CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-04 15:04:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
19873e2a092d2d6a1829dae01cf5425147b79090
pretix_original/src/tests/control/test_user.py
Raphael Michel 8a6a515b6a Refs #775 -- Pluggable authentication backends (#1447) 
* Drag-and-drop: Force csrf_token to be present

* Rough design

* Missing file

* b.visble

* Forms

* Docs

* Tests

* Fix variable
2019-10-17 09:11:03 +02:00

429 lines
16 KiB
Python
Raw Blame History

import time
import pytest
from django.utils.timezone import now
from django_otp.oath import TOTP
from django_otp.plugins.otp_static.models import StaticDevice
from django_otp.plugins.otp_totp.models import TOTPDevice
from tests.base import SoupTest, extract_form_fields
from webauthn import WebAuthnCredential
from pretix.base.models import (
Event, Organizer, U2FDevice, User, WebAuthnDevice,
)
from pretix.testutils.mock import mocker_context
class UserSettingsTest(SoupTest):
def setUp(self):
super().setUp()
self.user = User.objects.create_user('dummy@dummy.dummy', 'dummy')
self.client.login(email='dummy@dummy.dummy', password='dummy')
doc = self.get_doc('/control/settings')
self.form_data = extract_form_fields(doc.select('.container-fluid form')[0])
def save(self, data):
form_data = self.form_data.copy()
form_data.update(data)
return self.post_doc('/control/settings', form_data)
def test_set_name(self):
doc = self.save({
'fullname': 'Peter Miller',
})
assert doc.select(".alert-success")
self.user = User.objects.get(pk=self.user.pk)
assert self.user.fullname == 'Peter Miller'
def test_change_email_require_password(self):
doc = self.save({
'email': 'foo@example.com',
})
assert doc.select(".alert-danger")
self.user = User.objects.get(pk=self.user.pk)
assert self.user.email == 'dummy@dummy.dummy'
def test_change_email_success(self):
doc = self.save({
'email': 'foo@example.com',
'old_pw': 'dummy'
})
assert doc.select(".alert-success")
self.user = User.objects.get(pk=self.user.pk)
assert self.user.email == 'foo@example.com'
def test_change_email_no_duplicates(self):
User.objects.create_user('foo@example.com', 'foo')
doc = self.save({
'email': 'foo@example.com',
'old_pw': 'dummy'
})
assert doc.select(".alert-danger")
self.user = User.objects.get(pk=self.user.pk)
assert self.user.email == 'dummy@dummy.dummy'
def test_change_password_require_password(self):
doc = self.save({
'new_pw': 'foo',
'new_pw_repeat': 'foo',
})
assert doc.select(".alert-danger")
pw = self.user.password
self.user = User.objects.get(pk=self.user.pk)
assert self.user.password == pw
def test_change_password_wrong_backend(self):
self.user.auth_backend = 'test_request'
self.user.save()
self.save({
'new_pw': 'foobarbar',
'new_pw_repeat': 'foobarbar',
'old_pw': 'dummy',
})
pw = self.user.password
self.user = User.objects.get(pk=self.user.pk)
assert self.user.password == pw
def test_change_password_success(self):
doc = self.save({
'new_pw': 'foobarbar',
'new_pw_repeat': 'foobarbar',
'old_pw': 'dummy',
})
assert doc.select(".alert-success")
self.user = User.objects.get(pk=self.user.pk)
assert self.user.check_password("foobarbar")
def test_change_password_short(self):
doc = self.save({
'new_pw': 'foo',
'new_pw_repeat': 'foo',
'old_pw': 'dummy',
})
assert doc.select(".alert-danger")
pw = self.user.password
self.user = User.objects.get(pk=self.user.pk)
assert self.user.password == pw
def test_change_password_user_attribute_similarity(self):
doc = self.save({
'new_pw': 'dummy123',
'new_pw_repeat': 'dummy123',
'old_pw': 'dummy',
})
assert doc.select(".alert-danger")
pw = self.user.password
self.user = User.objects.get(pk=self.user.pk)
assert self.user.password == pw
def test_change_password_require_repeat(self):
doc = self.save({
'new_pw': 'foooooooooooooo',
'new_pw_repeat': 'baaaaaaaaaaaar',
'old_pw': 'dummy',
})
assert doc.select(".alert-danger")
pw = self.user.password
self.user = User.objects.get(pk=self.user.pk)
assert self.user.password == pw
@pytest.fixture
def class_monkeypatch(request, monkeypatch):
request.cls.monkeypatch = monkeypatch
@pytest.mark.usefixtures("class_monkeypatch")
class UserSettings2FATest(SoupTest):
def setUp(self):
super().setUp()
self.user = User.objects.create_user('dummy@dummy.dummy', 'dummy')
self.client.login(email='dummy@dummy.dummy', password='dummy')
session = self.client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
def test_require_reauth(self):
session = self.client.session
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 2
session.save()
response = self.client.get('/control/settings/2fa/')
self.assertIn('/control/reauth', response['Location'])
self.assertEqual(response.status_code, 302)
