Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zerver/tests/test_auth_backends.py

2712 lines
133 KiB
Python
Raw Normal View History

Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# -*- coding: utf-8 -*-
from django.conf import settings
api_fetch_api_key: Send new login emails for mobile.
2017-06-15 07:15:57 +02:00
from django.core import mail
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
from django.http import HttpResponse
Make LoginEmailValidatorTestCase use ZulipTestCase instead of TestCase.
2017-05-25 02:29:42 +02:00
from django.test import override_settings
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
from django_auth_ldap.backend import _LDAPUser
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
from django.contrib.auth import authenticate
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
from django.test.client import RequestFactory
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
from typing import Any, Callable, Dict, List, Optional, Tuple
Add LDAP tests.
2016-10-24 14:41:45 +02:00
from builtins import object
Add Google OAuth2 backend tests.
2016-10-26 12:35:57 +02:00
from oauth2client.crypt import AppIdentityError
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
from django.core import signing
django-2.0: Shift to resolvers from urlresolvers. The old name is deprecated.
2018-01-30 06:05:25 +01:00
from django.urls import reverse
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
import httpretty
import os
import sys
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
import jwt
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
import mock
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
import re
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
import time
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
Refactor views.create_homepage_form into its callers. The indirection is no longer that useful, and obscures Django's conventional style for calling a form.
2016-12-24 04:35:58 +01:00
from zerver.forms import HomepageForm
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
from zerver.lib.actions import (
do_deactivate_realm,
do_deactivate_user,
do_reactivate_realm,
do_reactivate_user,
do_set_realm_authentication_methods,
refactoring: Replaced occurences of create_stream_if_needed. Issue #2088 asked for a wrapper to be created for `create_stream_if_needed` (called `ensure_stream`) for the 25 times that `create_stream_if_needed` is called and ignores whether the stream was created. This commit replaces relevant occurences of `create_stream_if_needed` with `ensure_stream`, including imports. The changes weren't significant enough to add any tests or do any additional manual testing. The refactoring intended to make the API easier to use in most cases. The majority of uses of `create_stream_if_needed` ignored the second parameter. Fixes: #2088.
2018-03-21 22:05:21 +01:00
ensure_stream,
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
)
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
from zerver.lib.mobile_auth_otp import otp_decrypt_api_key
auth: Add new route to get server settings. Specifically, this makes easily available to the desktop and mobile apps data on the server's configuration, including important details like the realm icon, name, and description. It deprecates /api/v1/get_auth_backends.
2017-05-04 01:13:56 +02:00
from zerver.lib.validator import validate_login_email, \
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
check_bool, check_dict_only, check_string, Validator
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
from zerver.lib.request import JsonableError
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
from zerver.lib.initial_password import initial_password
Rename zerver/lib/session_user.py to sessions.py.
2017-03-08 11:43:35 +01:00
from zerver.lib.sessions import get_session_dict_user
tests: Split out ZulipTestCase and WebhookTestCase to a separate file. Fixes #1671.
2016-11-10 19:30:09 +01:00
from zerver.lib.test_classes import (
ZulipTestCase,
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
)
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
from zerver.lib.test_helpers import POSTRequestMock, HostRequestMock
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
from zerver.models import \
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
get_realm, email_to_username, UserProfile, \
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
PreregistrationUser, Realm, get_user, MultiuseInvite
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
from confirmation.models import Confirmation, confirmation_url, create_confirmation_link
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
from zproject.backends import ZulipDummyBackend, EmailAuthBackend, \
GoogleMobileOauth2Backend, ZulipRemoteUserBackend, ZulipLDAPAuthBackend, \
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
ZulipLDAPUserPopulator, DevAuthBackend, GitHubAuthBackend, ZulipAuthMixin, \
auth: Add SocialAuthMixinTest.
