From 38e7ba3a7c7a414c5b087f7f32df1a09403fff89 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 16 Jul 2013 19:38:37 +0200 Subject: first take on identity model - still broken --- users/test/unit/identity_test.rb | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 users/test/unit/identity_test.rb (limited to 'users/test') diff --git a/users/test/unit/identity_test.rb b/users/test/unit/identity_test.rb new file mode 100644 index 0000000..389ef89 --- /dev/null +++ b/users/test/unit/identity_test.rb @@ -0,0 +1,34 @@ +require 'test_helper' + +class IdentityTest < ActiveSupport::TestCase + + setup do + @user = FactoryGirl.create(:user) + end + + test "user has identity to start with" do + id = Identity.new user_id: @user.id + id.save + assert_equal 1, Identity.by_user_id.key(@user.id).count + identity = Identity.find_by_user_id(@user.id) + assert_equal @user.email_address, identity.address + assert_equal @user.email_address, identity.destination + assert_equal @user, identity.user + end + + test "add alias" do + skip + @user.create_identity address: @alias + end + + test "add forward" do + skip + @user.create_identity destination: @external + end + + test "forward alias" do + skip + @user.create_identity address: @alias, destination: @external + end + +end -- cgit v1.2.3 From 4a071ef1b33525fa2d1052aa7f21b549447fe767 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 18 Jul 2013 11:31:25 +0200 Subject: move identity creation into user class It's always based on a user and most default values are based on user properties. --- users/test/unit/identity_test.rb | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'users/test') diff --git a/users/test/unit/identity_test.rb b/users/test/unit/identity_test.rb index 389ef89..3130ddc 100644 --- a/users/test/unit/identity_test.rb +++ b/users/test/unit/identity_test.rb @@ -7,13 +7,10 @@ class IdentityTest < ActiveSupport::TestCase end test "user has identity to start with" do - id = Identity.new user_id: @user.id - id.save - assert_equal 1, Identity.by_user_id.key(@user.id).count - identity = Identity.find_by_user_id(@user.id) - assert_equal @user.email_address, identity.address - assert_equal @user.email_address, identity.destination - assert_equal @user, identity.user + id = @user.build_identity + assert_equal @user.email_address, id.address + assert_equal @user.email_address, id.destination + assert_equal @user, id.user end test "add alias" do -- cgit v1.2.3 From cc96c60c4617c09379d5e1ddbefa42407329c19a Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 18 Jul 2013 12:12:07 +0200 Subject: testing all versions of emial identities, emails are now strings --- users/test/unit/identity_test.rb | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) (limited to 'users/test') diff --git a/users/test/unit/identity_test.rb b/users/test/unit/identity_test.rb index 3130ddc..a5d30b0 100644 --- a/users/test/unit/identity_test.rb +++ b/users/test/unit/identity_test.rb @@ -6,7 +6,11 @@ class IdentityTest < ActiveSupport::TestCase @user = FactoryGirl.create(:user) end - test "user has identity to start with" do + teardown do + @user.destroy + end + + test "initial identity for a user" do id = @user.build_identity assert_equal @user.email_address, id.address assert_equal @user.email_address, id.destination @@ -14,18 +18,32 @@ class IdentityTest < ActiveSupport::TestCase end test "add alias" do - skip - @user.create_identity address: @alias + id = @user.build_identity address: alias_name + assert_equal LocalEmail.new(alias_name), id.address + assert_equal @user.email_address, id.destination + assert_equal @user, id.user end test "add forward" do - skip - @user.create_identity destination: @external + id = @user.build_identity destination: forward_address + assert_equal @user.email_address, id.address + assert_equal Email.new(forward_address), id.destination + assert_equal @user, id.user end test "forward alias" do - skip - @user.create_identity address: @alias, destination: @external + id = @user.build_identity address: alias_name, destination: forward_address + assert_equal LocalEmail.new(alias_name), id.address + assert_equal Email.new(forward_address), id.destination + assert_equal @user, id.user + id.save end + def alias_name + @alias_name ||= Faker::Internet.user_name + end + + def forward_address + @forward_address ||= Faker::Internet.email + end end -- cgit v1.2.3 From a2e49d1b946fa34dd41ce1f07920515df13e09db Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 18 Jul 2013 12:28:51 +0200 Subject: local email adds domain if needed --- users/test/unit/local_email_test.rb | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 users/test/unit/local_email_test.rb (limited to 'users/test') diff --git a/users/test/unit/local_email_test.rb b/users/test/unit/local_email_test.rb new file mode 100644 index 0000000..9031a98 --- /dev/null +++ b/users/test/unit/local_email_test.rb @@ -0,0 +1,27 @@ +require 'test_helper' + +class LocalEmailTest < ActiveSupport::TestCase + + test "appends domain" do + local = LocalEmail.new(handle) + assert_equal LocalEmail.new(email), local + end + + test "returns handle" do + local = LocalEmail.new(email) + assert_equal handle, local.handle + end + + test "prints full email" do + local = LocalEmail.new(handle) + assert_equal email, "#{local}" + end + + def handle + "asdf" + end + + def email + "asdf@" + APP_CONFIG[:domain] + end +end -- cgit v1.2.3 From d96fac2de074bbe3a44d888af5ceaff45b1b9b27 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 18 Jul 2013 12:52:02 +0200 Subject: validations of email format and local domain moved over --- users/test/unit/email_test.rb | 19 +++++++++++++++++++ users/test/unit/local_email_test.rb | 11 +++++++++-- 2 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 users/test/unit/email_test.rb (limited to 'users/test') diff --git a/users/test/unit/email_test.rb b/users/test/unit/email_test.rb new file mode 100644 index 0000000..7cfbc84 --- /dev/null +++ b/users/test/unit/email_test.rb @@ -0,0 +1,19 @@ +require 'test_helper' + +class EmailTest < ActiveSupport::TestCase + + test "valid format" do + email = Email.new(email_string) + assert email.valid? + end + + test "validates format" do + email = Email.new("email") + assert !email.valid? + assert_equal ["needs to be a valid email address"], email.errors[:email] + end + + def email_string + @email_string ||= Faker::Internet.email + end +end