canaille-globuzma/tests/oidc/test_token_admin.py

import datetime
import logging

from werkzeug.security import gen_salt

from canaille.app import models


def test_no_logged_no_access(testclient):
    testclient.get("/admin/token", status=403)


def test_no_admin_no_access(testclient, logged_user):
    testclient.get("/admin/token", status=403)


def test_token_list(testclient, token, logged_admin):
    res = testclient.get("/admin/token")
    res.mustcontain(token.token_id)


def test_token_list_pagination(testclient, logged_admin, client, backend):
    res = testclient.get("/admin/token")
    res.mustcontain("0 items")
    tokens = []
    for _ in range(26):
        token = models.Token(
            token_id=gen_salt(48),
            access_token="my-valid-token",
            client=client,
            subject=logged_admin,
            type=None,
            refresh_token=gen_salt(48),
            scope=["openid", "profile"],
            issue_date=(
                datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
            ),
            lifetime=3600,
        )
        backend.save(token)
        tokens.append(token)

    res = testclient.get("/admin/token")
    res.mustcontain("26 items")
    token_id = res.pyquery(".tokens tbody tr td:nth-of-type(1) a").text()
    assert token_id

    form = res.forms["tableform"]
    res = form.submit(name="form", value="2")
    assert token_id not in res.pyquery(
        ".tokens tbody tr:nth-of-type(1) td:nth-of-type(1) a"
    ).text().split(" ")
    for token in tokens:
        backend.delete(token)

    res = testclient.get("/admin/token")
    res.mustcontain("0 items")


def test_token_list_bad_pages(testclient, logged_admin):
    res = testclient.get("/admin/token")
    form = res.forms["tableform"]
    testclient.post(
        "/admin/token",
        {"csrf_token": form["csrf_token"].value, "page": "2"},
        status=404,
    )

    res = testclient.get("/admin/token")
    form = res.forms["tableform"]
    testclient.post(
        "/admin/token",
        {"csrf_token": form["csrf_token"].value, "page": "-1"},
        status=404,
    )


def test_token_list_search(testclient, logged_admin, client, backend):
    token1 = models.Token(
        token_id=gen_salt(48),
        access_token="this-token-is-ok",
        client=client,
        subject=logged_admin,
        type=None,
        refresh_token=gen_salt(48),
        scope=["openid", "profile"],
        issue_date=(
            datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
        ),
        lifetime=3600,
    )
    backend.save(token1)
    token2 = models.Token(
        token_id=gen_salt(48),
        access_token="this-token-is-valid",
        client=client,
        subject=logged_admin,
        type=None,
        refresh_token=gen_salt(48),
        scope=["openid", "profile"],
        issue_date=(
            datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
        ),
        lifetime=3600,
    )
    backend.save(token2)

    res = testclient.get("/admin/token")
    res.mustcontain("2 items")
    res.mustcontain(token1.token_id)
    res.mustcontain(token2.token_id)

    form = res.forms["search"]
    form["query"] = "valid"
    res = form.submit()

    res.mustcontain("1 item")
    res.mustcontain(token2.token_id)
    res.mustcontain(no=token1.token_id)


def test_token_view(testclient, token, logged_admin):
    res = testclient.get("/admin/token/" + token.token_id)
    res.mustcontain(token.access_token)


def test_token_not_found(testclient, logged_admin):
    testclient.get("/admin/token/" + "yolo", status=404)


def test_revoke_bad_request(testclient, token, logged_admin):
    assert not token.revoked

    res = testclient.get(f"/admin/token/{token.token_id}")
    res = res.form.submit(name="action", value="invalid", status=400)


def test_revoke_token(testclient, token, logged_admin, backend, caplog):
    assert not token.revoked

    res = testclient.get(f"/admin/token/{token.token_id}")
    res = res.form.submit(name="action", value="confirm-revoke")
    res = res.form.submit(name="action", value="revoke")
    assert ("success", "The token has successfully been revoked.") in res.flashes
    assert (
        "canaille",
        logging.SECURITY,
        "Revoked token for user in client Some client by admin from unknown IP",
    ) in caplog.record_tuples

    backend.reload(token)
    assert token.revoked


def test_revoke_invalid_token(testclient, logged_admin):
    testclient.get("/admin/token/invalid/revoke", status=404)
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`import datetime`
feat: Added security logs for email update, forgotten password mail, token emission/refresh/revokation, new consent, consent revokation #177 2024-10-14 12:04:39 +00:00			`import logging`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00
			`from werkzeug.security import gen_salt`

chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00			`from canaille.app import models`

Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00
Token list and auth code list views 2020-08-26 14:27:08 +00:00			`def test_no_logged_no_access(testclient):`
Draft for a 'my accesses' page 2020-08-26 15:23:53 +00:00			`testclient.get("/admin/token", status=403)`
Token list and auth code list views 2020-08-26 14:27:08 +00:00

			`def test_no_admin_no_access(testclient, logged_user):`
Draft for a 'my accesses' page 2020-08-26 15:23:53 +00:00			`testclient.get("/admin/token", status=403)`
Token list and auth code list views 2020-08-26 14:27:08 +00:00

			`def test_token_list(testclient, token, logged_admin):`
Draft for a 'my accesses' page 2020-08-26 15:23:53 +00:00			`res = testclient.get("/admin/token")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain(token.token_id)`
Token list and auth code list views 2020-08-26 14:27:08 +00:00

refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`def test_token_list_pagination(testclient, logged_admin, client, backend):`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`res = testclient.get("/admin/token")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain("0 items")`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`tokens = []`
			`for _ in range(26):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`token = models.Token(`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`token_id=gen_salt(48),`
			`access_token="my-valid-token",`
			`client=client,`
			`subject=logged_admin,`
			`type=None,`
			`refresh_token=gen_salt(48),`
tests: use lists of strings for Token.scope and AuthorizationCode.scope 2023-11-23 21:07:42 +00:00			`scope=["openid", "profile"],`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=(`
			`datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)`
			`),`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`lifetime=3600,`
			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(token)`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`tokens.append(token)`

			`res = testclient.get("/admin/token")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain("26 items")`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`token_id = res.pyquery(".tokens tbody tr td:nth-of-type(1) a").text()`
			`assert token_id`

tests: fix CI 2023-08-31 20:34:12 +00:00			`form = res.forms["tableform"]`
			`res = form.submit(name="form", value="2")`
Fixed unit tests 2023-03-09 19:46:04 +00:00			`assert token_id not in res.pyquery(`
			`".tokens tbody tr:nth-of-type(1) td:nth-of-type(1) a"`
			`).text().split(" ")`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`for token in tokens:`
refactor: move BackendModel.delete to Backend.delete 2024-04-14 18:37:52 +00:00			`backend.delete(token)`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00
			`res = testclient.get("/admin/token")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain("0 items")`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00

			`def test_token_list_bad_pages(testclient, logged_admin):`
			`res = testclient.get("/admin/token")`
tests: fix CI 2023-08-31 20:34:12 +00:00			`form = res.forms["tableform"]`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`testclient.post(`
CSRF protection everywhere 2023-03-28 18:30:29 +00:00			`"/admin/token",`
			`{"csrf_token": form["csrf_token"].value, "page": "2"},`
			`status=404,`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`)`

			`res = testclient.get("/admin/token")`
tests: fix CI 2023-08-31 20:34:12 +00:00			`form = res.forms["tableform"]`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`testclient.post(`
CSRF protection everywhere 2023-03-28 18:30:29 +00:00			`"/admin/token",`
			`{"csrf_token": form["csrf_token"].value, "page": "-1"},`
			`status=404,`
Every list of items is paginated server-side. 2023-02-25 17:11:19 +00:00			`)`


refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`def test_token_list_search(testclient, logged_admin, client, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`token1 = models.Token(`
Table search implementation 2023-03-07 17:29:18 +00:00			`token_id=gen_salt(48),`
			`access_token="this-token-is-ok",`
			`client=client,`
			`subject=logged_admin,`
			`type=None,`
			`refresh_token=gen_salt(48),`
tests: use lists of strings for Token.scope and AuthorizationCode.scope 2023-11-23 21:07:42 +00:00			`scope=["openid", "profile"],`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=(`
			`datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)`
			`),`
Table search implementation 2023-03-07 17:29:18 +00:00			`lifetime=3600,`
			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(token1)`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`token2 = models.Token(`
Table search implementation 2023-03-07 17:29:18 +00:00			`token_id=gen_salt(48),`
			`access_token="this-token-is-valid",`
			`client=client,`
			`subject=logged_admin,`
			`type=None,`
			`refresh_token=gen_salt(48),`
tests: use lists of strings for Token.scope and AuthorizationCode.scope 2023-11-23 21:07:42 +00:00			`scope=["openid", "profile"],`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`issue_date=(`
			`datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)`
			`),`
Table search implementation 2023-03-07 17:29:18 +00:00			`lifetime=3600,`
			`)`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(token2)`
Table search implementation 2023-03-07 17:29:18 +00:00
			`res = testclient.get("/admin/token")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain("2 items")`
			`res.mustcontain(token1.token_id)`
			`res.mustcontain(token2.token_id)`
Table search implementation 2023-03-07 17:29:18 +00:00
			`form = res.forms["search"]`
			`form["query"] = "valid"`
			`res = form.submit()`

Pagination pluralization 2023-06-30 15:42:16 +00:00			`res.mustcontain("1 item")`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain(token2.token_id)`
			`res.mustcontain(no=token1.token_id)`
Table search implementation 2023-03-07 17:29:18 +00:00

Token list and auth code list views 2020-08-26 14:27:08 +00:00			`def test_token_view(testclient, token, logged_admin):`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`res = testclient.get("/admin/token/" + token.token_id)`
Unit tests use WebTest .mustcontain method when possible 2023-03-16 15:25:14 +00:00			`res.mustcontain(token.access_token)`
fix: handle token not found in token view 2022-03-03 09:05:14 +00:00

			`def test_token_not_found(testclient, logged_admin):`
Use ruff linter 2023-05-25 11:37:58 +00:00			`testclient.get("/admin/token/" + "yolo", status=404)`
Implements admin token deletion 2023-02-04 17:41:49 +00:00

modals are HTML pages instead of JS elements This will help providing the very same user experience for users with and without javascript. We will still be able to re-enable javascript modals in the future, but this should be done from the ground up, HTML first and javascript after. 2023-07-06 16:43:37 +00:00			`def test_revoke_bad_request(testclient, token, logged_admin):`
			`assert not token.revoked`

			`res = testclient.get(f"/admin/token/{token.token_id}")`
			`res = res.form.submit(name="action", value="invalid", status=400)`


feat: Added security logs for email update, forgotten password mail, token emission/refresh/revokation, new consent, consent revokation #177 2024-10-14 12:04:39 +00:00			`def test_revoke_token(testclient, token, logged_admin, backend, caplog):`
Implements admin token deletion 2023-02-04 17:41:49 +00:00			`assert not token.revoked`

modals are HTML pages instead of JS elements This will help providing the very same user experience for users with and without javascript. We will still be able to re-enable javascript modals in the future, but this should be done from the ground up, HTML first and javascript after. 2023-07-06 16:43:37 +00:00			`res = testclient.get(f"/admin/token/{token.token_id}")`
			`res = res.form.submit(name="action", value="confirm-revoke")`
			`res = res.form.submit(name="action", value="revoke")`
Implements admin token deletion 2023-02-04 17:41:49 +00:00			`assert ("success", "The token has successfully been revoked.") in res.flashes`
feat: Added security logs for email update, forgotten password mail, token emission/refresh/revokation, new consent, consent revokation #177 2024-10-14 12:04:39 +00:00			`assert (`
			`"canaille",`
refactor : added proper security logging level and refactored change email logging 2024-10-21 09:17:55 +00:00			`logging.SECURITY,`
			`"Revoked token for user in client Some client by admin from unknown IP",`
feat: Added security logs for email update, forgotten password mail, token emission/refresh/revokation, new consent, consent revokation #177 2024-10-14 12:04:39 +00:00			`) in caplog.record_tuples`
Implements admin token deletion 2023-02-04 17:41:49 +00:00
refactor: move BackendModel.reload to Backend.reload 2024-04-14 20:51:58 +00:00			`backend.reload(token)`
Implements admin token deletion 2023-02-04 17:41:49 +00:00			`assert token.revoked`


			`def test_revoke_invalid_token(testclient, logged_admin):`
Use ruff linter 2023-05-25 11:37:58 +00:00			`testclient.get("/admin/token/invalid/revoke", status=404)`