2016-11-07 01:44:15 +01:00
dev_auth_enabled, password_auth_enabled, github_auth_enabled, \
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
require_email_format_usernames, SocialAuthMixin, AUTH_BACKEND_NAME_MAP, \
ZulipLDAPConfigurationError
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
from zerver.views.auth import (maybe_send_to_registration,
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
login_or_register_remote_user,
_subdomain_token_salt)
server-version: Add server version to api endpoints. - Add server version to `fetch_initial_state_data`. - Add server version to register event queue api endpoint. - Add server version to `get_auth_backends` api endpoint. - Change source for server version in `home` endpoint. - Fix tests. Fixes #3663
2017-02-27 08:30:26 +01:00
from version import ZULIP_VERSION
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
from social_core.exceptions import AuthFailed, AuthStateForbidden
Revert "github: Call the appropriate authenticate." This reverts commit ab260731a98b8edd4884826cedbb042981e1dfff. The overridden authenticate method was buggy.
2017-04-19 19:05:04 +02:00
from social_django.strategy import DjangoStrategy
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
from social_django.storage import BaseDjangoStorage
from social_core.backends.github import GithubOrganizationOAuth2, GithubTeamOAuth2, \
Add tests for GitHub team and organization auth.
2016-08-02 11:07:45 +02:00
GithubOAuth2
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
import json
Change urllib import to be Python 3-specific.
2017-11-05 05:30:31 +01:00
import urllib
refactor: Remove six.moves.https_cookies import.
2017-11-06 03:07:49 +01:00
from http.cookies import SimpleCookie
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
import ujson
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
from zerver.lib.test_helpers import MockLDAP, load_subdomain_token
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
class AuthBackendTest(ZulipTestCase):
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def get_username(self, email_to_username: Optional[Callable[[str], str]]=None) -> str:
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
username = self.example_email('hamlet')
test_auth_backends.py: Add get_username().
2017-03-28 11:11:29 +02:00
if email_to_username is not None:
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
username = email_to_username(self.example_email('hamlet'))
test_auth_backends.py: Add get_username().
2017-03-28 11:11:29 +02:00
return username
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def verify_backend(self, backend: Any, good_kwargs: Optional[Dict[str, Any]]=None, bad_kwargs: Optional[Dict[str, Any]]=None) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
assert good_kwargs is not None
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# If bad_kwargs was specified, verify auth fails in that case
if bad_kwargs is not None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**bad_kwargs))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Verify auth works
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
result = backend.authenticate(**good_kwargs)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertEqual(user_profile, result)
# Verify auth fails with a deactivated user
do_deactivate_user(user_profile)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Reactivate the user and verify auth works again
do_reactivate_user(user_profile)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
result = backend.authenticate(**good_kwargs)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertEqual(user_profile, result)
# Verify auth fails with a deactivated realm
do_deactivate_realm(user_profile.realm)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Verify auth works again after reactivating the realm
do_reactivate_realm(user_profile.realm)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
result = backend.authenticate(**good_kwargs)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertEqual(user_profile, result)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
# ZulipDummyBackend isn't a real backend so the remainder
# doesn't make sense for it
if isinstance(backend, ZulipDummyBackend):
return
# Verify auth fails if the auth backend is disabled on server
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipDummyBackend',)):
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
# Verify auth fails if the auth backend is disabled for the realm
for backend_name in AUTH_BACKEND_NAME_MAP.keys():
if isinstance(backend, AUTH_BACKEND_NAME_MAP[backend_name]):
break
index = getattr(user_profile.realm.authentication_methods, backend_name).number
user_profile.realm.authentication_methods.set_bit(index, False)
user_profile.realm.save()
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
if 'realm' in good_kwargs:
# Because this test is a little unfaithful to the ordering
# (i.e. we fetched the realm object before this function
# was called, when in fact it should be fetched after we
# changed the allowed authentication methods), we need to
# propagate the changes we just made to the actual realm
# object in good_kwargs.
good_kwargs['realm'] = user_profile.realm
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
user_profile.realm.authentication_methods.set_bit(index, True)
user_profile.realm.save()
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_dummy_backend(self) -> None:
DummyAuthBackend: Require being passed a realm object. We should now always know the realm in our auth code paths.
