canaille-globuzma/tests/test_account.py

from canaille.ldap_backend.ldapobject import LDAPObject
from canaille.models import User


def test_signin_and_out(testclient, user):
    with testclient.session_transaction() as session:
        assert not session.get("user_dn")

    res = testclient.get("/login", status=200)

    res.form["login"] = "John (johnny) Doe"
    res = res.form.submit(status=302)
    res = res.follow(status=200)

    with testclient.session_transaction() as session:
        assert "John (johnny) Doe" == session.get("attempt_login")

    res.form["password"] = "correct horse battery staple"
    res = res.form.submit()
    res = res.follow(status=302)
    res = res.follow(status=200)

    with testclient.session_transaction() as session:
        assert [user.dn] == session.get("user_dn")
        assert "attempt_login" not in session

    res = testclient.get("/login", status=302)

    res = testclient.get("/logout")
    res = res.follow(status=302)
    res = res.follow(status=200)

    with testclient.session_transaction() as session:
        assert not session.get("user_dn")


def test_signin_wrong_password(testclient, user):
    with testclient.session_transaction() as session:
        assert not session.get("user_dn")

    res = testclient.get("/login", status=200)

    res.form["login"] = "John (johnny) Doe"
    res = res.form.submit(status=302)
    res = res.follow(status=200)
    res.form["password"] = "incorrect horse"
    res = res.form.submit(status=200)
    assert "Login failed, please check your information" in res.text


def test_signin_with_alternate_attribute(testclient, user):
    res = testclient.get("/login", status=200)

    res.form["login"] = "user"
    res = res.form.submit(status=302)
    res = res.follow(status=200)

    res.form["password"] = "correct horse battery staple"
    res = res.form.submit()
    res = res.follow(status=302)
    res = res.follow(status=200)

    with testclient.session_transaction() as session:
        assert [user.dn] == session.get("user_dn")


def test_user_without_password_first_login(testclient, slapd_connection):
    User.ldap_object_classes(slapd_connection)
    u = User(
        objectClass=["inetOrgPerson"],
        cn="Temp User",
        sn="Temp",
        uid="temp",
        mail="john@doe.com",
    )
    u.save()

    res = testclient.get("/login", status=200)
    res.form["login"] = "Temp User"
    res = res.form.submit(status=302).follow(status=200)

    assert "First login" in res

    u.delete()


def test_user_deleted_in_session(testclient, slapd_connection):
    User.ldap_object_classes(slapd_connection)
    u = User(
        objectClass=["inetOrgPerson"],
        cn="Jake Doe",
        sn="Jake",
        uid="jake",
        mail="jake@doe.com",
        userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",
    )
    u.save()
    testclient.get("/profile/jake", status=403)

    with testclient.session_transaction() as session:
        session["user_dn"] = [u.dn]

    testclient.get("/profile/jake", status=200)
    u.delete()

    testclient.get("/profile/jake", status=403)
    with testclient.session_transaction() as session:
        assert not session.get("user_dn")


def test_impersonate(testclient, logged_admin, user):
    res = testclient.get("/", status=302).follow(status=200)
    assert "admin" == res.form["uid"].value

    res = (
        testclient.get("/impersonate/user", status=302)
        .follow(status=302)
        .follow(status=200)
    )
    assert "user" == res.form["uid"].value

    testclient.get("/logout", status=302).follow(status=302).follow(status=200)

    res = testclient.get("/", status=302).follow(status=200)
    assert "admin" == res.form["uid"].value


def test_wrong_login(testclient, user):
    testclient.app.config["HIDE_INVALID_LOGINS"] = True

    res = testclient.get("/login", status=200)
    res.form["login"] = "invalid"
    res = res.form.submit(status=302)
    res = res.follow(status=200)

    res.form["password"] = "incorrect horse"
    res = res.form.submit(status=200)
    assert "The login 'invalid' does not exist" not in res.text