diff --git a/users/test/unit/local_email_test.rb b/users/test/unit/local_email_test.rb index 9031a98..b25f46f 100644 --- a/users/test/unit/local_email_test.rb +++ b/users/test/unit/local_email_test.rb @@ -5,6 +5,7 @@ class LocalEmailTest < ActiveSupport::TestCase test "appends domain" do local = LocalEmail.new(handle) assert_equal LocalEmail.new(email), local + assert local.valid? end test "returns handle" do @@ -17,11 +18,17 @@ class LocalEmailTest < ActiveSupport::TestCase assert_equal email, "#{local}" end + test "validates domain" do + local = LocalEmail.new(Faker::Internet.email) + assert !local.valid? + assert_equal ["needs to end in @#{LocalEmail.domain}"], local.errors[:email] + end + def handle - "asdf" + @handle ||= Faker::Internet.user_name end def email - "asdf@" + APP_CONFIG[:domain] + handle + "@" + APP_CONFIG[:domain] end end -- cgit v1.2.3 From 0acace58c31c96fc1f8836167aeb4f204f72617f Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 18 Jul 2013 17:17:36 +0200 Subject: allow available and unique forwards only --- users/test/unit/identity_test.rb | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'users/test') diff --git a/users/test/unit/identity_test.rb b/users/test/unit/identity_test.rb index a5d30b0..4ebd72e 100644 --- a/users/test/unit/identity_test.rb +++ b/users/test/unit/identity_test.rb @@ -39,6 +39,24 @@ class IdentityTest < ActiveSupport::TestCase id.save end + test "prevents duplicates" do + id = @user.create_identity address: alias_name, destination: forward_address + dup = @user.build_identity address: alias_name, destination: forward_address + assert !dup.valid? + assert_equal ["This alias already exists"], dup.errors[:base] + end + + test "validates availability" do + other_user = FactoryGirl.create(:user) + id = @user.create_identity address: alias_name, destination: forward_address + taken = other_user.build_identity address: alias_name + assert !taken.valid? + assert_equal ["This email has already been taken"], taken.errors[:base] + other_user.destroy + end + + + def alias_name @alias_name ||= Faker::Internet.user_name end -- cgit v1.2.3 From dcaf6232dbd1131cdbd12ac5c2ef997979fd01ff Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 19 Jul 2013 09:50:02 +0200 Subject: add keys to identity --- users/test/unit/identity_test.rb | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'users/test') diff --git a/users/test/unit/identity_test.rb b/users/test/unit/identity_test.rb index 4ebd72e..6b0a6b1 100644 --- a/users/test/unit/identity_test.rb +++ b/users/test/unit/identity_test.rb @@ -55,7 +55,22 @@ class IdentityTest < ActiveSupport::TestCase other_user.destroy end + test "setting and getting pgp key" do + id = @user.build_identity + id.keys[:pgp] = pgp_key_string + assert_equal pgp_key_string, id.keys[:pgp] + end + test "querying pgp key via couch" do + id = @user.build_identity + id.keys[:pgp] = pgp_key_string + id.save + view = Identity.pgp_key_by_email.key(id.address) + assert_equal 1, view.rows.count + assert result = view.rows.first + assert_equal id.address, result["key"] + assert_equal id.keys[:pgp], result["value"] + end def alias_name @alias_name ||= Faker::Internet.user_name @@ -64,4 +79,8 @@ class IdentityTest < ActiveSupport::TestCase def forward_address @forward_address ||= Faker::Internet.email end + + def pgp_key_string + @pgp_key ||= "DUMMY PGP KEY ... "+SecureRandom.base64(4096) + end end -- cgit v1.2.3 From b6242bbefc1e9fe193bbf3479e8fa822829c6d1a Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 19 Jul 2013 11:07:53 +0200 Subject: remove email aliases test - we'll move them to identities --- users/test/unit/email_aliases_test.rb | 66 ----------------------------------- 1 file changed, 66 deletions(-) delete mode 100644 users/test/unit/email_aliases_test.rb (limited to 'users/test') diff --git a/users/test/unit/email_aliases_test.rb b/users/test/unit/email_aliases_test.rb deleted file mode 100644 index 86d14aa..0000000 --- a/users/test/unit/email_aliases_test.rb +++ /dev/null @@ -1,66 +0,0 @@ -require 'test_helper' - -class EmailAliasTest < ActiveSupport::TestCase - - setup do - @user = FactoryGirl.build :user - @alias = "valid_alias" - # make sure no existing records are in the way... - User.find_by_login_or_alias(@alias).try(:destroy) - end - - test "no email aliases set in the beginning" do - assert_equal [], @user.email_aliases - end - - test "adding email alias through params" do - @user.attributes = {:email_aliases_attributes => {"0" => {:email => @alias}}} - assert @user.changed? - assert @user.save - assert_equal @alias, @user.email_aliases.first.username - end - - test "adding email alias directly" do - @user.email_aliases.build :email => @alias - assert @user.save - assert_equal @alias, @user.email_aliases.first.username - end - - test "duplicated email aliases are invalid" do - @user.email_aliases.build :email => @alias - @user.save - assert_invalid_alias @alias - end - - test "email alias needs to be different from other peoples login" do - other_user = FactoryGirl.create :user, :login => @alias - assert_invalid_alias @alias - other_user.destroy - end - - test "email needs to be different from other peoples email aliases" do - other_user = FactoryGirl.create :user, :email_aliases_attributes => {'1' => @alias} - assert_invalid_alias @alias - other_user.destroy - end - - test "login is invalid as email alias" do - @user.login = @alias - assert_invalid_alias @alias - end - - test "find user by email alias" do - @user.email_aliases.build :email => @alias - assert @user.save - assert_equal @user, User.find_by_login_or_alias(@alias) - assert_equal @user, User.find_by_alias(@alias) - assert_nil User.find_by_login(@alias) - end - - def assert_invalid_alias(string) - email_alias = @user.email_aliases.build :email => string - assert !email_alias.valid? - assert !