2017-10-03 02:29:20 +02:00
realm = get_realm("zulip")
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.verify_backend(ZulipDummyBackend(),
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
good_kwargs=dict(username=username,
DummyAuthBackend: Require being passed a realm object. We should now always know the realm in our auth code paths.
2017-10-03 02:29:20 +02:00
realm=realm,
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
use_dummy_backend=True),
bad_kwargs=dict(username=username,
DummyAuthBackend: Require being passed a realm object. We should now always know the realm in our auth code paths.
2017-10-03 02:29:20 +02:00
realm=realm,
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
use_dummy_backend=False))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def setup_subdomain(self, user_profile: UserProfile) -> None:
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
realm = user_profile.realm
models.Realm: Rename subdomain to string_id. Does a database migration to rename Realm.subdomain to Realm.string_id, and makes Realm.subdomain a property. Eventually, Realm.string_id will replace Realm.domain as the handle by which we retrieve Realm objects.
2016-10-26 18:13:43 +02:00
realm.string_id = 'zulip'
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
realm.save()
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_email_auth_backend(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
password = "testpassword"
user_profile.set_password(password)
user_profile.save()
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
with mock.patch('zproject.backends.email_auth_enabled',
return_value=False), \
mock.patch('zproject.backends.password_auth_enabled',
return_value=True):
return_data = {} # type: Dict[str, bool]
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user = EmailAuthBackend().authenticate(self.example_email('hamlet'),
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm("zulip"),
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
password=password,
return_data=return_data)
self.assertEqual(user, None)
self.assertTrue(return_data['email_auth_disabled'])
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
self.verify_backend(EmailAuthBackend(),
good_kwargs=dict(password=password,
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username=username,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
return_data=dict()),
bad_kwargs=dict(password=password,
username=username,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zephyr'),
return_data=dict()))
self.verify_backend(EmailAuthBackend(),
good_kwargs=dict(password=password,
username=username,
realm=get_realm('zulip'),
return_data=dict()),
bad_kwargs=dict(password=password,
username=username,
realm=None,
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
return_data=dict()))
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
zerver/tests: Use python 3 syntax for typing (part 4).
2017-11-20 03:22:57 +01:00
def test_email_auth_backend_disabled_password_auth(self) -> None:
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
password = "testpassword"
user_profile.set_password(password)
user_profile.save()
# Verify if a realm has password auth disabled, correct password is rejected
with mock.patch('zproject.backends.password_auth_enabled', return_value=False):
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
self.assertIsNone(EmailAuthBackend().authenticate(self.example_email('hamlet'),
password,
realm=get_realm("zulip")))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipDummyBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_no_backend_enabled(self) -> None:
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
result = self.client_get('/login/')
self.assert_in_success_response(["No authentication backends are enabled"], result)
result = self.client_get('/register/')
self.assert_in_success_response(["No authentication backends are enabled"], result)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_any_backend_enabled(self) -> None:
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
# testing to avoid false error messages.
result = self.client_get('/login/')
self.assert_not_in_success_response(["No Authentication Backend is enabled."], result)
result = self.client_get('/register/')
self.assert_not_in_success_response(["No Authentication Backend is enabled."], result)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_backend(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
backend = GoogleMobileOauth2Backend()
payload = dict(email_verified=True,
email=email)
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
with mock.patch('apiclient.sample_tools.client.verify_id_token', return_value=payload):
self.verify_backend(backend,
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
good_kwargs=dict(realm=get_realm("zulip")),
bad_kwargs=dict(realm=get_realm('invalid')))
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Verify valid_attestation parameter is set correctly
unverified_payload = dict(email_verified=False)
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
with mock.patch('apiclient.sample_tools.client.verify_id_token',
return_value=unverified_payload):
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
ret = dict() # type: Dict[str, str]
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
result = backend.authenticate(realm=get_realm("zulip"), return_data=ret)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertIsNone(result)
self.assertFalse(ret["valid_attestation"])
nonexistent_user_payload = dict(email_verified=True, email="invalid@zulip.com")
with mock.patch('apiclient.sample_tools.client.verify_id_token',
return_value=nonexistent_user_payload):
ret = dict()
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
result = backend.authenticate(realm=get_realm("zulip"), return_data=ret)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertIsNone(result)
self.assertTrue(ret["valid_attestation"])
Add Google OAuth2 backend tests.
