File: test.py

package info (click to toggle)
python-bottle-cork 0.12.0-6
links: PTS, VCS
area: main
in suites: bookworm, forky, sid, trixie
size: 936 kB
sloc: python: 6,862; makefile: 4
file content (523 lines) | stat: -rw-r--r-- 17,806 bytes
parent folder | download | duplicates (4)
# Cork - Authentication module for the Bottle web framework
# Copyright (C) 2013 Federico Ceratto and others, see AUTHORS file.
# Released under LGPLv3+ license, see LICENSE.txt
#
# Unit testing
#

from base64 import b64encode
import mock
import pytest
import smtplib

import cork.cork
from cork import Cork, JsonBackend, AAAException, AuthException
from cork.base_backend import BackendIOException


class RoAttrDict(dict):
    """Read-only attribute-accessed dictionary.
    Used to mock beaker's session objects
    """
    def __getattr__(self, name):
        return self[name]


class MockedAdminCork(Cork):
    """Mocked module where the current user is always 'admin'"""
    @property
    def _beaker_session(self):
        return RoAttrDict(username=u'admin')

    def _setup_cookie(self, username):
        global cookie_name
        cookie_name = username


class MockedUnauthenticatedCork(Cork):
    """Mocked module where the current user not set"""
    @property
    def _beaker_session(self):
        return RoAttrDict()

    def _setup_cookie(self, username):
        global cookie_name
        cookie_name = username


@pytest.fixture
def json_db_dir(tmpdir, templates_dir):
    """Setup test directory with valid JSON files"""
    tmpdir.join('users.json').write("""{"admin": {"email_addr": null, "desc": null, "role": "admin", "hash": "69f75f38ac3bfd6ac813794f3d8c47acc867adb10b806e8979316ddbf6113999b6052efe4ba95c0fa9f6a568bddf60e8e5572d9254dbf3d533085e9153265623", "creation_date": "2012-04-09 14:22:27.075596"}}""")
    tmpdir.join('roles.json').write("""{"special": 200, "admin": 100, "user": 50}""")
    tmpdir.join('register.json').write("""{}""")
    return tmpdir


@pytest.fixture
def aaa(json_db_dir):
    """Setup a MockedAdminCork instance"""
    aaa = MockedAdminCork(json_db_dir.strpath, smtp_server='localhost', email_sender='test@localhost')
    aaa.mailer.use_threads = False
    return aaa


@pytest.fixture
def aaa_unauth(json_db_dir):
    """Setup test directory and a MockedAdminCork instance"""
    aaa = MockedUnauthenticatedCork(json_db_dir.strpath)
    aaa.mailer.use_threads = False
    return aaa


# Patch SMTP / SMTP_SSL to prevent network interaction
@pytest.fixture(autouse=True)
def mock_smtp(monkeypatch):
    m = mock.Mock()
    monkeypatch.setattr('cork.cork.SMTP', m)
    return m

@pytest.fixture(autouse=True)
def mock_smtp_ssl(monkeypatch):
    m = mock.Mock()
    m.return_value = mock.Mock()
    monkeypatch.setattr('cork.cork.SMTP_SSL', m)
    return m

@pytest.fixture
def mock_send(monkeypatch):
    m = mock.Mock()
    m.return_value = Mock()
    monkeypatch.setattr(Mailer, '_send', m)
    return m

def raises(f, *e):
    def wrapper(*a, **kw):
        return f(*a, **kw)
    return wrapper



# Tests

def test_init(json_db_dir):
    Cork(json_db_dir.strpath)


def test_initialize_storage(json_db_dir):
    jb = JsonBackend(json_db_dir.strpath, initialize=True)
    Cork(backend=jb)
    assert json_db_dir.join('users.json').read() == '{}'
    assert json_db_dir.join('roles.json').read() == '{}'
    assert json_db_dir.join('register.json').read() == '{}'
    return
    with open("%s/views/registration_email.tpl" % testdir) as f:
        assert f.readlines() == [
            'Username:{{username}} Email:{{email_addr}} Code:{{registration_code}}']
    with open("%s/views/password_reset_email.tpl" % testdir) as f:
        assert f.readlines() == [
            'Username:{{username}} Email:{{email_addr}} Code:{{reset_code}}']