@user.valid? - end - -end -- cgit v1.2.3 From 8ddbaa6184e4dbcc6ef7e81cf555cc18d3822dce Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 19 Jul 2013 11:09:25 +0200 Subject: support deprecated API to set users main identity pgp key We'll want to get rid of the #public_key and #public_key= functions but they are still used from the users controller. We'll probably have an identity controller instead at some point. --- users/test/unit/identity_test.rb | 6 +++--- users/test/unit/user_test.rb | 14 ++++++-------- 2 files changed, 9 insertions(+), 11 deletions(-) (limited to 'users/test') diff --git a/users/test/unit/identity_test.rb b/users/test/unit/identity_test.rb index 6b0a6b1..d20ad93 100644 --- a/users/test/unit/identity_test.rb +++ b/users/test/unit/identity_test.rb @@ -11,7 +11,7 @@ class IdentityTest < ActiveSupport::TestCase end test "initial identity for a user" do - id = @user.build_identity + id = @user.identity assert_equal @user.email_address, id.address assert_equal @user.email_address, id.destination assert_equal @user, id.user @@ -56,13 +56,13 @@ class IdentityTest < ActiveSupport::TestCase end test "setting and getting pgp key" do - id = @user.build_identity + id = @user.identity id.keys[:pgp] = pgp_key_string assert_equal pgp_key_string, id.keys[:pgp] end test "querying pgp key via couch" do - id = @user.build_identity + id = @user.identity id.keys[:pgp] = pgp_key_string id.save view = Identity.pgp_key_by_email.key(id.address) diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb index c8c837b..5d1fe06 100644 --- a/users/test/unit/user_test.rb +++ b/users/test/unit/user_test.rb @@ -56,23 +56,21 @@ class UserTest < ActiveSupport::TestCase other_user.destroy end - test "login needs to be different from other peoples email aliases" do - other_user = FactoryGirl.create :user - other_user.email_aliases.build :email => @user.login - other_user.save - assert !@user.valid? - other_user.destroy + test "deprecated public key api still works" do + key = SecureRandom.base64(4096) + @user.public_key = key + assert_equal key, @user.public_key end test "pgp key view" do @user.public_key = SecureRandom.base64(4096) @user.save - view = User.pgp_key_by_handle.key(@user.login) + view = Identity.pgp_key_by_email.key(@user.email_address) assert_equal 1, view.rows.count assert result = view.rows.first - assert_equal @user.login, result["key"] + assert_equal @user.email_address, result["key"] assert_equal @user.public_key, result["value"] end end -- cgit v1.2.3 From 51582a668b04d2c1322ad1babe8599ae8797cd3b Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 19 Jul 2013 11:20:01 +0200 Subject: test user validates uniqueness of login amongst aliases --- users/test/unit/user_test.rb | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'users/test') diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb index 5d1fe06..f303c8d 100644 --- a/users/test/unit/user_test.rb +++ b/users/test/unit/user_test.rb @@ -56,6 +56,13 @@ class UserTest < ActiveSupport::TestCase other_user.destroy end + test "login needs to be unique amongst aliases" do + other_user = FactoryGirl.create :user + other_user.create_identity address: @user.login + assert !@user.valid? + other_user.destroy + end + test "deprecated public key api still works" do key = SecureRandom.base64(4096) @user.public_key = key -- cgit v1.2.3 From c0b88d9e8fe574d6164f48211db50f3b8a4c4d93 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 19 Jul 2013 12:21:40 +0200 Subject: setter for keys for dirty tracking, more robust tests Just altering identity.keys did not mark identities as changed. Also we now have a sane default for keys. --- users/test/integration/api/account_flow_test.rb | 5 +++++ users/test/unit/identity_test.rb | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'users/test') diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index 4c94389..93b6507 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -79,8 +79,13 @@ class AccountFlowTest < RackTest test_public_key = 'asdlfkjslfdkjasd' original_login = @user.login new_login = 'zaph' + User.find_by_login(new_login).try(:destroy) + Identity.by_address.key(new_login + '@' + APP_CONFIG[:domain]).each do |identity| + identity.destroy + end put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => test_public_key, :login => new_login}, :format => :json @user.reload + assert last_response.successful? assert_equal test_public_key, @user.public_key assert_equal new_login, @user.login # eventually probably want to remove most of this into a non-integration functional test diff --git a/users/test/unit/identity_test.rb b/users/test/unit/identity_test.rb index d20ad93..40b1296 100644 --- a/users/test/unit/identity_test.rb +++ b/users/test/unit/identity_test.rb @@ -57,13 +57,13 @@ class IdentityTest < ActiveSupport::TestCase test "setting and getting pgp key" do id = @user.identity - id.keys[:pgp] = pgp_key_string + id.set_key(:pgp, pgp_key_string) assert_equal pgp_key_string, id.keys[:pgp] end test "querying pgp key via couch" do id = @user.identity - id.keys[:pgp] = pgp_key_string + id.set_key(:pgp, pgp_key_string) id.save view = Identity.pgp_key_by_email.key(id.address) assert_equal 1, view.rows.count -- cgit v1.2.3 From d70c5796a2989b7b43f7e287899fb1394ae28280 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 19 Jul 2013 16:02:02 +0200 Subject: separate signup and settings service objects for user --- users/test/functional/v1/users_controller_test.rb | 8 ++++++-- users/test/integration/api/account_flow_test.rb | 13 +++++-------- users/test/unit/identity_test.rb | 20 ++++++++++---------- users/test/unit/user_test.rb | 2 +- 4 files changed, 22 insertions(+), 21 deletions(-) (limited to 'users/test') diff --git a/users/test/functional/v1/users_controller_test.rb b/users/test/functional/v1/users_controller_test.rb index 0d44e50..a330bf3 100644 --- a/users/test/functional/v1/users_controller_test.rb +++ b/users/test/functional/v1/users_controller_test.rb @@ -5,7 +5,9 @@ class V1::UsersControllerTest < ActionController::TestCase test "user can change settings" do user = find_record :user changed_attribs = record_attributes_for :user_with_settings - user.expects(:update_attributes).with(changed_attribs) + account_settings = stub + account_settings.expects(:update).with(changed_attribs) + AccountSettings.expects(:new).with(user).returns(account_settings) login user put :update, :user => changed_attribs, :id => user.id, :format => :json @@ -18,7 +20,9 @@ class V1::UsersControllerTest < ActionController::TestCase test "admin can update user" do user = find_record :user changed_attribs = record_attributes_for :user_with_settings - user.expects(:update_attributes).with(changed_attribs) + account_settings = stub + account_settings.expects(:update).with(changed_attribs) + AccountSettings.expects(:new).with(user).returns(account_settings) login :is_admin? => true put :update, :user => changed_attribs, :id => user.id, :format => :json diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index 93b6507..c09dcb6 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -84,20 +84,17 @@ class AccountFlowTest < RackTest identity.destroy end put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => test_public_key, :login => new_login}, :format => :json - @user.reload assert last_response.successful? - assert_equal test_public_key, @user.public_key - assert_equal new_login, @user.login + assert_equal test_public_key, Identity.for(@user).keys[:pgp] + # does not change login if no password_verifier is present + assert_equal original_login, @user.login # eventually probably want to remove most of this into a non-integration functional test # should not overwrite public key: put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:blee => :blah}, :format => :json - @user.reload - assert_equal test_public_key, @user.public_key + assert_equal test_public_key, Identity.for(@user).keys[:pgp] # should overwrite public key: put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => nil}, :format => :json - # TODO: not sure why i need this, but when public key is removed, the DB is updated but @user.reload doesn't seem to actually reload. - @user = User.find(@user.id) # @user.reload - assert_nil @user.public_key + assert_nil Identity.for(@user).keys[:pgp] end end diff --git a/users/test/unit/identity_test.rb b/users/test/unit/identity_test.rb index 40b1296..bf24f02 100644 --- a/users/test/unit/identity_test.rb +++ b/users/test/unit/identity_test.rb @@ -11,28 +11,28 @@ class IdentityTest < ActiveSupport::TestCase end test "initial identity for a user" do - id = @user.identity + id = Identity.for(@user) assert_equal @user.email_address, id.address assert_equal @user.email_address, id.destination assert_equal @user, id.user end test "add alias" do - id = @user.build_identity address: alias_name + id = Identity.for @user, address: alias_name assert_equal LocalEmail.new(alias_name), id.address assert_equal @user.email_address, id.destination assert_equal @user, id.user end test "add forward" do - id = @user.build_identity destination: forward_address + id = Identity.for @user, destination: forward_address assert_equal @user.email_address, id.address assert_equal Email.new(forward_address), id.destination assert_equal @user, id.user end test "forward alias" do - id = @user.build_identity address: alias_name, destination: forward_address + id = Identity.for @user, address: alias_name, destination: forward_address assert_equal LocalEmail.new(alias_name), id.address assert_equal Email.new(forward_address), id.destination assert_equal @user, id.user @@ -40,29 +40,29 @@ class IdentityTest < ActiveSupport::TestCase end test "prevents duplicates" do - id = @user.create_identity address: alias_name, destination: forward_address - dup = @user.build_identity address: alias_name, destination: forward_address + id = Identity.create_for @user, address: alias_name, destination: forward_address + dup = Identity.build_for @user, address: alias_name, destination: forward_address assert !dup.valid? assert_equal ["This alias already exists"], dup.errors[:base] end test "validates availability" do other_user = FactoryGirl.create(:user) - id = @user.create_identity address: alias_name, destination: forward_address - taken = other_user.build_identity address: alias_name + id = Identity.create_for @user, address: alias_name, destination: forward_address + taken = Identity.build_for other_user, address: alias_name assert !taken.valid? assert_equal ["This email has already been taken"], taken.errors[:base] other_user.destroy end test "setting and getting pgp key" do - id = @user.identity + id = Identity.for(@user) id.set_key(:pgp, pgp_key_string) assert_equal pgp_key_string, id.keys[:pgp] end test "querying pgp key via couch" do - id = @user.identity + id = Identity.for(@user) id.set_key(:pgp, pgp_key_string) id.save view = Identity.pgp_key_by_email.key(id.address) diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb index f303c8d..477c727 100644 --- a/users/test/unit/user_test.rb +++ b/users/test/unit/user_test.rb @@ -58,7 +58,7 @@ class UserTest < ActiveSupport::TestCase test "login needs to be unique amongst aliases" do other_user = FactoryGirl.create :user - other_user.create_identity address: @user.login + Identity.create_for other_user, address: @user.login assert !@user.valid? other_user.destroy end -- cgit v1.2.3 From 370be6caa8a366774fba15d09fb03ee4d923b861 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 24 Jul 2013 11:09:04 +0200 Subject: keeping the pgp_key accessors for User so views still work --- users/test/unit/user_test.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'users/test') diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb index 477c727..89ee749 100644 --- a/users/test/unit/user_test.rb +++ b/users/test/unit/user_test.rb @@ -70,14 +70,16 @@ class UserTest < ActiveSupport::TestCase end test "pgp key view" do - @user.public_key = SecureRandom.base64(4096) - @user.save + key = SecureRandom.base64(4096) + identity = Identity.create_for @user + identity.set_key('pgp', key) + identity.save view = Identity.pgp_key_by_email.key(@user.email_address) assert_equal 1, view.rows.count assert result = view.rows.first assert_equal @user.email_address, result["key"] - assert_equal @user.public_key, result["value"] + assert_equal key, result["value"] end end -- cgit v1.2.3 From b1065710102193ba11e2a18b5f6506ba1d5b31f9 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 24 Jul 2013 12:30:59 +0200 Subject: also destroy the identity for a test user during teardown --- users/test/integration/api/account_flow_test.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'users/test') diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index c09dcb6..ec7753c 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -18,7 +18,10 @@ class AccountFlowTest < RackTest end teardown do - @user.destroy if @user + if @user + @user.identity.destroy + @user.destroy + end Warden.test_reset! end -- cgit v1.2.3 From 8e2bff3fb077410fd7facc41e4a460b402e08045 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 7 Aug 2013 17:45:03 +0200 Subject: integration test exploiting srp vulnerability --- users/test/integration/browser/account_test.rb | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'users/test') diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb index ce63baf..b5776ff 100644 --- a/users/test/integration/browser/account_test.rb +++ b/users/test/integration/browser/account_test.rb @@ -20,4 +20,23 @@ class AccountTest < BrowserIntegrationTest assert_equal '/', current_path end + # trying to seed an invalid A for srp login + test "detects attempt to circumvent SRP" do + user = FactoryGirl.create :user + visit '/sessions/new' + fill_in 'Username', with: user.login + fill_in 'Password', with: "password" + inject_malicious_js + click_on 'Log In' + assert !page.has_content?