2016-10-26 12:35:57 +02:00
with mock.patch('apiclient.sample_tools.client.verify_id_token',
side_effect=AppIdentityError):
ret = dict()
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
result = backend.authenticate(realm=get_realm("zulip"), return_data=ret)
Add Google OAuth2 backend tests.
2016-10-26 12:35:57 +02:00
self.assertIsNone(result)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_backend(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
password = "test_password"
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
self.setup_subdomain(user_profile)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
backend = ZulipLDAPAuthBackend()
# Test LDAP auth fails when LDAP server rejects password
lint: Fix E127 pep8 violations. Fix pep8: E127 continuation line over-indented for visual indent style issue.
2016-11-30 14:17:35 +01:00
with mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn',
side_effect=_LDAPUser.AuthenticationFailed("Failed")), (
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
mock.patch('django_auth_ldap.backend._LDAPUser._check_requirements')), (
django-auth-ldap: Bump version to 1.3.0. The name of _get_user_attrs was changed to attrs in https://bitbucket.org/illocution/django-auth-ldap/commits/152d40a2a02f6cd5a18360af877f8ef98018eb4a Fixes #8380
2018-02-22 08:32:21 +01:00
mock.patch('django_auth_ldap.backend._LDAPUser.attrs',
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
return_value=dict(full_name=['Hamlet']))):
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
self.assertIsNone(backend.authenticate(email, password, realm=get_realm("zulip")))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
lint: Fix E127 pep8 violations. Fix pep8: E127 continuation line over-indented for visual indent style issue.
2016-11-30 14:17:35 +01:00
with mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn'), (
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
mock.patch('django_auth_ldap.backend._LDAPUser._check_requirements')), (
django-auth-ldap: Bump version to 1.3.0. The name of _get_user_attrs was changed to attrs in https://bitbucket.org/illocution/django-auth-ldap/commits/152d40a2a02f6cd5a18360af877f8ef98018eb4a Fixes #8380
2018-02-22 08:32:21 +01:00
mock.patch('django_auth_ldap.backend._LDAPUser.attrs',
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
return_value=dict(full_name=['Hamlet']))):
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.verify_backend(backend,
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs=dict(username=username,
password=password,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zephyr')),
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
good_kwargs=dict(username=username,
password=password,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip')))
self.verify_backend(backend,
bad_kwargs=dict(username=username,
password=password,
realm=get_realm('acme')),
good_kwargs=dict(username=username,
password=password,
realm=get_realm('zulip')))
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_devauth_backend(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.verify_backend(DevAuthBackend(),
auth: Convert DevAuthBackend to accept a realm object.
2017-11-21 21:19:20 +01:00
good_kwargs=dict(dev_auth_username=self.get_username(),
realm=get_realm("zulip")),
bad_kwargs=dict(dev_auth_username=self.get_username(),
realm=get_realm("invalid")))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_remote_user_backend(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
self.verify_backend(ZulipRemoteUserBackend(),
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
good_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm('zulip')),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm('zephyr')))
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
mypy: Use Python 3 type syntax in tests/test_auth_backends.py.