def test_unable_to_save(json_db_dir):
    bogus_dir = '/___inexisting_directory___'
    with pytest.raises(BackendIOException):
        Cork(bogus_dir, initialize=True)


def test_loadjson_missing_file(aaa):
    with pytest.raises(BackendIOException):
        aaa._store._loadjson('nonexistent_file', {})

def test_loadjson_broken_file(aaa, json_db_dir):
    json_db_dir.join('broken_file.json').write('-----')
    with pytest.raises(BackendIOException):
        aaa._store._loadjson('broken_file', {})


def test_loadjson_unchanged(aaa):
    # By running _refresh with unchanged files the files should not be reloaded
    mtimes = aaa._store._mtimes
    aaa._store._refresh()
    # The test simply ensures that no mtimes have been updated
    assert mtimes == aaa._store._mtimes


# Test PBKDF2-based password hashing

def test_password_hashing_PBKDF2(aaa):
    shash = aaa._hash(u'user_foo', u'bogus_pwd')
    assert isinstance(shash, bytes)
    assert len(shash) == 88, "hash length should be 88 and is %d" % len(shash)
    assert shash.endswith(b'='), "hash should end with '='"
    assert aaa._verify_password('user_foo', 'bogus_pwd', shash) == True, \
        "Hashing verification should succeed"


def test_hashlib_pbk():
    # Hashlib works under py2 and py3 producing the same output.
    # With iterations = 10 and dklen = 32 the output is also consistent with
    # beaker under py2 as in the previous versions of Cork
    import hashlib
    cleartext = b'hello'
    salt = b'hi'
    h = hashlib.pbkdf2_hmac('sha1', cleartext, salt, 10, dklen=32)
    assert b64encode(h) == b'QTH8vcCFLLqLhxCTnkz6sq+Un3B4RQgWjMPpRC9hfEY='

def test_password_hashing_PBKDF2_known_hash(aaa):
    assert aaa.preferred_hashing_algorithm == 'PBKDF2'
    salt = b's' * 32
    shash = aaa._hash(u'user_foo', u'bogus_pwd', salt=salt)
    assert shash == b'cHNzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzax44AxQgK6uD9q1YWxLos1ispCe1Z7T7pOFK1PwdWEs='

def test_password_hashing_PBKDF2_known_hash_2(aaa):
    assert aaa.preferred_hashing_algorithm == 'PBKDF2'
    salt = b'\0' * 32
    shash = aaa._hash(u'user_foo', u'bogus_pwd', salt=salt)
    assert shash == b'cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/8Uh4pyEOHoRz4j0lDzAmqb7Dvmo8GpeXwiKTDsuYFw='


def test_password_hashing_PBKDF2_known_hash_3(aaa):
    assert aaa.preferred_hashing_algorithm == 'PBKDF2'
    salt = b'x' * 32
    shash = aaa._hash(u'user_foo', u'bogus_pwd', salt=salt)
    assert shash == b'cHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4MEaIU5Op97lmvwX5NpVSTBP8jg8OlrN7c2K8K8tnNks='


def test_password_hashing_PBKDF2_incorrect_hash_len(aaa):
    salt = b'x' * 31 # Incorrect length
    with pytest.raises(AssertionError):
        shash = aaa._hash(u'user_foo', u'bogus_pwd', salt=salt)


def test_password_hashing_PBKDF2_incorrect_hash_value(aaa):
    shash = aaa._hash(u'user_foo', u'bogus_pwd')
    assert len(shash) == 88, "hash length should be 88 and is %d" % len(shash)
    assert shash.endswith(b'='), "hash should end with '='"
    assert aaa._verify_password(u'user_foo', u'####', shash) == False, \
        "Hashing verification should fail"
    assert aaa._verify_password(u'###', u'bogus_pwd', shash) == False, \
        "Hashing verification should fail"


def test_password_hashing_PBKDF2_collision(aaa):
    salt = b'S' * 32
    hash1 = aaa._hash(u'user_foo', u'bogus_pwd', salt=salt)
    hash2 = aaa._hash(u'user_foobogus', u'_pwd', salt=salt)
    assert hash1 != hash2, "Hash collision"


