Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zerver/tests/test_auth_backends.py

3867 lines
197 KiB
Python
Raw Normal View History

Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# -*- coding: utf-8 -*-
auth: Create a new page hop for desktop auth. Create a new page for desktop auth flow, in which users can select one from going to the app or continue the flow in the browser. Co-authored-by: Mateusz Mandera <mateusz.mandera@protonmail.com>
2020-02-17 16:18:09 +01:00
from bs4 import BeautifulSoup
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
from django.conf import settings
ldap tests: Move test_ldap into test_auth_backends. These tests belong more in test_auth_backends rather than deserving their own separate file.
2019-11-01 23:26:49 +01:00
from django.contrib.auth import authenticate
api_fetch_api_key: Send new login emails for mobile.
2017-06-15 07:15:57 +02:00
from django.core import mail
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
from django.http import HttpResponse, HttpRequest
Make LoginEmailValidatorTestCase use ZulipTestCase instead of TestCase.
2017-05-25 02:29:42 +02:00
from django.test import override_settings
ldap tests: Change TestQueryLDAP tests to use the test ldap directory. Instead of mocking the _LDAPUser class, these tests can now take advantage of the test directory that other ldap are using. After these changes, test_query_email_attr also verifies that query_ldap can successfully be used to query by user email, if email search is configured.
2019-10-23 00:15:29 +02:00
from django_auth_ldap.backend import LDAPSearch, _LDAPUser
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
from django.test.client import RequestFactory
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
from django.utils.timezone import now as timezone_now
api: Remove unused /get_auth_backends endpoint. This legacy endpoint was designed for the original native Zulip mobile apps, which were deprecated years ago in favor of the React Native app. It was replaced by /server_settings for active use years ago, so it's safe to remove it now.
2019-11-01 05:12:11 +01:00
from typing import Any, Callable, Dict, List, Optional, Tuple
django-2.0: Shift to resolvers from urlresolvers. The old name is deprecated.
2018-01-30 06:05:25 +01:00
from django.urls import reverse
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
import responses
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
ldap: Do a proper search for email in email_belongs_to_ldap. This fixes a collection of bugs surrounding LDAP configurations A and C (i.e. LDAP_APPEND_DOMAIN=None) with EmailAuthBackend also enabled. The core problem was that our desired security model in that setting of requiring LDAP authentication for accounts managed by LDAP was not implementable without a way to Now admins can configure an LDAPSearch query that will find if there are users in LDAP that have the email address and email_belongs_to_ldap() will take advantage of that - no longer returning True in response to all requests and thus blocking email backend authentication. In the documentation, we describe this as mandatory configuration for users (and likely will make it so soon in the code) because the failure modes for this not being configured are confusing. But making that change is pending work to improve the relevant error messages. Fixes #11715.
2019-10-05 01:02:46 +02:00
import ldap
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
import jwt
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
import mock
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
import re
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
import datetime
test_auth_backends: Fix errors after rebasing. Apparently, the rate-limiting PR had some import conflicts with our recent authentication backend testing changes.
2020-02-03 05:21:29 +01:00
import time
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
from zerver.lib.actions import (
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
do_create_user,
do_create_realm,
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
do_deactivate_realm,
do_deactivate_user,
auth: Eliminate if/else block for PreregUser handling with/without SSO. Both branches did very similar things, and the code is better having common handling in all cases.
2019-12-10 18:45:36 +01:00
do_invite_users,
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
do_reactivate_realm,
do_reactivate_user,
ldap: Fix bad interaction between EMAIL_ADDRESS_VISIBILITY and LDAP sync. A block of LDAP integration code related to data synchronization did not correctly handle EMAIL_ADDRESS_VISIBILITY_ADMINS, as it was accessing .email, not .delivery_email, both for logging and doing the mapping between email addresses and LDAP users. Fixes #13539.
2019-12-15 20:10:09 +01:00
do_set_realm_property,
refactoring: Replaced occurences of create_stream_if_needed. Issue #2088 asked for a wrapper to be created for `create_stream_if_needed` (called `ensure_stream`) for the 25 times that `create_stream_if_needed` is called and ignores whether the stream was created. This commit replaces relevant occurences of `create_stream_if_needed` with `ensure_stream`, including imports. The changes weren't significant enough to add any tests or do any additional manual testing. The refactoring intended to make the API easier to use in most cases. The majority of uses of `create_stream_if_needed` ignored the second parameter. Fixes: #2088.
2018-03-21 22:05:21 +01:00
ensure_stream,
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
)
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
from zerver.lib.avatar import avatar_url
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
from zerver.lib.avatar_hash import user_avatar_path
ldap: Extract dev_ldap_directory.py. This gets what is fundamentally unit testing code out of backends.py.
2018-12-13 22:46:37 +01:00
from zerver.lib.dev_ldap_directory import generate_dev_ldap_dir
refactor: Extract validate_email_is_valid(). This has two goals: - sets up a future commit to bulk-validate emails - the extracted function is more simple, since it just has errors, and no codes or deactivated flags This commit leaves us in a somewhat funny intermediate state where we have `action.validate_email` being a glorified two-line function with strange parameters, but subsequent commits will clean this up: - we will eliminate validate_email - we will move most of the guts of its other callee to lib/email_validation.py To be clear, the code is correct here, just kinda in an ugly, temporarily-disorganized intermediate state.
2020-03-02 22:26:24 +01:00
from zerver.lib.email_validation import get_realm_email_validator, \
tests: Avoid calling actions.validate_email(). We are trying to kill off `validate_email`, so we no longer call it from these tests. These tests are already kind of low-level in nature, so testing the more specific helpers here should be fine. Note that we also make the third parameter to `validate_email` non-optional in this commit, to preserve 100% coverage. This is really just refactoring noise--we will soon eliminate the entire function, but I didn't want to do everything in a huge commit.
2020-03-06 12:47:33 +01:00
validate_email_is_valid, get_existing_user_errors
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
from zerver.lib.exceptions import RateLimited
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
from zerver.lib.mobile_auth_otp import otp_decrypt_api_key
auth: Add new route to get server settings. Specifically, this makes easily available to the desktop and mobile apps data on the server's configuration, including important details like the realm icon, name, and description. It deprecates /api/v1/get_auth_backends.
2017-05-04 01:13:56 +02:00
from zerver.lib.validator import validate_login_email, \
auth: Add social_backends to /server_settings.
2019-10-22 01:33:44 +02:00
check_bool, check_dict_only, check_list, check_string, Validator
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
from zerver.lib.rate_limiter import add_ratelimit_rule, remove_ratelimit_rule, clear_history
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
from zerver.lib.request import JsonableError
settings: Unset STATIC_ROOT in development. Django’s default FileSystemFinder disallows STATICFILES_DIRS from containing STATIC_ROOT (by raising an ImproperlyConfigured exception), because STATIC_ROOT is supposed to be the result of collecting all the static files in the project, not one of the potentially many sources of static files. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-07-17 02:29:08 +02:00
from zerver.lib.storage import static_path
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
from zerver.lib.upload import resize_avatar, MEDIUM_AVATAR_SIZE
test_auth_backends: Fix errors after rebasing. Apparently, the rate-limiting PR had some import conflicts with our recent authentication backend testing changes.
2020-02-03 05:21:29 +01:00
from zerver.lib.users import get_all_api_keys
auth: Use tokens, with data stored in redis, for log_into_subdomain. The desktop otp flow (to be added in next commits) will want to generate one-time tokens for the app that will allow it to obtain an authenticated session. log_into_subdomain will be the endpoint to pass the one-time token to. Currently it uses signed data as its input "tokens", which is not compatible with the otp flow, which requires simpler (and fixed-length) token. Thus the correct scheme to use is to store the authenticated data in redis and return a token tied to the data, which should be passed to the log_into_subdomain endpoint. In this commit, we replace the "pass signed data around" scheme with the redis scheme, because there's no point having both.
2020-01-23 12:21:55 +01:00
from zerver.lib.utils import generate_random_token
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
from zerver.lib.initial_password import initial_password
tests: Split out ZulipTestCase and WebhookTestCase to a separate file. Fixes #1671.
2016-11-10 19:30:09 +01:00
from zerver.lib.test_classes import (
ZulipTestCase,
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
)
from zerver.models import \
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
get_realm, email_to_username, CustomProfileField, CustomProfileFieldValue, \
models: Fix performance of supported_auth_backends with caching. See the comment, but this is a significant performance optimization for all of our pages using common_context, because this code path is called more than a dozen times (recursively) by common_context.
2019-03-17 22:19:53 +01:00
UserProfile, PreregistrationUser, Realm, RealmDomain, get_user, MultiuseInvite, \
auth: Use zxcvbn to ensure password strength on server side. For a long time, we've been only doing the zxcvbn password strength checks on the browser, which is helpful, but means users could through hackery (or a bug in the frontend validation code) manage to set a too-weak password. We fix this by running our password strength validation on the backend as well, using python-zxcvbn. In theory, a bug in python-zxcvbn could result in it producing a different opinion than the frontend version; if so, it'd be a pretty bad bug in the library, and hopefully we'd hear about it from users, report upstream, and get it fixed that way. Alternatively, we can switch to shelling out to node like we do for KaTeX. Fixes #6880.
2019-11-18 08:11:03 +01:00
clear_supported_auth_backends_cache, PasswordTooWeakError
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
from zerver.signals import JUST_CREATED_THRESHOLD
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
zerver/tests: Remove unused imports. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2019-02-02 23:53:44 +01:00
from confirmation.models import Confirmation, create_confirmation_link
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
from zproject.backends import ZulipDummyBackend, EmailAuthBackend, \
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
GoogleAuthBackend, ZulipRemoteUserBackend, ZulipLDAPAuthBackend, \
auth: Add support for GitLab authentication. With some tweaks by tabbott to the documentation and comments. Fixes #13694.
2020-01-31 18:19:53 +01:00
ZulipLDAPUserPopulator, DevAuthBackend, GitHubAuthBackend, GitLabAuthBackend, ZulipAuthMixin, \
dev_auth_enabled, password_auth_enabled, github_auth_enabled, gitlab_auth_enabled, \
google_auth_enabled, require_email_format_usernames, AUTH_BACKEND_NAME_MAP, \
ldap tests: Move test_ldap into test_auth_backends. These tests belong more in test_auth_backends rather than deserving their own separate file.
2019-11-01 23:26:49 +01:00
ZulipLDAPConfigurationError, ZulipLDAPExceptionNoMatchingLDAPUser, ZulipLDAPExceptionOutsideDomain, \
ldap: Fix unintended user deactivation in case of connection failure. Fixes #13130. django_auth_ldap doesn't give any other way of detecting that LDAPError happened other than catching the signal it emits - so we have to register a receiver. In the receiver we just raise our own Exception which will properly propagate without being silenced by django_auth_ldap. This will stop execution before the user gets deactivated.
2019-09-04 10:11:25 +02:00
ZulipLDAPException, query_ldap, sync_user_from_ldap, SocialAuthMixin, \
auth: Add social_backends to /server_settings.
2019-10-22 01:33:44 +02:00
PopulateUserLDAPError, SAMLAuthBackend, saml_auth_enabled, email_belongs_to_ldap, \
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
get_external_method_dicts, AzureADAuthBackend, check_password_strength, \
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
ZulipLDAPUser, RateLimitedAuthenticationByUsername
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
from zerver.views.auth import (maybe_send_to_registration,
auth: Use tokens, with data stored in redis, for log_into_subdomain. The desktop otp flow (to be added in next commits) will want to generate one-time tokens for the app that will allow it to obtain an authenticated session. log_into_subdomain will be the endpoint to pass the one-time token to. Currently it uses signed data as its input "tokens", which is not compatible with the otp flow, which requires simpler (and fixed-length) token. Thus the correct scheme to use is to store the authenticated data in redis and return a token tied to the data, which should be passed to the log_into_subdomain endpoint. In this commit, we replace the "pass signed data around" scheme with the redis scheme, because there's no point having both.
2020-01-23 12:21:55 +01:00
store_login_data, LOGIN_TOKEN_LENGTH)
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
from onelogin.saml2.auth import OneLogin_Saml2_Auth
from onelogin.saml2.response import OneLogin_Saml2_Response
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
from social_core.exceptions import AuthFailed, AuthStateForbidden
Revert "github: Call the appropriate authenticate." This reverts commit ab260731a98b8edd4884826cedbb042981e1dfff. The overridden authenticate method was buggy.
2017-04-19 19:05:04 +02:00
from social_django.strategy import DjangoStrategy
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
from social_django.storage import BaseDjangoStorage
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
import base64
auth: Change SAML login url scheme, enabling multiple IdP support. The url scheme is now /accounts/login/social/saml/{idp_name} to initiate login using the IdP configured under "idp_name" name. display_name and display_logo (the name and icon to show on the "Log in with" button) can be customized by adding the apprioprate settings in the configured IdP dictionaries.
2019-10-22 18:23:57 +02:00
import copy
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
import json
Change urllib import to be Python 3-specific.
2017-11-05 05:30:31 +01:00
import urllib
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
import ujson
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
from zerver.lib.test_helpers import load_subdomain_token, \
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
use_s3_backend, create_s3_buckets, get_test_image_file
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
class AuthBackendTest(ZulipTestCase):
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def get_username(self, email_to_username: Optional[Callable[[str], str]]=None) -> str:
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
username = self.example_email('hamlet')
test_auth_backends.py: Add get_username().
2017-03-28 11:11:29 +02:00
if email_to_username is not None:
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
username = email_to_username(self.example_email('hamlet'))
test_auth_backends.py: Add get_username().
2017-03-28 11:11:29 +02:00
return username
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def verify_backend(self, backend: Any, good_kwargs: Optional[Dict[str, Any]]=None, bad_kwargs: Optional[Dict[str, Any]]=None) -> None:
models: Fix performance of supported_auth_backends with caching. See the comment, but this is a significant performance optimization for all of our pages using common_context, because this code path is called more than a dozen times (recursively) by common_context.
2019-03-17 22:19:53 +01:00
clear_supported_auth_backends_cache()
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
assert good_kwargs is not None
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# If bad_kwargs was specified, verify auth fails in that case
if bad_kwargs is not None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**bad_kwargs))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Verify auth works
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
result = backend.authenticate(**good_kwargs)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertEqual(user_profile, result)
# Verify auth fails with a deactivated user
do_deactivate_user(user_profile)
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
result = backend.authenticate(**good_kwargs)
if isinstance(backend, SocialAuthMixin):
# Returns a redirect to login page with an error.
self.assertEqual(result.status_code, 302)
auth: Redirect deactivated user to /login when attempting social login. (#12130)
2019-04-17 21:28:57 +02:00
self.assertEqual(result.url, "/login/?is_deactivated=true")
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
else:
# Just takes you back to the login page treating as
# invalid auth; this is correct because the form will
# provide the appropriate validation error for deactivated
# account.
self.assertIsNone(result)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Reactivate the user and verify auth works again
do_reactivate_user(user_profile)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
result = backend.authenticate(**good_kwargs)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertEqual(user_profile, result)
# Verify auth fails with a deactivated realm
do_deactivate_realm(user_profile.realm)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Verify auth works again after reactivating the realm
do_reactivate_realm(user_profile.realm)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
result = backend.authenticate(**good_kwargs)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertEqual(user_profile, result)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
# ZulipDummyBackend isn't a real backend so the remainder
# doesn't make sense for it
if isinstance(backend, ZulipDummyBackend):
return
# Verify auth fails if the auth backend is disabled on server
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipDummyBackend',)):
models: Fix performance of supported_auth_backends with caching. See the comment, but this is a significant performance optimization for all of our pages using common_context, because this code path is called more than a dozen times (recursively) by common_context.
2019-03-17 22:19:53 +01:00
clear_supported_auth_backends_cache()
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
models: Fix performance of supported_auth_backends with caching. See the comment, but this is a significant performance optimization for all of our pages using common_context, because this code path is called more than a dozen times (recursively) by common_context.
2019-03-17 22:19:53 +01:00
clear_supported_auth_backends_cache()
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
# Verify auth fails if the auth backend is disabled for the realm
for backend_name in AUTH_BACKEND_NAME_MAP.keys():
if isinstance(backend, AUTH_BACKEND_NAME_MAP[backend_name]):
break
index = getattr(user_profile.realm.authentication_methods, backend_name).number
user_profile.realm.authentication_methods.set_bit(index, False)
user_profile.realm.save()
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
if 'realm' in good_kwargs:
# Because this test is a little unfaithful to the ordering
# (i.e. we fetched the realm object before this function
# was called, when in fact it should be fetched after we
# changed the allowed authentication methods), we need to
# propagate the changes we just made to the actual realm
# object in good_kwargs.
good_kwargs['realm'] = user_profile.realm
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
user_profile.realm.authentication_methods.set_bit(index, True)
user_profile.realm.save()
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_dummy_backend(self) -> None:
DummyAuthBackend: Require being passed a realm object. We should now always know the realm in our auth code paths.
2017-10-03 02:29:20 +02:00
realm = get_realm("zulip")
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.verify_backend(ZulipDummyBackend(),
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
good_kwargs=dict(username=username,
DummyAuthBackend: Require being passed a realm object. We should now always know the realm in our auth code paths.
2017-10-03 02:29:20 +02:00
realm=realm,
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
use_dummy_backend=True),
bad_kwargs=dict(username=username,
DummyAuthBackend: Require being passed a realm object. We should now always know the realm in our auth code paths.
2017-10-03 02:29:20 +02:00
realm=realm,
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
use_dummy_backend=False))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def setup_subdomain(self, user_profile: UserProfile) -> None:
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
realm = user_profile.realm
models.Realm: Rename subdomain to string_id. Does a database migration to rename Realm.subdomain to Realm.string_id, and makes Realm.subdomain a property. Eventually, Realm.string_id will replace Realm.domain as the handle by which we retrieve Realm objects.
2016-10-26 18:13:43 +02:00
realm.string_id = 'zulip'
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
realm.save()
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_email_auth_backend(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
password = "testpassword"
user_profile.set_password(password)
user_profile.save()
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
with mock.patch('zproject.backends.email_auth_enabled',
return_value=False), \
mock.patch('zproject.backends.password_auth_enabled',
return_value=True):
return_data = {} # type: Dict[str, bool]
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user = EmailAuthBackend().authenticate(request=mock.MagicMock(),
username=self.example_email('hamlet'),
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm("zulip"),
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
password=password,
return_data=return_data)
self.assertEqual(user, None)
self.assertTrue(return_data['email_auth_disabled'])
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
self.verify_backend(EmailAuthBackend(),
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
good_kwargs=dict(request=mock.MagicMock(),
password=password,
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username=username,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
return_data=dict()),
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
bad_kwargs=dict(request=mock.MagicMock(),
password=password,
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
username=username,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zephyr'),
return_data=dict()))
self.verify_backend(EmailAuthBackend(),
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
good_kwargs=dict(request=mock.MagicMock(),
password=password,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
username=username,
realm=get_realm('zulip'),
return_data=dict()),
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
bad_kwargs=dict(request=mock.MagicMock(),
password=password,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
username=username,
authenticate: Remove default values for required parameters. It is now the caller’s responsibility to check that realm is not None. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 01:04:48 +02:00
realm=get_realm('zephyr'),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
return_data=dict()))
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
CVE-2019-18933: Fix insecure account creation via social authentication. A bug in Zulip's new user signup process meant that users who registered their account using social authentication (e.g. GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account. Zulip versions between 1.7.0 and 2.0.6 were affected. This commit fixes the original bug and also contains a database migration to fix any users with corrupt `password` fields in the database as a result of the bug. Out of an abundance of caution (and to protect the users of any installations that delay applying this commit), the migration also resets the API keys of any users where Zulip's logs cannot prove the user's API key was not previously stolen via this bug. Resetting those API keys will be inconvenient for users: * Users of the Zulip mobile and terminal apps whose API keys are reset will be logged out and need to login again. * Users using their personal API keys for any other reason will need to re-fetch their personal API key. We discovered this bug internally and don't believe it was disclosed prior to our publishing it through this commit. Because the algorithm for determining which users might have been affected is very conservative, many users who were never at risk will have their API keys reset by this migration. To avoid this on self-hosted installations that have always used e.g. LDAP authentication, we skip resetting API keys on installations that don't have password authentication enabled. System administrators on installations that used to have email authentication enabled, but no longer do, should temporarily enable EmailAuthBackend before applying this migration. The migration also records which users had their passwords or API keys reset in the usual RealmAuditLog table.
2019-11-18 07:57:36 +01:00
def test_email_auth_backend_empty_password(self) -> None:
user_profile = self.example_user('hamlet')
password = "testpassword"
user_profile.set_password(password)
user_profile.save()
# First, verify authentication works with the a nonempty
# password so we know we've set up the test correctly.
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
self.assertIsNotNone(EmailAuthBackend().authenticate(request=mock.MagicMock(),
username=self.example_email('hamlet'),
CVE-2019-18933: Fix insecure account creation via social authentication. A bug in Zulip's new user signup process meant that users who registered their account using social authentication (e.g. GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account. Zulip versions between 1.7.0 and 2.0.6 were affected. This commit fixes the original bug and also contains a database migration to fix any users with corrupt `password` fields in the database as a result of the bug. Out of an abundance of caution (and to protect the users of any installations that delay applying this commit), the migration also resets the API keys of any users where Zulip's logs cannot prove the user's API key was not previously stolen via this bug. Resetting those API keys will be inconvenient for users: * Users of the Zulip mobile and terminal apps whose API keys are reset will be logged out and need to login again. * Users using their personal API keys for any other reason will need to re-fetch their personal API key. We discovered this bug internally and don't believe it was disclosed prior to our publishing it through this commit. Because the algorithm for determining which users might have been affected is very conservative, many users who were never at risk will have their API keys reset by this migration. To avoid this on self-hosted installations that have always used e.g. LDAP authentication, we skip resetting API keys on installations that don't have password authentication enabled. System administrators on installations that used to have email authentication enabled, but no longer do, should temporarily enable EmailAuthBackend before applying this migration. The migration also records which users had their passwords or API keys reset in the usual RealmAuditLog table.
2019-11-18 07:57:36 +01:00
password=password,
realm=get_realm("zulip")))
# Now do the same test with the empty string as the password.
password = ""
auth: Use zxcvbn to ensure password strength on server side. For a long time, we've been only doing the zxcvbn password strength checks on the browser, which is helpful, but means users could through hackery (or a bug in the frontend validation code) manage to set a too-weak password. We fix this by running our password strength validation on the backend as well, using python-zxcvbn. In theory, a bug in python-zxcvbn could result in it producing a different opinion than the frontend version; if so, it'd be a pretty bad bug in the library, and hopefully we'd hear about it from users, report upstream, and get it fixed that way. Alternatively, we can switch to shelling out to node like we do for KaTeX. Fixes #6880.
2019-11-18 08:11:03 +01:00
with self.assertRaises(PasswordTooWeakError):
# UserProfile.set_password protects against setting an empty password.
user_profile.set_password(password)
# We do want to force an empty password for this test, so we bypass the protection
# by using Django's version of this method.
super(UserProfile, user_profile).set_password(password)
CVE-2019-18933: Fix insecure account creation via social authentication. A bug in Zulip's new user signup process meant that users who registered their account using social authentication (e.g. GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account. Zulip versions between 1.7.0 and 2.0.6 were affected. This commit fixes the original bug and also contains a database migration to fix any users with corrupt `password` fields in the database as a result of the bug. Out of an abundance of caution (and to protect the users of any installations that delay applying this commit), the migration also resets the API keys of any users where Zulip's logs cannot prove the user's API key was not previously stolen via this bug. Resetting those API keys will be inconvenient for users: * Users of the Zulip mobile and terminal apps whose API keys are reset will be logged out and need to login again. * Users using their personal API keys for any other reason will need to re-fetch their personal API key. We discovered this bug internally and don't believe it was disclosed prior to our publishing it through this commit. Because the algorithm for determining which users might have been affected is very conservative, many users who were never at risk will have their API keys reset by this migration. To avoid this on self-hosted installations that have always used e.g. LDAP authentication, we skip resetting API keys on installations that don't have password authentication enabled. System administrators on installations that used to have email authentication enabled, but no longer do, should temporarily enable EmailAuthBackend before applying this migration. The migration also records which users had their passwords or API keys reset in the usual RealmAuditLog table.
2019-11-18 07:57:36 +01:00
user_profile.save()
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
self.assertIsNone(EmailAuthBackend().authenticate(request=mock.MagicMock(),
username=self.example_email('hamlet'),
CVE-2019-18933: Fix insecure account creation via social authentication. A bug in Zulip's new user signup process meant that users who registered their account using social authentication (e.g. GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account. Zulip versions between 1.7.0 and 2.0.6 were affected. This commit fixes the original bug and also contains a database migration to fix any users with corrupt `password` fields in the database as a result of the bug. Out of an abundance of caution (and to protect the users of any installations that delay applying this commit), the migration also resets the API keys of any users where Zulip's logs cannot prove the user's API key was not previously stolen via this bug. Resetting those API keys will be inconvenient for users: * Users of the Zulip mobile and terminal apps whose API keys are reset will be logged out and need to login again. * Users using their personal API keys for any other reason will need to re-fetch their personal API key. We discovered this bug internally and don't believe it was disclosed prior to our publishing it through this commit. Because the algorithm for determining which users might have been affected is very conservative, many users who were never at risk will have their API keys reset by this migration. To avoid this on self-hosted installations that have always used e.g. LDAP authentication, we skip resetting API keys on installations that don't have password authentication enabled. System administrators on installations that used to have email authentication enabled, but no longer do, should temporarily enable EmailAuthBackend before applying this migration. The migration also records which users had their passwords or API keys reset in the usual RealmAuditLog table.
2019-11-18 07:57:36 +01:00
password=password,
realm=get_realm("zulip")))
zerver/tests: Use python 3 syntax for typing (part 4).
2017-11-20 03:22:57 +01:00
def test_email_auth_backend_disabled_password_auth(self) -> None:
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
password = "testpassword"
user_profile.set_password(password)
user_profile.save()
# Verify if a realm has password auth disabled, correct password is rejected
with mock.patch('zproject.backends.password_auth_enabled', return_value=False):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
self.assertIsNone(EmailAuthBackend().authenticate(request=mock.MagicMock(),
username=self.example_email('hamlet'),
authenticate: Use keyword-only parameters. Since positional arguments are interpreted differently by different backends in Django's authentication backend system, it’s safer to disallow them. This had been the motivation for previously declaring the parameters with default values when we were on Python 2, but that was not super effective because Python has no rule against positional default arguments and that convention for our authentication backends was solely enforced by code review. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-08 02:18:34 +02:00
password=password,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm("zulip")))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
org settings: Add organization profile preview option. This should make it convenient and obvious how verify that their organization profile looks nice after being markdown-rendered. Fixes #12105.
2019-04-13 09:37:53 +02:00
def test_login_preview(self) -> None:
# Test preview=true displays organization login page
# instead of redirecting to app
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
self.login('iago')
org settings: Add organization profile preview option. This should make it convenient and obvious how verify that their organization profile looks nice after being markdown-rendered. Fixes #12105.