("Welcome") + end + + def inject_malicious_js + page.execute_script <<-EOJS + var calc = new srp.Calculate(); + calc.A = function(_a) {return "00";}; + calc.S = calc.A; + srp.session = new srp.Session(null, calc); + EOJS + end end -- cgit v1.2.3 From a0b276e4b8ae86dec7deee898e85b65784d89933 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 7 Aug 2013 18:09:20 +0200 Subject: close srp vulnerability and report error in webapp --- users/test/integration/browser/account_test.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'users/test') diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb index b5776ff..c65c491 100644 --- a/users/test/integration/browser/account_test.rb +++ b/users/test/integration/browser/account_test.rb @@ -29,6 +29,7 @@ class AccountTest < BrowserIntegrationTest inject_malicious_js click_on 'Log In' assert !page.has_content?("Welcome") + assert page.has_content?("Invalid random key") end def inject_malicious_js -- cgit v1.2.3 From 54243290c1550d88be0a39cdabeaf47a4a13075c Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 21 Aug 2013 07:30:36 +0200 Subject: integration test updating users password --- users/test/integration/api/account_flow_test.rb | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) (limited to 'users/test') diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index ec7753c..507f0b9 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -5,6 +5,7 @@ class AccountFlowTest < RackTest setup do @login = "integration_test_user" + Identity.find_by_address(@login + '@' + APP_CONFIG[:domain]).tap{|i| i.destroy if i} User.find_by_login(@login).tap{|u| u.destroy if u} @password = "srp, verify me!" @srp = SRP::Client.new @login, :password => @password @@ -18,7 +19,7 @@ class AccountFlowTest < RackTest end teardown do - if @user + if @user.reload @user.identity.destroy @user.destroy end @@ -77,6 +78,25 @@ class AccountFlowTest < RackTest assert_nil server_auth end + test "update password via api" do + @srp.authenticate(self) + @password = "No! Verify me instead." + @srp = SRP::Client.new @login, :password => @password + @user_params = { + # :login => @login, + :password_verifier => @srp.verifier.to_s(16), + :password_salt => @srp.salt.to_s(16) + } + puts @user_params.inspect + put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', + :user => @user_params, + :format => :json + server_auth = @srp.authenticate(self) + assert last_response.successful? + assert_nil server_auth["errors"] + assert server_auth["M2"] + end + test "update user" do server_auth = @srp.authenticate(self) test_public_key = 'asdlfkjslfdkjasd' -- cgit v1.2.3 From 76bc9d708b119d8c5047b487ccedaa9c70fec78b Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 21 Aug 2013 07:58:52 +0200 Subject: also test updating the user password in python against dev.bm --- users/test/integration/api/python/flow_with_srp.py | 63 +++++++++++++--------- 1 file changed, 39 insertions(+), 24 deletions(-) (limited to 'users/test') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index 7b741d6..d37c6af 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -16,24 +16,24 @@ def id_generator(size=6, chars=string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for x in range(size)) # using globals for a start -server = 'https://api.bitmask.net:4430/1' -login = id_generator() +server = 'https://dev.bitmask.net/1' +login = 'test_' + id_generator() password = id_generator() + id_generator() -# print ' username = "' + login + '"' -# print ' password = "' + password + '"' - # log the server communication def print_and_parse(response): - print response.request.method + ': ' + response.url - print " " + json.dumps(response.request.data) + request = response.request + print request.method + ': ' + response.url + if hasattr(request, 'data'): + print " " + json.dumps(response.request.data) print " -> " + response.text - return json.loads(response.text) + try: + return json.loads(response.text) + except ValueError: + return None def signup(session): salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) - # print ' salt = "' + binascii.hexlify(salt) + '"' - # print ' v = "' + binascii.hexlify(vkey) + '"' user_params = { 'user[login]': login, 'user[password_verifier]': binascii.hexlify(vkey), @@ -41,38 +41,53 @@ def signup(session): } return session.post(server + '/users.json', data = user_params, verify = False) -usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) +def change_password(session): + password = id_generator() + id_generator() + salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) + user_params = { + 'user[password_verifier]': binascii.hexlify(vkey), + 'user[password_salt]': binascii.hexlify(salt) + } + print user_params + print_and_parse(session.put(server + '/users/' + auth['id'] + '.json', data = user_params, verify = False)) + return srp.User( login, password, srp.SHA256, srp.NG_1024 ) + def authenticate(session, login): uname, A = usr.start_authentication() - # print ' aa = "' + binascii.hexlify(A) + '"' params = { 'login': uname, 'A': binascii.hexlify(A) } init = print_and_parse(session.post(server + '/sessions', data = params, verify=False)) - # print ' b = "' + init['b'] + '"' - # print ' bb = "' + init['B'] + '"' M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) ) - # print ' m = "' + binascii.hexlify(M) + '"' return session.put(server + '/sessions/' + login, verify = False, data = {'client_auth': binascii.hexlify(M)}) +def verify_or_debug(auth): + if ( 'errors' in auth ): + print ' u = "%x"' % usr.u + print ' x = "%x"' % usr.x + print ' v = "%x"' % usr.v + print ' S = "%x"' % usr.S + print ' K = "' + binascii.hexlify(usr.K) + '"' + print ' M = "' + binascii.hexlify(usr.M) + '"' + else: + usr.verify_session( safe_unhexlify(auth["M2"]) ) + +usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) session = requests.session() user = print_and_parse(signup(session)) # SRP