# Test password hashing for inexistent algorithms

def test_password_hashing_bogus_algo(aaa):
    with pytest.raises(RuntimeError):
        aaa._hash('user_foo', 'bogus_pwd', algo='bogus_algo')


def test_password_hashing_bogus_algo_during_verify(aaa):
    # Incorrect hash type (starts with "X")
    shash = b64encode(b'X' + b'bogusstring')
    with pytest.raises(RuntimeError):
        aaa._verify_password(u'user_foo', u'bogus_pwd', shash)


# End of password hashing tests

@pytest.mark.xfail
def test_create_empty_role(aaa):
    # TODO: implement empty role check
    with pytest.raises(AAAException):
        aaa.create_role('', 42)


def test_authenticated_is_not_anonymous(aaa):
    assert not aaa.user_is_anonymous


def test_register(aaa, json_db_dir):
    aaa.register(u'foo', u'pwd', u'a@a.a')
    assert len(aaa._store.pending_registrations) == 1, repr(aaa._store.pending_registrations)


def test_smtp_url_parsing_1(aaa):
    c = aaa.mailer._parse_smtp_url('')
    assert c['proto'] == 'smtp'
    assert c['user'] == None
    assert c['pass'] == None
    assert c['fqdn'] == ''
    assert c['port'] == 25


def test_smtp_url_parsing_2(aaa):
    c = aaa.mailer._parse_smtp_url('starttls://foo')
    assert c['proto'] == 'starttls'
    assert c['user'] == None
    assert c['pass'] == None
    assert c['fqdn'] == 'foo'
    assert c['port'] == 25


def test_smtp_url_parsing_3(aaa):
    c = aaa.mailer._parse_smtp_url('foo:443')
    assert c['proto'] == 'smtp'
    assert c['user'] == None
    assert c['pass'] == None
    assert c['fqdn'] == 'foo'
    assert c['port'] == 443


def test_smtp_url_parsing_4(aaa):
    c = aaa.mailer._parse_smtp_url('ssl://user:pass@foo:443/')
    assert c['proto'] == 'ssl'
    assert c['user'] == 'user'
    assert c['pass'] == 'pass'
    assert c['fqdn'] == 'foo'
    assert c['port'] == 443


def test_smtp_url_parsing_5(aaa):
    c = aaa.mailer._parse_smtp_url('smtp://smtp.magnet.ie')
    assert c['proto'] == 'smtp'
    assert c['user'] == None
    assert c['pass'] == None
    assert c['fqdn'] == 'smtp.magnet.ie'
    assert c['port'] == 25


def test_smtp_url_parsing_email_as_username_no_password(aaa):
    # the username contains an at sign '@'
    c = aaa.mailer._parse_smtp_url('ssl://us.er@somewhere.net@foo:443/')
    assert c['proto'] == 'ssl'
    assert c['user'] == u'us.er@somewhere.net', \
        "Username is incorrectly parsed as '%s'" % c['user']
    assert c['pass'] == None
    assert c['fqdn'] == 'foo'
    assert c['port'] == 443


def test_smtp_url_parsing_email_as_username(aaa):
    # the username contains an at sign '@'
    c = aaa.mailer._parse_smtp_url('ssl://us.er@somewhere.net:pass@foo:443/')
    assert c['proto'] == 'ssl'
    assert c['user'] == u'us.er@somewhere.net', \
        "Username is incorrectly parsed as '%s'" % c['user']
    assert c['pass'] == 'pass'
    assert c['fqdn'] == 'foo'
    assert c['port'] == 443


def test_smtp_url_parsing_at_sign_in_password(aaa):
    # the password contains at signs '@'
    c = aaa.mailer._parse_smtp_url('ssl://username:pass@w@rd@foo:443/')
    assert c['proto'] == 'ssl'
    assert c['user'] == 'username', \
        "Username is incorrectly parsed as '%s'" % c['user']
    assert c['pass'] == 'pass@w@rd', \
        "Password is incorrectly parsed as '%s'" % c['pass']
    assert c['fqdn'] == 'foo'
    assert c['port'] == 443