2019-04-13 09:37:53 +02:00
realm = get_realm("zulip")
result = self.client_get('/login/?preview=true')
self.assertEqual(result.status_code, 200)
self.assert_in_response(realm.description, result)
self.assert_in_response(realm.name, result)
self.assert_in_response("Log in to Zulip", result)
data = dict(description=ujson.dumps("New realm description"),
name=ujson.dumps("New Zulip"))
result = self.client_patch('/json/realm', data)
self.assert_json_success(result)
result = self.client_get('/login/?preview=true')
self.assertEqual(result.status_code, 200)
self.assert_in_response("New realm description", result)
self.assert_in_response("New Zulip", result)
result = self.client_get('/login/')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, 'http://zulip.testserver')
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipDummyBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_no_backend_enabled(self) -> None:
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
result = self.client_get('/login/')
self.assert_in_success_response(["No authentication backends are enabled"], result)
result = self.client_get('/register/')
self.assert_in_success_response(["No authentication backends are enabled"], result)
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_any_backend_enabled(self) -> None:
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
# testing to avoid false error messages.
result = self.client_get('/login/')
AuthBackendTest: Fix typos in error message checks. Previously, these checks did nothing.
2018-06-05 08:39:01 +02:00
self.assert_not_in_success_response(["No authentication backends are enabled"], result)
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
result = self.client_get('/register/')
AuthBackendTest: Fix typos in error message checks. Previously, these checks did nothing.
2018-06-05 08:39:01 +02:00
self.assert_not_in_success_response(["No authentication backends are enabled"], result)
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
LDAP_EMAIL_ATTR="mail")
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_backend(self) -> None:
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
self.init_default_ldap_database()
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password = self.ldap_password('hamlet')
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
self.setup_subdomain(user_profile)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
backend = ZulipLDAPAuthBackend()
# Test LDAP auth fails when LDAP server rejects password
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
self.assertIsNone(backend.authenticate(request=mock.MagicMock(), username=email,
password="wrongpass", realm=get_realm("zulip")))
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
self.verify_backend(backend,
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
bad_kwargs=dict(request=mock.MagicMock(),
username=username,
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
password=password,
realm=get_realm('zephyr')),
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
good_kwargs=dict(request=mock.MagicMock(),
username=username,
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
password=password,
realm=get_realm('zulip')))
self.verify_backend(backend,
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
bad_kwargs=dict(request=mock.MagicMock(),
username=username,
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
password=password,
realm=get_realm('zephyr')),
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
good_kwargs=dict(request=mock.MagicMock(),
username=username,
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
password=password,
realm=get_realm('zulip')))
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_devauth_backend(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.verify_backend(DevAuthBackend(),
auth: Convert DevAuthBackend to accept a realm object.
2017-11-21 21:19:20 +01:00
good_kwargs=dict(dev_auth_username=self.get_username(),
realm=get_realm("zulip")),
bad_kwargs=dict(dev_auth_username=self.get_username(),
authenticate: Remove default values for required parameters. It is now the caller’s responsibility to check that realm is not None. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 01:04:48 +02:00
realm=get_realm("zephyr")))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_remote_user_backend(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
self.verify_backend(ZulipRemoteUserBackend(),
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
good_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm('zulip')),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm('zephyr')))
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
mypy: Use Python 3 type syntax in tests/test_auth_backends.py.
2017-12-09 06:57:59 +01:00
def test_remote_user_backend_invalid_realm(self) -> None:
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
username = self.get_username()
self.verify_backend(ZulipRemoteUserBackend(),
good_kwargs=dict(remote_user=username,
realm=get_realm('zulip')),
bad_kwargs=dict(remote_user=username,
authenticate: Remove default values for required parameters. It is now the caller’s responsibility to check that realm is not None. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 01:04:48 +02:00
realm=get_realm('zephyr')))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
@override_settings(SSO_APPEND_DOMAIN='zulip.com')
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_remote_user_backend_sso_append_domain(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username(email_to_username)
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
self.verify_backend(ZulipRemoteUserBackend(),
good_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm("zulip")),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm('zephyr')))
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GitHubAuthBackend',
'zproject.backends.GoogleAuthBackend'))
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
def test_social_auth_backends(self) -> None:
test: Use example_user() in more places. This commit replaces calls to get_user_profile_by_email() with calls to self.example_user() by introducing a local variable.
2017-05-08 16:23:43 +02:00
user = self.example_user('hamlet')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
github_email_data = [
dict(email=user.email,
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
verified=True,
primary=True),
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
dict(email="nonprimary@zulip.com",
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
verified=True),
dict(email="ignored@example.com",
verified=False),
]
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
google_email_data = dict(email=user.email,
name=user.full_name,
email_verified=True)
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
backends_to_test = {
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
'google': {
'urls': [
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
# The limited process that we test here doesn't require mocking any urls.
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
],
'backend': GoogleAuthBackend,
},
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
'github': {
'urls': [
{
'url': "https://api.github.com/user/emails",
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
'method': responses.GET,
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
'status': 200,
'body': json.dumps(github_email_data),
},
],
'backend': GitHubAuthBackend,
}
} # type: Dict[str, Any]
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
authenticate: Use keyword-only parameters. Since positional arguments are interpreted differently by different backends in Django's authentication backend system, it’s safer to disallow them. This had been the motivation for previously declaring the parameters with default values when we were on Python 2, but that was not super effective because Python has no rule against positional default arguments and that convention for our authentication backends was solely enforced by code review. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-08 02:18:34 +02:00
def patched_authenticate(**kwargs: Any) -> Any:
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
# This is how we pass the subdomain to the authentication
# backend in production code, so we need to do this setup
# here.
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
if 'subdomain' in kwargs:
backend.strategy.session_set("subdomain", kwargs["subdomain"])
del kwargs['subdomain']
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
# Because we're not simulating the full python-social-auth
# pipeline here, we need to provide the user's choice of
# which email to select in the partial phase of the
# pipeline when we display an email picker for the GitHub
# authentication backend. We do that here.
def return_email() -> Dict[str, str]:
return {'email': user.email}
backend.strategy.request_data = return_email
authenticate: Use keyword-only parameters. Since positional arguments are interpreted differently by different backends in Django's authentication backend system, it’s safer to disallow them. This had been the motivation for previously declaring the parameters with default values when we were on Python 2, but that was not super effective because Python has no rule against positional default arguments and that convention for our authentication backends was solely enforced by code review. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-08 02:18:34 +02:00
result = orig_authenticate(backend, **kwargs)
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
return result
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
def patched_get_verified_emails(*args: Any, **kwargs: Any) -> Any:
return google_email_data['email']
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
for backend_name in backends_to_test:
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
with responses.RequestsMock(assert_all_requests_are_fired=True) as requests_mock:
urls = backends_to_test[backend_name]['urls'] # type: List[Dict[str, Any]]
for details in urls:
requests_mock.add(
details['method'],
details['url'],
status=details['status'],
body=details['body'])
backend_class = backends_to_test[backend_name]['backend']
backend = backend_class()
backend.strategy = DjangoStrategy(storage=BaseDjangoStorage())
orig_authenticate = backend_class.authenticate
backend.authenticate = patched_authenticate
orig_get_verified_emails = backend_class.get_verified_emails
if backend_name == "google":
backend.get_verified_emails = patched_get_verified_emails
good_kwargs = dict(backend=backend, strategy=backend.strategy,
storage=backend.strategy.storage,
response=token_data_dict,
subdomain='zulip')
bad_kwargs = dict(subdomain='acme')
with mock.patch('zerver.views.auth.redirect_and_log_into_subdomain',
return_value=user):
self.verify_backend(backend,
good_kwargs=good_kwargs,
bad_kwargs=bad_kwargs)
bad_kwargs['subdomain'] = "zephyr"
self.verify_backend(backend,
good_kwargs=good_kwargs,
bad_kwargs=bad_kwargs)
backend.authenticate = orig_authenticate
backend.get_verified_emails = orig_get_verified_emails
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
class RateLimitAuthenticationTests(ZulipTestCase):
@override_settings(RATE_LIMITING_AUTHENTICATE=True)
def do_test_auth_rate_limiting(self,
attempt_authentication_func: Callable[[HttpRequest, str, str],
Optional[UserProfile]],
username: str, correct_password: str, wrong_password: str,
expected_user_profile: UserProfile) -> None:
# We have to mock RateLimitedAuthenticationByUsername.key_fragment to avoid key collisions
# if tests run in parallel.
original_key_fragment_method = RateLimitedAuthenticationByUsername.key_fragment
salt = generate_random_token(32)
def _mock_key_fragment(self: RateLimitedAuthenticationByUsername) -> str:
return "{}:{}".format(salt, original_key_fragment_method(self))
def attempt_authentication(username: str, password: str) -> Optional[UserProfile]:
request = HttpRequest()
return attempt_authentication_func(request, username, password)
rate_limiter: Rename authenticate domain to authenticate_by_username. This prepares for adding authenticate_by_ip_address.
2019-12-30 21:17:11 +01:00
add_ratelimit_rule(10, 2, domain='authenticate_by_username')
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
with mock.patch.object(RateLimitedAuthenticationByUsername, 'key_fragment', new=_mock_key_fragment):
try:
start_time = time.time()
with mock.patch('time.time', return_value=start_time):
self.assertIsNone(attempt_authentication(username, wrong_password))
self.assertIsNone(attempt_authentication(username, wrong_password))
# 2 failed attempts is the limit, so the next ones should get blocked,
# even with the correct password.
with self.assertRaises(RateLimited):
attempt_authentication(username, correct_password)
with self.assertRaises(RateLimited):
attempt_authentication(username, wrong_password)
# After enough time passes, more authentication attempts can be made:
with mock.patch('time.time', return_value=start_time + 11.0):
self.assertIsNone(attempt_authentication(username, wrong_password))
self.assertEqual(attempt_authentication(username, correct_password), expected_user_profile) # Correct password
# A correct login attempt should reset the rate limits for this user profile,
# so the next two attempts shouldn't get limited:
self.assertIsNone(attempt_authentication(username, wrong_password))
self.assertIsNone(attempt_authentication(username, wrong_password))
# But the third attempt goes over the limit:
with self.assertRaises(RateLimited):
attempt_authentication(username, wrong_password)
finally:
# Clean up to avoid affecting other tests.
clear_history(RateLimitedAuthenticationByUsername(username))
rate_limiter: Rename authenticate domain to authenticate_by_username. This prepares for adding authenticate_by_ip_address.
2019-12-30 21:17:11 +01:00
remove_ratelimit_rule(10, 2, domain='authenticate_by_username')
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
def test_email_auth_backend_user_based_rate_limiting(self) -> None:
user_profile = self.example_user('hamlet')
password = "testpassword"
user_profile.set_password(password)
user_profile.save()
def attempt_authentication(request: HttpRequest, username: str, password: str) -> Optional[UserProfile]:
return EmailAuthBackend().authenticate(request=request,
username=username,
realm=get_realm("zulip"),
password=password,
return_data=dict())
self.do_test_auth_rate_limiting(attempt_authentication, user_profile.email, password, 'wrong_password',
user_profile)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
LDAP_EMAIL_ATTR="mail")
def test_ldap_backend_user_based_rate_limiting(self) -> None:
self.init_default_ldap_database()
user_profile = self.example_user('hamlet')
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password = self.ldap_password('hamlet')
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
def attempt_authentication(request: HttpRequest, username: str, password: str) -> Optional[UserProfile]:
return ZulipLDAPAuthBackend().authenticate(request=request,
username=username,
realm=get_realm("zulip"),
password=password,
return_data=dict())
self.do_test_auth_rate_limiting(attempt_authentication, user_profile.email, password, 'wrong_password',
user_profile)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.ZulipLDAPAuthBackend'),
LDAP_EMAIL_ATTR="mail")
def test_email_and_ldap_backends_user_based_rate_limiting(self) -> None:
self.init_default_ldap_database()
user_profile = self.example_user('hamlet')
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
ldap_password = self.ldap_password('hamlet')
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
email_password = "email_password"
user_profile.set_password(email_password)
user_profile.save()
def attempt_authentication(request: HttpRequest, username: str, password: str) -> Optional[UserProfile]:
return authenticate(request=request,
username=username,
realm=get_realm("zulip"),
password=password,
return_data=dict())
self.do_test_auth_rate_limiting(attempt_authentication, user_profile.email,
email_password, 'wrong_password',
user_profile)
self.do_test_auth_rate_limiting(attempt_authentication, user_profile.email,
ldap_password, 'wrong_password',
user_profile)
auth: Use zxcvbn to ensure password strength on server side. For a long time, we've been only doing the zxcvbn password strength checks on the browser, which is helpful, but means users could through hackery (or a bug in the frontend validation code) manage to set a too-weak password. We fix this by running our password strength validation on the backend as well, using python-zxcvbn. In theory, a bug in python-zxcvbn could result in it producing a different opinion than the frontend version; if so, it'd be a pretty bad bug in the library, and hopefully we'd hear about it from users, report upstream, and get it fixed that way. Alternatively, we can switch to shelling out to node like we do for KaTeX. Fixes #6880.
2019-11-18 08:11:03 +01:00
class CheckPasswordStrengthTest(ZulipTestCase):
def test_check_password_strength(self) -> None:
with self.settings(PASSWORD_MIN_LENGTH=0, PASSWORD_MIN_GUESSES=0):
# Never allow empty password.
self.assertFalse(check_password_strength(''))
with self.settings(PASSWORD_MIN_LENGTH=6, PASSWORD_MIN_GUESSES=1000):
self.assertFalse(check_password_strength(''))
self.assertFalse(check_password_strength('short'))
# Long enough, but too easy:
self.assertFalse(check_password_strength('longer'))
# Good password:
self.assertTrue(check_password_strength('f657gdGGk9'))
auth: Create a new page hop for desktop auth. Create a new page for desktop auth flow, in which users can select one from going to the app or continue the flow in the browser. Co-authored-by: Mateusz Mandera <mateusz.mandera@protonmail.com>
2020-02-17 16:18:09 +01:00
class DesktopFlowTestingLib(ZulipTestCase):
def verify_desktop_flow_end_page(self, response: HttpResponse, email: str,
desktop_flow_otp: str) -> None:
self.assertEqual(response.status_code, 200)
soup = BeautifulSoup(response.content, "html.parser")
links = [a['href'] for a in soup.find_all('a', href=True)]
self.assert_length(links, 2)
for url in links:
if url.startswith("zulip://"):
desktop_app_url = url
else:
browser_url = url
meta_refresh_content = soup.find('meta', {'http-equiv': lambda value: value == "Refresh"})['content']
auto_redirect_url = meta_refresh_content.split('; ')[1]
self.assertEqual(auto_redirect_url, desktop_app_url)
decrypted_key = self.verify_desktop_app_url_and_return_key(desktop_app_url, email, desktop_flow_otp)
self.assertEqual(browser_url, 'http://zulip.testserver/accounts/login/subdomain/%s' % (decrypted_key,))
result = self.client_get(browser_url)
self.assertEqual(result.status_code, 302)
realm = get_realm("zulip")
user_profile = get_user(email, realm)
self.assert_logged_in_user_id(user_profile.id)
def verify_desktop_app_url_and_return_key(self, url: str, email: str, desktop_flow_otp: str) -> str:
parsed_url = urllib.parse.urlparse(url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [email])
encrypted_key = query_params["otp_encrypted_login_key"][0]
decrypted_key = otp_decrypt_api_key(encrypted_key, desktop_flow_otp)
return decrypted_key
class SocialAuthBase(DesktopFlowTestingLib, ZulipTestCase):
auth: Fix camel case name for register_extra_endpoints.
2019-07-22 04:26:47 +02:00
"""This is a base class for testing social-auth backends. These
methods are often overriden by subclasses:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
auth: Fix camel case name for register_extra_endpoints.
2019-07-22 04:26:47 +02:00
register_extra_endpoints() - If the backend being tested calls some extra
endpoints then they can be added here.
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
get_account_data_dict() - Return the data returned by the user info endpoint
according to the respective backend.
"""
# Don't run base class tests, make sure to set it to False
# in subclass otherwise its tests will not run.
__unittest_skip__ = True
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
tests: setUp overrides should call super().setUp(). MigrationsTestCase is intentionally omitted from this, since migrations tests are different in their nature and so whatever setUp() ZulipTestCase may do in the future, MigrationsTestCase may not necessarily want to replicate.
2019-10-19 20:47:00 +02:00
super().setUp()
tests: Use example_user() in more places.
2017-05-07 21:25:59 +02:00
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
social auth tests: Consistently refer to hamlet's name via self.name.
2019-09-29 00:55:10 +02:00
self.name = self.user_profile.full_name
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
self.backend = self.BACKEND_CLASS
Revert "github: Call the appropriate authenticate." This reverts commit ab260731a98b8edd4884826cedbb042981e1dfff. The overridden authenticate method was buggy.
2017-04-19 19:05:04 +02:00
self.backend.strategy = DjangoStrategy(storage=BaseDjangoStorage())
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
self.user_profile.backend = self.backend
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
# This is a workaround for the fact that Python social auth
# caches the set of authentication backends that are enabled
# the first time that `social_django.utils` is imported. See
# https://github.com/python-social-auth/social-app-django/pull/162
# for details.
from social_core.backends.utils import load_backends
load_backends(settings.AUTHENTICATION_BACKENDS, force_load=True)
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
def register_extra_endpoints(self, requests_mock: responses.RequestsMock,
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
account_data_dict: Dict[str, str],
**extra_data: Any) -> None:
pass
social auth tests: Extract prepare_login_url_and_headers method. It will be reused in SAML tests in upcoming commits.
2019-09-29 02:25:46 +02:00
def prepare_login_url_and_headers(self,
subdomain: Optional[str]=None,
mobile_flow_otp: Optional[str]=None,
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
desktop_flow_otp: Optional[str]=None,
social auth tests: Extract prepare_login_url_and_headers method. It will be reused in SAML tests in upcoming commits.
2019-09-29 02:25:46 +02:00
is_signup: Optional[str]=None,
next: str='',
multiuse_object_key: str='',
alternative_start_url: Optional[str]=None
) -> Tuple[str, Dict[str, Any]]:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
url = self.LOGIN_URL
auth: Add a test for the legacy /accounts/login/google/ mobile flow. This is needed to return 100% URL coverage, and should also help ensure we don't accidentally break the fix from a43b231f90705a5704fbf178b4fc4e4ac36a2c92.
2019-08-27 05:51:04 +02:00
if alternative_start_url is not None:
url = alternative_start_url
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
params = {}
headers = {}
if subdomain is not None:
headers['HTTP_HOST'] = subdomain + ".testserver"
if mobile_flow_otp is not None:
params['mobile_flow_otp'] = mobile_flow_otp
headers['HTTP_USER_AGENT'] = "ZulipAndroid"
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
if desktop_flow_otp is not None:
params['desktop_flow_otp'] = desktop_flow_otp
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
if is_signup is not None:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
url = self.SIGNUP_URL
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
params['next'] = next
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
params['multiuse_object_key'] = multiuse_object_key
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
if len(params) > 0:
lint: Fix code that evaded our lint checks for string % non-tuple. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-04-20 01:00:46 +02:00
url += "?%s" % (urllib.parse.urlencode(params),)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
social auth tests: Extract prepare_login_url_and_headers method. It will be reused in SAML tests in upcoming commits.
2019-09-29 02:25:46 +02:00
return url, headers
def social_auth_test(self, account_data_dict: Dict[str, str],
*, subdomain: Optional[str]=None,
mobile_flow_otp: Optional[str]=None,
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
desktop_flow_otp: Optional[str]=None,
social auth tests: Extract prepare_login_url_and_headers method. It will be reused in SAML tests in upcoming commits.
2019-09-29 02:25:46 +02:00
is_signup: Optional[str]=None,
next: str='',
multiuse_object_key: str='',
expect_choose_email_screen: bool=False,
alternative_start_url: Optional[str]=None,
**extra_data: Any) -> HttpResponse:
url, headers = self.prepare_login_url_and_headers(
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
subdomain, mobile_flow_otp, desktop_flow_otp, is_signup, next,
multiuse_object_key, alternative_start_url
social auth tests: Extract prepare_login_url_and_headers method. It will be reused in SAML tests in upcoming commits.
2019-09-29 02:25:46 +02:00
)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
result = self.client_get(url, **headers)
auth: Fix bug with subdomains and GitHub auth causing apparent logouts. This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
2018-07-10 08:07:23 +02:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
expected_result_url_prefix = 'http://testserver/login/%s/' % (self.backend.name,)
auth: Fix bug with subdomains and GitHub auth causing apparent logouts. This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
2018-07-10 08:07:23 +02:00
if settings.SOCIAL_AUTH_SUBDOMAIN is not None:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
expected_result_url_prefix = ('http://%s.testserver/login/%s/' %
(settings.SOCIAL_AUTH_SUBDOMAIN, self.backend.name,))
auth: Fix bug with subdomains and GitHub auth causing apparent logouts. This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
2018-07-10 08:07:23 +02:00
if result.status_code != 302 or not result.url.startswith(expected_result_url_prefix):
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
return result
result = self.client_get(result.url, **headers)
self.assertEqual(result.status_code, 302)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
assert self.AUTHORIZATION_URL in result.url
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.client.cookies = result.cookies
# Next, the browser requests result["Location"], and gets
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
# redirected back to the registered redirect uri.
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
GitHubAuthBackendTest: Remove token_data_dict argument. This was always the same, and there's not much reason to customize it.
2018-06-07 00:22:20 +02:00
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
auth: Add email_data option to github_oauth2_test. Removes email_not_verified option. That option was used to assign email_data a different set of emails for a test. Instead of that, this refactor allows to specify the email_data itself in the function which calls github_oauth2_test. Flags like email_not_verified are generally used in one test. This is a preparatory refactor for choose email screen which may have introduced multiple flags otherwise.
2018-07-19 00:12:07 +02:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
# We register callbacks for the key URLs on Identity Provider that
# auth completion url will call
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
with responses.RequestsMock(assert_all_requests_are_fired=False) as requests_mock:
requests_mock.add(
requests_mock.POST,
self.ACCESS_TOKEN_URL,
match_querystring=False,
status=200,
body=json.dumps(token_data_dict))
requests_mock.add(
requests_mock.GET,
self.USER_INFO_URL,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
status=200,
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
body=json.dumps(account_data_dict)
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
)
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
self.register_extra_endpoints(requests_mock, account_data_dict, **extra_data)
parsed_url = urllib.parse.urlparse(result.url)
csrf_state = urllib.parse.parse_qs(parsed_url.query)['state']
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
result = self.client_get(self.AUTH_FINISH_URL,
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
dict(state=csrf_state), **headers)
if expect_choose_email_screen and result.status_code == 200:
# For authentication backends such as GitHub that
# successfully authenticate multiple email addresses,
# we'll have an additional screen where the user selects
# which email address to login using (this screen is a
# "partial" state of the python-social-auth pipeline).
#
# TODO: Generalize this testing code for use with other
# authentication backends; for now, we just assert that
# it's definitely the GitHub authentication backend.
auth: Create a new page hop for desktop auth. Create a new page for desktop auth flow, in which users can select one from going to the app or continue the flow in the browser. Co-authored-by: Mateusz Mandera <mateusz.mandera@protonmail.com>
2020-02-17 16:18:09 +01:00
if self.AUTH_FINISH_URL == "/complete/github/":
self.assert_in_success_response(["Select account"], result)
result = self.client_get(self.AUTH_FINISH_URL,
dict(state=csrf_state, email=account_data_dict['email']), **headers)
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
elif self.AUTH_FINISH_URL == "/complete/github/":
# We want to be explicit about when we expect a test to
# use the "choose email" screen, but of course we should
# only check for that screen with the GitHub backend,
# because this test code is shared with other
# authentication backends that structurally will never use
# that screen.
assert not expect_choose_email_screen
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
return result
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_no_key(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
with self.settings(**{self.CLIENT_KEY_SETTING: None}):
result = self.social_auth_test(account_data_dict,
subdomain='zulip', next='/user_uploads/image')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, self.CONFIG_ERROR_URL)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
auth: Move `ConfigErrorTest` from `test_docs` to `test_auth_backends`. There was some duplicated code to test config error pages for different auths which could be handled with less duplicated code by adding those functions to `SocialAuthBase`. Also moving the other tests makes it easier to access tests related to a backend auth when they are in the same file.
2020-02-15 19:16:16 +01:00
def test_config_error_development(self) -> None:
if hasattr(self, 'CLIENT_KEY_SETTING') and hasattr(self, 'CLIENT_SECRET_SETTING'):
with self.settings(**{self.CLIENT_KEY_SETTING: None}):
result = self.client_get(self.LOGIN_URL)
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, self.CONFIG_ERROR_URL)
result = self.client_get(result.url)
self.assert_in_success_response([self.CLIENT_KEY_SETTING.lower()], result)
self.assert_in_success_response([self.CLIENT_SECRET_SETTING.lower()], result)
self.assert_in_success_response(["zproject/dev-secrets.conf"], result)
self.assert_not_in_success_response([self.CLIENT_KEY_SETTING], result)
self.assert_not_in_success_response(["zproject/dev_settings.py"], result)
self.assert_not_in_success_response(["/etc/zulip/settings.py"], result)
self.assert_not_in_success_response(["/etc/zulip/zulip-secrets.conf"], result)
@override_settings(DEVELOPMENT=False)
def test_config_error_production(self) -> None:
if hasattr(self, 'CLIENT_KEY_SETTING') and hasattr(self, 'CLIENT_SECRET_SETTING'):
with self.settings(**{self.CLIENT_KEY_SETTING: None}):
result = self.client_get(self.LOGIN_URL)
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, self.CONFIG_ERROR_URL)
result = self.client_get(result.url)
self.assert_in_success_response([self.CLIENT_KEY_SETTING], result)
self.assert_in_success_response(["/etc/zulip/settings.py"], result)
self.assert_in_success_response([self.CLIENT_SECRET_SETTING.lower()], result)
self.assert_in_success_response(["/etc/zulip/zulip-secrets.conf"], result)
self.assert_not_in_success_response([self.CLIENT_KEY_SETTING.lower()], result)
self.assert_not_in_success_response(["zproject/dev_settings.py"], result)
self.assert_not_in_success_response(["zproject/dev-secrets.conf"], result)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_success(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
subdomain='zulip', next='/user_uploads/image')
auth: Fix bug with subdomains and GitHub auth causing apparent logouts. This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
2018-07-10 08:07:23 +02:00
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
social auth tests: Consistently refer to hamlet's name via self.name.
2019-09-29 00:55:10 +02:00
self.assertEqual(data['name'], self.name)
auth: Fix bug with subdomains and GitHub auth causing apparent logouts. This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
2018-07-10 08:07:23 +02:00
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(data['next'], '/user_uploads/image')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
@override_settings(SOCIAL_AUTH_SUBDOMAIN=None)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_when_social_auth_subdomain_is_not_set(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
result = self.social_auth_test(account_data_dict,
subdomain='zulip',
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
next='/user_uploads/image')
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
social auth tests: Consistently refer to hamlet's name via self.name.
2019-09-29 00:55:10 +02:00
self.assertEqual(data['name'], self.name)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(data['next'], '/user_uploads/image')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_deactivated_user(self) -> None:
test_auth_backends: Move GitHub deactivated test to new suite.