signup would happen here and calculate M hex auth = print_and_parse(authenticate(session, user['login'])) -if ( 'errors' in auth ): - print ' u = "%x"' % usr.u - print ' x = "%x"' % usr.x - print ' v = "%x"' % usr.v - print ' S = "%x"' % usr.S - print ' K = "' + binascii.hexlify(usr.K) + '"' - print ' M = "%x"' % usr.M -else: - usr.verify_session( safe_unhexlify(auth["M2"]) ) +verify_or_debug(auth) +assert usr.authenticated() + +usr = change_password(session) +auth = print_and_parse(authenticate(session, user['login'])) +verify_or_debug(auth) # At this point the authentication process is complete. assert usr.authenticated() -- cgit v1.2.3 From 75db45671d432a0d81805ad50c6cc9f8f7eff7a7 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 21 Aug 2013 09:49:26 +0200 Subject: use the same login validations on sessions and users The session ones were outdated so valid usernames could not login if they contained a '.' Refactored so both models use the same module for this validation to ensure consistency. --- users/test/integration/browser/account_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'users/test') diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb index c65c491..b412980 100644 --- a/users/test/integration/browser/account_test.rb +++ b/users/test/integration/browser/account_test.rb @@ -28,8 +28,8 @@ class AccountTest < BrowserIntegrationTest fill_in 'Password', with: "password" inject_malicious_js click_on 'Log In' - assert !page.has_content?("Welcome") assert page.has_content?("Invalid random key") + assert page.has_no_content?("Welcome") end def inject_malicious_js -- cgit v1.2.3 From 441db4736e0cd003caf9c8f7b3fbdb1ffa72b969 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:57:18 +0200 Subject: minor: remove puts line --- users/test/integration/api/account_flow_test.rb | 1 - 1 file changed, 1 deletion(-) (limited to 'users/test') diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index 507f0b9..e41befa 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -87,7 +87,6 @@ class AccountFlowTest < RackTest :password_verifier => @srp.verifier.to_s(16), :password_salt => @srp.salt.to_s(16) } - puts @user_params.inspect put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => @user_params, :format => :json -- cgit v1.2.3 From 7ad6d054d72d3c76098f689e4e7890265a3604c8 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 26 Aug 2013 10:59:18 +0200 Subject: first steps towards enabling token based auth --- users/test/functional/v1/sessions_controller_test.rb | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'users/test') diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb index 0c4e325..8a16997 100644 --- a/users/test/functional/v1/sessions_controller_test.rb +++ b/users/test/functional/v1/sessions_controller_test.rb @@ -7,7 +7,7 @@ class V1::SessionsControllerTest < ActionController::TestCase setup do @request.env['HTTP_HOST'] = 'api.lvh.me' - @user = stub_record :user + @user = stub_record :user, {}, true @client_hex = 'a123' end @@ -48,13 +48,24 @@ class V1::SessionsControllerTest < ActionController::TestCase assert_response :success assert json_response.keys.include?("id") assert json_response.keys.include?("token") + assert token = Token.find(json_response['token']) + assert_equal @user.id, token.user_id end test "logout should reset warden user" do expect_warden_logout delete :destroy - assert_response :redirect - assert_redirected_to root_url + assert_response 204 + end + + test "logout should remove token" do + login + expect_warden_logout + skip "TODO: implement token removal" + assert_difference "Token.count", -1 do + delete :destroy + assert_response 204 + end end def expect_warden_logout -- cgit v1.2.3 From e60ee749cab0f80cf23ca57e28c7de6d1b3a395b Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 11:14:30 +0200 Subject: basic testing for token based auth in tests --- users/test/factories.rb | 3 +++ users/test/functional/helper_methods_test.rb | 2 +- users/test/functional/test_helpers_test.rb | 38 ++++++++++++++++++++++++++++ users/test/support/auth_test_helper.rb | 9 ++++++- users/test/support/stub_record_helper.rb | 2 +- 5 files changed, 51 insertions(+), 3 deletions(-) create mode 100644 users/test/functional/test_helpers_test.rb (limited to 'users/test') diff --git a/users/test/factories.rb b/users/test/factories.rb index 777704b..c87e290 100644 --- a/users/test/factories.rb +++ b/users/test/factories.rb @@ -18,4 +18,7 @@ FactoryGirl.define do end end end + + factory :token + end diff --git a/users/test/functional/helper_methods_test.rb b/users/test/functional/helper_methods_test.rb index 2b2375c..44226ae 100644 --- a/users/test/functional/helper_methods_test.rb +++ b/users/test/functional/helper_methods_test.rb @@ -11,7 +11,7 @@ class HelperMethodsTest < ActionController::TestCase # we test them right in here... include ApplicationController._helpers - # they all reference the controller. + # the helpers all reference the controller. def controller @controller end diff --git a/users/test/functional/test_helpers_test.rb b/users/test/functional/test_helpers_test.rb new file mode 100644 index 0000000..d1bdb64 --- /dev/null +++ b/users/test/functional/test_helpers_test.rb @@ -0,0 +1,38 @@ +# +# There are a few test helpers for dealing with login etc. +# We test them here and also document their behaviour. +# + +require 'test_helper' + +class TestHelpersTest < ActionController::TestCase + tests ApplicationController # testing no controller in particular + + def test_login_stubs_warden + login + assert_equal @current_user, request.env['warden'].user + end + + def test_login_token_authenticates + login + assert_equal @current_user, @controller.send(:token_authenticate) + end + + def test_login_stubs_token + login + assert @token + assert_equal @current_user.id, @token.user_id + end + + def test_login_adds_token_header + login + token_present = @controller.authenticate_with_http_token do |token, options| + assert_equal @token.id, token + end + # authenticate_with_http_token just returns nil and does not + # execute the block if there is no token. So we have to also + # ensure it was run: + assert token_present + end +end + diff --git a/users/test/support/auth_test_helper.rb b/users/test/support/auth_test_helper.rb index 555b5db..ab6b1ac 100644 --- a/users/test/support/auth_test_helper.rb +++ b/users/test/support/auth_test_helper.rb @@ -13,8 +13,9 @@ module AuthTestHelper if user_or_method_hash.respond_to?