def test_smtp_url_parsing_email_as_username_2(aaa):
    # both the username and the password contains an at sign '@'
    c = aaa.mailer._parse_smtp_url('ssl://us.er@somewhere.net:pass@word@foo:443/')
    assert c['proto'] == 'ssl'
    assert c['user'] == u'us.er@somewhere.net', \
        "Username is incorrectly parsed as '%s'" % c['user']
    assert c['pass'] == u'pass@word', \
        "Password is incorrectly parsed as '%s'" % c['pass']
    assert c['fqdn'] == 'foo'
    assert c['port'] == 443


def test_smtp_url_parsing_incorrect_URL_port(aaa):
    with pytest.raises(RuntimeError):
        c = aaa.mailer._parse_smtp_url(':99999')


def test_smtp_url_parsing_incorrect_URL_port_len(aaa):
    with pytest.raises(RuntimeError):
        c = aaa.mailer._parse_smtp_url(':123456')


def test_smtp_url_parsing_incorrect_URL_len(aaa):
    with pytest.raises(RuntimeError):
        c = aaa.mailer._parse_smtp_url('a' * 256)


def test_smtp_url_parsing_incorrect_URL_syntax(aaa):
    with pytest.raises(RuntimeError):
        c = aaa.mailer._parse_smtp_url('::')


def test_smtp_url_parsing_IPv4(aaa):
    c = aaa.mailer._parse_smtp_url('127.0.0.1')
    assert c['fqdn'] == '127.0.0.1'


def test_smtp_url_parsing_IPv6(aaa):
    c = aaa.mailer._parse_smtp_url('[2001:0:0123:4567:89ab:cdef]')
    assert c['fqdn'] == '[2001:0:0123:4567:89ab:cdef]'


def test_send_email_SMTP(aaa, mock_smtp):
    aaa.mailer.send_email(u'address', u' sbj', u'text')
    aaa.mailer.join()

    mock_smtp.assert_called_once_with('localhost', 25)
    session = mock_smtp.return_value
    assert session.sendmail.call_count == 1
    assert session.quit.call_count == 1


def test_send_email_SMTP_SSL(aaa, mock_smtp_ssl):
    aaa.mailer._conf['proto'] = 'ssl'
    aaa.mailer.send_email('address', ' sbj', 'text')
    aaa.mailer.join()

    mock_smtp_ssl.assert_called_once_with('localhost', 25)
    session = mock_smtp_ssl.return_value
    assert session.sendmail.call_count == 1
    assert session.quit.call_count == 1
    assert len(session.method_calls) == 2


def test_send_email_SMTP_SSL_with_login(aaa, mock_smtp_ssl):
    aaa.mailer._conf['proto'] = 'ssl'
    aaa.mailer._conf['user'] = u'username'
    aaa.mailer.send_email('address', ' sbj', 'text')
    aaa.mailer.join()

    mock_smtp_ssl.assert_called_once_with('localhost', 25)
    session = mock_smtp_ssl.return_value
    assert session.login.call_count == 1
    assert session.sendmail.call_count == 1
    assert session.quit.call_count == 1
    assert len(session.method_calls) == 3


def test_send_email_SMTP_STARTTLS(aaa, mock_smtp):
    aaa.mailer._conf['proto'] = 'starttls'
    aaa.mailer.send_email(u'address', u' sbj', u'text')
    aaa.mailer.join()

    mock_smtp.assert_called_once_with('localhost', 25)
    session = mock_smtp.return_value
    assert session.ehlo.call_count == 2
    assert session.starttls.call_count == 1
    assert session.sendmail.call_count == 1
    assert session.quit.call_count == 1
    assert len(session.method_calls) == 5


def test_do_not_send_email(aaa):
    aaa.mailer._conf['fqdn'] = None  # disable email delivery
    with pytest.raises(AAAException):
        aaa.mailer.send_email(u'address', u'sbj', u'text')

    aaa.mailer.join()