2018-05-31 02:20:01 +02:00
user_profile = self.example_user("hamlet")
do_deactivate_user(user_profile)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
# We expect to go through the "choose email" screen here,
# because there won't be an existing user account we can
# auto-select for the user.
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
subdomain='zulip')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
self.assertEqual(result.status_code, 302)
auth: Redirect deactivated user to /login when attempting social login. (#12130)
2019-04-17 21:28:57 +02:00
self.assertEqual(result.url, "/login/?is_deactivated=true")
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
# TODO: verify whether we provide a clear error message
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_invalid_realm(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
with mock.patch('zerver.middleware.get_realm', return_value=get_realm("zulip")):
# This mock.patch case somewhat hackishly arranges it so
# that we switch realms halfway through the test
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.social_auth_test(account_data_dict,
subdomain='invalid', next='/user_uploads/image')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
self.assertEqual(result.status_code, 302)
social_auth: Take user to find_account if invalid subdomain is given. This allows to also clean up some code that's not really useful.
2020-02-15 17:08:09 +01:00
self.assertEqual(result.url, "/accounts/find/")
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_invalid_email(self) -> None:
account_data_dict = self.get_account_data_dict(email="invalid", name=self.name)
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
subdomain='zulip', next='/user_uploads/image')
test_auth_backends: Move GitHub deactivated test to new suite.
2018-05-31 02:20:01 +02:00
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/?next=/user_uploads/image")
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
def test_user_cannot_log_into_nonexisting_realm(self) -> None:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
result = self.social_auth_test(account_data_dict,
subdomain='nonexistent')
auth: Use HTTP status 404 for invalid realms. Apparently, our invalid realm error page had HTTP status 200, which could be confusing and in particular broken our mobile app's error handling for this case.
2019-03-12 01:56:52 +01:00
self.assert_in_response("There is no Zulip organization hosted at this subdomain.",
result)
self.assertEqual(result.status_code, 404)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
def test_user_cannot_log_into_wrong_subdomain(self) -> None:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
subdomain='zephyr')
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assertTrue(result.url.startswith("http://zephyr.testserver/accounts/login/subdomain/"))
result = self.client_get(result.url.replace('http://zephyr.testserver', ''),
subdomain="zephyr")
self.assert_in_success_response(['Your email address, hamlet@zulip.com, is not in one of the domains ',
'that are allowed to register for accounts in this organization.'], result)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_mobile_success(self) -> None:
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
mobile_flow_otp = '1234abcd' * 8
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=self.email, name='Full Name')
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assertEqual(len(mail.outbox), 0)
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
self.user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=JUST_CREATED_THRESHOLD + 1)
self.user_profile.save()
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
with self.settings(SEND_LOGIN_EMAILS=True):
# Verify that the right thing happens with an invalid-format OTP
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.social_auth_test(account_data_dict, subdomain='zulip',
mobile_flow_otp="1234")
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assert_json_error(result, "Invalid OTP")
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.social_auth_test(account_data_dict, subdomain='zulip',
mobile_flow_otp="invalido" * 8)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assert_json_error(result, "Invalid OTP")
# Now do it correctly
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.social_auth_test(account_data_dict, subdomain='zulip',
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
mobile_flow_otp=mobile_flow_otp)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys.
2018-08-01 10:53:40 +02:00
hamlet_api_keys = get_all_api_keys(self.example_user('hamlet'))
self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), hamlet_api_keys)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
def test_social_auth_desktop_success(self) -> None:
desktop_flow_otp = '1234abcd' * 8
account_data_dict = self.get_account_data_dict(email=self.email, name='Full Name')
# Verify that the right thing happens with an invalid-format OTP
result = self.social_auth_test(account_data_dict, subdomain='zulip',
desktop_flow_otp="1234")
self.assert_json_error(result, "Invalid OTP")
result = self.social_auth_test(account_data_dict, subdomain='zulip',
desktop_flow_otp="invalido" * 8)
self.assert_json_error(result, "Invalid OTP")
# Now do it correctly
result = self.social_auth_test(account_data_dict, subdomain='zulip',
expect_choose_email_screen=True,
desktop_flow_otp=desktop_flow_otp)
auth: Create a new page hop for desktop auth. Create a new page for desktop auth flow, in which users can select one from going to the app or continue the flow in the browser. Co-authored-by: Mateusz Mandera <mateusz.mandera@protonmail.com>
2020-02-17 16:18:09 +01:00
self.verify_desktop_flow_end_page(result, self.email, desktop_flow_otp)
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
social_auth: Clear session fields leftover from previous auth attempts. Fixes #13560.
2020-01-27 12:05:32 +01:00
def test_social_auth_session_fields_cleared_correctly(self) -> None:
mobile_flow_otp = '1234abcd' * 8
def initiate_auth(mobile_flow_otp: Optional[str]=None) -> None:
url, headers = self.prepare_login_url_and_headers(subdomain='zulip',
mobile_flow_otp=mobile_flow_otp)
result = self.client_get(url, **headers)
self.assertEqual(result.status_code, 302)
result = self.client_get(result.url, **headers)
self.assertEqual(result.status_code, 302)
# Start social auth with mobile_flow_otp param. It should get saved into the session
# on SOCIAL_AUTH_SUBDOMAIN.
initiate_auth(mobile_flow_otp)
self.assertEqual(self.client.session['mobile_flow_otp'], mobile_flow_otp)
# Make a request without mobile_flow_otp param and verify the field doesn't persist
# in the session from the previous request.
initiate_auth()
self.assertNotIn('mobile_flow_otp', self.client.session)
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
def test_social_auth_mobile_and_desktop_flow_in_one_request_error(self) -> None:
otp = '1234abcd' * 8
account_data_dict = self.get_account_data_dict(email=self.email, name='Full Name')
result = self.social_auth_test(account_data_dict, subdomain='zulip',
expect_choose_email_screen=True,
desktop_flow_otp=otp, mobile_flow_otp=otp)
self.assert_json_error(result, "Can't use both mobile_flow_otp and desktop_flow_otp together.")
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_registration_existing_account(self) -> None:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
"""If the user already exists, signup flow just logs them in"""
email = "hamlet@zulip.com"
name = 'Full Name'
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
subdomain='zulip', is_signup='1')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
self.assertEqual(data['name'], 'Full Name')
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
hamlet = self.example_user("hamlet")
# Name wasn't changed at all
self.assertEqual(hamlet.full_name, "King Hamlet")
social_auth tests: Test registration with ldap populator enabled. Finishes testing for the last remaining case and thus closes #13298.
2019-11-01 00:33:56 +01:00
def stage_two_of_registration(self, result: HttpResponse, realm: Realm, subdomain: str,
email: str, name: str, expected_final_name: str,
registration: Add support for mobile and desktop flows. This makes it possible to create a Zulip account from the mobile or desktop apps and have the end result be that the user is logged in on their mobile device. We may need small changes in the desktop and/or mobile apps to support this. Closes #10859.
2020-02-06 18:27:10 +01:00
skip_registration_form: bool,
mobile_flow_otp: Optional[str]=None,
desktop_flow_otp: Optional[str]=None) -> None:
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
data = load_subdomain_token(result)
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
self.assertEqual(result.status_code, 302)
social_auth tests: Extract some common logic in the long signup tests.
2019-11-01 00:23:05 +01:00
confirmation = Confirmation.objects.all().last()
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"key": confirmation_key}
result = self.client_post('/accounts/register/', data)
social_auth tests: Test registration with ldap populator enabled. Finishes testing for the last remaining case and thus closes #13298.
2019-11-01 00:33:56 +01:00
if not skip_registration_form:
register: Pre-populate Name in social backend flow. By adding some additional plumbing (through PreregistrationUser) of the full_name and an additional full_name_validated option, we pre-populate the Full Name field in the registration form when coming through a social backend (google/github/saml/etc.) and potentially skip the registration form (if the user would have nothing to do there other than clicking the Confirm button) and just create the account and log the user in.
2019-11-01 00:00:36 +01:00
self.assert_in_response("We just need you to do one last thing", result)
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Verify the name field gets correctly pre-populated:
social_auth tests: Extract some common logic in the long signup tests.
2019-11-01 00:23:05 +01:00
self.assert_in_success_response([expected_final_name], result)
register: Pre-populate Name in social backend flow. By adding some additional plumbing (through PreregistrationUser) of the full_name and an additional full_name_validated option, we pre-populate the Full Name field in the registration form when coming through a social backend (google/github/saml/etc.) and potentially skip the registration form (if the user would have nothing to do there other than clicking the Confirm button) and just create the account and log the user in.
2019-11-01 00:00:36 +01:00
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
social_auth tests: Extract some common logic in the long signup tests.
2019-11-01 00:23:05 +01:00
{'full_name': expected_final_name,
register: Pre-populate Name in social backend flow. By adding some additional plumbing (through PreregistrationUser) of the full_name and an additional full_name_validated option, we pre-populate the Full Name field in the registration form when coming through a social backend (google/github/saml/etc.) and potentially skip the registration form (if the user would have nothing to do there other than clicking the Confirm button) and just create the account and log the user in.
2019-11-01 00:00:36 +01:00
'key': confirmation_key,
'terms': True})
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
registration: Add support for mobile and desktop flows. This makes it possible to create a Zulip account from the mobile or desktop apps and have the end result be that the user is logged in on their mobile device. We may need small changes in the desktop and/or mobile apps to support this. Closes #10859.
2020-02-06 18:27:10 +01:00
# Mobile and desktop flow have additional steps:
if mobile_flow_otp:
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [email])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
user_api_keys = get_all_api_keys(get_user(email, realm))
self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), user_api_keys)
return
elif desktop_flow_otp:
auth: Create a new page hop for desktop auth. Create a new page for desktop auth flow, in which users can select one from going to the app or continue the flow in the browser. Co-authored-by: Mateusz Mandera <mateusz.mandera@protonmail.com>
2020-02-17 16:18:09 +01:00
self.verify_desktop_flow_end_page(result, email, desktop_flow_otp)
# Now the desktop app is logged in, continue with the logged in check.
else:
registration: Add support for mobile and desktop flows. This makes it possible to create a Zulip account from the mobile or desktop apps and have the end result be that the user is logged in on their mobile device. We may need small changes in the desktop and/or mobile apps to support this. Closes #10859.
2020-02-06 18:27:10 +01:00
self.assertEqual(result.status_code, 302)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
user_profile = get_user(email, realm)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
social_auth tests: Extract some common logic in the long signup tests.
2019-11-01 00:23:05 +01:00
self.assertEqual(user_profile.full_name, expected_final_name)
auth: Use zxcvbn to ensure password strength on server side. For a long time, we've been only doing the zxcvbn password strength checks on the browser, which is helpful, but means users could through hackery (or a bug in the frontend validation code) manage to set a too-weak password. We fix this by running our password strength validation on the backend as well, using python-zxcvbn. In theory, a bug in python-zxcvbn could result in it producing a different opinion than the frontend version; if so, it'd be a pretty bad bug in the library, and hopefully we'd hear about it from users, report upstream, and get it fixed that way. Alternatively, we can switch to shelling out to node like we do for KaTeX. Fixes #6880.
2019-11-18 08:11:03 +01:00
self.assertFalse(user_profile.has_usable_password())
social_auth tests: Extract some common logic in the long signup tests.
2019-11-01 00:23:05 +01:00
@override_settings(TERMS_OF_SERVICE=None)
def test_social_auth_registration(self) -> None:
"""If the user doesn't exist yet, social auth can be used to register an account"""
email = "newuser@zulip.com"
name = 'Full Name'
social_auth tests: Test registration with ldap populator enabled. Finishes testing for the last remaining case and thus closes #13298.
2019-11-01 00:33:56 +01:00
subdomain = 'zulip'
social_auth tests: Extract some common logic in the long signup tests.
2019-11-01 00:23:05 +01:00
realm = get_realm("zulip")
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
expect_choose_email_screen=True,
social_auth tests: Test registration with ldap populator enabled. Finishes testing for the last remaining case and thus closes #13298.
2019-11-01 00:33:56 +01:00
subdomain=subdomain, is_signup='1')
self.stage_two_of_registration(result, realm, subdomain, email, name, name,
self.BACKEND_CLASS.full_name_validated)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
registration: Add support for mobile and desktop flows. This makes it possible to create a Zulip account from the mobile or desktop apps and have the end result be that the user is logged in on their mobile device. We may need small changes in the desktop and/or mobile apps to support this. Closes #10859.
2020-02-06 18:27:10 +01:00
@override_settings(TERMS_OF_SERVICE=None)
def test_social_auth_mobile_registration(self) -> None:
email = "newuser@zulip.com"
name = 'Full Name'
subdomain = 'zulip'
realm = get_realm("zulip")
mobile_flow_otp = '1234abcd' * 8
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict, subdomain='zulip',
expect_choose_email_screen=True,
is_signup='1',
mobile_flow_otp=mobile_flow_otp)
self.stage_two_of_registration(result, realm, subdomain, email, name, name,
self.BACKEND_CLASS.full_name_validated,
mobile_flow_otp=mobile_flow_otp)
@override_settings(TERMS_OF_SERVICE=None)
def test_social_auth_desktop_registration(self) -> None:
email = "newuser@zulip.com"
name = 'Full Name'
subdomain = 'zulip'
realm = get_realm("zulip")
desktop_flow_otp = '1234abcd' * 8
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict, subdomain='zulip',
expect_choose_email_screen=True,
is_signup='1',
desktop_flow_otp=desktop_flow_otp)
self.stage_two_of_registration(result, realm, subdomain, email, name, name,
self.BACKEND_CLASS.full_name_validated,
desktop_flow_otp=desktop_flow_otp)
auth: Eliminate if/else block for PreregUser handling with/without SSO. Both branches did very similar things, and the code is better having common handling in all cases.
2019-12-10 18:45:36 +01:00
@override_settings(TERMS_OF_SERVICE=None)
def test_social_auth_registration_invitation_exists(self) -> None:
"""
This tests the registration flow in the case where an invitation for the user
was generated.
"""
email = "newuser@zulip.com"
name = 'Full Name'
subdomain = 'zulip'
realm = get_realm("zulip")
iago = self.example_user("iago")
do_invite_users(iago, [email], [])
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
expect_choose_email_screen=True,
subdomain=subdomain, is_signup='1')
self.stage_two_of_registration(result, realm, subdomain, email, name, name,
self.BACKEND_CLASS.full_name_validated)
register: Pre-populate Name in social backend flow. By adding some additional plumbing (through PreregistrationUser) of the full_name and an additional full_name_validated option, we pre-populate the Full Name field in the registration form when coming through a social backend (google/github/saml/etc.) and potentially skip the registration form (if the user would have nothing to do there other than clicking the Confirm button) and just create the account and log the user in.
2019-11-01 00:00:36 +01:00
@override_settings(TERMS_OF_SERVICE=None)
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
def test_social_auth_registration_using_multiuse_invite(self) -> None:
"""If the user doesn't exist yet, social auth can be used to register an account"""
email = "newuser@zulip.com"
name = 'Full Name'
social_auth tests: Test registration with ldap populator enabled. Finishes testing for the last remaining case and thus closes #13298.
2019-11-01 00:33:56 +01:00
subdomain = 'zulip'
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
realm = get_realm("zulip")
realm.invite_required = True
realm.save()
stream_names = ["new_stream_1", "new_stream_2"]
streams = []
for stream_name in set(stream_names):
stream = ensure_stream(realm, stream_name)
streams.append(stream)
referrer = self.example_user("hamlet")
multiuse_obj = MultiuseInvite.objects.create(realm=realm, referred_by=referrer)
multiuse_obj.streams.set(streams)
create_confirmation_link(multiuse_obj, realm.host, Confirmation.MULTIUSE_INVITE)
multiuse_confirmation = Confirmation.objects.all().last()
multiuse_object_key = multiuse_confirmation.confirmation_key
account_data_dict = self.get_account_data_dict(email=email, name=name)
# First, try to signup for closed realm without using an invitation
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
social_auth tests: Test registration with ldap populator enabled. Finishes testing for the last remaining case and thus closes #13298.
2019-11-01 00:33:56 +01:00
subdomain=subdomain, is_signup='1')
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
result = self.client_get(result.url)
# Verify that we're unable to signup, since this is a closed realm
self.assertEqual(result.status_code, 200)
self.assert_in_success_response(["Sign up"], result)
social_auth tests: Test registration with ldap populator enabled. Finishes testing for the last remaining case and thus closes #13298.
2019-11-01 00:33:56 +01:00
result = self.social_auth_test(account_data_dict, subdomain=subdomain, is_signup='1',
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
multiuse_object_key=multiuse_object_key)
social_auth tests: Test registration with ldap populator enabled. Finishes testing for the last remaining case and thus closes #13298.
2019-11-01 00:33:56 +01:00
self.stage_two_of_registration(result, realm, subdomain, email, name, name,
self.BACKEND_CLASS.full_name_validated)
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_registration_without_is_signup(self) -> None:
"""If `is_signup` is not set then a new account isn't created"""
test_auth_backends: Move GitHub signup tests to new suite. This eliminates a lot of duplicated, mocking-heavy code.
2018-05-31 02:27:43 +02:00
email = "newuser@zulip.com"
name = 'Full Name'
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
subdomain='zulip')
test_auth_backends: Move GitHub signup tests to new suite. This eliminates a lot of duplicated, mocking-heavy code.
2018-05-31 02:27:43 +02:00
self.assertEqual(result.status_code, 302)
data = load_subdomain_token(result)
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
self.assertEqual(result.status_code, 200)
self.assert_in_response("No account found for newuser@zulip.com.", result)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_registration_without_is_signup_closed_realm(self) -> None:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
"""If the user doesn't exist yet in closed realm, give an error"""
populate_db: Don't restrict email domains by default in tests and dev. The email domain restriction to @zulip.com is annoying in development environment when trying to test sign up. For consistency, it's best to have tests use the same default, and the tests that require domain restriction can be adjusted to set that configuration up for themselves explicitly.
2020-03-06 16:22:23 +01:00
realm = get_realm("zulip")
do_set_realm_property(realm, "emails_restricted_to_domains", True)
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
email = "nonexisting@phantom.com"
name = 'Full Name'
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
subdomain='zulip')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
self.assertEqual(result.status_code, 302)
data = load_subdomain_token(result)
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
result = self.client_get(result.url)
self.assertEqual(result.status_code, 200)
self.assert_in_response('action="/register/"', result)
self.assert_in_response('Your email address, {}, is not '
'in one of the domains that are allowed to register '
'for accounts in this organization.'.format(email), result)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
social_auth tests: Test registration with ldap populator enabled. Finishes testing for the last remaining case and thus closes #13298.
2019-11-01 00:33:56 +01:00
@override_settings(TERMS_OF_SERVICE=None)
def test_social_auth_with_ldap_populate_registration_from_confirmation(self) -> None:
self.init_default_ldap_database()
email = "newuser@zulip.com"
name = "Full Name"
realm = get_realm("zulip")
subdomain = "zulip"
ldap_user_attr_map = {'full_name': 'cn'}
account_data_dict = self.get_account_data_dict(email=email, name=name)
backend_path = 'zproject.backends.{}'.format(self.BACKEND_CLASS.__name__)
with self.settings(
POPULATE_PROFILE_VIA_LDAP=True,
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map,
AUTHENTICATION_BACKENDS=(backend_path,
'zproject.backends.ZulipLDAPUserPopulator',
'zproject.backends.ZulipDummyBackend')
):
result = self.social_auth_test(account_data_dict,
expect_choose_email_screen=True,
subdomain=subdomain, is_signup='1')
# Full name should get populated from ldap:
self.stage_two_of_registration(result, realm, subdomain, email, name, "New LDAP fullname",
skip_registration_form=True)
register: Improve handling of non-ldap users in LDAPPopulator configs. The problem was that, for example, given a configuration of social backend + LDAPPopulator, if a user that's not in ldap was being registered, the Full Name field in the registration form would be empty instead of getting prefilled with the name provided by the social backend. This fixes it - first we try to get the name from ldap. If that succeeds, a form is created pre-filled with that name. Otherwise, we proceed to attempt to pre-fill with other means. This also has a nice side effect of reorganizing most of the logic to be more parallel between LDAP and other sources of name data.
2019-11-09 07:01:05 +01:00
# Now try a user that doesn't exist in ldap:
email = self.nonreg_email("alice")
name = "Alice Social"
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
expect_choose_email_screen=True,
subdomain=subdomain, is_signup='1')
# Full name should get populated as provided by the social backend, because
# this user isn't in the ldap dictionary:
self.stage_two_of_registration(result, realm, subdomain, email, name, name,
skip_registration_form=self.BACKEND_CLASS.full_name_validated)
register: Allow creating non-ldap users via social backends. In configurations that use the ldap authentication backend and a social backend, make it possible to create non-ldap users via the social backend.
2019-11-21 14:48:49 +01:00
@override_settings(TERMS_OF_SERVICE=None)
def test_social_auth_with_ldap_auth_registration_from_confirmation(self) -> None:
"""
This test checks that in configurations that use the ldap authentication backend
and a social backend, it is possible to create non-ldap users via the social backend.
"""
self.init_default_ldap_database()
email = self.nonreg_email("alice")
name = "Alice Social"
realm = get_realm("zulip")
subdomain = "zulip"
ldap_user_attr_map = {'full_name': 'cn'}
account_data_dict = self.get_account_data_dict(email=email, name=name)
backend_path = 'zproject.backends.{}'.format(self.BACKEND_CLASS.__name__)
with self.settings(
POPULATE_PROFILE_VIA_LDAP=True,
LDAP_EMAIL_ATTR='mail',
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map,
AUTHENTICATION_BACKENDS=(backend_path,
'zproject.backends.ZulipLDAPAuthBackend',
'zproject.backends.ZulipDummyBackend')
):
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
expect_choose_email_screen=True,
subdomain=subdomain, is_signup='1')
# Full name should get populated as provided by the social backend, because
# this user isn't in the ldap dictionary:
self.stage_two_of_registration(result, realm, subdomain, email, name, name,
skip_registration_form=self.BACKEND_CLASS.full_name_validated)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_complete(self) -> None:
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
with mock.patch('social_core.backends.oauth.BaseOAuth2.process_error',
side_effect=AuthFailed('Not found')):
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.client_get(reverse('social:complete', args=[self.backend.name]))
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_complete_when_base_exc_is_raised(self) -> None:
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
with mock.patch('social_core.backends.oauth.BaseOAuth2.auth_complete',
side_effect=AuthStateForbidden('State forbidden')), \
mock.patch('zproject.backends.logging.warning'):
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.client_get(reverse('social:complete', args=[self.backend.name]))
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
class SAMLAuthBackendTest(SocialAuthBase):
__unittest_skip__ = False
BACKEND_CLASS = SAMLAuthBackend
auth: Change SAML login url scheme, enabling multiple IdP support. The url scheme is now /accounts/login/social/saml/{idp_name} to initiate login using the IdP configured under "idp_name" name. display_name and display_logo (the name and icon to show on the "Log in with" button) can be customized by adding the apprioprate settings in the configured IdP dictionaries.
2019-10-22 18:23:57 +02:00
LOGIN_URL = "/accounts/login/social/saml/test_idp"
SIGNUP_URL = "/accounts/register/social/saml/test_idp"
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
AUTHORIZATION_URL = "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
AUTH_FINISH_URL = "/complete/saml/"
CONFIG_ERROR_URL = "/config-error/saml"
# We have to define our own social_auth_test as the flow of SAML authentication
# is different from the other social backends.
def social_auth_test(self, account_data_dict: Dict[str, str],
*, subdomain: Optional[str]=None,
mobile_flow_otp: Optional[str]=None,
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
desktop_flow_otp: Optional[str]=None,
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
is_signup: Optional[str]=None,
next: str='',
multiuse_object_key: str='',
**extra_data: Any) -> HttpResponse:
url, headers = self.prepare_login_url_and_headers(
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
subdomain, mobile_flow_otp, desktop_flow_otp, is_signup, next, multiuse_object_key
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
)
result = self.client_get(url, **headers)
expected_result_url_prefix = 'http://testserver/login/%s/' % (self.backend.name,)
if settings.SOCIAL_AUTH_SUBDOMAIN is not None:
expected_result_url_prefix = (
'http://%s.testserver/login/%s/' % (settings.SOCIAL_AUTH_SUBDOMAIN, self.backend.name)
)
if result.status_code != 302 or not result.url.startswith(expected_result_url_prefix):
return result
result = self.client_get(result.url, **headers)
self.assertEqual(result.status_code, 302)
assert self.AUTHORIZATION_URL in result.url
assert "samlrequest" in result.url.lower()
self.client.cookies = result.cookies
parsed_url = urllib.parse.urlparse(result.url)
relay_state = urllib.parse.parse_qs(parsed_url.query)['RelayState'][0]
# Make sure params are getting encoded into RelayState:
data = SAMLAuthBackend.get_data_from_redis(relay_state)
if next:
self.assertEqual(data['next'], next)
if is_signup:
self.assertEqual(data['is_signup'], is_signup)
saml_response = self.generate_saml_response(**account_data_dict)
post_params = {"SAMLResponse": saml_response, "RelayState": relay_state}
# The mock below is necessary, so that python3-saml accepts our SAMLResponse,
# and doesn't verify the cryptographic signatures etc., since generating
# a perfectly valid SAMLResponse for the purpose of these tests would be too complex,
# and we simply use one loaded from a fixture file.
with mock.patch.object(OneLogin_Saml2_Response, 'is_valid', return_value=True):
result = self.client_post(self.AUTH_FINISH_URL, post_params, **headers)
return result
def generate_saml_response(self, email: str, name: str) -> str:
"""
The samlresponse.txt fixture has a pre-generated SAMLResponse,
with {email}, {first_name}, {last_name} placeholders, that can
be filled out with the data we want.
"""
name_parts = name.split(' ')
first_name = name_parts[0]
last_name = name_parts[1]
unencoded_saml_response = self.fixture_data("samlresponse.txt", type="saml").format(
email=email,
first_name=first_name,
last_name=last_name
)
# SAMLResponse needs to be base64-encoded.
saml_response = base64.b64encode(unencoded_saml_response.encode()).decode() # type: str
return saml_response
def get_account_data_dict(self, email: str, name: str) -> Dict[str, Any]:
return dict(email=email, name=name)
def test_social_auth_no_key(self) -> None:
"""
Since in the case of SAML there isn't a direct equivalent of CLIENT_KEY_SETTING,
we override this test, to test for the case where the obligatory
SOCIAL_AUTH_SAML_ENABLED_IDPS isn't configured.
"""
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
with self.settings(SOCIAL_AUTH_SAML_ENABLED_IDPS=None):
result = self.social_auth_test(account_data_dict,
subdomain='zulip', next='/user_uploads/image')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, self.CONFIG_ERROR_URL)
saml: Sanity-check configuration in both login and signup codepaths.
2019-10-26 01:51:48 +02:00
# Test the signup path too:
result = self.social_auth_test(account_data_dict, is_signup='1',
subdomain='zulip', next='/user_uploads/image')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, self.CONFIG_ERROR_URL)
auth: Move `ConfigErrorTest` from `test_docs` to `test_auth_backends`. There was some duplicated code to test config error pages for different auths which could be handled with less duplicated code by adding those functions to `SocialAuthBase`. Also moving the other tests makes it easier to access tests related to a backend auth when they are in the same file.