2017-12-09 06:57:59 +01:00
def test_remote_user_backend_invalid_realm(self) -> None:
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
username = self.get_username()
self.verify_backend(ZulipRemoteUserBackend(),
good_kwargs=dict(remote_user=username,
realm=get_realm('zulip')),
bad_kwargs=dict(remote_user=username,
realm=None))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
@override_settings(SSO_APPEND_DOMAIN='zulip.com')
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_remote_user_backend_sso_append_domain(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username(email_to_username)
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
self.verify_backend(ZulipRemoteUserBackend(),
good_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm("zulip")),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm('zephyr')))
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GitHubAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend(self) -> None:
test: Use example_user() in more places. This commit replaces calls to get_user_profile_by_email() with calls to self.example_user() by introducing a local variable.
2017-05-08 16:23:43 +02:00
user = self.example_user('hamlet')
email = user.email
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
good_kwargs = dict(response=dict(email=email), return_data=dict(),
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
realm=get_realm('zulip'))
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs = dict(response=dict(email=email), return_data=dict(),
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
realm=None)
self.verify_backend(GitHubAuthBackend(),
good_kwargs=good_kwargs,
bad_kwargs=bad_kwargs)
bad_kwargs['realm'] = get_realm("zephyr")
Rename GitHubBackend to GitHubAuthBackend for consistency.
2016-07-29 21:47:14 +02:00
self.verify_backend(GitHubAuthBackend(),
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
good_kwargs=good_kwargs,
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs=bad_kwargs)
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
test_auth_backends: Move ResponseMock earlier in the file. We're going to be using this in the GitHub auth backend as well.
2018-05-21 06:50:27 +02:00
class ResponseMock:
def __init__(self, status_code: int, data: Any) -> None:
self.status_code = status_code
self.data = data
def json(self) -> str:
return self.data
@property
def text(self) -> str:
return "Response text"
auth: Add SocialAuthMixinTest.
2016-11-07 01:44:15 +01:00
class SocialAuthMixinTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_social_auth_mixing(self) -> None:
auth: Add SocialAuthMixinTest.
2016-11-07 01:44:15 +01:00
mixin = SocialAuthMixin()
with self.assertRaises(NotImplementedError):
mixin.get_email_address()
with self.assertRaises(NotImplementedError):
mixin.get_full_name()
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class GitHubAuthBackendTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
tests: Use example_user() in more places.
2017-05-07 21:25:59 +02:00
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
self.name = 'Hamlet'
Rename GitHubBackend to GitHubAuthBackend for consistency.
2016-07-29 21:47:14 +02:00
self.backend = GitHubAuthBackend()
Revert "github: Call the appropriate authenticate." This reverts commit ab260731a98b8edd4884826cedbb042981e1dfff. The overridden authenticate method was buggy.
2017-04-19 19:05:04 +02:00
self.backend.strategy = DjangoStrategy(storage=BaseDjangoStorage())
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
self.user_profile.backend = self.backend
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
rf = RequestFactory()
request = rf.get('/complete')
request.session = {}
backends: convert GitHub auth tests to consistently use zulip subdomain.
2017-09-15 21:39:21 +02:00
request.get_host = lambda: 'zulip.testserver'
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
request.user = self.user_profile
self.backend.strategy.request = request
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
def github_oauth2_test(self, token_data_dict: Dict[str, str], account_data_dict: Dict[str, str],
*, subdomain: Optional[str]=None,
mobile_flow_otp: Optional[str]=None,
is_signup: Optional[str]=None,
next: str='') -> HttpResponse:
url = "/accounts/login/social/github"
params = {}
headers = {}
if subdomain is not None:
headers['HTTP_HOST'] = subdomain + ".testserver"
if mobile_flow_otp is not None:
params['mobile_flow_otp'] = mobile_flow_otp
headers['HTTP_USER_AGENT'] = "ZulipAndroid"
if is_signup is not None:
url = "/accounts/register/social/github"
params['next'] = next
if len(params) > 0:
url += "?%s" % (urllib.parse.urlencode(params))
result = self.client_get(url, **headers)
if result.status_code != 302 or 'http://testserver/login/github/' not in result.url:
return result
result = self.client_get(result.url, **headers)
self.assertEqual(result.status_code, 302)