(:reverse_merge) user_or_method_hash.reverse_merge! :is_admin? => false end - @current_user = stub_record(:user, user_or_method_hash, true) + @current_user = find_record(:user, user_or_method_hash) request.env['warden'] = stub :user => @current_user + request.env['HTTP_AUTHORIZATION'] = header_for_token_auth return @current_user end @@ -37,6 +38,12 @@ module AuthTestHelper end end + protected + + def header_for_token_auth + @token = find_record(:token, :user_id => @current_user.id) + ActionController::HttpAuthentication::Token.encode_credentials @token.id + end end class ActionController::TestCase diff --git a/users/test/support/stub_record_helper.rb b/users/test/support/stub_record_helper.rb index 8aa1973..b3460d2 100644 --- a/users/test/support/stub_record_helper.rb +++ b/users/test/support/stub_record_helper.rb @@ -1,7 +1,7 @@ module StubRecordHelper # - # We will stub find_by_param or find_by_id to be called on klass and + # We will stub find_by_param or find to be called on klass and # return the record given. # # If no record is given but a hash or nil will create a stub based on -- cgit v1.2.3 From 420bfb326f974eec14b04d6a170ed2d28c14180f Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:36:27 +0200 Subject: clear token on logout with test --- users/test/functional/v1/sessions_controller_test.rb | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'users/test') diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb index 8a16997..ff9fca1 100644 --- a/users/test/functional/v1/sessions_controller_test.rb +++ b/users/test/functional/v1/sessions_controller_test.rb @@ -52,20 +52,18 @@ class V1::SessionsControllerTest < ActionController::TestCase assert_equal @user.id, token.user_id end - test "logout should reset warden user" do + test "logout should reset session" do expect_warden_logout delete :destroy assert_response 204 end - test "logout should remove token" do + test "logout should destroy token" do login expect_warden_logout - skip "TODO: implement token removal" - assert_difference "Token.count", -1 do - delete :destroy - assert_response 204 - end + @token.expects(:destroy) + delete :destroy + assert_response 204 end def expect_warden_logout @@ -76,5 +74,4 @@ class V1::SessionsControllerTest < ActionController::TestCase request.env['warden'].expects(:logout) end - end -- cgit v1.2.3 From 0b8df3c03f440147f36858246e1003a2d0e2e54a Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:51:56 +0200 Subject: make sure find_record still works with real records --- users/test/support/stub_record_helper.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'users/test') diff --git a/users/test/support/stub_record_helper.rb b/users/test/support/stub_record_helper.rb index b3460d2..5bccb66 100644 --- a/users/test/support/stub_record_helper.rb +++ b/users/test/support/stub_record_helper.rb @@ -1,15 +1,14 @@ module StubRecordHelper # - # We will stub find_by_param or find to be called on klass and + # We will stub find_by_param or find_by_id to be called on klass and # return the record given. # # If no record is given but a hash or nil will create a stub based on # that instead and returns the stub. # - def find_record(factory, attribs_hash = {}) - attribs_hash = attribs_hash.reverse_merge(:id => Random.rand(10000).to_s) - record = stub_record factory, attribs_hash + def find_record(factory, record_or_attribs_hash = {}) + record = stub_record factory, record_or_attribs_hash, true klass = record.class finder = klass.respond_to?(:find_by_param) ? :find_by_param : :find klass.stubs(finder).with(record.to_param.to_s).returns(record) -- cgit v1.2.3 From 5e6a2a2995598489372676bf8e045dc2dfda6c81 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:55:43 +0200 Subject: token.user will get you the right user This way we can stub the token to return the user directly. Stubbing User.find_by_param is not a good idea as it will make all calls to User#find_by_param with a different id fail. --- users/test/functional/test_helpers_test.rb | 2 +- users/test/support/auth_test_helper.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'users/test') diff --git a/users/test/functional/test_helpers_test.rb b/users/test/functional/test_helpers_test.rb index d1bdb64..9bd01ad 100644 --- a/users/test/functional/test_helpers_test.rb +++ b/users/test/functional/test_helpers_test.rb @@ -21,7 +21,7 @@ class TestHelpersTest < ActionController::TestCase def test_login_stubs_token login assert @token - assert_equal @current_user.id, @token.user_id + assert_equal @current_user, @token.user end def test_login_adds_token_header diff --git a/users/test/support/auth_test_helper.rb b/users/test/support/auth_test_helper.rb index ab6b1ac..47147fc 100644 --- a/users/test/support/auth_test_helper.rb +++ b/users/test/support/auth_test_helper.rb @@ -13,7 +13,7 @@ module AuthTestHelper if user_or_method_hash.respond_to?(:reverse_merge) user_or_method_hash.reverse_merge! :is_admin? => false end - @current_user = find_record(:user, user_or_method_hash) + @current_user = stub_record(:user, user_or_method_hash) request.env['warden'] = stub :user => @current_user request.env['HTTP_AUTHORIZATION'] = header_for_token_auth return @current_user @@ -41,7 +41,7 @@ module AuthTestHelper protected def header_for_token_auth - @token = find_record(:token, :user_id => @current_user.id) + @token = find_record(:token, :user => @current_user) ActionController::HttpAuthentication::Token.encode_credentials @token.id end end -- cgit v1.2.3 From 1e6e6d82ed53b1db558b7c1f4e14740962cc406a Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:56:41 +0200 Subject: separate different tests for showing non existant user This way the failed stubbing errors were more telling --- users/test/functional/users_controller_test.