2020-02-15 19:16:16 +01:00
def test_config_error_page(self) -> None:
result = self.client_get("/accounts/login/social/saml")
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, '/config-error/saml')
result = self.client_get(result.url)
self.assert_in_success_response(["SAML authentication"], result)
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
def test_saml_auth_works_without_private_public_keys(self) -> None:
with self.settings(SOCIAL_AUTH_SAML_SP_PUBLIC_CERT='', SOCIAL_AUTH_SAML_SP_PRIVATE_KEY=''):
self.test_social_auth_success()
def test_saml_auth_enabled(self) -> None:
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.SAMLAuthBackend',)):
self.assertTrue(saml_auth_enabled())
result = self.client_get("/saml/metadata.xml")
self.assert_in_success_response(
['entityID="{}"'.format(settings.SOCIAL_AUTH_SAML_SP_ENTITY_ID)], result
)
def test_social_auth_complete(self) -> None:
with mock.patch.object(OneLogin_Saml2_Response, 'is_valid', return_value=True):
with mock.patch.object(OneLogin_Saml2_Auth, 'is_authenticated', return_value=False), \
mock.patch('zproject.backends.logging.info') as m:
# This mock causes AuthFailed to be raised.
saml_response = self.generate_saml_response(self.email, self.name)
relay_state = SAMLAuthBackend.put_data_in_redis({"idp": "test_idp"})
post_params = {"SAMLResponse": saml_response, "RelayState": relay_state}
result = self.client_post('/complete/saml/', post_params)
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
m.assert_called_with("Authentication failed: SAML login failed: [] (None)")
def test_social_auth_complete_when_base_exc_is_raised(self) -> None:
with mock.patch.object(OneLogin_Saml2_Response, 'is_valid', return_value=True):
with mock.patch('social_core.backends.saml.SAMLAuth.auth_complete',
side_effect=AuthStateForbidden('State forbidden')), \
mock.patch('zproject.backends.logging.warning') as m:
saml_response = self.generate_saml_response(self.email, self.name)
relay_state = SAMLAuthBackend.put_data_in_redis({"idp": "test_idp"})
post_params = {"SAMLResponse": saml_response, "RelayState": relay_state}
result = self.client_post('/complete/saml/', post_params)
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
m.assert_called_with("Wrong state parameter given.")
def test_social_auth_complete_bad_params(self) -> None:
# Simple GET for /complete/saml without the required parameters.
# This tests the auth_complete wrapped in our SAMLAuthBackend,
# ensuring it prevents this requests from causing an internal server error.
with mock.patch('zproject.backends.logging.info') as m:
result = self.client_get('/complete/saml/')
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
m.assert_called_with("SAML authentication failed: missing RelayState.")
# Check that POSTing the RelayState, but with missing SAMLResponse,
# doesn't cause errors either:
with mock.patch('zproject.backends.logging.info') as m:
relay_state = SAMLAuthBackend.put_data_in_redis({"idp": "test_idp"})
post_params = {"RelayState": relay_state}
result = self.client_post('/complete/saml/', post_params)
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
m.assert_called_with(
# OneLogin_Saml2_Error exception:
"SAML Response not found, Only supported HTTP_POST Binding"
)
with mock.patch('zproject.backends.logging.info') as m:
relay_state = SAMLAuthBackend.put_data_in_redis({"idp": "test_idp"})
relay_state = relay_state[:-1] # Break the token by removing the last character
post_params = {"RelayState": relay_state}
result = self.client_post('/complete/saml/', post_params)
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
m.assert_called_with("SAML authentication failed: bad RelayState token.")
def test_social_auth_saml_bad_idp_param_on_login_page(self) -> None:
with mock.patch('zproject.backends.logging.info') as m:
result = self.client_get('/login/saml/')
self.assertEqual(result.status_code, 302)
self.assertEqual('/login/', result.url)
saml: Make the bad idp param KeyError log message more verbose. Original idea was that KeyError was only going to happen there in case of user passing bad input params to the endpoint, so logging a generic message seemed sufficient. But this can also happen in case of misconfiguration, so it's worth logging more info as it may help in debugging the configuration.
2020-02-20 15:54:39 +01:00
m.assert_called_with("/login/saml/ : Bad idp param: KeyError: 'idp'.")
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
with mock.patch('zproject.backends.logging.info') as m:
result = self.client_get('/login/saml/?idp=bad_idp')
self.assertEqual(result.status_code, 302)
self.assertEqual('/login/', result.url)
saml: Make the bad idp param KeyError log message more verbose. Original idea was that KeyError was only going to happen there in case of user passing bad input params to the endpoint, so logging a generic message seemed sufficient. But this can also happen in case of misconfiguration, so it's worth logging more info as it may help in debugging the configuration.
2020-02-20 15:54:39 +01:00
m.assert_called_with("/login/saml/ : Bad idp param: KeyError: 'bad_idp'.")
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
def test_social_auth_invalid_email(self) -> None:
"""
This test needs an override from the original class. For security reasons,
the 'next' and 'mobile_flow_otp' params don't get passed on in the session
if the authentication attempt failed. See SAMLAuthBackend.auth_complete for details.
"""
account_data_dict = self.get_account_data_dict(email="invalid", name=self.name)
result = self.social_auth_test(account_data_dict,
expect_choose_email_screen=True,
subdomain='zulip', next='/user_uploads/image')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
def test_social_auth_saml_multiple_idps_configured(self) -> None:
"""
Using multiple IdPs is not supported right now, and having multiple configured
should lead to misconfiguration page.
"""
auth: Change SAML login url scheme, enabling multiple IdP support. The url scheme is now /accounts/login/social/saml/{idp_name} to initiate login using the IdP configured under "idp_name" name. display_name and display_logo (the name and icon to show on the "Log in with" button) can be customized by adding the apprioprate settings in the configured IdP dictionaries.
2019-10-22 18:23:57 +02:00
# Setup a new SOCIAL_AUTH_SAML_ENABLED_IDPS dict with two idps.
# We deepcopy() dictionaries around for the sake of brevity,
# to avoid having to spell them out explicitly here.
# The second idp's configuration is a copy of the first one,
# with name test_idp2 and altered url.
idps_dict = copy.deepcopy(settings.SOCIAL_AUTH_SAML_ENABLED_IDPS)
idps_dict['test_idp2'] = copy.deepcopy(idps_dict['test_idp'])
idps_dict['test_idp2']['url'] = 'https://idp2.example.com/idp/profile/SAML2/Redirect/SSO'
idps_dict['test_idp2']['display_name'] = 'Second Test IdP'
# Run tests with multiple idps configured:
with self.settings(SOCIAL_AUTH_SAML_ENABLED_IDPS=idps_dict):
# Go to the login page and check that buttons to log in show up for both IdPs:
result = self.client_get('/accounts/login/')
self.assert_in_success_response(["Log in with Test IdP"], result)
self.assert_in_success_response(["/accounts/login/social/saml/test_idp"], result)
self.assert_in_success_response(["Log in with Second Test IdP"], result)
self.assert_in_success_response(["/accounts/login/social/saml/test_idp2"], result)
# Try succesful authentication with the regular idp from all previous tests:
self.test_social_auth_success()
# Now test with the second idp:
original_LOGIN_URL = self.LOGIN_URL
original_SIGNUP_URL = self.SIGNUP_URL
original_AUTHORIZATION_URL = self.AUTHORIZATION_URL
self.LOGIN_URL = "/accounts/login/social/saml/test_idp2"
self.SIGNUP_URL = "/accounts/register/social/saml/test_idp2"
self.AUTHORIZATION_URL = idps_dict['test_idp2']['url']
try:
self.test_social_auth_success()
finally:
# Restore original values at the end, regardless of what happens
# in the block above, to avoid affecting other tests in unpredictable
# ways.
self.LOGIN_URL = original_LOGIN_URL
self.SIGNUP_URL = original_SIGNUP_URL
self.AUTHORIZATION_URL = original_AUTHORIZATION_URL
def test_social_auth_saml_login_bad_idp_arg(self) -> None:
for action in ['login', 'register']:
result = self.client_get('/accounts/{}/social/saml'.format(action))
# Missing idp argument.
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, '/config-error/saml')
result = self.client_get('/accounts/{}/social/saml/nonexistent_idp'.format(action))
# No such IdP is configured.
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, '/config-error/saml')
result = self.client_get('/accounts/{}/social/saml/'.format(action))
# No matching url pattern.
self.assertEqual(result.status_code, 404)
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
class GitHubAuthBackendTest(SocialAuthBase):
__unittest_skip__ = False
BACKEND_CLASS = GitHubAuthBackend
CLIENT_KEY_SETTING = "SOCIAL_AUTH_GITHUB_KEY"
auth: Move `ConfigErrorTest` from `test_docs` to `test_auth_backends`. There was some duplicated code to test config error pages for different auths which could be handled with less duplicated code by adding those functions to `SocialAuthBase`. Also moving the other tests makes it easier to access tests related to a backend auth when they are in the same file.
2020-02-15 19:16:16 +01:00
CLIENT_SECRET_SETTING = "SOCIAL_AUTH_GITHUB_SECRET"
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
LOGIN_URL = "/accounts/login/social/github"
SIGNUP_URL = "/accounts/register/social/github"
AUTHORIZATION_URL = "https://github.com/login/oauth/authorize"
ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token"
USER_INFO_URL = "https://api.github.com/user"
AUTH_FINISH_URL = "/complete/github/"
CONFIG_ERROR_URL = "/config-error/github"
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
def register_extra_endpoints(self, requests_mock: responses.RequestsMock,
auth: Fix camel case name for register_extra_endpoints.
2019-07-22 04:26:47 +02:00
account_data_dict: Dict[str, str],
**extra_data: Any) -> None:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
# Keeping a verified email before the primary email makes sure
# get_verified_emails puts the primary email at the start of the
# email list returned as social_associate_user_helper assumes the
# first email as the primary email.
email_data = [
dict(email="notprimary@example.com",
verified=True),
dict(email=account_data_dict["email"],
verified=True,
primary=True),
dict(email="ignored@example.com",
verified=False),
]
email_data = extra_data.get("email_data", email_data)
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
requests_mock.add(
requests_mock.GET,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
"https://api.github.com/user/emails",
status=200,
body=json.dumps(email_data)
)
tests: Replace httpretty with responses. responses is an module analogous to httpretty for mocking external URLs, with a very similar interface (potentially cleaner in that it makes use of context managers). The most important (in the moment) problem with httpretty is that it breaks the ability to use redis in parts of code where httpretty is enabled. From more research, the module in general has tendency to have various troublesome bugs with breaking URLs that it shouldn't be affecting, caused by it working at the socket interface layer. While those issues could be fixed, responses seems to be less buggy (based on both third-party reports like ckan/ckan#4755 and our own experience in removing workarounds for bugs in httpretty) and is more actively maintained.
2020-01-22 17:41:49 +01:00
requests_mock.add(
requests_mock.GET,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
"https://api.github.com/teams/zulip-webapp/members/None",
status=200,
body=json.dumps(email_data)
)
self.email_data = email_data
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def get_account_data_dict(self, email: str, name: str) -> Dict[str, Any]:
return dict(email=email, name=name)
def test_social_auth_email_not_verified(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
email_data = [
dict(email=account_data_dict["email"],
verified=False,
primary=True),
]
with mock.patch('logging.warning') as mock_warning:
result = self.social_auth_test(account_data_dict,
subdomain='zulip',
email_data=email_data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
mock_warning.assert_called_once_with("Social auth (GitHub) failed "
"because user has no verified emails")
@override_settings(SOCIAL_AUTH_GITHUB_TEAM_ID='zulip-webapp')
def test_social_auth_github_team_not_member_failed(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
auth: Monkey patch a fix for Github deprecation notice spam. This is a way to monkey-patch a fix for https://github.com/python-social-auth/social-core/issues/430 Changes from this commit should be reverted once the issue is fixed upstream.
2020-03-01 15:27:36 +01:00
with mock.patch('zproject.backends.GithubTeamBackend.user_data',
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
side_effect=AuthFailed('Not found')), \
mock.patch('logging.info') as mock_info:
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
mock_info.assert_called_once_with("GitHub user is not member of required team")
@override_settings(SOCIAL_AUTH_GITHUB_TEAM_ID='zulip-webapp')
def test_social_auth_github_team_member_success(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
auth: Monkey patch a fix for Github deprecation notice spam. This is a way to monkey-patch a fix for https://github.com/python-social-auth/social-core/issues/430 Changes from this commit should be reverted once the issue is fixed upstream.
2020-03-01 15:27:36 +01:00
with mock.patch('zproject.backends.GithubTeamBackend.user_data',
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
return_value=account_data_dict):
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
subdomain='zulip')
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
social auth tests: Consistently refer to hamlet's name via self.name.
2019-09-29 00:55:10 +02:00
self.assertEqual(data['name'], self.name)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
self.assertEqual(data['subdomain'], 'zulip')
@override_settings(SOCIAL_AUTH_GITHUB_ORG_NAME='Zulip')
def test_social_auth_github_organization_not_member_failed(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
auth: Monkey patch a fix for Github deprecation notice spam. This is a way to monkey-patch a fix for https://github.com/python-social-auth/social-core/issues/430 Changes from this commit should be reverted once the issue is fixed upstream.
2020-03-01 15:27:36 +01:00
with mock.patch('zproject.backends.GithubOrganizationBackend.user_data',
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
side_effect=AuthFailed('Not found')), \
mock.patch('logging.info') as mock_info:
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
mock_info.assert_called_once_with("GitHub user is not member of required organization")
@override_settings(SOCIAL_AUTH_GITHUB_ORG_NAME='Zulip')
def test_social_auth_github_organization_member_success(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
auth: Monkey patch a fix for Github deprecation notice spam. This is a way to monkey-patch a fix for https://github.com/python-social-auth/social-core/issues/430 Changes from this commit should be reverted once the issue is fixed upstream.
2020-03-01 15:27:36 +01:00
with mock.patch('zproject.backends.GithubOrganizationBackend.user_data',
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
return_value=account_data_dict):
result = self.social_auth_test(account_data_dict,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
expect_choose_email_screen=True,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
subdomain='zulip')
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
social auth tests: Consistently refer to hamlet's name via self.name.
2019-09-29 00:55:10 +02:00
self.assertEqual(data['name'], self.name)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
self.assertEqual(data['subdomain'], 'zulip')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
def test_github_auth_enabled(self) -> None:
Refactor GitHub authentication backend tests.
2016-11-01 23:50:35 +01:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.GitHubAuthBackend',)):
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
self.assertTrue(github_auth_enabled())
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
auth: Move GitHub auth tests out of SocialAuthBase. During the time between when we refactored the GitHub authentication backend to use SocialAuthBase and now (when we're about to migrate GoogleAuthBackend to use that code path as well), we accidentally added some GitHub-specific authentication backend tests to the common test class. Fix this by moving them to the GitHub-specific subclass.
2019-07-22 04:26:47 +02:00
def test_github_oauth2_success_non_primary(self) -> None:
account_data_dict = dict(email='nonprimary@zulip.com', name="Non Primary")
email_data = [
dict(email=account_data_dict["email"],
verified=True),
dict(email='hamlet@zulip.com',
verified=True,
primary=True),
dict(email="ignored@example.com",
verified=False),
]
result = self.social_auth_test(account_data_dict,
subdomain='zulip', email_data=email_data,
expect_choose_email_screen=True,
next='/user_uploads/image')
data = load_subdomain_token(result)
self.assertEqual(data['email'], 'nonprimary@zulip.com')
self.assertEqual(data['name'], 'Non Primary')
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(data['next'], '/user_uploads/image')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
def test_github_oauth2_success_single_email(self) -> None:
# If the user has a single email associated with its GitHub account,
# the choose email screen should not be shown and the first email
# should be used for user's signup/login.
account_data_dict = dict(email='not-hamlet@zulip.com', name=self.name)
email_data = [
dict(email='hamlet@zulip.com',
verified=True,
primary=True),
]
result = self.social_auth_test(account_data_dict,
subdomain='zulip',
email_data=email_data,
expect_choose_email_screen=False,
next='/user_uploads/image')
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
social auth tests: Consistently refer to hamlet's name via self.name.
2019-09-29 00:55:10 +02:00
self.assertEqual(data['name'], self.name)
auth: Move GitHub auth tests out of SocialAuthBase. During the time between when we refactored the GitHub authentication backend to use SocialAuthBase and now (when we're about to migrate GoogleAuthBackend to use that code path as well), we accidentally added some GitHub-specific authentication backend tests to the common test class. Fix this by moving them to the GitHub-specific subclass.
2019-07-22 04:26:47 +02:00
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(data['next'], '/user_uploads/image')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
def test_github_oauth2_email_no_reply_dot_github_dot_com(self) -> None:
# As emails ending with `noreply.github.com` are excluded from
# verified_emails, choosing it as an email should raise a `email
# not associated` warning.
auth: Remove `@users.noreply.github.com` from the email selection list. Apparently GitHub changed the email address for these; we need to update our code accordingly. One cannot receive emails on the username@users.noreply.github.com, so if someone tries creating an account with this email address, that person would not be able to verify the account.
2019-08-05 15:15:56 +02:00
account_data_dict = dict(email="hamlet@users.noreply.github.com", name=self.name)
auth: Move GitHub auth tests out of SocialAuthBase. During the time between when we refactored the GitHub authentication backend to use SocialAuthBase and now (when we're about to migrate GoogleAuthBackend to use that code path as well), we accidentally added some GitHub-specific authentication backend tests to the common test class. Fix this by moving them to the GitHub-specific subclass.
2019-07-22 04:26:47 +02:00
email_data = [
dict(email="notprimary@zulip.com",
verified=True),
dict(email="hamlet@zulip.com",
verified=True,
primary=True),
dict(email=account_data_dict["email"],
verified=True),
]
with mock.patch('logging.warning') as mock_warning:
result = self.social_auth_test(account_data_dict,
subdomain='zulip',
expect_choose_email_screen=True,
email_data=email_data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
mock_warning.assert_called_once_with("Social auth (GitHub) failed because user has no verified"
" emails associated with the account")
def test_github_oauth2_email_not_associated(self) -> None:
account_data_dict = dict(email='not-associated@zulip.com', name=self.name)
email_data = [
dict(email='nonprimary@zulip.com',
verified=True,),
dict(email='hamlet@zulip.com',
verified=True,
primary=True),
]
with mock.patch('logging.warning') as mock_warning:
result = self.social_auth_test(account_data_dict,
subdomain='zulip',
expect_choose_email_screen=True,
email_data=email_data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
mock_warning.assert_called_once_with("Social auth (GitHub) failed because user has no verified"
" emails associated with the account")
auth: Add support for GitLab authentication. With some tweaks by tabbott to the documentation and comments. Fixes #13694.
2020-01-31 18:19:53 +01:00
class GitLabAuthBackendTest(SocialAuthBase):
__unittest_skip__ = False
BACKEND_CLASS = GitLabAuthBackend
CLIENT_KEY_SETTING = "SOCIAL_AUTH_GITLAB_KEY"
auth: Move `ConfigErrorTest` from `test_docs` to `test_auth_backends`. There was some duplicated code to test config error pages for different auths which could be handled with less duplicated code by adding those functions to `SocialAuthBase`. Also moving the other tests makes it easier to access tests related to a backend auth when they are in the same file.
2020-02-15 19:16:16 +01:00
CLIENT_SECRET_SETTING = "SOCIAL_AUTH_GITLAB_SECRET"
auth: Add support for GitLab authentication. With some tweaks by tabbott to the documentation and comments. Fixes #13694.
2020-01-31 18:19:53 +01:00
LOGIN_URL = "/accounts/login/social/gitlab"
SIGNUP_URL = "/accounts/register/social/gitlab"
AUTHORIZATION_URL = "https://gitlab.com/oauth/authorize"
ACCESS_TOKEN_URL = "https://gitlab.com/oauth/token"
USER_INFO_URL = "https://gitlab.com/api/v4/user"
AUTH_FINISH_URL = "/complete/gitlab/"
CONFIG_ERROR_URL = "/config-error/gitlab"
def test_gitlab_auth_enabled(self) -> None:
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.GitLabAuthBackend',)):
self.assertTrue(gitlab_auth_enabled())
def get_account_data_dict(self, email: str, name: str) -> Dict[str, Any]:
return dict(email=email, name=name, email_verified=True)
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
class GoogleAuthBackendTest(SocialAuthBase):
__unittest_skip__ = False
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
BACKEND_CLASS = GoogleAuthBackend
CLIENT_KEY_SETTING = "SOCIAL_AUTH_GOOGLE_KEY"
auth: Move `ConfigErrorTest` from `test_docs` to `test_auth_backends`. There was some duplicated code to test config error pages for different auths which could be handled with less duplicated code by adding those functions to `SocialAuthBase`. Also moving the other tests makes it easier to access tests related to a backend auth when they are in the same file.
2020-02-15 19:16:16 +01:00
CLIENT_SECRET_SETTING = "SOCIAL_AUTH_GOOGLE_SECRET"
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
LOGIN_URL = "/accounts/login/social/google"
SIGNUP_URL = "/accounts/register/social/google"
AUTHORIZATION_URL = "https://accounts.google.com/o/oauth2/auth"
ACCESS_TOKEN_URL = "https://accounts.google.com/o/oauth2/token"
USER_INFO_URL = "https://www.googleapis.com/oauth2/v3/userinfo"
AUTH_FINISH_URL = "/complete/google/"
CONFIG_ERROR_URL = "/config-error/google"
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
def get_account_data_dict(self, email: str, name: str) -> Dict[str, Any]:
return dict(email=email, name=name, email_verified=True)
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
def test_social_auth_email_not_verified(self) -> None:
account_data_dict = dict(email=self.email, name=self.name)
with mock.patch('logging.warning') as mock_warning:
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
mock_warning.assert_called_once_with("Social auth (Google) failed "
"because user has no verified emails")
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
auth: Add a test for the legacy /accounts/login/google/ mobile flow. This is needed to return 100% URL coverage, and should also help ensure we don't accidentally break the fix from a43b231f90705a5704fbf178b4fc4e4ac36a2c92.
2019-08-27 05:51:04 +02:00
def test_social_auth_mobile_success_legacy_url(self) -> None:
mobile_flow_otp = '1234abcd' * 8
account_data_dict = self.get_account_data_dict(email=self.email, name='Full Name')
self.assertEqual(len(mail.outbox), 0)
self.user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=JUST_CREATED_THRESHOLD + 1)
self.user_profile.save()
with self.settings(SEND_LOGIN_EMAILS=True):
# Verify that the right thing happens with an invalid-format OTP
result = self.social_auth_test(account_data_dict, subdomain='zulip',
alternative_start_url="/accounts/login/google/",
mobile_flow_otp="1234")
self.assert_json_error(result, "Invalid OTP")
result = self.social_auth_test(account_data_dict, subdomain='zulip',
alternative_start_url="/accounts/login/google/",
mobile_flow_otp="invalido" * 8)
self.assert_json_error(result, "Invalid OTP")
# Now do it correctly
result = self.social_auth_test(account_data_dict, subdomain='zulip',
expect_choose_email_screen=True,
alternative_start_url="/accounts/login/google/",
mobile_flow_otp=mobile_flow_otp)
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
hamlet_api_keys = get_all_api_keys(self.example_user('hamlet'))
self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), hamlet_api_keys)
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
def test_google_auth_enabled(self) -> None:
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleAuthBackend',)):
self.assertTrue(google_auth_enabled())
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
auth: Use tokens, with data stored in redis, for log_into_subdomain. The desktop otp flow (to be added in next commits) will want to generate one-time tokens for the app that will allow it to obtain an authenticated session. log_into_subdomain will be the endpoint to pass the one-time token to. Currently it uses signed data as its input "tokens", which is not compatible with the otp flow, which requires simpler (and fixed-length) token. Thus the correct scheme to use is to store the authenticated data in redis and return a token tied to the data, which should be passed to the log_into_subdomain endpoint. In this commit, we replace the "pass signed data around" scheme with the redis scheme, because there's no point having both.
2020-01-23 12:21:55 +01:00
def get_log_into_subdomain(self, data: Dict[str, Any], *, subdomain: str='zulip',
force_token: Optional[str]=None) -> HttpResponse:
if force_token is None:
token = store_login_data(data)
else:
token = force_token
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
url_path = reverse('zerver.views.auth.log_into_subdomain', args=[token])
return self.client_get(url_path, subdomain=subdomain)
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
def test_redirect_to_next_url_for_log_into_subdomain(self) -> None:
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def test_redirect_to_next_url(next: str='') -> HttpResponse:
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
data = {'name': 'Hamlet',
'email': self.example_email("hamlet"),
'subdomain': 'zulip',
'is_signup': False,
'next': next}
user_profile = self.example_user('hamlet')
with mock.patch(
'zerver.views.auth.authenticate_remote_user',
login_or_register_remote_user: Remove unused invalid_subdomain parameter. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 00:40:30 +02:00
return_value=user_profile):
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
with mock.patch('zerver.views.auth.do_login'):
result = self.get_log_into_subdomain(data)
return result
res = test_redirect_to_next_url()
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver')
res = test_redirect_to_next_url('/user_uploads/path_to_image')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver/user_uploads/path_to_image')
login_redirects: Make redirects to narrows from login page work.
2018-03-12 14:08:12 +01:00
res = test_redirect_to_next_url('/#narrow/stream/7-test-here')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver/#narrow/stream/7-test-here')
auth: Use tokens, with data stored in redis, for log_into_subdomain. The desktop otp flow (to be added in next commits) will want to generate one-time tokens for the app that will allow it to obtain an authenticated session. log_into_subdomain will be the endpoint to pass the one-time token to. Currently it uses signed data as its input "tokens", which is not compatible with the otp flow, which requires simpler (and fixed-length) token. Thus the correct scheme to use is to store the authenticated data in redis and return a token tied to the data, which should be passed to the log_into_subdomain endpoint. In this commit, we replace the "pass signed data around" scheme with the redis scheme, because there's no point having both.
2020-01-23 12:21:55 +01:00
def test_log_into_subdomain_when_token_is_malformed(self) -> None:
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
data = {'name': 'Full Name',
'email': self.example_email("hamlet"),
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': False,
'next': ''}
auth: Use tokens, with data stored in redis, for log_into_subdomain. The desktop otp flow (to be added in next commits) will want to generate one-time tokens for the app that will allow it to obtain an authenticated session. log_into_subdomain will be the endpoint to pass the one-time token to. Currently it uses signed data as its input "tokens", which is not compatible with the otp flow, which requires simpler (and fixed-length) token. Thus the correct scheme to use is to store the authenticated data in redis and return a token tied to the data, which should be passed to the log_into_subdomain endpoint. In this commit, we replace the "pass signed data around" scheme with the redis scheme, because there's no point having both.
2020-01-23 12:21:55 +01:00
with mock.patch("logging.warning") as mock_warn:
result = self.get_log_into_subdomain(data, force_token='nonsense')
mock_warn.assert_called_once_with("log_into_subdomain: Malformed token given: nonsense")
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertEqual(result.status_code, 400)
auth: Use tokens, with data stored in redis, for log_into_subdomain. The desktop otp flow (to be added in next commits) will want to generate one-time tokens for the app that will allow it to obtain an authenticated session. log_into_subdomain will be the endpoint to pass the one-time token to. Currently it uses signed data as its input "tokens", which is not compatible with the otp flow, which requires simpler (and fixed-length) token. Thus the correct scheme to use is to store the authenticated data in redis and return a token tied to the data, which should be passed to the log_into_subdomain endpoint. In this commit, we replace the "pass signed data around" scheme with the redis scheme, because there's no point having both.
