add tests for 2fa

This commit is contained in:
Hugh Rundle 2022-09-24 15:50:02 +10:00
parent 28329c1781
commit b63d4bec60
2 changed files with 251 additions and 1 deletions

View file

@ -2,6 +2,7 @@
from unittest.mock import patch
from django.contrib.auth.models import AnonymousUser
from django.contrib.sessions.middleware import SessionMiddleware
from django.template.response import TemplateResponse
from django.test import TestCase
from django.test.client import RequestFactory
@ -28,10 +29,25 @@ class LoginViews(TestCase):
"password",
local=True,
localname="mouse",
two_factor_auth=False
)
self.rat = models.User.objects.create_user(
"rat@your.domain.here",
"rat@rat.com",
"password",
local=True,
localname="rat",
)
self.badger = models.User.objects.create_user(
"badger@your.domain.here",
"badger@badger.com",
"password",
local=True,
localname="badger",
two_factor_auth=True
)
self.anonymous_user = AnonymousUser
self.anonymous_user.is_authenticated = False
models.SiteSettings.objects.create(id=1, require_confirm_email=False)
def test_login_get(self, *_):
@ -109,3 +125,34 @@ class LoginViews(TestCase):
result.context_data["login_form"].non_field_errors,
"Username or password are incorrect",
)
def test_login_post_no_2fa_set(self, *_):
"""test user with 2FA null value is redirected to 2FA prompt page"""
view = views.Login.as_view()
form = forms.LoginForm()
form.data["localname"] = "rat"
form.data["password"] = "password"
request = self.factory.post("", form.data)
request.user = self.anonymous_user
with patch("bookwyrm.views.landing.login.login"):
result = view(request)
self.assertEqual(result.url, "/login-2FA-prompt")
self.assertEqual(result.status_code, 302)
def test_login_post_with_2fa(self, *_):
"""test user with 2FA turned on is redirected to 2FA login page"""
view = views.Login.as_view()
form = forms.LoginForm()
form.data["localname"] = "badger"
form.data["password"] = "password"
request = self.factory.post("", form.data)
request.user = self.anonymous_user
middleware = SessionMiddleware(request)
middleware.process_request(request)
request.session.save()
with patch("bookwyrm.views.landing.login.login"):
result = view(request)
self.assertEqual(result.url, "/login-2FA-check")
self.assertEqual(result.status_code, 302)