response = self.client.post('/control/reauth/?next=/control/settings/2fa/', {
'password': 'dummy'
})
self.assertIn('/control/settings/2fa/', response['Location'])
self.assertEqual(response.status_code, 302)
def test_enable_require_device(self):
r = self.client.post('/control/settings/2fa/enable', follow=True)
assert 'alert-danger' in r.content.decode()
self.user.refresh_from_db()
assert not self.user.require_2fa
def test_enable(self):
U2FDevice.objects.create(user=self.user, name='Test')
r = self.client.post('/control/settings/2fa/enable', follow=True)
assert 'alert-success' in r.content.decode()
self.user.refresh_from_db()
assert self.user.require_2fa
def test_disable(self):
self.user.require_2fa = True
self.user.save()
r = self.client.post('/control/settings/2fa/disable', follow=True)
assert 'alert-success' in r.content.decode()
self.user.refresh_from_db()
assert not self.user.require_2fa
def test_gen_emergency(self):
self.client.get('/control/settings/2fa/')
d = StaticDevice.objects.get(user=self.user, name='emergency')
assert d.token_set.count() == 10
old_tokens = set(t.token for t in d.token_set.all())
self.client.post('/control/settings/2fa/regenemergency')
new_tokens = set(t.token for t in d.token_set.all())
assert d.token_set.count() == 10
assert old_tokens != new_tokens
def test_delete_u2f(self):
d = U2FDevice.objects.create(user=self.user, name='Test')
self.client.get('/control/settings/2fa/u2f/{}/delete'.format(d.pk))
self.client.post('/control/settings/2fa/u2f/{}/delete'.format(d.pk))
assert not U2FDevice.objects.exists()
def test_delete_webauthn(self):
d = WebAuthnDevice.objects.create(user=self.user, name='Test')
self.client.get('/control/settings/2fa/webauthn/{}/delete'.format(d.pk))
self.client.post('/control/settings/2fa/webauthn/{}/delete'.format(d.pk))
assert not WebAuthnDevice.objects.exists()
def test_delete_totp(self):
d = TOTPDevice.objects.create(user=self.user, name='Test')
self.client.get('/control/settings/2fa/totp/{}/delete'.format(d.pk))
self.client.post('/control/settings/2fa/totp/{}/delete'.format(d.pk))
assert not TOTPDevice.objects.exists()
def test_create_webauthn_require_https(self):
r = self.client.post('/control/settings/2fa/add', {
'devicetype': 'webauthn',
'name': 'Foo'
})
assert 'alert-danger' in r.content.decode()
def test_create_webauthn(self):
with mocker_context() as mocker:
mocker.patch('django.http.request.HttpRequest.is_secure')
self.client.post('/control/settings/2fa/add', {
'devicetype': 'webauthn',
'name': 'Foo'
})
d = WebAuthnDevice.objects.first()
assert d.name == 'Foo'
assert not d.confirmed
def test_create_totp(self):
self.client.post('/control/settings/2fa/add', {
'devicetype': 'totp',
'name': 'Foo'
})
d = TOTPDevice.objects.first()
assert d.name == 'Foo'
def test_confirm_totp(self):
self.client.post('/control/settings/2fa/add', {
'devicetype': 'totp',
'name': 'Foo'
}, follow=True)
d = TOTPDevice.objects.first()
totp = TOTP(d.bin_key, d.step, d.t0, d.digits, d.drift)
totp.time = time.time()
r = self.client.post('/control/settings/2fa/totp/{}/confirm'.format(d.pk), {
'token': str(totp.token()),
'activate': 'on'
}, follow=True)
d.refresh_from_db()
assert d.confirmed
assert 'alert-success' in r.content.decode()
self.user.refresh_from_db()
assert self.user.require_2fa
def test_confirm_totp_failed(self):
self.client.post('/control/settings/2fa/add', {
'devicetype': 'totp',
'name': 'Foo'
}, follow=True)
d = TOTPDevice.objects.first()
totp = TOTP(d.bin_key, d.step, d.t0, d.digits, d.drift)
totp.time = time.time()
r = self.client.post('/control/settings/2fa/totp/{}/confirm'.format(d.pk), {
'token': str(totp.token() - 2)
}, follow=True)
assert 'alert-danger' in r.content.decode()
d.refresh_from_db()
assert not d.confirmed
def test_confirm_webauthn_failed(self):
with mocker_context() as mocker:
mocker.patch('django.http.request.HttpRequest.is_secure')
self.client.post('/control/settings/2fa/add', {
'devicetype': 'webauthn',
'name': 'Foo'
}, follow=True)
d = WebAuthnDevice.objects.first()
r = self.client.post('/control/settings/2fa/webauthn/{}/confirm'.format(d.pk), {
'token': 'FOO'
}, follow=True)
assert 'alert-danger' in r.content.decode()
d.refresh_from_db()
assert not d.confirmed
def test_confirm_webauthn_success(self):
with mocker_context() as mocker:
mocker.patch('django.http.request.HttpRequest.is_secure')
self.client.post('/control/settings/2fa/add', {
'devicetype': 'webauthn',
'name': 'Foo'
}, follow=True)
m = self.monkeypatch
m.setattr("webauthn.WebAuthnRegistrationResponse.verify",
lambda *args, **kwargs: WebAuthnCredential(
'', '', b'asd', b'foo', 1
))
d = WebAuthnDevice.objects.first()
r = self.client.post('/control/settings/2fa/webauthn/{}/confirm'.format(d.pk), {