    testclient.app.config["HIDE_INVALID_LOGINS"] = False

    res = testclient.get("/login", status=200)
    res.form["login"] = "invalid"
    res = res.form.submit(status=200)
    assert "The login &#39;invalid&#39; does not exist" in res.text


def test_admin_self_deletion(testclient, slapd_connection):
    LDAPObject.ldap_object_classes(slapd_connection)
    LDAPObject.ldap_object_attributes(slapd_connection)

    admin = User(
        objectClass=["inetOrgPerson"],
        cn="Temp admin",
        sn="admin",
        uid="temp",
        mail="temp@temp.com",
        userPassword="{SSHA}Vmgh2jkD0idX3eZHf8RzGos31oerjGiU",
    )
    admin.save()
    with testclient.session_transaction() as sess:
        sess["user_dn"] = [admin.dn]

    res = testclient.get("/profile/temp")
    res = (
        res.form.submit(name="action", value="delete", status=302)
        .follow(status=302)
        .follow(status=200)
    )

    assert User.get("temp") is None

    with testclient.session_transaction() as sess:
        assert not sess.get("user_dn")


def test_user_self_deletion(testclient, slapd_connection):
    LDAPObject.ldap_object_classes(slapd_connection)
    LDAPObject.ldap_object_attributes(slapd_connection)

    user = User(
        objectClass=["inetOrgPerson"],
        cn="Temp user",
        sn="user",
        uid="temp",
        mail="temp@temp.com",
        userPassword="{SSHA}Vmgh2jkD0idX3eZHf8RzGos31oerjGiU",
    )
    user.save()
    with testclient.session_transaction() as sess:
        sess["user_dn"] = [user.dn]

    testclient.app.config["ACL"]["DEFAULT"]["PERMISSIONS"] = ["edit_self"]
    res = testclient.get("/profile/temp")
    assert "Delete my account" not in res

    testclient.app.config["ACL"]["DEFAULT"]["PERMISSIONS"] = [
        "edit_self",
        "delete_account",
    ]
    res = testclient.get("/profile/temp")
    assert "Delete my account" in res
    res = (
        res.form.submit(name="action", value="delete", status=302)
        .follow(status=302)
        .follow(status=200)
    )

    assert User.get("temp") is None

    with testclient.session_transaction() as sess:
        assert not sess.get("user_dn")

    testclient.app.config["ACL"]["DEFAULT"]["PERMISSIONS"] = []


def test_login_placeholder(testclient):
    testclient.app.config["LDAP"]["USER_FILTER"] = "(uid={login})"
    placeholder = testclient.get("/login").form["login"].attrs["placeholder"]
    assert placeholder == "jdoe"

    testclient.app.config["LDAP"]["USER_FILTER"] = "(cn={login})"
    placeholder = testclient.get("/login").form["login"].attrs["placeholder"]
    assert placeholder == "John Doe"

    testclient.app.config["LDAP"]["USER_FILTER"] = "(mail={login})"
    placeholder = testclient.get("/login").form["login"].attrs["placeholder"]
    assert placeholder == "john@doe.com"

    testclient.app.config["LDAP"]["USER_FILTER"] = "(|(uid={login})(email={login}))"
    placeholder = testclient.get("/login").form["login"].attrs["placeholder"]
    assert placeholder == "jdoe or john@doe.com"
Test refactoring 2022-05-18 09:31:26 +00:00			`from canaille.ldap_backend.ldapobject import LDAPObject`
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from canaille.models import User`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00

Avoid slapd_connection fixture in tests 2022-05-19 10:36:39 +00:00			`def test_signin_and_out(testclient, user):`
Login tests 2020-08-20 08:31:36 +00:00			`with testclient.session_transaction() as session:`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`assert not session.get("user_dn")`
Login tests 2020-08-20 08:31:36 +00:00
Minor test refactoring 2020-10-30 18:19:34 +00:00			`res = testclient.get("/login", status=200)`
Login tests 2020-08-20 08:31:36 +00:00
Escape filters 2021-12-06 14:40:30 +00:00			`res.form["login"] = "John (johnny) Doe"`
Two-steps signin. Fixes #49 2021-01-23 21:30:43 +00:00			`res = res.form.submit(status=302)`
			`res = res.follow(status=200)`