def test_purge_expired_registration(aaa, json_db_dir):
    aaa.register(u'foo', u'pwd', u'a@a.a')
    assert len(aaa._store.pending_registrations) == 1, "The registration should" \
        " be present"
    aaa._purge_expired_registrations()
    assert len(aaa._store.pending_registrations) == 1, "The registration should " \
        "be still there"
    aaa._purge_expired_registrations(exp_time=0)
    assert len(aaa._store.pending_registrations) == 0, "The registration should " \
        "have been removed"


def test_prevent_double_registration(aaa, json_db_dir):
    # Create two registration requests, then validate them.
    # The first should succeed, the second one fail as the account has been created.

    # create first registration
    aaa.register(u'user_foo', u'first_pwd', u'a@a.a')
    assert len(aaa._store.pending_registrations) == 1, repr(aaa._store.pending_registrations)
    for first_registration_code in aaa._store.pending_registrations:
        break

    # create second registration
    aaa.register(u'user_foo', u'second_pwd', u'b@b.b')
    assert len(aaa._store.pending_registrations) == 2, repr(aaa._store.pending_registrations)
    registration_codes = list(aaa._store.pending_registrations)
    if first_registration_code == registration_codes[0]:
        second_registration_code = registration_codes[1]
    else:
        second_registration_code = registration_codes[0]

    # Only the 'admin' account exists
    assert len(aaa._store.users) == 1

    # Run validate_registration with the first registration
    aaa.validate_registration(first_registration_code)
    assert 'user_foo' in aaa._store.users, "Account should have been added"
    assert len(aaa._store.users) == 2

    # After the first registration only one pending registration should be left
    # The registration having 'a@a.a' email address should be gone
    assert len(aaa._store.pending_registrations) == 1, repr(aaa._store.pending_registrations)
    for pr_code, pr_data in aaa._store.pending_registrations.items():
        break
    assert pr_data['email_addr'] == u'b@b.b', "Incorrect registration in the datastore"

    # Logging in using the first login should succeed
    login = aaa.login('user_foo', 'first_pwd')
    assert login == True, "Login must succed"
    assert len(aaa._store.pending_registrations) == 1, repr(aaa._store.pending_registrations)

    # Run validate_registration with the second registration code
    # The second registration should fail as the user account exists
    with pytest.raises(AAAException):
        aaa.validate_registration(second_registration_code)

    # test login
    login = aaa.login('user_foo', 'second_pwd')
    assert login == False, "Login must fail"


def test_send_password_reset_email_no_params(aaa):
    with pytest.raises(AAAException):
        aaa.send_password_reset_email()


def test_send_password_reset_email_incorrect_addr(aaa):
    with pytest.raises(AAAException):
        aaa.send_password_reset_email(email_addr=u'incorrect_addr')


def test_send_password_reset_email_incorrect_user(aaa):
    with pytest.raises(AAAException):
        aaa.send_password_reset_email(username=u'bogus_name')


def test_send_password_reset_email_missing_email_addr(aaa):
    with pytest.raises(AAAException):
        aaa.send_password_reset_email(username=u'admin')


def test_send_password_reset_email_incorrect_pair(aaa):
    with pytest.raises(AuthException):
        aaa.send_password_reset_email(username=u'admin', email_addr=u'incorrect_addr')


def test_send_password_reset_email_by_email_addr(aaa, json_db_dir):
    aaa._store.users['admin']['email_addr'] = u'admin@localhost.local'
    aaa.send_password_reset_email(email_addr=u'admin@localhost.local')


def test_send_password_reset_email_by_username(aaa, json_db_dir, mock_smtp):
    aaa._store.users['admin']['email_addr'] = u'admin@localhost.local'
    assert aaa._store.users['admin']['email_addr'] == u'admin@localhost.local'
    assert not mock_smtp.called
    aaa.send_password_reset_email(username='admin')
    aaa.mailer.join()
    assert mock_smtp.called
    session = mock_smtp.return_value
    assert session.sendmail.called
    assert session.sendmail.call_args[0][1] == u'admin@localhost.local'
    assert session.quit.called