assert 'https://github.com/login/oauth/authorize' in result.url
self.client.cookies = result.cookies
# Next, the browser requests result["Location"], and gets
# redirected back to /complete/github.
# We register callbacks for the key URLs on github.com that
# /complete/github will call
httpretty.enable()
httpretty.register_uri(
httpretty.POST,
"https://github.com/login/oauth/access_token",
match_querystring=False,
status=200,
body=json.dumps(token_data_dict))
httpretty.register_uri(
httpretty.GET,
"https://api.github.com/user",
status=200,
body=json.dumps(account_data_dict)
)
parsed_url = urllib.parse.urlparse(result.url)
csrf_state = urllib.parse.parse_qs(parsed_url.query)['state']
result = self.client_get("/complete/github/",
dict(state=csrf_state), **headers)
httpretty.disable()
return result
@override_settings(SOCIAL_AUTH_GITHUB_KEY=None)
def test_github_oauth2_no_key(self) -> None:
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
account_data_dict = dict(email=self.email, name=self.name)
result = self.github_oauth2_test(token_data_dict, account_data_dict,
subdomain='zulip', next='/user_uploads/image')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/config-error/github")
def test_github_oauth2_success(self) -> None:
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
account_data_dict = dict(email=self.email, name=self.name)
result = self.github_oauth2_test(token_data_dict, account_data_dict,
subdomain='zulip', next='/user_uploads/image')
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
self.assertEqual(data['name'], 'Hamlet')
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(data['next'], '/user_uploads/image')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
def test_user_cannot_log_into_nonexisting_realm(self) -> None:
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
account_data_dict = dict(email=self.email, name=self.name)
result = self.github_oauth2_test(token_data_dict, account_data_dict,
subdomain='nonexistent')
self.assert_in_success_response(["There is no Zulip organization hosted at this subdomain."],
result)
def test_user_cannot_log_into_wrong_subdomain(self) -> None:
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
account_data_dict = dict(email=self.email, name=self.name)
result = self.github_oauth2_test(token_data_dict, account_data_dict,
subdomain='zephyr')
self.assertTrue(result.url.startswith("http://zephyr.testserver/accounts/login/subdomain/"))
result = self.client_get(result.url.replace('http://zephyr.testserver', ''),
subdomain="zephyr")
self.assert_in_success_response(['Your email address, hamlet@zulip.com, is not in one of the domains ',
'that are allowed to register for accounts in this organization.'], result)
def test_github_oauth2_mobile_success(self) -> None:
mobile_flow_otp = '1234abcd' * 8
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
account_data_dict = dict(email=self.email, name='Full Name')
self.assertEqual(len(mail.outbox), 0)
with self.settings(SEND_LOGIN_EMAILS=True):
# Verify that the right thing happens with an invalid-format OTP
result = self.github_oauth2_test(token_data_dict, account_data_dict, subdomain='zulip',
mobile_flow_otp="1234")
self.assert_json_error(result, "Invalid OTP")
result = self.github_oauth2_test(token_data_dict, account_data_dict, subdomain='zulip',
mobile_flow_otp="invalido" * 8)
self.assert_json_error(result, "Invalid OTP")
# Now do it correctly
result = self.github_oauth2_test(token_data_dict, account_data_dict, subdomain='zulip',
mobile_flow_otp=mobile_flow_otp)
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
self.assertEqual(self.example_user('hamlet').api_key,
otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp))
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
def test_github_oauth2_registration(self) -> None:
"""If the user doesn't exist yet, GitHub auth can be used to register an account"""
email = "newuser@zulip.com"
name = 'Full Name'
realm = get_realm("zulip")
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
account_data_dict = dict(email=email, name=name)
result = self.github_oauth2_test(token_data_dict, account_data_dict,
subdomain='zulip', is_signup='1')
data = load_subdomain_token(result)
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": name,
"key": confirmation_key}
result = self.client_post('/accounts/register/', data)
self.assert_in_response("You're almost there", result)
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
{'full_name': name,
'key': confirmation_key,
'terms': True})
self.assertEqual(result.status_code, 302)
user_profile = get_user(email, realm)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
test_auth_backends: Move github_auth_enabled test to new suite. This is step 1 of a migration to eventually delete the legacy test suite.