			`with testclient.session_transaction() as session:`
Escape filters 2021-12-06 14:40:30 +00:00			`assert "John (johnny) Doe" == session.get("attempt_login")`
Two-steps signin. Fixes #49 2021-01-23 21:30:43 +00:00
Login tests 2020-08-20 08:31:36 +00:00			`res.form["password"] = "correct horse battery staple"`
			`res = res.form.submit()`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.follow(status=302)`
			`res = res.follow(status=200)`
Login tests 2020-08-20 08:31:36 +00:00
			`with testclient.session_transaction() as session:`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`assert [user.dn] == session.get("user_dn")`
Two-steps signin. Fixes #49 2021-01-23 21:30:43 +00:00			`assert "attempt_login" not in session`
Login tests 2020-08-20 08:31:36 +00:00
Redirecting login page to profile page when user is already connected 2021-12-06 22:17:08 +00:00			`res = testclient.get("/login", status=302)`

Login tests 2020-08-20 08:31:36 +00:00			`res = testclient.get("/logout")`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.follow(status=302)`
			`res = res.follow(status=200)`
Login tests 2020-08-20 08:31:36 +00:00
			`with testclient.session_transaction() as session:`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`assert not session.get("user_dn")`
Login tests 2020-08-20 08:31:36 +00:00

Avoid slapd_connection fixture in tests 2022-05-19 10:36:39 +00:00			`def test_signin_wrong_password(testclient, user):`
Login tests 2020-08-20 08:31:36 +00:00			`with testclient.session_transaction() as session:`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`assert not session.get("user_dn")`
Login tests 2020-08-20 08:31:36 +00:00
Minor test refactoring 2020-10-30 18:19:34 +00:00			`res = testclient.get("/login", status=200)`
Login tests 2020-08-20 08:31:36 +00:00
Escape filters 2021-12-06 14:40:30 +00:00			`res.form["login"] = "John (johnny) Doe"`
Two-steps signin. Fixes #49 2021-01-23 21:30:43 +00:00			`res = res.form.submit(status=302)`
			`res = res.follow(status=200)`
Login tests 2020-08-20 08:31:36 +00:00			`res.form["password"] = "incorrect horse"`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.form.submit(status=200)`
Minor test refactoring 2020-10-30 22:52:05 +00:00			`assert "Login failed, please check your information" in res.text`
Login tests 2020-08-20 08:31:36 +00:00

Avoid slapd_connection fixture in tests 2022-05-19 10:36:39 +00:00			`def test_signin_with_alternate_attribute(testclient, user):`
Minor test refactoring 2020-10-30 18:19:34 +00:00			`res = testclient.get("/login", status=200)`
Alternate login filters 2020-08-20 08:45:33 +00:00
			`res.form["login"] = "user"`
Two-steps signin. Fixes #49 2021-01-23 21:30:43 +00:00			`res = res.form.submit(status=302)`
			`res = res.follow(status=200)`

Alternate login filters 2020-08-20 08:45:33 +00:00			`res.form["password"] = "correct horse battery staple"`
			`res = res.form.submit()`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.follow(status=302)`
			`res = res.follow(status=200)`
Alternate login filters 2020-08-20 08:45:33 +00:00
			`with testclient.session_transaction() as session:`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`assert [user.dn] == session.get("user_dn")`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00

Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00			`def test_user_without_password_first_login(testclient, slapd_connection):`
ldaputils variable renaming 2021-12-08 14:01:35 +00:00			`User.ldap_object_classes(slapd_connection)`
Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00			`u = User(`
			`objectClass=["inetOrgPerson"],`
			`cn="Temp User",`
			`sn="Temp",`
			`uid="temp",`
			`mail="john@doe.com",`
			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`u.save()`
Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00
			`res = testclient.get("/login", status=200)`
			`res.form["login"] = "Temp User"`
			`res = res.form.submit(status=302).follow(status=200)`

			`assert "First login" in res`

Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`u.delete()`
Test refactoring 2022-05-18 09:31:26 +00:00
Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00
Fixed a bug happening when a user is deleted during his session 2020-11-25 16:41:03 +00:00			`def test_user_deleted_in_session(testclient, slapd_connection):`
ldaputils variable renaming 2021-12-08 14:01:35 +00:00			`User.ldap_object_classes(slapd_connection)`
Fixed a bug happening when a user is deleted during his session 2020-11-25 16:41:03 +00:00			`u = User(`
			`objectClass=["inetOrgPerson"],`
			`cn="Jake Doe",`
			`sn="Jake",`
			`uid="jake",`
			`mail="jake@doe.com",`
			`userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",`
			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`u.save()`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`testclient.get("/profile/jake", status=403)`

			`with testclient.session_transaction() as session:`
			`session["user_dn"] = [u.dn]`
Fixed a bug happening when a user is deleted during his session 2020-11-25 16:41:03 +00:00
			`testclient.get("/profile/jake", status=200)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`u.delete()`
Fixed a bug happening when a user is deleted during his session 2020-11-25 16:41:03 +00:00
			`testclient.get("/profile/jake", status=403)`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`with testclient.session_transaction() as session:`
			`assert not session.get("user_dn")`


Avoid slapd_connection fixture in tests 2022-05-19 10:36:39 +00:00			`def test_impersonate(testclient, logged_admin, user):`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`res = testclient.get("/", status=302).follow(status=200)`
			`assert "admin" == res.form["uid"].value`

			`res = (`
			`testclient.get("/impersonate/user", status=302)`
			`.follow(status=302)`
			`.follow(status=200)`
			`)`
			`assert "user" == res.form["uid"].value`

			`testclient.get("/logout", status=302).follow(status=302).follow(status=200)`

			`res = testclient.get("/", status=302).follow(status=200)`
			`assert "admin" == res.form["uid"].value`
Customizable error message for invalid login. Fixes #48 2020-12-31 18:55:30 +00:00

Avoid slapd_connection fixture in tests 2022-05-19 10:36:39 +00:00			`def test_wrong_login(testclient, user):`
Fixed documentation about HIDE_INVALID_LOGINS 2022-04-06 15:32:11 +00:00			`testclient.app.config["HIDE_INVALID_LOGINS"] = True`
Customizable error message for invalid login. Fixes #48 2020-12-31 18:55:30 +00:00
			`res = testclient.get("/login", status=200)`
			`res.form["login"] = "invalid"`
Two-steps signin. Fixes #49 2021-01-23 21:30:43 +00:00			`res = res.form.submit(status=302)`
			`res = res.follow(status=200)`

Customizable error message for invalid login. Fixes #48 2020-12-31 18:55:30 +00:00			`res.form["password"] = "incorrect horse"`
			`res = res.form.submit(status=200)`
Customizable error message for invalid login in forgotten login page. #48 2021-01-01 12:55:20 +00:00			`assert "The login 'invalid' does not exist" not in res.text`
Customizable error message for invalid login. Fixes #48 2020-12-31 18:55:30 +00:00
Fixed documentation about HIDE_INVALID_LOGINS 2022-04-06 15:32:11 +00:00			`testclient.app.config["HIDE_INVALID_LOGINS"] = False`
Customizable error message for invalid login. Fixes #48 2020-12-31 18:55:30 +00:00
			`res = testclient.get("/login", status=200)`
			`res.form["login"] = "invalid"`
			`res = res.form.submit(status=200)`
Fixed documentation about HIDE_INVALID_LOGINS 2022-04-06 15:32:11 +00:00			`assert "The login 'invalid' does not exist" in res.text`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00