'token': '{}',
'activate': 'on'
}, follow=True)
d.refresh_from_db()
assert d.confirmed
assert 'alert-success' in r.content.decode()
self.user.refresh_from_db()
assert self.user.require_2fa
m.undo()
class UserSettingsNotificationsTest(SoupTest):
def setUp(self):
super().setUp()
self.user = User.objects.create_user('dummy@dummy.dummy', 'dummy')
self.client.login(email='dummy@dummy.dummy', password='dummy')
o = Organizer.objects.create(name='Dummy', slug='dummy')
self.event = Event.objects.create(
organizer=o, name='Dummy', slug='dummy',
date_from=now(), plugins='pretix.plugins.banktransfer'
)
t = o.teams.create(can_change_orders=True, all_events=True)
t.members.add(self.user)
def test_toggle_all(self):
assert self.user.notifications_send
self.client.post('/control/settings/notifications/', {
'notifications_send': 'off'
})
self.user.refresh_from_db()
assert not self.user.notifications_send
self.client.post('/control/settings/notifications/', {
'notifications_send': 'on'
})
self.user.refresh_from_db()
assert self.user.notifications_send
def test_global_enable(self):
self.client.post('/control/settings/notifications/', {
'mail:pretix.event.order.placed': 'on'
})
assert self.user.notification_settings.get(
event__isnull=True, method='mail', action_type='pretix.event.order.placed'
).enabled is True
def test_global_disable(self):
self.user.notification_settings.create(
event=None, method='mail', action_type='pretix.event.order.placed', enabled=True
)
self.client.post('/control/settings/notifications/', {
'mail:pretix.event.order.placed': 'off'
})
assert self.user.notification_settings.get(
event__isnull=True, method='mail', action_type='pretix.event.order.placed'
).enabled is False
def test_event_enabled_disable(self):
self.user.notification_settings.create(
event=self.event, method='mail', action_type='pretix.event.order.placed', enabled=True
)
self.client.post('/control/settings/notifications/?event={}'.format(self.event.pk), {
'mail:pretix.event.order.placed': 'off'
})
assert self.user.notification_settings.get(
event=self.event, method='mail', action_type='pretix.event.order.placed'
).enabled is False
def test_event_global_disable(self):
self.client.post('/control/settings/notifications/?event={}'.format(self.event.pk), {
'mail:pretix.event.order.placed': 'off'
})
assert self.user.notification_settings.get(
event=self.event, method='mail', action_type='pretix.event.order.placed'
).enabled is False
def test_event_disabled_enable(self):
self.user.notification_settings.create(
event=self.event, method='mail', action_type='pretix.event.order.placed', enabled=False
)
self.client.post('/control/settings/notifications/?event={}'.format(self.event.pk), {
'mail:pretix.event.order.placed': 'on'
})
assert self.user.notification_settings.get(
event=self.event, method='mail', action_type='pretix.event.order.placed'
).enabled is True
def test_event_global_enable(self):
self.client.post('/control/settings/notifications/?event={}'.format(self.event.pk), {
'mail:pretix.event.order.placed': 'on'
})
assert self.user.notification_settings.get(
event=self.event, method='mail', action_type='pretix.event.order.placed'
).enabled is True
def test_event_enabled_global(self):
self.user.notification_settings.create(
event=self.event, method='mail', action_type='pretix.event.order.placed', enabled=True
)
self.client.post('/control/settings/notifications/?event={}'.format(self.event.pk), {
'mail:pretix.event.order.placed': 'global'
})
assert not self.user.notification_settings.filter(
event=self.event, method='mail', action_type='pretix.event.order.placed'
).exists()
def test_event_disabled_global(self):
self.user.notification_settings.create(
event=self.event, method='mail', action_type='pretix.event.order.placed', enabled=False
)
self.client.post('/control/settings/notifications/?event={}'.format(self.event.pk), {
'mail:pretix.event.order.placed': 'global'
})
assert not self.user.notification_settings.filter(
event=self.event, method='mail', action_type='pretix.event.order.placed'
).exists()
def test_disable_all_via_link(self):
assert self.user.notifications_send
self.client.get('/control/settings/notifications/off/{}/{}/'.format(self.user.pk, self.user.notifications_token))
self.user.refresh_from_db()
assert not self.user.notifications_send
def test_disable_all_via_link_anonymous(self):
self.client.logout()
assert self.user.notifications_send
self.client.get('/control/settings/notifications/off/{}/{}/'.format(self.user.pk, self.user.notifications_token))
self.user.refresh_from_db()
assert not self.user.notifications_send
Reference in New Issue View Git Blame Copy Permalink