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'users/test') diff --git a/users/test/functional/users_controller_test.rb b/users/test/functional/users_controller_test.rb index 0ce5cc2..96ae48c 100644 --- a/users/test/functional/users_controller_test.rb +++ b/users/test/functional/users_controller_test.rb @@ -59,19 +59,23 @@ class UsersControllerTest < ActionController::TestCase assert_access_denied end - test "show for non-existing user" do + test "may not show non-existing user without auth" do nonid = 'thisisnotanexistinguserid' - # when unauthenticated: get :show, :id => nonid assert_access_denied(true, false) + end - # when authenticated but not admin: + test "may not show non-existing user without admin" do + nonid = 'thisisnotanexistinguserid' login + get :show, :id => nonid assert_access_denied + end - # when authenticated as admin: + test "redirect admin to user list for non-existing user" do + nonid = 'thisisnotanexistinguserid' login :is_admin? => true get :show, :id => nonid assert_response :redirect -- cgit v1.2.3 From d4a253d0564d4b1735fb8be5faac6a0fed174238 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 16:20:27 +0200 Subject: use token to update user password --- users/test/integration/api/python/flow_with_srp.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'users/test') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index d37c6af..72c513f 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -16,7 +16,8 @@ def id_generator(size=6, chars=string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for x in range(size)) # using globals for a start -server = 'https://dev.bitmask.net/1' +# server = 'https://dev.bitmask.net/1' +server = 'http://api.lvh.me:3000/1' login = 'test_' + id_generator() password = id_generator() + id_generator() @@ -41,15 +42,16 @@ def signup(session): } return session.post(server + '/users.json', data = user_params, verify = False) -def change_password(session): +def change_password(token): password = id_generator() + id_generator() salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) user_params = { 'user[password_verifier]': binascii.hexlify(vkey), 'user[password_salt]': binascii.hexlify(salt) } + auth_headers = { 'Authorization': 'Token token="' + token + '"'} print user_params - print_and_parse(session.put(server + '/users/' + auth['id'] + '.json', data = user_params, verify = False)) + print_and_parse(requests.put(server + '/users/' + auth['id'] + '.json', data = user_params, verify = False, headers = auth_headers)) return srp.User( login, password, srp.SHA256, srp.NG_1024 ) @@ -84,7 +86,7 @@ auth = print_and_parse(authenticate(session, user['login'])) verify_or_debug(auth) assert usr.authenticated() -usr = change_password(session) +usr = change_password(auth['token']) auth = print_and_parse(authenticate(session, user['login'])) verify_or_debug(auth) -- cgit v1.2.3 From fdf9c5f9ea605020ea371de8e221efe8e5d5ba32 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 16:35:09 +0200 Subject: refactor: Changing the py test to use less globals and session only locally. --- users/test/integration/api/python/flow_with_srp.py | 59 +++++++++++----------- 1 file changed, 30 insertions(+), 29 deletions(-) (limited to 'users/test') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index 72c513f..9fc168b 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -11,16 +11,31 @@ import binascii safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x) +# using globals for now +# server = 'https://dev.bitmask.net/1' +server = 'http://api.lvh.me:3000/1' + +def run_tests(): + login = 'test_' + id_generator() + password = id_generator() + id_generator() + usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) + print_and_parse(signup(login, password)) + + auth = print_and_parse(authenticate(usr)) + verify_or_debug(auth, usr) + assert usr.authenticated() + + usr = change_password(auth['id'], login, auth['token']) + + auth = print_and_parse(authenticate(usr)) + verify_or_debug(auth, usr) + # At this point the authentication process is complete. + assert usr.authenticated() + # let's have some random name def id_generator(size=6, chars=string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for x in range(size)) -# using globals for a start -# server = 'https://dev.bitmask.net/1' -server = 'http://api.lvh.me:3000/1' -login = 'test_' + id_generator() -password = id_generator() + id_generator() - # log the server communication def print_and_parse(response): request = response.request @@ -33,16 +48,16 @@ def print_and_parse(response): except ValueError: return None -def signup(session): +def signup(login, password): salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) user_params = { 'user[login]': login, 'user[password_verifier]': binascii.hexlify(vkey), 'user[password_salt]': binascii.hexlify(salt) } - return session.post(server + '/users.json', data = user_params, verify = False) + return requests.post(server + '/users.json', data = user_params, verify = False) -def change_password(token): +def change_password(user_id, login, token): password = id_generator() + id_generator() salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) user_params = { @@ -51,11 +66,12 @@ def change_password(token): } auth_headers = { 'Authorization': 'Token token="' + token + '"'} print user_params - print_and_parse(requests.put(server + '/users/' + auth['id'] + '.json', data = user_params, verify = False, headers = auth_headers)) + print_and_parse(requests.put(server + '/users/' + user_id + '.json', data = user_params, verify = False, headers = auth_headers)) return srp.User( login, password, srp.SHA256, srp.NG_1024 ) -def authenticate(session, login): +def authenticate(usr): + session = requests.session() uname, A = usr.start_authentication() params = { 'login': uname, @@ -63,10 +79,10 @@ def authenticate(session, login): } init = print_and_parse(session.post(server + '/sessions', data = params, verify=False)) M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) ) - return session.put(server + '/sessions/' + login, verify = False, + return session.put(server + '/sessions/' + uname, verify = False, data = {'client_auth': binascii.hexlify(M)}) -def verify_or_debug(auth): +def verify_or_debug(auth, usr): if ( 'errors' in auth ): print ' u = "%x"' % usr.u print ' x = "%x"' % usr.x @@ -77,19 +93,4 @@ def verify_or_debug(auth): else: usr.verify_session( safe_unhexlify(auth["M2"]) ) -usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) -session = requests.session() -user = print_and_parse(signup(session)) - -# SRP signup would happen here and calculate M hex -auth = print_and_parse(authenticate(session, user['login'])) -verify_or_debug(auth) -assert usr.authenticated() - -usr = change_password(auth['token']) - -auth = print_and_parse(authenticate(session, user['login'])) -verify_or_debug(auth) -# At this point the authentication process is complete. -assert usr.authenticated() - +run_tests() -- cgit v1.2.3