			`def test_admin_self_deletion(testclient, slapd_connection):`
Test refactoring 2022-05-18 09:31:26 +00:00			`LDAPObject.ldap_object_classes(slapd_connection)`
			`LDAPObject.ldap_object_attributes(slapd_connection)`

Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`admin = User(`
			`objectClass=["inetOrgPerson"],`
			`cn="Temp admin",`
			`sn="admin",`
			`uid="temp",`
			`mail="temp@temp.com",`
			`userPassword="{SSHA}Vmgh2jkD0idX3eZHf8RzGos31oerjGiU",`
			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`admin.save()`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`with testclient.session_transaction() as sess:`
			`sess["user_dn"] = [admin.dn]`

			`res = testclient.get("/profile/temp")`
			`res = (`
			`res.form.submit(name="action", value="delete", status=302)`
			`.follow(status=302)`
			`.follow(status=200)`
			`)`

Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`assert User.get("temp") is None`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00
			`with testclient.session_transaction() as sess:`
			`assert not sess.get("user_dn")`


			`def test_user_self_deletion(testclient, slapd_connection):`
Test refactoring 2022-05-18 09:31:26 +00:00			`LDAPObject.ldap_object_classes(slapd_connection)`
			`LDAPObject.ldap_object_attributes(slapd_connection)`

Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`user = User(`
			`objectClass=["inetOrgPerson"],`
			`cn="Temp user",`
			`sn="user",`
			`uid="temp",`
			`mail="temp@temp.com",`
			`userPassword="{SSHA}Vmgh2jkD0idX3eZHf8RzGos31oerjGiU",`
			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`user.save()`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`with testclient.session_transaction() as sess:`
			`sess["user_dn"] = [user.dn]`

Added an option to disable self edition 2022-04-05 15:16:09 +00:00			`testclient.app.config["ACL"]["DEFAULT"]["PERMISSIONS"] = ["edit_self"]`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`res = testclient.get("/profile/temp")`
			`assert "Delete my account" not in res`

Added an option to disable self edition 2022-04-05 15:16:09 +00:00			`testclient.app.config["ACL"]["DEFAULT"]["PERMISSIONS"] = [`
			`"edit_self",`
			`"delete_account",`
			`]`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00			`res = testclient.get("/profile/temp")`
			`assert "Delete my account" in res`
			`res = (`
			`res.form.submit(name="action", value="delete", status=302)`
			`.follow(status=302)`
			`.follow(status=200)`
			`)`

Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`assert User.get("temp") is None`
Users can delete their own accounts. #35 2021-01-01 15:42:13 +00:00
			`with testclient.session_transaction() as sess:`
			`assert not sess.get("user_dn")`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`testclient.app.config["ACL"]["DEFAULT"]["PERMISSIONS"] = []`
Login placeholder depends on the USER_FILTER configuration attribute 2021-12-07 18:30:13 +00:00

			`def test_login_placeholder(testclient):`
			`testclient.app.config["LDAP"]["USER_FILTER"] = "(uid={login})"`
			`placeholder = testclient.get("/login").form["login"].attrs["placeholder"]`
			`assert placeholder == "jdoe"`

			`testclient.app.config["LDAP"]["USER_FILTER"] = "(cn={login})"`
			`placeholder = testclient.get("/login").form["login"].attrs["placeholder"]`
			`assert placeholder == "John Doe"`

			`testclient.app.config["LDAP"]["USER_FILTER"] = "(mail={login})"`
			`placeholder = testclient.get("/login").form["login"].attrs["placeholder"]`
			`assert placeholder == "john@doe.com"`

			`testclient.app.config["LDAP"]["USER_FILTER"] = "(\|(uid={login})(email={login}))"`
			`placeholder = testclient.get("/login").form["login"].attrs["placeholder"]`
			`assert placeholder == "jdoe or john@doe.com"`