user.password_last_update is None`
			`res = testclient.get("/profile/user/settings", status=200)`
			`res.form["password1"] = "123456789"`
			`res.form["password2"] = "123456789"`
			`res = res.form.submit(name="action", value="edit-settings")`
			`backend.reload(logged_user)`
			`assert user.password_last_update is not None`

			`has_expired.return_value = True`
			`res = testclient.get("/profile/user/settings")`
			`testclient.get("/reset/admin", status=403)`
			`assert (`
			`"info",`
			`"Your password has expired, please choose a new password.",`
			`) in res.flashes`
			`assert res.location == "/reset/user"`
			`backend.reload(logged_user)`
			`backend.reload(g.user)`
			`backend.reload(user)`

			`res = testclient.get("/reset/user")`

			`res.form["password"] = "foobarbaz"`
			`res.form["confirmation"] = "foobarbaz"`
			`res = res.form.submit()`
			`assert ("success", "Your password has been updated successfully") in res.flashes`


			`def test_not_expired_password_or_wrong_user_redirection(`
			`testclient, logged_user, user, backend, admin`
			`):`
			`assert user.password_last_update is None`
			`res = testclient.get("/profile/user/settings", status=200)`
			`res.form["password1"] = "123456789"`
			`res.form["password2"] = "123456789"`
			`res = res.form.submit(name="action", value="edit-settings")`
			`backend.reload(logged_user)`
			`assert user.password_last_update is not None`

			`def test_two_redirections(password_lifetime):`
			`testclient.app.config["CANAILLE"]["PASSWORD_LIFETIME"] = password_lifetime`
			`testclient.get("/reset/user", status=403)`
			`testclient.get("/reset/admin", status=403)`

			`test_two_redirections(None)`

			`testclient.app.config["CANAILLE"]["PASSWORD_LIFETIME"] = "PT0S"`
			`res = testclient.get("/profile/user/settings")`
			`assert (`
			`"info",`
			`"Your password has expired, please choose a new password.",`
			`) in res.flashes`
			`assert res.location == "/reset/user"`

			`testclient.app.config["CANAILLE"]["PASSWORD_LIFETIME"] = "P1D"`
			`res = testclient.get("/profile/user/settings")`
			`res.form["password1"] = "123456789"`
			`res.form["password2"] = "123456789"`
			`res = res.form.submit(name="action", value="edit-settings")`

			`test_two_redirections("P1D")`


			`def test_expired_password_needed_without_current_user(testclient, user):`
			`testclient.get("/reset/user", status=403)`