2020-01-23 12:21:55 +01:00
def test_log_into_subdomain_when_token_not_found(self) -> None:
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
data = {'name': 'Full Name',
'email': self.example_email("hamlet"),
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': False,
'next': ''}
auth: Use tokens, with data stored in redis, for log_into_subdomain. The desktop otp flow (to be added in next commits) will want to generate one-time tokens for the app that will allow it to obtain an authenticated session. log_into_subdomain will be the endpoint to pass the one-time token to. Currently it uses signed data as its input "tokens", which is not compatible with the otp flow, which requires simpler (and fixed-length) token. Thus the correct scheme to use is to store the authenticated data in redis and return a token tied to the data, which should be passed to the log_into_subdomain endpoint. In this commit, we replace the "pass signed data around" scheme with the redis scheme, because there's no point having both.
2020-01-23 12:21:55 +01:00
with mock.patch("logging.warning") as mock_warn:
token = generate_random_token(LOGIN_TOKEN_LENGTH)
result = self.get_log_into_subdomain(data, force_token=token)
mock_warn.assert_called_once_with("log_into_subdomain: Invalid token given: %s" % (token,))
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
self.assertEqual(result.status_code, 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_is_signup_is_true(self) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
data = {'name': 'Full Name',
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
'email': self.example_email("hamlet"),
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': True,
'next': ''}
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 200)
self.assert_in_response('hamlet@zulip.com already has an account', result)
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
def test_log_into_subdomain_when_is_signup_is_true_and_new_user(self) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
data = {'name': 'New User Name',
'email': 'new@zulip.com',
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': True,
'next': ''}
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": data['name'],
"key": confirmation_key}
result = self.client_post('/accounts/register/', data, subdomain="zulip")
register: Style avatar that shows when importing settings. This styles the avatar and username that show when the registering user is importing their settings from an existing Zulip account. Tweaked by tabbott to fix the test/linter failures, a bit of styling, and tag strings for translation.
2018-06-26 00:33:05 +02:00
self.assert_in_response("We just need you to do one last thing", result)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
register: Don't display field to enter password unless needed. This should significantly improve the user experience for new users signing up with GitHub/Google auth. It comes complete with tests for the various cases. Further work may be needed for LDAP to not prompt for a password, however. Fixes #886.
2017-08-09 22:09:38 +02:00
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
def test_log_into_subdomain_when_is_signup_is_false_and_new_user(self) -> None:
data = {'name': 'New User Name',
'email': 'new@zulip.com',
'subdomain': 'zulip',
'is_signup': False,
'next': ''}
result = self.get_log_into_subdomain(data)
self.assertEqual(result.status_code, 200)
self.assert_in_response('No account found for', result)
portico: Update text on confirm_continue_registration. A common path is a new user goes to realm_uri, which redirects to realm_uri/login, and clicks the google auth button thinking it is a registration button. This commit just changes the wording on the page they land on to be friendlier for that use case.
2018-04-25 02:59:20 +02:00
self.assert_in_response('new@zulip.com.', result)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response('action="http://zulip.testserver/accounts/do_confirm/', result)
url = re.findall('action="(http://zulip.testserver/accounts/do_confirm[^"]*)"', result.content.decode('utf-8'))[0]
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, url)
result = self.client_get(url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": data['name'],
"key": confirmation_key}
result = self.client_post('/accounts/register/', data, subdomain="zulip")
register: Style avatar that shows when importing settings. This styles the avatar and username that show when the registering user is importing their settings from an existing Zulip account. Tweaked by tabbott to fix the test/linter failures, a bit of styling, and tag strings for translation.
2018-06-26 00:33:05 +02:00
self.assert_in_response("We just need you to do one last thing", result)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_using_invite_link(self) -> None:
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
data = {'name': 'New User Name',
'email': 'new@zulip.com',
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': True,
'next': ''}
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
realm = get_realm("zulip")
realm.invite_required = True
realm.save()
stream_names = ["new_stream_1", "new_stream_2"]
streams = []
for stream_name in set(stream_names):
refactoring: Replaced occurences of create_stream_if_needed. Issue #2088 asked for a wrapper to be created for `create_stream_if_needed` (called `ensure_stream`) for the 25 times that `create_stream_if_needed` is called and ignores whether the stream was created. This commit replaces relevant occurences of `create_stream_if_needed` with `ensure_stream`, including imports. The changes weren't significant enough to add any tests or do any additional manual testing. The refactoring intended to make the API easier to use in most cases. The majority of uses of `create_stream_if_needed` ignored the second parameter. Fixes: #2088.
2018-03-21 22:05:21 +01:00
stream = ensure_stream(realm, stream_name)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
streams.append(stream)
# Without the invite link, we can't create an account due to invite_required
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
self.assertEqual(result.status_code, 200)
self.assert_in_success_response(['Sign up for Zulip'], result)
# Now confirm an invitation link works
referrer = self.example_user("hamlet")
multiuse_obj = MultiuseInvite.objects.create(realm=realm, referred_by=referrer)
django-2.0: Don't assign directly to Many-to-Many field. The old pattern of setting the value and then using .save() here has been deprecated. set() also saves the record.
2018-01-31 08:22:07 +01:00
multiuse_obj.streams.set(streams)
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
create_confirmation_link(multiuse_obj, realm.host, Confirmation.MULTIUSE_INVITE)
multiuse_confirmation = Confirmation.objects.all().last()
multiuse_object_key = multiuse_confirmation.confirmation_key
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
data["multiuse_object_key"] = multiuse_object_key
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
result = self.get_log_into_subdomain(data)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().last()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data2 = {"from_confirmation": "1",
"full_name": data['name'],
"key": confirmation_key}
result = self.client_post('/accounts/register/', data2, subdomain="zulip")
register: Style avatar that shows when importing settings. This styles the avatar and username that show when the registering user is importing their settings from an existing Zulip account. Tweaked by tabbott to fix the test/linter failures, a bit of styling, and tag strings for translation.
2018-06-26 00:33:05 +02:00
self.assert_in_response("We just need you to do one last thing", result)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
{'full_name': 'New User Name',
'key': confirmation_key,
'terms': True})
self.assertEqual(result.status_code, 302)
tests: Use users for common_subscribe_to_streams. We also use users for get_streams().
2020-03-09 21:41:26 +01:00
new_user = get_user('new@zulip.com', realm)
new_streams = self.get_streams(new_user)
self.assertEqual(sorted(new_streams), stream_names)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_email_is_none(self) -> None:
authenticate_remote_user: Properly handle None email.
2017-04-18 08:34:29 +02:00
data = {'name': None,
'email': None,
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': False,
'next': ''}
authenticate_remote_user: Properly handle None email.
2017-04-18 08:34:29 +02:00
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
with mock.patch('logging.warning'):
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_success_response(["You need an invitation to join this organization."], result)
authenticate_remote_user: Properly handle None email.
2017-04-18 08:34:29 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_user_cannot_log_into_wrong_subdomain_with_cookie(self) -> None:
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
data = {'name': 'Full Name',
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
'email': self.example_email("hamlet"),
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
'subdomain': 'zephyr'}
auth: Use tokens, with data stored in redis, for log_into_subdomain. The desktop otp flow (to be added in next commits) will want to generate one-time tokens for the app that will allow it to obtain an authenticated session. log_into_subdomain will be the endpoint to pass the one-time token to. Currently it uses signed data as its input "tokens", which is not compatible with the otp flow, which requires simpler (and fixed-length) token. Thus the correct scheme to use is to store the authenticated data in redis and return a token tied to the data, which should be passed to the log_into_subdomain endpoint. In this commit, we replace the "pass signed data around" scheme with the redis scheme, because there's no point having both.
2020-01-23 12:21:55 +01:00
result = self.get_log_into_subdomain(data)
self.assert_json_error(result, "Invalid subdomain")
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
test auth.py: Add tests for json_fetch_api_key function.
2018-01-11 23:08:53 +01:00
class JSONFetchAPIKeyTest(ZulipTestCase):
def test_success(self) -> None:
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
user = self.example_user('hamlet')
self.login_user(user)
test auth.py: Add tests for json_fetch_api_key function.
2018-01-11 23:08:53 +01:00
result = self.client_post("/json/fetch_api_key",
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
dict(user_profile=user,
password=initial_password(user.email)))
test auth.py: Add tests for json_fetch_api_key function.
2018-01-11 23:08:53 +01:00
self.assert_json_success(result)
def test_not_loggedin(self) -> None:
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
user = self.example_user('hamlet')
test auth.py: Add tests for json_fetch_api_key function.
2018-01-11 23:08:53 +01:00
result = self.client_post("/json/fetch_api_key",
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
dict(user_profile=user,
password=initial_password(user.email)))
test auth.py: Add tests for json_fetch_api_key function.
2018-01-11 23:08:53 +01:00
self.assert_json_error(result,
"Not logged in: API authentication or user session required", 401)
def test_wrong_password(self) -> None:
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
user = self.example_user('hamlet')
self.login_user(user)
test auth.py: Add tests for json_fetch_api_key function.
2018-01-11 23:08:53 +01:00
result = self.client_post("/json/fetch_api_key",
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
dict(user_profile=user,
test auth.py: Add tests for json_fetch_api_key function.
2018-01-11 23:08:53 +01:00
password="wrong"))
self.assert_json_error(result, "Your username or password is incorrect.", 400)
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class FetchAPIKeyTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
tests: setUp overrides should call super().setUp(). MigrationsTestCase is intentionally omitted from this, since migrations tests are different in their nature and so whatever setUp() ZulipTestCase may do in the future, MigrationsTestCase may not necessarily want to replicate.
2019-10-19 20:47:00 +02:00
super().setUp()
tests: Use example_user() in more places.
2017-05-07 21:25:59 +02:00
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_success(self) -> None:
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
self.assert_json_success(result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_invalid_email(self) -> None:
api_fetch_api_key: Improve invalid email message. Show a user friendly message to the user if email is invalid. Currently we show a generic message: "Your username or password is incorrect." The only backend which can accept a non-email username is LDAP. So we check if it is enabled before showing the custom message.
2017-04-07 08:21:29 +02:00
result = self.client_post("/api/v1/fetch_api_key",
dict(username='hamlet',
password=initial_password(self.email)))
self.assert_json_error(result, "Enter a valid email address.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_wrong_password(self) -> None:
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password="wrong"))
self.assert_json_error(result, "Your username or password is incorrect.", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_password_auth_disabled(self) -> None:
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
with mock.patch('zproject.backends.password_auth_enabled', return_value=False):
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
self.assert_json_error_contains(result, "Password auth is disabled", 403)
test_auth_backend: Add missing LDAP tests in FetchAPIKeyTest.
2016-11-07 01:41:29 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_auth_email_auth_disabled_success(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.init_default_ldap_database()
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
test_auth_backend: Add missing LDAP tests in FetchAPIKeyTest.
2016-11-07 01:41:29 +01:00
result = self.client_post("/api/v1/fetch_api_key",
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
dict(username=self.example_email('hamlet'),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password=self.ldap_password('hamlet')))
test_auth_backend: Add missing LDAP tests in FetchAPIKeyTest.
2016-11-07 01:41:29 +01:00
self.assert_json_success(result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_inactive_user(self) -> None:
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
do_deactivate_user(self.user_profile)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
self.assert_json_error_contains(result, "Your account has been disabled", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_deactivated_realm(self) -> None:
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
do_deactivate_realm(self.user_profile.realm)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
i18n: Fix use of realm to refer to an organization.
2018-03-08 01:30:34 +01:00
self.assert_json_error_contains(result, "This organization has been deactivated", 403)
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class DevFetchAPIKeyTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
tests: setUp overrides should call super().setUp(). MigrationsTestCase is intentionally omitted from this, since migrations tests are different in their nature and so whatever setUp() ZulipTestCase may do in the future, MigrationsTestCase may not necessarily want to replicate.
2019-10-19 20:47:00 +02:00
super().setUp()
tests: Use example_user() in more places.
2017-05-07 21:25:59 +02:00
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_success(self) -> None:
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
self.assertEqual(data["email"], self.email)
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys.
2018-08-01 10:53:40 +02:00
user_api_keys = get_all_api_keys(self.user_profile)
self.assertIn(data['api_key'], user_api_keys)
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_invalid_email(self) -> None:
api_dev_fetch_api_key: Improve invalid email message. Show a user friendly message to the user if email is invalid. Currently we show a generic message: "Your username or password is incorrect."
2017-04-07 08:21:29 +02:00
email = 'hamlet'
result = self.client_post("/api/v1/dev_fetch_api_key",
dict(username=email))
self.assert_json_error_contains(result, "Enter a valid email address.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_unregistered_user(self) -> None:
api: Handle unregistered users in dev_fetch_api_key. Fixes #4851.
2017-05-22 01:34:21 +02:00
email = 'foo@zulip.com'
result = self.client_post("/api/v1/dev_fetch_api_key",
dict(username=email))
self.assert_json_error_contains(result, "This user is not registered.", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_inactive_user(self) -> None:
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
do_deactivate_user(self.user_profile)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
self.assert_json_error_contains(result, "Your account has been disabled", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_deactivated_realm(self) -> None:
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
do_deactivate_realm(self.user_profile.realm)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
i18n: Fix use of realm to refer to an organization.
2018-03-08 01:30:34 +01:00
self.assert_json_error_contains(result, "This organization has been deactivated", 403)
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_dev_auth_disabled(self) -> None:
views: Split views/auth.py out of core views file.
2016-10-12 04:50:38 +02:00
with mock.patch('zerver.views.auth.dev_auth_enabled', return_value=False):
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
self.assert_json_error_contains(result, "Dev environment not enabled.", 400)
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class DevGetEmailsTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_success(self) -> None:
dev_login: Identify each user's realm when listing them. This is a mobile-specific endpoint used for logging into a dev server. On mobile without this realm_uri it's impossible to send a login request to the corresponding realm on the dev server and proceed further; we can only guess, which doesn't work for using multiple realms. Also rename the endpoint to reflect the additional data. Testing Plan: Sent a request to the endpoint, and inspected the result. [greg: renamed function to match, squashed renames with data change, and adjusted commit message.]
2018-04-05 21:16:56 +02:00
result = self.client_get("/api/v1/dev_list_users")
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
self.assert_json_success(result)
zerver/tests: Use unicode strings. * Use unicode strings for strings containing non-ASCII characters. * Decode response content when text output is expected.
2016-07-12 15:41:45 +02:00
self.assert_in_response("direct_admins", result)
self.assert_in_response("direct_users", result)
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_dev_auth_disabled(self) -> None:
views: Split views/auth.py out of core views file.
2016-10-12 04:50:38 +02:00
with mock.patch('zerver.views.auth.dev_auth_enabled', return_value=False):
dev_login: Identify each user's realm when listing them. This is a mobile-specific endpoint used for logging into a dev server. On mobile without this realm_uri it's impossible to send a login request to the corresponding realm on the dev server and proceed further; we can only guess, which doesn't work for using multiple realms. Also rename the endpoint to reflect the additional data. Testing Plan: Sent a request to the endpoint, and inspected the result. [greg: renamed function to match, squashed renames with data change, and adjusted commit message.]
2018-04-05 21:16:56 +02:00
result = self.client_get("/api/v1/dev_list_users")
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
self.assert_json_error_contains(result, "Dev environment not enabled.", 400)
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
class ExternalMethodDictsTests(ZulipTestCase):
login: Make authentication_methods data available to JavaScript. This is intended to simplify overriding these buttons' controls in the desktop app to do the authentication in the user's default browser.
2020-01-31 15:03:55 +01:00
def get_configured_saml_backend_idp_names(self) -> List[str]:
return settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.keys()
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
def test_get_external_method_dicts_correctly_sorted(self) -> None:
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
with self.settings(
AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.GitHubAuthBackend',
'zproject.backends.GoogleAuthBackend',
auth: Merge RemoteUserBackend into external_authentication_methods. We register ZulipRemoteUserBackend as an external_authentication_method to make it show up in the corresponding field in the /server_settings endpoint. This also allows rendering its login button together with Google/Github/etc. leading to us being able to get rid of some of the code that was handling it as a special case - the js code for plumbing the "next" value and the special {% if only_sso %} block in login.html. An additional consequence of the login.html change is that now the backend will have it button rendered even if it isn't the only backend enabled on the server.
2019-12-10 00:42:12 +01:00
'zproject.backends.ZulipRemoteUserBackend',
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
'zproject.backends.SAMLAuthBackend',
'zproject.backends.AzureADAuthBackend')
):
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
external_auth_methods = get_external_method_dicts()
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
# First backends in the list should be SAML:
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
self.assertIn('saml:', external_auth_methods[0]['name'])
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
self.assertEqual(
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
[social_backend['name'] for social_backend in external_auth_methods[1:]],
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
[social_backend.name for social_backend in sorted(
auth: Merge RemoteUserBackend into external_authentication_methods. We register ZulipRemoteUserBackend as an external_authentication_method to make it show up in the corresponding field in the /server_settings endpoint. This also allows rendering its login button together with Google/Github/etc. leading to us being able to get rid of some of the code that was handling it as a special case - the js code for plumbing the "next" value and the special {% if only_sso %} block in login.html. An additional consequence of the login.html change is that now the backend will have it button rendered even if it isn't the only backend enabled on the server.
2019-12-10 00:42:12 +01:00
[ZulipRemoteUserBackend, GitHubAuthBackend, AzureADAuthBackend, GoogleAuthBackend],
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
key=lambda x: x.sort_order,
reverse=True
)]
)
login: Make authentication_methods data available to JavaScript. This is intended to simplify overriding these buttons' controls in the desktop app to do the authentication in the user's default browser.
2020-01-31 15:03:55 +01:00
def test_get_external_method_buttons(self) -> None:
with self.settings(
AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.GitHubAuthBackend',
'zproject.backends.GoogleAuthBackend',
'zproject.backends.SAMLAuthBackend')
):
saml_idp_names = self.get_configured_saml_backend_idp_names()
expected_button_id_strings = [
'id="{}_auth_button_github"',
'id="{}_auth_button_google"'
]
for name in saml_idp_names:
expected_button_id_strings.append('id="{}_auth_button_saml:%s"' % (name,))
result = self.client_get("/login/")
self.assert_in_success_response([string.format("login") for string in expected_button_id_strings],
result)
result = self.client_get("/register/")
self.assert_in_success_response([string.format("register") for string in expected_button_id_strings],
result)
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class FetchAuthBackends(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def assert_on_error(self, error: Optional[str]) -> None:
auth: Add new route to get server settings. Specifically, this makes easily available to the desktop and mobile apps data on the server's configuration, including important details like the realm icon, name, and description. It deprecates /api/v1/get_auth_backends.
2017-05-04 01:13:56 +02:00
if error:
raise AssertionError(error)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_get_server_settings(self) -> None:
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
def check_result(result: HttpResponse, extra_fields: List[Tuple[str, Validator]]=[]) -> None:
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
authentication_methods_list = [
('password', check_bool),
]
for backend_name_with_case in AUTH_BACKEND_NAME_MAP:
authentication_methods_list.append((backend_name_with_case.lower(), check_bool))
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
external_auth_methods = get_external_method_dicts()
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
self.assert_json_success(result)
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
checker = check_dict_only([
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
('authentication_methods', check_dict_only(authentication_methods_list)),
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
('external_authentication_methods', check_list(None, length=len(external_auth_methods))),
server_settings: Add email auth related features to data sent to clients. This should make it possible for the mobile app to correctly allow non-email addresses as usernames exactly when it makes sense to do so.
2017-09-15 19:13:48 +02:00
('email_auth_enabled', check_bool),
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
('is_incompatible', check_bool),
server_settings: Add email auth related features to data sent to clients. This should make it possible for the mobile app to correctly allow non-email addresses as usernames exactly when it makes sense to do so.
2017-09-15 19:13:48 +02:00
('require_email_format_usernames', check_bool),
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
('realm_uri', check_string),
('zulip_version', check_string),
push notifs: Add a diagnostic in API of whether push notifs enabled. When the answer is False, this will allow the mobile app to show a warning that push notifications will not work and the server admin should set them up. Based partly on Kunal's PR #7810. Provides the necessary backend API for zulip/zulip-mobile#1507.
2018-02-12 23:34:59 +01:00
('push_notifications_enabled', check_bool),
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
('msg', check_string),
('result', check_string),
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
] + extra_fields)
self.assert_on_error(checker("data", result.json()))
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
result = self.client_get("/api/v1/server_settings", subdomain="", HTTP_USER_AGENT="")
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
check_result(result)
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
self.assertEqual(result.json()['external_authentication_methods'], get_external_method_dicts())
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
result = self.client_get("/api/v1/server_settings", subdomain="", HTTP_USER_AGENT="ZulipInvalid")
self.assertTrue(result.json()["is_incompatible"])
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(ROOT_DOMAIN_LANDING_PAGE=False):
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
result = self.client_get("/api/v1/server_settings", subdomain="", HTTP_USER_AGENT="")
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
check_result(result)
with self.settings(ROOT_DOMAIN_LANDING_PAGE=False):
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
result = self.client_get("/api/v1/server_settings", subdomain="zulip", HTTP_USER_AGENT="")
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
check_result(result, [
auth: Add new route to get server settings. Specifically, this makes easily available to the desktop and mobile apps data on the server's configuration, including important details like the realm icon, name, and description. It deprecates /api/v1/get_auth_backends.
2017-05-04 01:13:56 +02:00
('realm_name', check_string),
('realm_description', check_string),
('realm_icon', check_string),
])
api: Remove unused /get_auth_backends endpoint. This legacy endpoint was designed for the original native Zulip mobile apps, which were deprecated years ago in favor of the React Native app. It was replaced by /server_settings for active use years ago, so it's safe to remove it now.
2019-11-01 05:12:11 +01:00
# Verify invalid subdomain
result = self.client_get("/api/v1/server_settings",
subdomain="invalid")
self.assert_json_error_contains(result, "Invalid subdomain", 400)
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
api: Remove unused /get_auth_backends endpoint. This legacy endpoint was designed for the original native Zulip mobile apps, which were deprecated years ago in favor of the React Native app. It was replaced by /server_settings for active use years ago, so it's safe to remove it now.
2019-11-01 05:12:11 +01:00
with self.settings(ROOT_DOMAIN_LANDING_PAGE=True):
# With ROOT_DOMAIN_LANDING_PAGE, homepage fails
result = self.client_get("/api/v1/server_settings",
subdomain="")
self.assert_json_error_contains(result, "Subdomain required", 400)
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
class TestTwoFactor(ZulipTestCase):
def test_direct_dev_login_with_2fa(self) -> None:
email = self.example_email('hamlet')
user_profile = self.example_user('hamlet')
with self.settings(TWO_FACTOR_AUTHENTICATION_ENABLED=True):
data = {'direct_email': email}
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
# User logs in but when otp device doesn't exist.
self.assertNotIn('otp_device_id', self.client.session.keys())
self.create_default_device(user_profile)
data = {'direct_email': email}
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
# User logs in when otp device exists.
self.assertIn('otp_device_id', self.client.session.keys())
@mock.patch('two_factor.models.totp')
def test_two_factor_login_with_ldap(self, mock_totp):
# type: (mock.MagicMock) -> None
token = 123456
email = self.example_email('hamlet')
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password = self.ldap_password('hamlet')
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
user_profile = self.example_user('hamlet')
user_profile.set_password(password)
user_profile.save()
self.create_default_device(user_profile)
def totp(*args, **kwargs):
# type: (*Any, **Any) -> int
return token
mock_totp.side_effect = totp
# Setup LDAP
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.init_default_ldap_database()
ldap_user_attr_map = {'full_name': 'cn', 'short_name': 'sn'}
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
with self.settings(
AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
TWO_FACTOR_CALL_GATEWAY='two_factor.gateways.fake.Fake',
TWO_FACTOR_SMS_GATEWAY='two_factor.gateways.fake.Fake',
TWO_FACTOR_AUTHENTICATION_ENABLED=True,
POPULATE_PROFILE_VIA_LDAP=True,
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map,
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
):
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
first_step_data = {"username": email,
"password": password,
"two_factor_login_view-current_step": "auth"}
result = self.client_post("/accounts/login/", first_step_data)
self.assertEqual(result.status_code, 200)
second_step_data = {"token-otp_token": str(token),
"two_factor_login_view-current_step": "token"}
result = self.client_post("/accounts/login/", second_step_data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result['Location'], 'http://zulip.testserver')
# Going to login page should redirect to `realm.uri` if user is
# already logged in.
result = self.client_get('/accounts/login/')
self.assertEqual(result.status_code, 302)
self.assertEqual(result['Location'], 'http://zulip.testserver')
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
class TestDevAuthBackend(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
data = {'direct_email': email}
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
def test_login_success_with_2fa(self) -> None:
user_profile = self.example_user('hamlet')
self.create_default_device(user_profile)
email = user_profile.email
data = {'direct_email': email}
with self.settings(TWO_FACTOR_AUTHENTICATION_ENABLED=True):
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, 'http://zulip.testserver')
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
self.assertIn('otp_device_id', list(self.client.session.keys()))
auth.py: Make redirects to 'next' url work for dev environment. This makes these redirects work for the local authentication backend.
2018-03-12 12:25:50 +01:00
def test_redirect_to_next_url(self) -> None:
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def do_local_login(formaction: str) -> HttpResponse:
auth.py: Make redirects to 'next' url work for dev environment. This makes these redirects work for the local authentication backend.
2018-03-12 12:25:50 +01:00
user_email = self.example_email('hamlet')
data = {'direct_email': user_email}
return self.client_post(formaction, data)
res = do_local_login('/accounts/login/local/')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver')
res = do_local_login('/accounts/login/local/?next=/user_uploads/path_to_image')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver/user_uploads/path_to_image')
login_redirects: Make redirects to narrows from login page work.
2018-03-12 14:08:12 +01:00
# In local Email based authentication we never make browser send the hash
# to the backend. Rather we depend upon the browser's behaviour of persisting
# hash anchors in between redirect requests. See below stackoverflow conversation
# https://stackoverflow.com/questions/5283395/url-hash-is-persisting-between-redirects
res = do_local_login('/accounts/login/local/?next=#narrow/stream/7-test-here')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver')
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_with_subdomain(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
data = {'direct_email': email}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_post('/accounts/login/local/', data)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
self.assertEqual(result.status_code, 302)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_choose_realm(self) -> None:
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
result = self.client_post('/devlogin/', subdomain="zulip")
auth: Fix devlogin "All realms" view. This was apparently accidentally broken (making it 500) by the refactoring in 9efda71a4b131fea92527f1c3dbb939b8a212b34.
2019-05-21 23:37:21 +02:00
self.assertEqual(result.status_code, 200)
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
self.assert_in_success_response(["Click on a user to log in to Zulip Dev!"], result)
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
result = self.client_post('/devlogin/', subdomain="")
auth: Fix devlogin "All realms" view. This was apparently accidentally broken (making it 500) by the refactoring in 9efda71a4b131fea92527f1c3dbb939b8a212b34.
2019-05-21 23:37:21 +02:00
self.assertEqual(result.status_code, 200)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
self.assert_in_success_response(["Click on a user to log in!"], result)
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
auth: Fix devlogin "All realms" view. This was apparently accidentally broken (making it 500) by the refactoring in 9efda71a4b131fea92527f1c3dbb939b8a212b34.