View file

@ -0,0 +1,203 @@
""" test for app two factor auth functionality """
from unittest.mock import patch
import pyotp
from datetime import datetime
import time
from django.contrib.auth.models import AnonymousUser
from django.contrib.sessions.middleware import SessionMiddleware
from django.template.response import TemplateResponse
from django.test import TestCase
from django.test.client import RequestFactory
from bookwyrm import forms, models, views
from bookwyrm.tests.validate_html import validate_html
# pylint: disable=too-many-public-methods
@patch("bookwyrm.suggested_users.rerank_suggestions_task.delay")
@patch("bookwyrm.activitystreams.populate_stream_task.delay")
class TwoFactorViews(TestCase):
"""Two Factor Authentication management"""
def setUp(self):
"""we need basic test data and mocks"""
self.factory = RequestFactory()
with patch("bookwyrm.suggested_users.rerank_suggestions_task.delay"), patch(
"bookwyrm.activitystreams.populate_stream_task.delay"
), patch("bookwyrm.lists_stream.populate_lists_task.delay"):
self.local_user = models.User.objects.create_user(
"mouse@your.domain.here",
"mouse@mouse.com",
"password",
local=True,
localname="mouse",
two_factor_auth=True,
otp_secret="UEWMVJHO23G5XLMVSOCL6TNTSSACJH2X",
hotp_secret="DRMNMOU7ZRKH5YPW7PADOEYUF7MRIH46",
hotp_count=0
)
self.anonymous_user = AnonymousUser
self.anonymous_user.is_authenticated = False
def test_get_edit_2fa(self, *_):
"""there are so many views, this just makes sure it LOADS"""
view = views.Edit2FA.as_view()
request = self.factory.get("")
request.user = self.local_user
result = view(request)
self.assertIsInstance(result, TemplateResponse)
self.assertEqual(result.status_code, 200)
def test_get_edit_2fa_logged_out(self, *_):
"""there are so many views, this just makes sure it LOADS"""
view = views.Edit2FA.as_view()
request = self.factory.get("")
request.user = self.anonymous_user
result = view(request)
self.assertEqual(result.status_code, 302)
def test_post_edit_2fa(self, *_):
"""there are so many views, this just makes sure it LOADS"""
view = views.Edit2FA.as_view()
form = forms.ConfirmPasswordForm()
form.data["password"] = "password"
request = self.factory.post("", form.data)
request.user = self.local_user
with patch("bookwyrm.views.preferences.two_factor_auth.Edit2FA"):
result = view(request)
self.assertIsInstance(result, TemplateResponse)
self.assertEqual(result.status_code, 200)
def test_post_confirm_2fa(self, *_):
"""check 2FA login works"""
view = views.Confirm2FA.as_view()
form = forms.Confirm2FAForm()
totp = pyotp.TOTP('UEWMVJHO23G5XLMVSOCL6TNTSSACJH2X')
form.data["otp"] = totp.now()
request = self.factory.post("", form.data)
request.user = self.local_user
with patch("bookwyrm.views.preferences.two_factor_auth.Confirm2FA"):
result = view(request)
self.assertIsInstance(result, TemplateResponse)
self.assertEqual(result.status_code, 200)
def test_get_disable_2fa(self, *_):
"""there are so many views, this just makes sure it LOADS"""
view = views.Disable2FA.as_view()
request = self.factory.get("")
request.user = self.local_user
result = view(request)
self.assertIsInstance(result, TemplateResponse)
self.assertEqual(result.status_code, 200)
def test_post_disable_2fa(self, *_):
"""check 2FA login works"""
view = views.Disable2FA.as_view()
request = self.factory.post("")
request.user = self.local_user
with patch("bookwyrm.views.preferences.two_factor_auth.Disable2FA"):
result = view(request)
self.assertIsInstance(result, TemplateResponse)
self.assertEqual(result.status_code, 200)
def test_get_login_with_2fa(self, *_):
"""there are so many views, this just makes sure it LOADS"""
view = views.LoginWith2FA.as_view()
request = self.factory.get("")
request.user = self.local_user
result = view(request)
self.assertIsInstance(result, TemplateResponse)
self.assertEqual(result.status_code, 200)
def test_post_login_with_2fa(self, *_):
"""check 2FA login works"""
# NOTE this throws a redis error.
# Possibly because the function it tests wants to check the user database?
# can we mock that?
# view = views.LoginWith2FA.as_view()
# form = forms.Confirm2FAForm()
# totp = pyotp.TOTP('UEWMVJHO23G5XLMVSOCL6TNTSSACJH2X')
# form.data["otp"] = totp.now()
# request = self.factory.post("", form.data)
# request.user = self.local_user
# middleware = SessionMiddleware(request)
# middleware.process_request(request)
# request.session['2fa_auth_time'] = time.time()
# request.session['2fa_user'] = self.local_user.username
# request.session.save()
# with patch("bookwyrm.views.preferences.two_factor_auth.LoginWith2FA"):
# result = view(request)
# self.assertIsInstance(result, TemplateResponse)
# self.assertEqual(result.status_code, 200)
pass
def test_post_login_with_2fa_wrong_code(self, *_):
"""check 2FA login fails"""
view = views.LoginWith2FA.as_view()
form = forms.Confirm2FAForm()
form.data["otp"] = "111111"
request = self.factory.post("", form.data)
request.user = self.local_user
middleware = SessionMiddleware(request)
middleware.process_request(request)
request.session['2fa_auth_time'] = time.time()
request.session['2fa_user'] = self.local_user.username
request.session.save()
with patch("bookwyrm.views.preferences.two_factor_auth.LoginWith2FA"):
result = view(request)
self.assertEqual(result.status_code, 200)
self.assertEqual(
result.context_data["form"]["otp"].errors[0],
'Incorrect code',
)
def test_post_login_with_2fa_expired(self, *_):
"""check 2FA login fails"""
view = views.LoginWith2FA.as_view()
form = forms.Confirm2FAForm()
totp = pyotp.TOTP('UEWMVJHO23G5XLMVSOCL6TNTSSACJH2X')
form.data["otp"] = totp.now()
request = self.factory.post("", form.data)
request.user = self.local_user
middleware = SessionMiddleware(request)
middleware.process_request(request)
request.session['2fa_user'] = self.local_user.username
request.session['2fa_auth_time'] = "1663977030"
with patch("bookwyrm.views.preferences.two_factor_auth.LoginWith2FA"):
result = view(request)
self.assertEqual(result.url, "/")
self.assertEqual(result.status_code, 302)
"""
Edit2FA
- get
- post
- create_qr_code
Confirm2FA
- post
Disable2FA
- get
- post
LoginWith2FA
- get
- post
GenerateBackupCodes
- get
- generate_backup_codes
Prompt2FA
- get
"""