2019-05-21 23:37:21 +02:00
result = self.client_post('/devlogin/', {'new_realm': 'all_realms'},
subdomain="zephyr")
self.assertEqual(result.status_code, 200)
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in!"], result)
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
data = {'new_realm': 'zephyr'}
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
result = self.client_post('/devlogin/', data, subdomain="zulip")
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "http://zephyr.testserver")
auth: Fix devlogin "All realms" view. This was apparently accidentally broken (making it 500) by the refactoring in 9efda71a4b131fea92527f1c3dbb939b8a212b34.
2019-05-21 23:37:21 +02:00
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
result = self.client_get('/devlogin/', subdomain="zephyr")
auth: Fix devlogin "All realms" view. This was apparently accidentally broken (making it 500) by the refactoring in 9efda71a4b131fea92527f1c3dbb939b8a212b34.
2019-05-21 23:37:21 +02:00
self.assertEqual(result.status_code, 200)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in to MIT!"], result)
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
self.assert_not_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_choose_realm_with_subdomains_enabled(self) -> None:
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
with mock.patch('zerver.views.auth.is_subdomain_root_or_alias', return_value=False):
with mock.patch('zerver.views.auth.get_realm_from_request', return_value=get_realm('zulip')):
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_get("http://zulip.testserver/devlogin/")
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
self.assert_not_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in to Zulip Dev!"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
with mock.patch('zerver.views.auth.get_realm_from_request', return_value=get_realm('zephyr')):
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_post("http://zulip.testserver/devlogin/", {'new_realm': 'zephyr'})
self.assertEqual(result["Location"], "http://zephyr.testserver")
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_get("http://zephyr.testserver/devlogin/")
self.assert_not_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in to MIT!"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
data = {'direct_email': email}
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',)):
test_auth_backends: Remove logger mocking that will fail on Django 2.2. On Django 2.2 there is no longer a logger object in that module, so it's best to remove this mocking as it's not essential to the tests.
2020-02-04 15:29:34 +01:00
response = self.client_post('/accounts/login/local/', data)
self.assertRedirects(response, reverse('dev_not_supported'))
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
auth: Move `ConfigErrorTest` from `test_docs` to `test_auth_backends`. There was some duplicated code to test config error pages for different auths which could be handled with less duplicated code by adding those functions to `SocialAuthBase`. Also moving the other tests makes it easier to access tests related to a backend auth when they are in the same file.
2020-02-15 19:16:16 +01:00
def test_dev_direct_production_config_error(self) -> None:
result = self.client_get("/config-error/dev")
self.assertEqual(result.status_code, 200)
self.assert_in_success_response(["DevAuthBackend"], result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_nonexistent_user(self) -> None:
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
email = 'nonexisting@zulip.com'
data = {'direct_email': email}
test_auth_backends: Remove logger mocking that will fail on Django 2.2. On Django 2.2 there is no longer a logger object in that module, so it's best to remove this mocking as it's not essential to the tests.
2020-02-04 15:29:34 +01:00
response = self.client_post('/accounts/login/local/', data)
self.assertRedirects(response, reverse('dev_not_supported'))
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
auth: Create a new page hop for desktop auth. Create a new page for desktop auth flow, in which users can select one from going to the app or continue the flow in the browser. Co-authored-by: Mateusz Mandera <mateusz.mandera@protonmail.com>
2020-02-17 16:18:09 +01:00
class TestZulipRemoteUserBackend(DesktopFlowTestingLib, ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
self.assertEqual(result.status_code, 302)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_with_sso_append_domain(self) -> None:
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
username = 'hamlet'
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',),
SSO_APPEND_DOMAIN='zulip.com'):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=username)
self.assertEqual(result.status_code, 302)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
auth: Use config_error instead of JsonableError in remote_user_sso.
2019-12-11 23:13:21 +01:00
self.assertEqual(result.status_code, 302)
result = self.client_get(result["Location"])
self.assert_in_response("Authentication via the REMOTE_USER header is", result)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_nonexisting_user(self) -> None:
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
email = 'nonexisting@zulip.com'
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
self.assertEqual(result.status_code, 200)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
frontend: Edit confirm_continue_registration.html to be clearer. Fixes #5707.
2017-07-17 17:31:05 +02:00
self.assert_in_response("No account found for", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_invalid_email(self) -> None:
remote_user_sso: Improve invalid email message. Show a user friendly message to the user if email is invalid. Currently we show a generic message: "Your username or password is incorrect."
2017-04-07 08:21:29 +02:00
email = 'hamlet'
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
self.assert_json_error_contains(result, "Enter a valid email address.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_missing_field(self) -> None:
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/')
auth: Use config_error instead of JsonableError in remote_user_sso.
2019-12-11 23:13:21 +01:00
self.assertEqual(result.status_code, 302)
result = self.client_get(result["Location"])
self.assert_in_response("The REMOTE_USER header is not set.", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_subdomain(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='acme'):
Change bot domains to string_id.EXTERNAL_HOST. Change applies to both subdomains and non-subdomains case, though we use just the EXTERNAL_HOST in the non-subdomains case if there is only 1 realm. Fixes #3903.
2017-03-05 04:17:12 +01:00
result = self.client_post('http://testserver:9080/accounts/login/sso/',
REMOTE_USER=email)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertEqual(result.status_code, 200)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response("You need an invitation to join this organization.", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_empty_subdomain(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value=''):
Change bot domains to string_id.EXTERNAL_HOST. Change applies to both subdomains and non-subdomains case, though we use just the EXTERNAL_HOST in the non-subdomains case if there is only 1 realm. Fixes #3903.
2017-03-05 04:17:12 +01:00
result = self.client_post('http://testserver:9080/accounts/login/sso/',
REMOTE_USER=email)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertEqual(result.status_code, 200)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response("You need an invitation to join this organization.", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_under_subdomains(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='zulip'):
with self.settings(
AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
self.assertEqual(result.status_code, 302)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
@override_settings(SEND_LOGIN_EMAILS=True)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
auth: Handle SSO_APPEND_DOMAIN in remote_user SSO for mobile. Apparently, while the main code path through login_or_register_remote_user was correctly calling remote_user_to_email(username) to get a proper email address for situations where auth username != email (i.e. when SSO_APPEND_DOMAIN is set), we neglected to do so in the mobile_flow_otp corner case. Fixes #11005.
2018-12-10 19:33:52 +01:00
def test_login_mobile_flow_otp_success_email(self) -> None:
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
user_profile = self.example_user('hamlet')
email = user_profile.email
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=61)
user_profile.save()
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
mobile_flow_otp = '1234abcd' * 8
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
# Verify that the right thing happens with an invalid-format OTP
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="1234"),
REMOTE_USER=email,
HTTP_USER_AGENT = "ZulipAndroid")
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="invalido" * 8),
REMOTE_USER=email,
HTTP_USER_AGENT = "ZulipAndroid")
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp=mobile_flow_otp),
REMOTE_USER=email,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
auth: Handle SSO_APPEND_DOMAIN in remote_user SSO for mobile. Apparently, while the main code path through login_or_register_remote_user was correctly calling remote_user_to_email(username) to get a proper email address for situations where auth username != email (i.e. when SSO_APPEND_DOMAIN is set), we neglected to do so in the mobile_flow_otp corner case. Fixes #11005.
2018-12-10 19:33:52 +01:00
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
hamlet_api_keys = get_all_api_keys(self.example_user('hamlet'))
self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), hamlet_api_keys)
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
@override_settings(SEND_LOGIN_EMAILS=True)
@override_settings(SSO_APPEND_DOMAIN="zulip.com")
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
def test_login_mobile_flow_otp_success_username(self) -> None:
user_profile = self.example_user('hamlet')
email = user_profile.email
remote_user = email_to_username(email)
user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=61)
user_profile.save()
mobile_flow_otp = '1234abcd' * 8
# Verify that the right thing happens with an invalid-format OTP
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="1234"),
REMOTE_USER=remote_user,
HTTP_USER_AGENT = "ZulipAndroid")
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
auth: Handle SSO_APPEND_DOMAIN in remote_user SSO for mobile. Apparently, while the main code path through login_or_register_remote_user was correctly calling remote_user_to_email(username) to get a proper email address for situations where auth username != email (i.e. when SSO_APPEND_DOMAIN is set), we neglected to do so in the mobile_flow_otp corner case. Fixes #11005.
2018-12-10 19:33:52 +01:00
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="invalido" * 8),
REMOTE_USER=remote_user,
HTTP_USER_AGENT = "ZulipAndroid")
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
auth: Handle SSO_APPEND_DOMAIN in remote_user SSO for mobile. Apparently, while the main code path through login_or_register_remote_user was correctly calling remote_user_to_email(username) to get a proper email address for situations where auth username != email (i.e. when SSO_APPEND_DOMAIN is set), we neglected to do so in the mobile_flow_otp corner case. Fixes #11005.
2018-12-10 19:33:52 +01:00
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp=mobile_flow_otp),
REMOTE_USER=remote_user,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys.
2018-08-01 10:53:40 +02:00
hamlet_api_keys = get_all_api_keys(self.example_user('hamlet'))
self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), hamlet_api_keys)
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
auth: Support desktop_flow_otp with remote_user_sso.
2020-02-01 17:00:56 +01:00
@override_settings(SEND_LOGIN_EMAILS=True)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',
'zproject.backends.ZulipDummyBackend'))
def test_login_desktop_flow_otp_success_email(self) -> None:
user_profile = self.example_user('hamlet')
email = user_profile.email
user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=61)
user_profile.save()
desktop_flow_otp = '1234abcd' * 8
# Verify that the right thing happens with an invalid-format OTP
result = self.client_post('/accounts/login/sso/',
dict(desktop_flow_otp="1234"),
REMOTE_USER=email)
self.assert_logged_in_user_id(None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(desktop_flow_otp="invalido" * 8),
REMOTE_USER=email)
self.assert_logged_in_user_id(None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(desktop_flow_otp=desktop_flow_otp),
REMOTE_USER=email)
auth: Create a new page hop for desktop auth. Create a new page for desktop auth flow, in which users can select one from going to the app or continue the flow in the browser. Co-authored-by: Mateusz Mandera <mateusz.mandera@protonmail.com>
2020-02-17 16:18:09 +01:00
self.verify_desktop_flow_end_page(result, email, desktop_flow_otp)
auth: Support desktop_flow_otp with remote_user_sso.
2020-02-01 17:00:56 +01:00
@override_settings(SEND_LOGIN_EMAILS=True)
@override_settings(SSO_APPEND_DOMAIN="zulip.com")
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',
'zproject.backends.ZulipDummyBackend'))
def test_login_desktop_flow_otp_success_username(self) -> None:
user_profile = self.example_user('hamlet')
email = user_profile.email
remote_user = email_to_username(email)
user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=61)
user_profile.save()
desktop_flow_otp = '1234abcd' * 8
# Verify that the right thing happens with an invalid-format OTP
result = self.client_post('/accounts/login/sso/',
dict(desktop_flow_otp="1234"),
REMOTE_USER=remote_user)
self.assert_logged_in_user_id(None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(desktop_flow_otp="invalido" * 8),
REMOTE_USER=remote_user)
self.assert_logged_in_user_id(None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(desktop_flow_otp=desktop_flow_otp),
REMOTE_USER=remote_user)
auth: Create a new page hop for desktop auth. Create a new page for desktop auth flow, in which users can select one from going to the app or continue the flow in the browser. Co-authored-by: Mateusz Mandera <mateusz.mandera@protonmail.com>
2020-02-17 16:18:09 +01:00
self.verify_desktop_flow_end_page(result, email, desktop_flow_otp)
auth: Support desktop_flow_otp with remote_user_sso.
2020-02-01 17:00:56 +01:00
auth: Make redirects to next work for REMOTE_USER based Apache SSO. It's possible that this won't work with some versions of the third-party backend, but tabbott has tested carefully that it does work correctly with the Apache basic auth backend in our test environment.
2018-02-24 22:38:48 +01:00
def test_redirect_to(self) -> None:
tests: Replace messy direct test of login_or_register_remote_user. This code path is much more naturally tested with the existing end-to-end test for the function that we have for the RemoteUser auth backend.
2018-04-22 23:14:27 +02:00
"""This test verifies the behavior of the redirect_to logic in
login_or_register_remote_user."""
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def test_with_redirect_to_param_set_as_next(next: str='') -> HttpResponse:
auth: Make redirects to next work for REMOTE_USER based Apache SSO. It's possible that this won't work with some versions of the third-party backend, but tabbott has tested carefully that it does work correctly with the Apache basic auth backend in our test environment.
2018-02-24 22:38:48 +01:00
user_profile = self.example_user('hamlet')
email = user_profile.email
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/?next=' + next, REMOTE_USER=email)
return result
res = test_with_redirect_to_param_set_as_next()
self.assertEqual('http://zulip.testserver', res.url)
res = test_with_redirect_to_param_set_as_next('/user_uploads/image_path')
self.assertEqual('http://zulip.testserver/user_uploads/image_path', res.url)
tests: Replace messy direct test of login_or_register_remote_user. This code path is much more naturally tested with the existing end-to-end test for the function that we have for the RemoteUser auth backend.
2018-04-22 23:14:27 +02:00
# Third-party domains are rejected and just send you to root domain
res = test_with_redirect_to_param_set_as_next('https://rogue.zulip-like.server/login')
self.assertEqual('http://zulip.testserver', res.url)
auth: Make redirects to next work for REMOTE_USER based Apache SSO. It's possible that this won't work with some versions of the third-party backend, but tabbott has tested carefully that it does work correctly with the Apache basic auth backend in our test environment.
2018-02-24 22:38:48 +01:00
# In SSO based auth we never make browser send the hash to the backend.
# Rather we depend upon the browser's behaviour of persisting hash anchors
# in between redirect requests. See below stackoverflow conversation
# https://stackoverflow.com/questions/5283395/url-hash-is-persisting-between-redirects
res = test_with_redirect_to_param_set_as_next('#narrow/stream/7-test-here')
self.assertEqual('http://zulip.testserver', res.url)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
class TestJWTLogin(ZulipTestCase):
"""
JWT uses ZulipDummyBackend.
"""
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
realm = get_realm('zulip')
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = get_user(email, realm)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assertEqual(result.status_code, 302)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_user_is_missing(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'realm': 'zulip.com'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "No user specified in JSON web token claims", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_realm_is_missing(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
i18n: Fix a last few strings mentioning realms.
2018-03-08 02:05:50 +01:00
self.assert_json_error_contains(result, "No organization specified in JSON web token claims", 400)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_key_does_not_exist(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
data = {'json_web_token': 'not relevant'}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Auth key for this subdomain not found.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_key_is_missing(self) -> None:
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
result = self.client_post('/accounts/login/jwt/')
self.assert_json_error_contains(result, "No JSON web token passed in request", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_bad_token_is_passed(self) -> None:
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
result = self.client_post('/accounts/login/jwt/')
self.assert_json_error_contains(result, "No JSON web token passed in request", 400)
data = {'json_web_token': 'bad token'}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Bad JSON web token", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_user_does_not_exist(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'nonexisting', 'realm': 'zulip.com'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
self.assertEqual(result.status_code, 200) # This should ideally be not 200.
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_subdomain(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(JWT_AUTH_KEYS={'acme': 'key'}):
JWT: Filter out logging.warning output in tests.
2017-10-28 00:48:13 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='acme'), \
mock.patch('logging.warning'):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
auth_key = settings.JWT_AUTH_KEYS['acme']
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Wrong subdomain", 400)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_empty_subdomain(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(JWT_AUTH_KEYS={'': 'key'}):
JWT: Filter out logging.warning output in tests.
2017-10-28 00:48:13 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value=''), \
mock.patch('logging.warning'):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
auth_key = settings.JWT_AUTH_KEYS['']
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Wrong subdomain", 400)
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(None)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_under_subdomains(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='zulip'):
auth_key = settings.JWT_AUTH_KEYS['zulip']
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assertEqual(result.status_code, 302)
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
tests: Extract and use assert_logged_in_user_id test helper. This cleans up the pattern for how we check which user is logged in during Zulip's backend unit tests to be much more readable (replacing the arcane session code that does this check).
2019-05-26 22:12:46 +02:00
self.assert_logged_in_user_id(user_profile.id)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
ldap tests: Move test_ldap into test_auth_backends. These tests belong more in test_auth_backends rather than deserving their own separate file.
2019-11-01 23:26:49 +01:00
class DjangoToLDAPUsernameTests(ZulipTestCase):
def setUp(self) -> None:
self.init_default_ldap_database()
self.backend = ZulipLDAPAuthBackend()
def test_django_to_ldap_username_with_append_domain(self) -> None:
with self.settings(LDAP_APPEND_DOMAIN="zulip.com"):
self.assertEqual(self.backend.django_to_ldap_username("hamlet"), "hamlet")
self.assertEqual(self.backend.django_to_ldap_username("hamlet@zulip.com"), "hamlet")
with self.assertRaisesRegex(ZulipLDAPExceptionOutsideDomain,
'Email hamlet@example.com does not match LDAP domain zulip.com.'):
self.backend.django_to_ldap_username("hamlet@example.com")
self.mock_ldap.directory['uid="hamlet@test",ou=users,dc=zulip,dc=com'] = {
"cn": ["King Hamlet"],
"uid": ['"hamlet@test"'],
}
username = self.backend.django_to_ldap_username('"hamlet@test"@zulip.com')
self.assertEqual(username, '"hamlet@test"')
self.mock_ldap.directory['uid="hamlet@test"@zulip,ou=users,dc=zulip,dc=com'] = {
"cn": ["King Hamlet"],
"uid": ['"hamlet@test"@zulip'],
}
username = self.backend.django_to_ldap_username('"hamlet@test"@zulip')
self.assertEqual(username, '"hamlet@test"@zulip')
def test_django_to_ldap_username_with_email_search(self) -> None:
self.assertEqual(self.backend.django_to_ldap_username("hamlet"),
self.ldap_username("hamlet"))
self.assertEqual(self.backend.django_to_ldap_username("hamlet@zulip.com"),
self.ldap_username("hamlet"))
# If there are no matches through the email search, raise exception:
with self.assertRaises(ZulipLDAPExceptionNoMatchingLDAPUser):
self.backend.django_to_ldap_username("no_such_email@example.com")
self.assertEqual(self.backend.django_to_ldap_username("aaron@zulip.com"),
self.ldap_username("aaron"))
with mock.patch("zproject.backends.logging.warning") as mock_warn:
with self.assertRaises(ZulipLDAPExceptionNoMatchingLDAPUser):
self.backend.django_to_ldap_username("shared_email@zulip.com")
mock_warn.assert_called_with("Multiple users with email shared_email@zulip.com found in LDAP.")
# Test on a weird case of a user whose uid is an email and his actual "mail"
# attribute is a different email address:
self.mock_ldap.directory['uid=some_user@organization_a.com,ou=users,dc=zulip,dc=com'] = {
"cn": ["Some User"],
"uid": ['some_user@organization_a.com'],
"mail": ["some_user@contactaddress.com"]
}
self.assertEqual(self.backend.django_to_ldap_username("some_user@contactaddress.com"),
"some_user@organization_a.com")
self.assertEqual(self.backend.django_to_ldap_username("some_user@organization_a.com"),
"some_user@organization_a.com")
# Configure email search for emails in the uid attribute:
with self.settings(AUTH_LDAP_REVERSE_EMAIL_SEARCH=LDAPSearch("ou=users,dc=zulip,dc=com",
ldap.SCOPE_ONELEVEL,
"(uid=%(email)s)")):
self.assertEqual(self.backend.django_to_ldap_username("newuser_email_as_uid@zulip.com"),
"newuser_email_as_uid@zulip.com")
self.mock_ldap.directory['uid="hamlet@test"@zulip.com",ou=users,dc=zulip,dc=com'] = {
"cn": ["King Hamlet"],
"uid": ['"hamlet@test"@zulip.com'],
}
username = self.backend.django_to_ldap_username('"hamlet@test"@zulip.com')
self.assertEqual(username, '"hamlet@test"@zulip.com')
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.ZulipLDAPAuthBackend',))
def test_authenticate_to_ldap_via_email(self) -> None:
"""
With AUTH_LDAP_REVERSE_EMAIL_SEARCH configured, django_to_ldap_username
should be able to translate an email to ldap username,
and thus it should be possible to authenticate through user_profile.email.
"""
realm = get_realm("zulip")
user_profile = self.example_user("hamlet")
password = "testpassword"
user_profile.set_password(password)
user_profile.save()
with self.settings(LDAP_EMAIL_ATTR='mail'):
self.assertEqual(
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
authenticate(request=mock.MagicMock(), username=user_profile.email,
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password=self.ldap_password('hamlet'), realm=realm),
ldap tests: Move test_ldap into test_auth_backends. These tests belong more in test_auth_backends rather than deserving their own separate file.
2019-11-01 23:26:49 +01:00
user_profile)
@override_settings(LDAP_EMAIL_ATTR='mail', LDAP_DEACTIVATE_NON_MATCHING_USERS=True)
def test_sync_user_from_ldap_with_email_attr(self) -> None:
"""In LDAP configurations with LDAP_EMAIL_ATTR configured and
LDAP_DEACTIVATE_NON_MATCHING_USERS set, a possible failure
mode if django_to_ldap_username isn't configured correctly is
all LDAP users having their accounts deactivated. Before the
introduction of AUTH_LDAP_REVERSE_EMAIL_SEARCH, this would happen
even in valid LDAP configurations using LDAP_EMAIL_ATTR.
This test confirms that such a failure mode doesn't happen with
a valid LDAP configuration.
"""
user_profile = self.example_user("hamlet")
with self.settings():
sync_user_from_ldap(user_profile, mock.Mock())
# Syncing didn't deactivate the user:
self.assertTrue(user_profile.is_active)
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
class ZulipLDAPTestCase(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
super().setUp()
self.init_default_ldap_database()
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.setup_subdomain(user_profile)
self.backend = ZulipLDAPAuthBackend()
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
registration: Populate LDAP users using invitation information. Fixes: #11212.
2019-01-16 09:59:01 +01:00
# Internally `_realm` and `_prereg_user` attributes are automatically set
# by the `authenticate()` method. But for testing the `get_or_build_user()`
# method separately, we need to set them manually.
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
self.backend._realm = get_realm('zulip')
registration: Populate LDAP users using invitation information. Fixes: #11212.
2019-01-16 09:59:01 +01:00
self.backend._prereg_user = None
Add LDAP tests.
2016-10-24 14:41:45 +02:00
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def setup_subdomain(self, user_profile: UserProfile) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
realm = user_profile.realm
models.Realm: Rename subdomain to string_id. Does a database migration to rename Realm.subdomain to Realm.string_id, and makes Realm.subdomain a property. Eventually, Realm.string_id will replace Realm.domain as the handle by which we retrieve Realm objects.
2016-10-26 18:13:43 +02:00
realm.string_id = 'zulip'
Add LDAP tests.
2016-10-24 14:41:45 +02:00
realm.save()
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
class TestLDAP(ZulipLDAPTestCase):
auth: Add function for generating test ldap_dir to backends.py. Generates ldap_dir based on the mode and the no. of extra users. It supports three modes, 'a', 'b' and 'c', description for which can be found in prod_settings_templates.py.
2018-08-03 20:05:19 +02:00
def test_generate_dev_ldap_dir(self) -> None:
auth: Use different defaults for name and email for fakeldap. Fixes part of #10297. Use FAKE_LDAP_NUM_USERS which specifies the number of LDAP users instead of FAKE_LDAP_EXTRA_USERS which specified the number of extra users.
2018-08-18 02:35:19 +02:00
ldap_dir = generate_dev_ldap_dir('A', 10)
tests: Stop using fixtures to test generate_dev_ldap_dir. The output of generate_dev_ldap_dir was being tested against the fixture located at zerver/tests/fixtures/ldap_dir.json. This didn't make much sense as generate_dev_ldap_dir was itself used by developers to generate/update the fixtures. Instead, test_generate_dev_ldap_dir checks the structure of the dict returned by generate_dev_ldap_dir. The structure is checked by regex checks, checking whether the dict contains some keys or not, etc.
2018-08-18 04:22:37 +02:00
self.assertEqual(len(ldap_dir), 10)
regex = re.compile(r'(uid\=)+[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+(\,ou\=users\,dc\=zulip\,dc\=com)')
dev_ldap: Add custom profile data.
2019-01-29 14:49:53 +01:00
common_attrs = ['cn', 'userPassword', 'phoneNumber', 'birthDate']
tests: Stop using fixtures to test generate_dev_ldap_dir. The output of generate_dev_ldap_dir was being tested against the fixture located at zerver/tests/fixtures/ldap_dir.json. This didn't make much sense as generate_dev_ldap_dir was itself used by developers to generate/update the fixtures. Instead, test_generate_dev_ldap_dir checks the structure of the dict returned by generate_dev_ldap_dir. The structure is checked by regex checks, checking whether the dict contains some keys or not, etc.
2018-08-18 04:22:37 +02:00
for key, value in ldap_dir.items():
self.assertTrue(regex.match(key))
ldap: Fix development environment configuration. The state of the FAKELDAP setup for the dev env has fallen behind the backend changes and updates to fakeldap (which implemented SCOPE_ONELEVEL searches), as well as having some other minor issues. This commit restore it to a working state and now all three config modes work properly.
2019-11-07 06:57:09 +01:00
self.assertCountEqual(list(value.keys()), common_attrs + ['uid', 'thumbnailPhoto', 'userAccountControl'])
auth: Add function for generating test ldap_dir to backends.py. Generates ldap_dir based on the mode and the no. of extra users. It supports three modes, 'a', 'b' and 'c', description for which can be found in prod_settings_templates.py.
2018-08-03 20:05:19 +02:00
auth: Use different defaults for name and email for fakeldap. Fixes part of #10297. Use FAKE_LDAP_NUM_USERS which specifies the number of LDAP users instead of FAKE_LDAP_EXTRA_USERS which specified the number of extra users.
2018-08-18 02:35:19 +02:00
ldap_dir = generate_dev_ldap_dir('b', 9)
tests: Stop using fixtures to test generate_dev_ldap_dir. The output of generate_dev_ldap_dir was being tested against the fixture located at zerver/tests/fixtures/ldap_dir.json. This didn't make much sense as generate_dev_ldap_dir was itself used by developers to generate/update the fixtures. Instead, test_generate_dev_ldap_dir checks the structure of the dict returned by generate_dev_ldap_dir. The structure is checked by regex checks, checking whether the dict contains some keys or not, etc.
2018-08-18 04:22:37 +02:00
self.assertEqual(len(ldap_dir), 9)
regex = re.compile(r'(uid\=)+[a-zA-Z0-9_.+-]+(\,ou\=users\,dc\=zulip\,dc\=com)')
for key, value in ldap_dir.items():
self.assertTrue(regex.match(key))
ldap: Fix development environment configuration. The state of the FAKELDAP setup for the dev env has fallen behind the backend changes and updates to fakeldap (which implemented SCOPE_ONELEVEL searches), as well as having some other minor issues. This commit restore it to a working state and now all three config modes work properly.
2019-11-07 06:57:09 +01:00
self.assertCountEqual(list(value.keys()), common_attrs + ['uid', 'jpegPhoto'])
auth: Add function for generating test ldap_dir to backends.py. Generates ldap_dir based on the mode and the no. of extra users. It supports three modes, 'a', 'b' and 'c', description for which can be found in prod_settings_templates.py.
2018-08-03 20:05:19 +02:00
auth: Use different defaults for name and email for fakeldap. Fixes part of #10297. Use FAKE_LDAP_NUM_USERS which specifies the number of LDAP users instead of FAKE_LDAP_EXTRA_USERS which specified the number of extra users.
2018-08-18 02:35:19 +02:00
ldap_dir = generate_dev_ldap_dir('c', 8)
tests: Stop using fixtures to test generate_dev_ldap_dir. The output of generate_dev_ldap_dir was being tested against the fixture located at zerver/tests/fixtures/ldap_dir.json. This didn't make much sense as generate_dev_ldap_dir was itself used by developers to generate/update the fixtures. Instead, test_generate_dev_ldap_dir checks the structure of the dict returned by generate_dev_ldap_dir. The structure is checked by regex checks, checking whether the dict contains some keys or not, etc.
2018-08-18 04:22:37 +02:00
self.assertEqual(len(ldap_dir), 8)
regex = re.compile(r'(uid\=)+[a-zA-Z0-9_.+-]+(\,ou\=users\,dc\=zulip\,dc\=com)')
for key, value in ldap_dir.items():
self.assertTrue(regex.match(key))
ldap: Fix development environment configuration. The state of the FAKELDAP setup for the dev env has fallen behind the backend changes and updates to fakeldap (which implemented SCOPE_ONELEVEL searches), as well as having some other minor issues. This commit restore it to a working state and now all three config modes work properly.
2019-11-07 06:57:09 +01:00
self.assertCountEqual(list(value.keys()), common_attrs + ['uid', 'email'])
auth: Add function for generating test ldap_dir to backends.py. Generates ldap_dir based on the mode and the no. of extra users. It supports three modes, 'a', 'b' and 'c', description for which can be found in prod_settings_templates.py.
2018-08-03 20:05:19 +02:00
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Fix development environment configuration. The state of the FAKELDAP setup for the dev env has fallen behind the backend changes and updates to fakeldap (which implemented SCOPE_ONELEVEL searches), as well as having some other minor issues. This commit restore it to a working state and now all three config modes work properly.
2019-11-07 06:57:09 +01:00
def test_dev_ldap_fail_login(self) -> None:
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
# Tests that login with a substring of password fails. We had a bug in
# dev LDAP environment that allowed login via password substrings.
self.mock_ldap.directory = generate_dev_ldap_dir('B', 8)
with self.settings(
ldap: Fix development environment configuration. The state of the FAKELDAP setup for the dev env has fallen behind the backend changes and updates to fakeldap (which implemented SCOPE_ONELEVEL searches), as well as having some other minor issues. This commit restore it to a working state and now all three config modes work properly.
2019-11-07 06:57:09 +01:00
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=zulip,dc=com",
ldap.SCOPE_ONELEVEL, "(uid=%(user)s)"),
AUTH_LDAP_REVERSE_EMAIL_SEARCH = LDAPSearch("ou=users,dc=zulip,dc=com",
ldap.SCOPE_ONELEVEL, "(email=%(email)s)"),
LDAP_APPEND_DOMAIN='zulip.com'
):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
username='ldapuser1', password='dapu',
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
realm=get_realm('zulip'))
assert(user_profile is None)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
username=self.example_email("hamlet"),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password=self.ldap_password('hamlet'),
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'))
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
assert(user_profile is not None)
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
self.assertEqual(user_profile.email, self.example_email("hamlet"))
Add LDAP tests.
2016-10-24 14:41:45 +02:00
ldap: Allow users to login with just LDAP username. We had an inconsistent behavior when `LDAP_APPEND_DOMAIN` was set in that we allowed user to enter username instead of his email in the auth form but later the workflow failed due to a small bug. Fixes: #10917.
2019-01-09 17:58:39 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_login_success_with_username(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
username="hamlet", password=self.ldap_password('hamlet'),
ldap: Allow users to login with just LDAP username. We had an inconsistent behavior when `LDAP_APPEND_DOMAIN` was set in that we allowed user to enter username instead of his email in the auth form but later the workflow failed due to a small bug. Fixes: #10917.
2019-01-09 17:58:39 +01:00
realm=get_realm('zulip'))
assert(user_profile is not None)
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.assertEqual(user_profile, self.example_user("hamlet"))
ldap: Allow users to login with just LDAP username. We had an inconsistent behavior when `LDAP_APPEND_DOMAIN` was set in that we allowed user to enter username instead of his email in the auth form but later the workflow failed due to a small bug. Fixes: #10917.
2019-01-09 17:58:39 +01:00
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_with_email_attr(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(LDAP_EMAIL_ATTR='mail'):
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
username = self.ldap_username("aaron")
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
username=username,
password=self.ldap_password(username),
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'))
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
assert (user_profile is not None)
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.assertEqual(user_profile, self.example_user("aaron"))
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
ldap: Do a proper search for email in email_belongs_to_ldap. This fixes a collection of bugs surrounding LDAP configurations A and C (i.e. LDAP_APPEND_DOMAIN=None) with EmailAuthBackend also enabled. The core problem was that our desired security model in that setting of requiring LDAP authentication for accounts managed by LDAP was not implementable without a way to Now admins can configure an LDAPSearch query that will find if there are users in LDAP that have the email address and email_belongs_to_ldap() will take advantage of that - no longer returning True in response to all requests and thus blocking email backend authentication. In the documentation, we describe this as mandatory configuration for users (and likely will make it so soon in the code) because the failure modes for this not being configured are confusing. But making that change is pending work to improve the relevant error messages. Fixes #11715.
2019-10-05 01:02:46 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.ZulipLDAPAuthBackend',))
def test_email_and_ldap_backends_together(self) -> None:
with self.settings(
LDAP_EMAIL_ATTR='mail',
AUTH_LDAP_REVERSE_EMAIL_SEARCH = LDAPSearch("ou=users,dc=zulip,dc=com",
ldap.SCOPE_ONELEVEL,
"(mail=%(email)s)"),
AUTH_LDAP_USERNAME_ATTR = "uid"
):
realm = get_realm('zulip')
self.assertEqual(email_belongs_to_ldap(realm, self.example_email("aaron")), True)
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
username = self.ldap_username("aaron")
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = ZulipLDAPAuthBackend().authenticate(request=mock.MagicMock(),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
username=username,
password=self.ldap_password(username),
ldap: Do a proper search for email in email_belongs_to_ldap. This fixes a collection of bugs surrounding LDAP configurations A and C (i.e. LDAP_APPEND_DOMAIN=None) with EmailAuthBackend also enabled. The core problem was that our desired security model in that setting of requiring LDAP authentication for accounts managed by LDAP was not implementable without a way to Now admins can configure an LDAPSearch query that will find if there are users in LDAP that have the email address and email_belongs_to_ldap() will take advantage of that - no longer returning True in response to all requests and thus blocking email backend authentication. In the documentation, we describe this as mandatory configuration for users (and likely will make it so soon in the code) because the failure modes for this not being configured are confusing. But making that change is pending work to improve the relevant error messages. Fixes #11715.
2019-10-05 01:02:46 +02:00
realm=realm)
self.assertEqual(user_profile, self.example_user("aaron"))
othello = self.example_user('othello')
password = "testpassword"
othello.set_password(password)
othello.save()
self.assertEqual(email_belongs_to_ldap(realm, othello.email), False)
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = EmailAuthBackend().authenticate(request=mock.MagicMock(),
username=othello.email, password=password,
ldap: Do a proper search for email in email_belongs_to_ldap. This fixes a collection of bugs surrounding LDAP configurations A and C (i.e. LDAP_APPEND_DOMAIN=None) with EmailAuthBackend also enabled. The core problem was that our desired security model in that setting of requiring LDAP authentication for accounts managed by LDAP was not implementable without a way to Now admins can configure an LDAPSearch query that will find if there are users in LDAP that have the email address and email_belongs_to_ldap() will take advantage of that - no longer returning True in response to all requests and thus blocking email backend authentication. In the documentation, we describe this as mandatory configuration for users (and likely will make it so soon in the code) because the failure modes for this not being configured are confusing. But making that change is pending work to improve the relevant error messages. Fixes #11715.
2019-10-05 01:02:46 +02:00
realm=realm)
self.assertEqual(user_profile, othello)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_password(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user = self.backend.authenticate(request=mock.MagicMock(),
username=self.example_email("hamlet"), password='wrong',
authenticate: Remove default values for required parameters. It is now the caller’s responsibility to check that realm is not None. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 01:04:48 +02:00
realm=get_realm('zulip'))
test_auth_backends: Fix indentation.
2017-06-21 10:12:56 +02:00
self.assertIs(user, None)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_nonexistent_user(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user = self.backend.authenticate(request=mock.MagicMock(),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
username='nonexistent@zulip.com',
password="doesnt_matter",
authenticate: Remove default values for required parameters. It is now the caller’s responsibility to check that realm is not None. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 01:04:48 +02:00
realm=get_realm('zulip'))
test_auth_backends: Fix indentation.
2017-06-21 10:12:56 +02:00
self.assertIs(user, None)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_permissions(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
self.assertFalse(backend.has_perm(None, None))
self.assertFalse(backend.has_module_perms(None, None))
self.assertTrue(backend.get_all_permissions(None, None) == set())
self.assertTrue(backend.get_group_permissions(None, None) == set())
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Extract ldap user -> django username mapping logic to a function. Fixes #11878 Instead of a confusing mix of django_auth_backed applying ldap_to_django_username in its internals for one part of the translation, and then custom logic for grabbing it from the email attribute of the ldapuser in ZulipLDAPAuthBackend.get_or_build_user for the second part of the translation, we put all the logic in a single function user_email_from_ldapuser which will be used by get_or_build of both ZulipLDAPUserPopulator and ZulipLDAPAuthBackend. This, building on the previous commits with the email search feature, fixes the ldap sync bug from issue #11878. If we can get upstream django-auth-ldap to merge https://github.com/django-auth-ldap/django-auth-ldap/pull/154, we'll be able to go back to using the version of ldap_to_django_username that accepts a _LDAPUser object.
2019-10-06 00:32:25 +02:00
def test_user_email_from_ldapuser_with_append_domain(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
ldap: Extract ldap user -> django username mapping logic to a function. Fixes #11878 Instead of a confusing mix of django_auth_backed applying ldap_to_django_username in its internals for one part of the translation, and then custom logic for grabbing it from the email attribute of the ldapuser in ZulipLDAPAuthBackend.get_or_build_user for the second part of the translation, we put all the logic in a single function user_email_from_ldapuser which will be used by get_or_build of both ZulipLDAPUserPopulator and ZulipLDAPAuthBackend. This, building on the previous commits with the email search feature, fixes the ldap sync bug from issue #11878. If we can get upstream django-auth-ldap to merge https://github.com/django-auth-ldap/django-auth-ldap/pull/154, we'll be able to go back to using the version of ldap_to_django_username that accepts a _LDAPUser object.
2019-10-06 00:32:25 +02:00
username = backend.user_email_from_ldapuser('this_argument_is_ignored',
_LDAPUser(self.backend, username='"hamlet@test"'))
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertEqual(username, '"hamlet@test"@zulip.com')
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_user_exists(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
backend = self.backend
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
user_profile, created = backend.get_or_build_user(str(email), _LDAPUser())
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertFalse(created)
self.assertEqual(user_profile.email, email)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_user_does_not_exist(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
backend = self.backend
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
email = 'newuser@zulip.com'
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
user_profile, created = backend.get_or_build_user(email, _LDAPUser())
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertTrue(created)
self.assertEqual(user_profile.email, email)
self.assertEqual(user_profile.full_name, 'Full Name')
users: Verify full names explicitly in account registration. I believe this completes the project of ensuring that our recent work on limiting what characters can appears in users' full names covers the entire codebase.
2017-02-08 05:04:14 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_user_has_invalid_name(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
users: Verify full names explicitly in account registration. I believe this completes the project of ensuring that our recent work on limiting what characters can appears in users' full names covers the entire codebase.
2017-02-08 05:04:14 +01:00
attrs = {'fn': ['<invalid name>'], 'sn': ['Short Name']}
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
backend = self.backend
email = 'nonexisting@zulip.com'
with self.assertRaisesRegex(Exception, "Invalid characters in name!"):
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
backend.get_or_build_user(email, _LDAPUser())
users: Verify full names explicitly in account registration. I believe this completes the project of ensuring that our recent work on limiting what characters can appears in users' full names covers the entire codebase.
2017-02-08 05:04:14 +01:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_realm_is_deactivated(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
backend = self.backend
email = 'nonexisting@zulip.com'
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
do_deactivate_realm(backend._realm)
tests: s/assertRaisesRegexp/assertRaisesRegex/ due to deprecation.
2016-12-16 02:11:42 +01:00
with self.assertRaisesRegex(Exception, 'Realm has been deactivated'):
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
backend.get_or_build_user(email, _LDAPUser())
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_ldap_has_no_email_attr(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
nonexisting_attr = 'email'
with self.settings(LDAP_EMAIL_ATTR=nonexisting_attr):
backend = self.backend
email = 'nonexisting@zulip.com'
with self.assertRaisesRegex(Exception, 'LDAP user doesn\'t have the needed email attribute'):
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
backend.get_or_build_user(email, _LDAPUser())
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_get_or_build_user_email(self) -> None:
class _LDAPUser:
attrs = {'fn': ['Test User']}
ldap_user_attr_map = {'full_name': 'fn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
realm = self.backend._realm
realm.emails_restricted_to_domains = False
realm.disallow_disposable_email_addresses = True
realm.save()
email = 'spam@mailnator.com'
with self.assertRaisesRegex(ZulipLDAPException, 'Email validation failed.'):
self.backend.get_or_build_user(email, _LDAPUser())
realm.emails_restricted_to_domains = True
realm.save(update_fields=['emails_restricted_to_domains'])
email = 'spam+spam@mailnator.com'
with self.assertRaisesRegex(ZulipLDAPException, 'Email validation failed.'):
self.backend.get_or_build_user(email, _LDAPUser())
email = 'spam@acme.com'
with self.assertRaisesRegex(ZulipLDAPException, "This email domain isn't allowed in this organization."):
self.backend.get_or_build_user(email, _LDAPUser())
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_get_or_build_user_when_ldap_has_no_full_name_mapping(self) -> None:
class _LDAPUser:
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
with self.settings(AUTH_LDAP_USER_ATTR_MAP={}):
backend = self.backend
email = 'nonexisting@zulip.com'
with self.assertRaisesRegex(Exception, "Missing required mapping for user's full name"):
backend.get_or_build_user(email, _LDAPUser())
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_domain_does_not_match(self) -> None:
LDAP: Restore an except clause and add test to cover it. Most of the paths leading through this except clause were cut in 73e8bba37 "ldap auth: Reassure django_auth_ldap". The remaining one had no test coverage -- the case that leads to it had a narrow unit test, but no test had the exception actually propagate here. As a result, the clause was mistakenly cut, in commit 8d7f961a6 "LDAP: Remove now-impossible except clause.", which could lead to an uncaught exception in production. Restore the except clause, and add a test for it.
2017-09-27 21:30:53 +02:00
with self.settings(LDAP_APPEND_DOMAIN='acme.com'):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
username=self.example_email("hamlet"),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password=self.ldap_password('hamlet'),
authenticate: Remove default values for required parameters. It is now the caller’s responsibility to check that realm is not None. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 01:04:48 +02:00
realm=get_realm('zulip'))
LDAP: Restore an except clause and add test to cover it. Most of the paths leading through this except clause were cut in 73e8bba37 "ldap auth: Reassure django_auth_ldap". The remaining one had no test coverage -- the case that leads to it had a narrow unit test, but no test had the exception actually propagate here. As a result, the clause was mistakenly cut, in commit 8d7f961a6 "LDAP: Remove now-impossible except clause.", which could lead to an uncaught exception in production. Restore the except clause, and add a test for it.
2017-09-27 21:30:53 +02:00
self.assertIs(user_profile, None)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
auth: Remove `invalid_subdomain` restriction from LDAP backend. Fixes: #11692.
2019-03-04 13:16:00 +01:00
def test_login_success_with_different_subdomain(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
ldap_user_attr_map = {'full_name': 'cn', 'short_name': 'sn'}
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
Realm.objects.create(string_id='acme')
Add LDAP tests.
2016-10-24 14:41:45 +02:00
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
auth: Remove `invalid_subdomain` restriction from LDAP backend. Fixes: #11692.
2019-03-04 13:16:00 +01:00
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
username=self.example_email('hamlet'),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password=self.ldap_password('hamlet'),
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
realm=get_realm('acme'))
auth: Remove `invalid_subdomain` restriction from LDAP backend. Fixes: #11692.
2019-03-04 13:16:00 +01:00
self.assertEqual(user_profile.email, self.example_email('hamlet'))
Add LDAP tests.
2016-10-24 14:41:45 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_with_valid_subdomain(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
username=self.example_email("hamlet"),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password=self.ldap_password('hamlet'),
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'))
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
assert(user_profile is not None)
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
self.assertEqual(user_profile.email, self.example_email("hamlet"))
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_deactivated_user(self) -> None:
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
user_profile = self.example_user("hamlet")
do_deactivate_user(user_profile)
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
username=self.example_email("hamlet"),
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password=self.ldap_password('hamlet'),
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
realm=get_realm('zulip'))
self.assertIs(user_profile, None)
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
@override_settings(AUTH_LDAP_USER_ATTR_MAP={
"full_name": "cn",
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
"avatar": "jpegPhoto",
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
})
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
def test_login_success_when_user_does_not_exist_with_valid_subdomain(self) -> None:
RealmDomain.objects.create(realm=self.backend._realm, domain='acme.com')
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(LDAP_APPEND_DOMAIN='acme.com'):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
username='newuser@acme.com',
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password=self.ldap_password("newuser"),
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'))
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
assert(user_profile is not None)
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.assertEqual(user_profile.email, 'newuser@acme.com')
self.assertEqual(user_profile.full_name, 'New LDAP fullname')
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
self.assertEqual(user_profile.realm.string_id, 'zulip')
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
# Verify avatar gets created
self.assertEqual(user_profile.avatar_source, UserProfile.AVATAR_FROM_USER)
result = self.client_get(avatar_url(user_profile))
self.assertEqual(result.status_code, 200)
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_login_success_when_user_does_not_exist_with_split_full_name_mapping(self) -> None:
with self.settings(
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
LDAP_APPEND_DOMAIN='zulip.com',
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
AUTH_LDAP_USER_ATTR_MAP={'first_name': 'sn', 'last_name': 'cn'}):
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
user_profile = self.backend.authenticate(request=mock.MagicMock(),
username='newuser_splitname@zulip.com',
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
password=self.ldap_password("newuser_splitname"),
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
realm=get_realm('zulip'))
assert(user_profile is not None)
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.assertEqual(user_profile.email, 'newuser_splitname@zulip.com')
self.assertEqual(user_profile.full_name, 'First Last')
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
self.assertEqual(user_profile.realm.string_id, 'zulip')
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
class TestZulipLDAPUserPopulator(ZulipLDAPTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_authenticate(self) -> None:
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
backend = ZulipLDAPUserPopulator()
tests: For ldap tests, give each ldap user a unique password. To avoid some hidden bugs in tests caused by every ldap user having the same password, we give each user a different password, generated based on their uids (to avoid some ugly hard-coding in a bunch of places).
2020-02-19 19:40:49 +01:00
result = backend.authenticate(username=self.example_email("hamlet"),
password=self.ldap_password("hamlet"),
authenticate: Remove default values for required parameters. It is now the caller’s responsibility to check that realm is not None. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 01:04:48 +02:00
realm=get_realm('zulip'))
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
self.assertIs(result, None)
Add ZulipAuthMixin tests.
2016-10-26 12:39:09 +02:00
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
def perform_ldap_sync(self, user_profile: UserProfile) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
result = sync_user_from_ldap(user_profile, mock.Mock())
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
self.assertTrue(result)
ldap: Fix unintended user deactivation in case of connection failure. Fixes #13130. django_auth_ldap doesn't give any other way of detecting that LDAPError happened other than catching the signal it emits - so we have to register a receiver. In the receiver we just raise our own Exception which will properly propagate without being silenced by django_auth_ldap. This will stop execution before the user gets deactivated.
2019-09-04 10:11:25 +02:00
@mock.patch("zproject.backends.do_deactivate_user")
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
def test_ldaperror_doesnt_deactivate_user(self, mock_deactivate: mock.MagicMock) -> None:
ldap: Fix unintended user deactivation in case of connection failure. Fixes #13130. django_auth_ldap doesn't give any other way of detecting that LDAPError happened other than catching the signal it emits - so we have to register a receiver. In the receiver we just raise our own Exception which will properly propagate without being silenced by django_auth_ldap. This will stop execution before the user gets deactivated.
2019-09-04 10:11:25 +02:00
"""
This is a test for a bug where failure to connect to LDAP in sync_user_from_ldap
(e.g. due to invalid credentials) would cause the user to be deactivated if
LDAP_DEACTIVATE_NON_MATCHING_USERS was True.
Details: https://github.com/zulip/zulip/issues/13130
"""
with self.settings(
LDAP_DEACTIVATE_NON_MATCHING_USERS=True,
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='wrongpass'):
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
with self.assertRaises(ldap.INVALID_CREDENTIALS):
sync_user_from_ldap(self.example_user('hamlet'), mock.Mock())
mock_deactivate.assert_not_called()
# Make sure other types of LDAPError won't cause deactivation either:
with mock.patch.object(_LDAPUser, '_get_or_create_user', side_effect=ldap.LDAPError):
ldap: Fix unintended user deactivation in case of connection failure. Fixes #13130. django_auth_ldap doesn't give any other way of detecting that LDAPError happened other than catching the signal it emits - so we have to register a receiver. In the receiver we just raise our own Exception which will properly propagate without being silenced by django_auth_ldap. This will stop execution before the user gets deactivated.
2019-09-04 10:11:25 +02:00
with self.assertRaises(PopulateUserLDAPError):
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
sync_user_from_ldap(self.example_user('hamlet'), mock.Mock())
ldap: Fix unintended user deactivation in case of connection failure. Fixes #13130. django_auth_ldap doesn't give any other way of detecting that LDAPError happened other than catching the signal it emits - so we have to register a receiver. In the receiver we just raise our own Exception which will properly propagate without being silenced by django_auth_ldap. This will stop execution before the user gets deactivated.
2019-09-04 10:11:25 +02:00
mock_deactivate.assert_not_called()
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
@override_settings(LDAP_EMAIL_ATTR="mail")
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
def test_populate_user_returns_none(self) -> None:
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
with mock.patch.object(ZulipLDAPUser, 'populate_user', return_value=None):
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
with self.assertRaises(PopulateUserLDAPError):
sync_user_from_ldap(self.example_user('hamlet'), mock.Mock())
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
def test_update_full_name(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.change_ldap_user_attr('hamlet', 'cn', 'New Name')
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
self.assertEqual(hamlet.full_name, 'New Name')
ldap: Fix bad interaction between EMAIL_ADDRESS_VISIBILITY and LDAP sync. A block of LDAP integration code related to data synchronization did not correctly handle EMAIL_ADDRESS_VISIBILITY_ADMINS, as it was accessing .email, not .delivery_email, both for logging and doing the mapping between email addresses and LDAP users. Fixes #13539.
2019-12-15 20:10:09 +01:00
def test_update_with_hidden_emails(self) -> None:
hamlet = self.example_user('hamlet')
realm = get_realm("zulip")
do_set_realm_property(realm, 'email_address_visibility', Realm.EMAIL_ADDRESS_VISIBILITY_ADMINS)
hamlet.refresh_from_db()
self.change_ldap_user_attr('hamlet', 'cn', 'New Name')
self.perform_ldap_sync(hamlet)
hamlet.refresh_from_db()
self.assertEqual(hamlet.full_name, 'New Name')
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
def test_update_split_full_name(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.change_ldap_user_attr('hamlet', 'cn', 'Name')
self.change_ldap_user_attr('hamlet', 'sn', 'Full')
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'first_name': 'sn',
'last_name': 'cn'}):
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
self.assertEqual(hamlet.full_name, 'Full Name')
def test_same_full_name(self) -> None:
with mock.patch('zerver.lib.actions.do_change_full_name') as fn:
self.perform_ldap_sync(self.example_user('hamlet'))
fn.assert_not_called()
def test_too_short_name(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.change_ldap_user_attr('hamlet', 'cn', 'a')
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
with self.assertRaises(ZulipLDAPException):
self.perform_ldap_sync(self.example_user('hamlet'))
def test_deactivate_user(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.change_ldap_user_attr('hamlet', 'userAccountControl', '2')
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'userAccountControl': 'userAccountControl'}):
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
self.assertFalse(hamlet.is_active)
ldap: Fix attempting to sync data for deactivated users. The order of operations for our LDAP synchronization code wasn't correct: We would run the code to sync avatars (etc.) even for deactivated users. Thanks to niels for the report. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-23 22:02:30 +02:00
@mock.patch("zproject.backends.ZulipLDAPAuthBackendBase.sync_full_name_from_ldap")
def test_dont_sync_disabled_ldap_user(self, fake_sync: mock.MagicMock) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.change_ldap_user_attr('hamlet', 'userAccountControl', '2')
ldap: Fix attempting to sync data for deactivated users. The order of operations for our LDAP synchronization code wasn't correct: We would run the code to sync avatars (etc.) even for deactivated users. Thanks to niels for the report. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-23 22:02:30 +02:00
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'userAccountControl': 'userAccountControl'}):
self.perform_ldap_sync(self.example_user('hamlet'))
fake_sync.assert_not_called()
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
def test_reactivate_user(self) -> None:
do_deactivate_user(self.example_user('hamlet'))
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'userAccountControl': 'userAccountControl'}):
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
self.assertTrue(hamlet.is_active)
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
def test_user_in_multiple_realms(self) -> None:
test_realm = do_create_realm('test', 'test', False)
hamlet = self.example_user('hamlet')
hamlet2 = do_create_user(hamlet.email, None, test_realm, hamlet.full_name, hamlet.short_name)
self.change_ldap_user_attr('hamlet', 'cn', 'Second Hamlet')
expected_call_args = [hamlet2, 'Second Hamlet', None]
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn'}):
with mock.patch('zerver.lib.actions.do_change_full_name') as f:
self.perform_ldap_sync(hamlet2)
f.assert_called_once_with(*expected_call_args)
# Get the updated model and make sure the full name is changed correctly:
hamlet2 = get_user(hamlet.email, test_realm)
self.assertEqual(hamlet2.full_name, "Second Hamlet")
# Now get the original hamlet and make he still has his name unchanged:
hamlet = get_user(hamlet.email, get_realm("zulip"))
self.assertEqual(hamlet.full_name, "King Hamlet")
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
def test_user_not_found_in_ldap(self) -> None:
with self.settings(
LDAP_DEACTIVATE_NON_MATCHING_USERS=False,
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
LDAP_APPEND_DOMAIN='zulip.com'):
othello = self.example_user("othello") # othello isn't in our test directory
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
mock_logger = mock.MagicMock()
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
result = sync_user_from_ldap(othello, mock_logger)
mock_logger.warning.assert_called_once_with("Did not find %s in LDAP." % (othello.email,))
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
self.assertFalse(result)
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
do_deactivate_user(othello)
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
mock_logger = mock.MagicMock()
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
result = sync_user_from_ldap(othello, mock_logger)
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
self.assertEqual(mock_logger.method_calls, []) # In this case the logger shouldn't be used.
self.assertFalse(result)
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
def test_update_user_avatar(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
# Hamlet has jpegPhoto set in our test directory by default.
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
with mock.patch('zerver.lib.upload.upload_avatar_image') as fn, \
self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'avatar': 'jpegPhoto'}):
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
self.perform_ldap_sync(self.example_user('hamlet'))
fn.assert_called_once()
hamlet = self.example_user('hamlet')
self.assertEqual(hamlet.avatar_source, UserProfile.AVATAR_FROM_USER)
ldap: Fix LDAP avatar synchronization to check if avatar has changed. When "manage.py sync_ldap_user_data" is run, user avatars are now only updated if they have changed in LDAP. Fixes #12381.
2019-06-28 00:10:58 +02:00
# Verify that the next time we do an LDAP sync, we don't
# end up updating this user's avatar again if the LDAP
# data hasn't changed.
self.perform_ldap_sync(self.example_user('hamlet'))
fn.assert_called_once()
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
# Now verify that if we do change the jpegPhoto image, we
ldap: Fix LDAP avatar synchronization to check if avatar has changed. When "manage.py sync_ldap_user_data" is run, user avatars are now only updated if they have changed in LDAP. Fixes #12381.
2019-06-28 00:10:58 +02:00
# will upload a new avatar.
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.change_ldap_user_attr('hamlet', 'jpegPhoto', static_path("images/logo/zulip-icon-512x512.png"),
binary=True)
ldap: Fix LDAP avatar synchronization to check if avatar has changed. When "manage.py sync_ldap_user_data" is run, user avatars are now only updated if they have changed in LDAP. Fixes #12381.
2019-06-28 00:10:58 +02:00
with mock.patch('zerver.lib.upload.upload_avatar_image') as fn, \
self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'avatar': 'jpegPhoto'}):
ldap: Fix LDAP avatar synchronization to check if avatar has changed. When "manage.py sync_ldap_user_data" is run, user avatars are now only updated if they have changed in LDAP. Fixes #12381.
2019-06-28 00:10:58 +02:00
self.perform_ldap_sync(self.example_user('hamlet'))
fn.assert_called_once()
hamlet = self.example_user('hamlet')
self.assertEqual(hamlet.avatar_source, UserProfile.AVATAR_FROM_USER)
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
@use_s3_backend
def test_update_user_avatar_for_s3(self) -> None:
bucket = create_s3_buckets(settings.S3_AVATAR_BUCKET)[0]
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
test_image_file = get_test_image_file('img.png').name
with open(test_image_file, 'rb') as f:
python: Migrate open statements to use with. This is low priority, but it's nice to be consistently using the best practice pattern. Fixes: #12419.
2019-07-14 21:37:08 +02:00
test_image_data = f.read()
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.change_ldap_user_attr('hamlet', 'jpegPhoto', test_image_data)
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'avatar': 'jpegPhoto'}):
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
path_id = user_avatar_path(hamlet)
original_image_path_id = path_id + ".original"
medium_path_id = path_id + "-medium.png"
original_image_key = bucket.get_key(original_image_path_id)
medium_image_key = bucket.get_key(medium_path_id)
image_data = original_image_key.get_contents_as_string()
self.assertEqual(image_data, test_image_data)
test_medium_image_data = resize_avatar(test_image_data, MEDIUM_AVATAR_SIZE)
medium_image_data = medium_image_key.get_contents_as_string()
self.assertEqual(medium_image_data, test_medium_image_data)
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
# Try to use invalid data as the image:
self.change_ldap_user_attr('hamlet', 'jpegPhoto', b'00' + test_image_data)
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'avatar': 'jpegPhoto'}):
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
with mock.patch('logging.warning') as mock_warning:
self.perform_ldap_sync(self.example_user('hamlet'))
mock_warning.assert_called_once_with(
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'Could not parse jpegPhoto field for user %s' % (hamlet.id,))
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
ldap: Add a setting to automatically deactivate non_matching users. Fixes: #11151.
2019-01-13 13:53:52 +01:00
def test_deactivate_non_matching_users(self) -> None:
with self.settings(LDAP_APPEND_DOMAIN='zulip.com',
LDAP_DEACTIVATE_NON_MATCHING_USERS=True):
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
# othello isn't in our test directory
result = sync_user_from_ldap(self.example_user('othello'), mock.Mock())
ldap: Add a setting to automatically deactivate non_matching users. Fixes: #11151.
2019-01-13 13:53:52 +01:00
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
self.assertTrue(result)
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
othello = self.example_user('othello')
self.assertFalse(othello.is_active)
ldap: Add a setting to automatically deactivate non_matching users. Fixes: #11151.
2019-01-13 13:53:52 +01:00
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
def test_update_custom_profile_field(self) -> None:
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'custom_profile_field__phone_number': 'homePhone',
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
'custom_profile_field__birthday': 'birthDate'}):
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
test_data = [
{
'field_name': 'Phone number',
'expected_value': '123456789',
},
{
'field_name': 'Birthday',
'expected_value': '1900-09-08',
},
]
for test_case in test_data:
field = CustomProfileField.objects.get(realm=hamlet.realm, name=test_case['field_name'])
field_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=field).value
self.assertEqual(field_value, test_case['expected_value'])
def test_update_non_existent_profile_field(self) -> None:
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'custom_profile_field__non_existent': 'homePhone'}):
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
with self.assertRaisesRegex(ZulipLDAPException, 'Custom profile field with name non_existent not found'):
self.perform_ldap_sync(self.example_user('hamlet'))
def test_update_custom_profile_field_invalid_data(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.change_ldap_user_attr('hamlet', 'birthDate', '9999')
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'custom_profile_field__birthday': 'birthDate'}):
with self.assertRaisesRegex(ZulipLDAPException, 'Invalid data for birthday field'):
self.perform_ldap_sync(self.example_user('hamlet'))
def test_update_custom_profile_field_no_mapping(self) -> None:
hamlet = self.example_user('hamlet')
no_op_field = CustomProfileField.objects.get(realm=hamlet.realm, name='Phone number')
expected_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=no_op_field).value
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'custom_profile_field__birthday': 'birthDate'}):
self.perform_ldap_sync(self.example_user('hamlet'))
actual_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=no_op_field).value
self.assertEqual(actual_value, expected_value)
def test_update_custom_profile_field_no_update(self) -> None:
hamlet = self.example_user('hamlet')
phone_number_field = CustomProfileField.objects.get(realm=hamlet.realm, name='Phone number')
birthday_field = CustomProfileField.objects.get(realm=hamlet.realm, name='Birthday')
phone_number_field_value = CustomProfileFieldValue.objects.get(user_profile=hamlet,
field=phone_number_field)
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
phone_number_field_value.value = '123456789'
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
phone_number_field_value.save(update_fields=['value'])
expected_call_args = [hamlet, [
{
'id': birthday_field.id,
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'value': '1900-09-08',
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
},
]]
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'custom_profile_field__birthday': 'birthDate',
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'custom_profile_field__phone_number': 'homePhone'}):
do_update_user_custom_profile_data: Rename to ..._if_changed. This adds clarity to the fact that the function no longer does anything if the field values haven't changed.
2019-10-01 04:22:50 +02:00
with mock.patch('zproject.backends.do_update_user_custom_profile_data_if_changed') as f:
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
self.perform_ldap_sync(self.example_user('hamlet'))
f.assert_called_once_with(*expected_call_args)
ldap: Continue syncing other fields even if a field is missing. Earlier the behavior was to raise an exception thereby stopping the whole sync. Now we log an error message and skip the field. Also fixes the `query_ldap` command to report missing fields without error. Fixes: #11780.
2019-03-05 09:40:40 +01:00
def test_update_custom_profile_field_not_present_in_ldap(self) -> None:
hamlet = self.example_user('hamlet')
no_op_field = CustomProfileField.objects.get(realm=hamlet.realm, name='Birthday')
expected_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=no_op_field).value
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
'custom_profile_field__birthday': 'nonExistantAttr'}):
ldap: Continue syncing other fields even if a field is missing. Earlier the behavior was to raise an exception thereby stopping the whole sync. Now we log an error message and skip the field. Also fixes the `query_ldap` command to report missing fields without error. Fixes: #11780.
2019-03-05 09:40:40 +01:00
self.perform_ldap_sync(self.example_user('hamlet'))
actual_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=no_op_field).value
self.assertEqual(actual_value, expected_value)
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
class TestQueryLDAP(ZulipLDAPTestCase):
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',))
def test_ldap_not_configured(self) -> None:
values = query_ldap(self.example_email('hamlet'))
self.assertEqual(values, ['LDAP backend not configured on this server.'])
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_user_not_present(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
# othello doesn't have an entry in our test directory
values = query_ldap(self.example_email('othello'))
ldap: Improve logging. Our ldap integration is quite sensitive to misconfigurations, so more logging is better than less to help debug those issues. Despite the following docstring on ZulipLDAPException: "Since this inherits from _LDAPUser.AuthenticationFailed, these will be caught and logged at debug level inside django-auth-ldap's authenticate()" We weren't actually logging anything, because debug level messages were ignored due to our general logging settings. It is however desirable to log these errors, as they can prove useful in debugging configuration problems. The django_auth_ldap logger can get fairly spammy on debug level, so we delegate ldap logging to a separate file /var/log/zulip/ldap.log to avoid spamming server.log too much.
2019-12-27 23:03:00 +01:00
self.assert_length(values, 1)
self.assertIn('No such user found', values[0])
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_normal_query(self) -> None:
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'short_name': 'sn',
ldap tests: Change TestQueryLDAP tests to use the test ldap directory. Instead of mocking the _LDAPUser class, these tests can now take advantage of the test directory that other ldap are using. After these changes, test_query_email_attr also verifies that query_ldap can successfully be used to query by user email, if email search is configured.
2019-10-23 00:15:29 +02:00
'avatar': 'jpegPhoto',
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
'custom_profile_field__birthday': 'birthDate',
ldap tests: Change TestQueryLDAP tests to use the test ldap directory. Instead of mocking the _LDAPUser class, these tests can now take advantage of the test directory that other ldap are using. After these changes, test_query_email_attr also verifies that query_ldap can successfully be used to query by user email, if email search is configured.
2019-10-23 00:15:29 +02:00
'custom_profile_field__phone_number': 'nonExistentAttr'
}):
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
values = query_ldap(self.example_email('hamlet'))
ldap tests: Change TestQueryLDAP tests to use the test ldap directory. Instead of mocking the _LDAPUser class, these tests can now take advantage of the test directory that other ldap are using. After these changes, test_query_email_attr also verifies that query_ldap can successfully be used to query by user email, if email search is configured.
2019-10-23 00:15:29 +02:00
self.assertEqual(len(values), 5)
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
self.assertIn('full_name: King Hamlet', values)
self.assertIn('short_name: Hamlet', values)
self.assertIn('avatar: (An avatar image file)', values)
ldap tests: Change TestQueryLDAP tests to use the test ldap directory. Instead of mocking the _LDAPUser class, these tests can now take advantage of the test directory that other ldap are using. After these changes, test_query_email_attr also verifies that query_ldap can successfully be used to query by user email, if email search is configured.
2019-10-23 00:15:29 +02:00
self.assertIn('custom_profile_field__birthday: 1900-09-08', values)
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
self.assertIn('custom_profile_field__phone_number: LDAP field not present', values)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_query_email_attr(self) -> None:
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'short_name': 'sn'},
ldap tests: Change TestQueryLDAP tests to use the test ldap directory. Instead of mocking the _LDAPUser class, these tests can now take advantage of the test directory that other ldap are using. After these changes, test_query_email_attr also verifies that query_ldap can successfully be used to query by user email, if email search is configured.
2019-10-23 00:15:29 +02:00
LDAP_EMAIL_ATTR='mail'):
# This will look up the user by email in our test dictionary,
# should successfully find hamlet's ldap entry.
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
values = query_ldap(self.example_email('hamlet'))
self.assertEqual(len(values), 3)
self.assertIn('full_name: King Hamlet', values)
self.assertIn('short_name: Hamlet', values)
ldap tests: Change TestQueryLDAP tests to use the test ldap directory. Instead of mocking the _LDAPUser class, these tests can now take advantage of the test directory that other ldap are using. After these changes, test_query_email_attr also verifies that query_ldap can successfully be used to query by user email, if email search is configured.
2019-10-23 00:15:29 +02:00
self.assertIn('email: hamlet@zulip.com', values)
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
Add ZulipAuthMixin tests.
2016-10-26 12:39:09 +02:00
class TestZulipAuthMixin(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_get_user(self) -> None:
Add ZulipAuthMixin tests.
2016-10-26 12:39:09 +02:00
backend = ZulipAuthMixin()
result = backend.get_user(11111)
self.assertIs(result, None)
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
class TestPasswordAuthEnabled(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_password_auth_enabled_for_ldap(self) -> None:
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',)):
Remove unnecessary uses of Realm.domain in zerver/tests.
2017-01-08 20:24:05 +01:00
realm = Realm.objects.get(string_id='zulip')
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
self.assertTrue(password_auth_enabled(realm))
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
class TestRequireEmailFormatUsernames(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_ldap_with_append_domain(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
LDAP_APPEND_DOMAIN="zulip.com"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_ldap_with_email_attr(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
LDAP_EMAIL_ATTR="email"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_email_only(self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',)):
realm = Realm.objects.get(string_id='zulip')
self.assertTrue(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_email_and_ldap_with_email_attr(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.ZulipLDAPAuthBackend'),
LDAP_EMAIL_ATTR="email"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_email_and_ldap_with_append_email(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.ZulipLDAPAuthBackend'),
LDAP_APPEND_DOMAIN="zulip.com"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
class TestMaybeSendToRegistration(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_sso_only_when_preregistration_user_does_not_exist(self) -> None:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
rf = RequestFactory()
request = rf.get('/')
request.session = {}
request.user = None
# Creating a mock Django form in order to keep the test simple.
# This form will be returned by the create_hompage_form function
# and will always be valid so that the code that we want to test
# actually runs.
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class Form:
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def is_valid(self) -> bool:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
return True
auth: Eliminate if/else block for PreregUser handling with/without SSO. Both branches did very similar things, and the code is better having common handling in all cases.
2019-12-10 18:45:36 +01:00
with mock.patch('zerver.views.auth.HomepageForm', return_value=Form()):
self.assertEqual(PreregistrationUser.objects.all().count(), 0)
result = maybe_send_to_registration(request, self.example_email("hamlet"), is_signup=True)
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
self.assertEqual(PreregistrationUser.objects.all().count(), 1)
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
tests: Improve test coverage of templates. Addresses part of #1677.
2016-12-01 08:54:21 +01:00
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
self.assert_in_response('value="{0}" name="key"'.format(confirmation_key), result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_sso_only_when_preregistration_user_exists(self) -> None:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
rf = RequestFactory()
request = rf.get('/')
request.session = {}
request.user = None
# Creating a mock Django form in order to keep the test simple.
# This form will be returned by the create_hompage_form function
# and will always be valid so that the code that we want to test
# actually runs.
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class Form:
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def is_valid(self) -> bool:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
return True
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
user = PreregistrationUser(email=email)
user.save()
auth: Eliminate if/else block for PreregUser handling with/without SSO. Both branches did very similar things, and the code is better having common handling in all cases.
2019-12-10 18:45:36 +01:00
with mock.patch('zerver.views.auth.HomepageForm', return_value=Form()):
self.assertEqual(PreregistrationUser.objects.all().count(), 1)
result = maybe_send_to_registration(request, email, is_signup=True)
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
self.assertEqual(PreregistrationUser.objects.all().count(), 1)
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
class TestAdminSetBackends(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_change_enabled_backends(self) -> None:
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Log in as admin
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
self.login('iago')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
result = self.client_patch("/json/realm", {
'authentication_methods': ujson.dumps({u'Email': False, u'Dev': True})})
self.assert_json_success(result)
Rename models.get_realm_by_string_id to get_realm. Finishes the refactoring started in c1bbd8d. The goal of the refactoring is to change the argument to get_realm from a Realm.domain to a Realm.string_id. The steps were * Add a new function, get_realm_by_string_id. * Change all calls to get_realm to use get_realm_by_string_id instead. * Remove get_realm. * (This commit) Rename get_realm_by_string_id to get_realm. Part of a larger migration to remove the Realm.domain field entirely.
2017-01-04 05:30:48 +01:00
realm = get_realm('zulip')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assertFalse(password_auth_enabled(realm))
TestAdminSetBackends: Supply dev_auth_enabled() with realm argument. This fixes the fact that these tests were not correctly running against the actual realm.
2016-11-07 21:20:55 +01:00
self.assertTrue(dev_auth_enabled(realm))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_disable_all_backends(self) -> None:
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Log in as admin
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
self.login('iago')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
result = self.client_patch("/json/realm", {
pep8: Fix E203 violations
2016-12-02 00:08:34 +01:00
'authentication_methods': ujson.dumps({u'Email': False, u'Dev': False})})
admin: Make an error about auth settings not mimic auth errors. This error isn't saying that any kind of authentication or authorization failed -- it's just a validation error like any other validation error in the values the user is asking to set. The thought of authentication comes into it only because the setting happens to be *about* authentication. Fix the error to look like the other validation errors around it, rather than give a 403 HTTP status code and a "reason" field that mimics the "reason" fields in `api_fetch_api_key`.
2017-07-25 02:28:33 +02:00
self.assert_json_error(result, 'At least one authentication method must be enabled.')
Rename models.get_realm_by_string_id to get_realm. Finishes the refactoring started in c1bbd8d. The goal of the refactoring is to change the argument to get_realm from a Realm.domain to a Realm.string_id. The steps were * Add a new function, get_realm_by_string_id. * Change all calls to get_realm to use get_realm_by_string_id instead. * Remove get_realm. * (This commit) Rename get_realm_by_string_id to get_realm. Part of a larger migration to remove the Realm.domain field entirely.
2017-01-04 05:30:48 +01:00
realm = get_realm('zulip')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assertTrue(password_auth_enabled(realm))
TestAdminSetBackends: Supply dev_auth_enabled() with realm argument. This fixes the fact that these tests were not correctly running against the actual realm.
2016-11-07 21:20:55 +01:00
self.assertTrue(dev_auth_enabled(realm))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_supported_backends_only_updated(self) -> None:
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Log in as admin
tests: Limit email-based logins. We now have this API... If you really just need to log in and not do anything with the actual user: self.login('hamlet') If you're gonna use the user in the rest of the test: hamlet = self.example_user('hamlet') self.login_user(hamlet) If you are specifically testing email/password logins (used only in 4 places): self.login_by_email(email, password) And for failures uses this (used twice): self.assert_login_failure(email)
2020-03-06 18:40:46 +01:00
self.login('iago')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Set some supported and unsupported backends
result = self.client_patch("/json/realm", {
pep8: Fix E203 violations
2016-12-02 00:08:34 +01:00
'authentication_methods': ujson.dumps({u'Email': False, u'Dev': True, u'GitHub': False})})
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assert_json_success(result)
Rename models.get_realm_by_string_id to get_realm. Finishes the refactoring started in c1bbd8d. The goal of the refactoring is to change the argument to get_realm from a Realm.domain to a Realm.string_id. The steps were * Add a new function, get_realm_by_string_id. * Change all calls to get_realm to use get_realm_by_string_id instead. * Remove get_realm. * (This commit) Rename get_realm_by_string_id to get_realm. Part of a larger migration to remove the Realm.domain field entirely.
2017-01-04 05:30:48 +01:00
realm = get_realm('zulip')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Check that unsupported backend is not enabled
self.assertFalse(github_auth_enabled(realm))
TestAdminSetBackends: Supply dev_auth_enabled() with realm argument. This fixes the fact that these tests were not correctly running against the actual realm.
2016-11-07 21:20:55 +01:00
self.assertTrue(dev_auth_enabled(realm))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assertFalse(password_auth_enabled(realm))
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
class EmailValidatorTestCase(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_valid_email(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
validate_login_email(self.example_email("hamlet"))
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_invalid_email(self) -> None:
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
with self.assertRaises(JsonableError):
validate_login_email(u'hamlet')
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
def test_validate_email(self) -> None:
inviter = self.example_user('hamlet')
cordelia = self.example_user('cordelia')
tests: Avoid calling actions.validate_email(). We are trying to kill off `validate_email`, so we no longer call it from these tests. These tests are already kind of low-level in nature, so testing the more specific helpers here should be fine. Note that we also make the third parameter to `validate_email` non-optional in this commit, to preserve 100% coverage. This is really just refactoring noise--we will soon eliminate the entire function, but I didn't want to do everything in a huge commit.
2020-03-06 12:47:33 +01:00
realm = inviter.realm
populate_db: Don't restrict email domains by default in tests and dev. The email domain restriction to @zulip.com is annoying in development environment when trying to test sign up. For consistency, it's best to have tests use the same default, and the tests that require domain restriction can be adjusted to set that configuration up for themselves explicitly.
2020-03-06 16:22:23 +01:00
do_set_realm_property(realm, 'emails_restricted_to_domains', True)
inviter.realm.refresh_from_db()
refactor: Extract validate_email_is_valid(). This has two goals: - sets up a future commit to bulk-validate emails - the extracted function is more simple, since it just has errors, and no codes or deactivated flags This commit leaves us in a somewhat funny intermediate state where we have `action.validate_email` being a glorified two-line function with strange parameters, but subsequent commits will clean this up: - we will eliminate validate_email - we will move most of the guts of its other callee to lib/email_validation.py To be clear, the code is correct here, just kinda in an ugly, temporarily-disorganized intermediate state.
2020-03-02 22:26:24 +01:00
error = validate_email_is_valid(
'fred+5555@zulip.com',
tests: Avoid calling actions.validate_email(). We are trying to kill off `validate_email`, so we no longer call it from these tests. These tests are already kind of low-level in nature, so testing the more specific helpers here should be fine. Note that we also make the third parameter to `validate_email` non-optional in this commit, to preserve 100% coverage. This is really just refactoring noise--we will soon eliminate the entire function, but I didn't want to do everything in a huge commit.
2020-03-06 12:47:33 +01:00
get_realm_email_validator(realm),
refactor: Extract validate_email_is_valid(). This has two goals: - sets up a future commit to bulk-validate emails - the extracted function is more simple, since it just has errors, and no codes or deactivated flags This commit leaves us in a somewhat funny intermediate state where we have `action.validate_email` being a glorified two-line function with strange parameters, but subsequent commits will clean this up: - we will eliminate validate_email - we will move most of the guts of its other callee to lib/email_validation.py To be clear, the code is correct here, just kinda in an ugly, temporarily-disorganized intermediate state.
2020-03-02 22:26:24 +01:00
)
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
self.assertIn('containing + are not allowed', error)
tests: Avoid calling actions.validate_email(). We are trying to kill off `validate_email`, so we no longer call it from these tests. These tests are already kind of low-level in nature, so testing the more specific helpers here should be fine. Note that we also make the third parameter to `validate_email` non-optional in this commit, to preserve 100% coverage. This is really just refactoring noise--we will soon eliminate the entire function, but I didn't want to do everything in a huge commit.
2020-03-06 12:47:33 +01:00
errors = get_existing_user_errors(realm, {cordelia.email})
refactor: Avoid hacky use of ValidationError.code. We were using `code` to pass around messages. The `code` field is designed to be a code, not a human-readable message. It's possible that we don't actually need two flavors of messages for these type of validations, but I didn't want to change that yet. We **definitely** don't need to put two types of message in the exception, so I fix that. Instead, I just have the caller ask what level of detail it needs. I added a non-verbose message for the case of system bots. I removed the non-translated version of the message for deactivated accounts, which didn't have test coverage and is slightly more prone to leaking email info that we don't want to leak.
2020-03-05 17:24:47 +01:00
error, is_deactivated = errors[cordelia.email]
invitations: Improve experience around reactivating users. Previously, if you tried to invite a user whose account had been deactivated, we didn't provide a clear path forward for reactivating the users, which was confusing. We fix this by plumbing through to the frontend the information that there is an existing user account with that email address in this organization, but that it's deactivated. For administrators, we provide a link for how to reactivate the user. Fixes #8144.
2019-11-14 11:21:08 +01:00
self.assertEqual(False, is_deactivated)
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
self.assertEqual(error, 'Already has an account.')
cordelia.is_active = False
cordelia.save()
tests: Avoid calling actions.validate_email(). We are trying to kill off `validate_email`, so we no longer call it from these tests. These tests are already kind of low-level in nature, so testing the more specific helpers here should be fine. Note that we also make the third parameter to `validate_email` non-optional in this commit, to preserve 100% coverage. This is really just refactoring noise--we will soon eliminate the entire function, but I didn't want to do everything in a huge commit.
2020-03-06 12:47:33 +01:00
errors = get_existing_user_errors(realm, {cordelia.email})
refactor: Avoid hacky use of ValidationError.code. We were using `code` to pass around messages. The `code` field is designed to be a code, not a human-readable message. It's possible that we don't actually need two flavors of messages for these type of validations, but I didn't want to change that yet. We **definitely** don't need to put two types of message in the exception, so I fix that. Instead, I just have the caller ask what level of detail it needs. I added a non-verbose message for the case of system bots. I removed the non-translated version of the message for deactivated accounts, which didn't have test coverage and is slightly more prone to leaking email info that we don't want to leak.
2020-03-05 17:24:47 +01:00
error, is_deactivated = errors[cordelia.email]
invitations: Improve experience around reactivating users. Previously, if you tried to invite a user whose account had been deactivated, we didn't provide a clear path forward for reactivating the users, which was confusing. We fix this by plumbing through to the frontend the information that there is an existing user account with that email address in this organization, but that it's deactivated. For administrators, we provide a link for how to reactivate the user. Fixes #8144.
2019-11-14 11:21:08 +01:00
self.assertEqual(True, is_deactivated)
invitations: Fix email validation errors for deactivated accounts. This provides a much clearer error message when trying to invite a user who has a deactivated account. Fixes part of #8144.
2019-02-14 13:59:23 +01:00
self.assertEqual(error, 'Account has been deactivated.')
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
tests: Avoid calling actions.validate_email(). We are trying to kill off `validate_email`, so we no longer call it from these tests. These tests are already kind of low-level in nature, so testing the more specific helpers here should be fine. Note that we also make the third parameter to `validate_email` non-optional in this commit, to preserve 100% coverage. This is really just refactoring noise--we will soon eliminate the entire function, but I didn't want to do everything in a huge commit.
2020-03-06 12:47:33 +01:00
errors = get_existing_user_errors(realm, {'fred-is-fine@zulip.com'})
self.assertEqual(errors, {})
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
class LDAPBackendTest(ZulipTestCase):
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_non_existing_realm(self) -> None:
test_auth_backends: Migrate ldap tests to the new format.
2019-10-16 18:10:40 +02:00
self.init_default_ldap_database()
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
email = self.example_email('hamlet')
data = {'username': email, 'password': initial_password(email)}
error_type = ZulipLDAPAuthBackend.REALM_IS_NONE_ERROR
error = ZulipLDAPConfigurationError('Realm is None', error_type)
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
with mock.patch('zproject.backends.ZulipLDAPAuthBackend.get_or_build_user',
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
side_effect=error), \
mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn'):
response = self.client_post('/login/', data)
self.assertEqual(response.status_code, 302)
self.assertEqual(response.url, reverse('ldap_error_realm_is_none'))
response = self.client_get(response.url)
self.assert_in_response('You are trying to login using LDAP '
'without creating an',
response)