2018-05-31 02:29:27 +02:00
def test_github_auth_enabled(self) -> None:
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.GitHubAuthBackend',)):
self.assertTrue(github_auth_enabled())
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
class GitHubAuthBackendLegacyTest(ZulipTestCase):
def setUp(self) -> None:
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
self.name = 'Hamlet'
self.backend = GitHubAuthBackend()
self.backend.strategy = DjangoStrategy(storage=BaseDjangoStorage())
self.user_profile.backend = self.backend
rf = RequestFactory()
request = rf.get('/complete')
request.session = {}
request.get_host = lambda: 'zulip.testserver'
request.user = self.user_profile
self.backend.strategy.request = request
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def do_auth(self, *args: Any, **kwargs: Any) -> UserProfile:
Refactor GitHub authentication backend tests.
2016-11-01 23:50:35 +01:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.GitHubAuthBackend',)):
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
return authenticate(**kwargs)
Refactor GitHub authentication backend tests.
2016-11-01 23:50:35 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_full_name_with_missing_key(self) -> None:
Add tests for GitHubAuthBackend.
2016-10-26 13:57:17 +02:00
self.assertEqual(self.backend.get_full_name(), '')
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
self.assertEqual(self.backend.get_full_name(response={'name': None}), '')
Add tests for GitHubAuthBackend.
2016-10-26 13:57:17 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_full_name_with_none(self) -> None:
github: Return '' when name is None.
2017-03-09 09:45:21 +01:00
self.assertEqual(self.backend.get_full_name(response={'email': None}), '')
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_do_auth_with_non_existing_subdomain(self) -> None:
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
Refactor GitHub authentication backend tests.
2016-11-01 23:50:35 +01:00
side_effect=self.do_auth):
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
self.backend.strategy.session_set('subdomain', 'test')
response = dict(email=self.email, name=self.name)
result = self.backend.do_auth(response=response)
assert(result is not None)
self.assertIn('subdomain=1', result.url)
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_do_auth_with_subdomains(self) -> None:
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
subdomains: Make GitHub login work with subdomains. Fixes #2501.
2016-12-01 13:10:59 +01:00
side_effect=self.do_auth):
backends: convert GitHub auth tests to consistently use zulip subdomain.
2017-09-15 21:39:21 +02:00
self.backend.strategy.session_set('subdomain', 'zulip')
response = dict(email=self.email, name=self.name)
result = self.backend.do_auth(response=response)
assert(result is not None)
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertTrue(result.url.startswith('http://zulip.testserver/accounts/login/subdomain/'))
subdomains: Make GitHub login work with subdomains. Fixes #2501.
2016-12-01 13:10:59 +01:00
test_auth_backends: Add a test for GitHub auth mobile_flow_otp.
2018-04-23 04:53:48 +02:00
@override_settings(SEND_LOGIN_EMAILS=True)
def test_github_backend_do_auth_mobile_otp_flow(self) -> None:
self.backend.strategy.request.META['HTTP_USER_AGENT'] = "ZulipAndroid"
mobile_flow_otp = '1234abcd' * 8
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
side_effect=self.do_auth):
self.backend.strategy.session_set('subdomain', 'zulip')
self.backend.strategy.session_set('mobile_flow_otp', mobile_flow_otp)
response = dict(email=self.email, name=self.name)
result = self.backend.do_auth(response=response)
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
self.assertEqual(self.example_user('hamlet').api_key,
otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp))
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_do_auth_for_default(self) -> None:
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
Refactor GitHub authentication backend tests.
2016-11-01 23:50:35 +01:00
side_effect=self.do_auth), \
Increase test quality for GitHubAuthBackendTest.
2016-10-11 15:14:50 +02:00
mock.patch('zproject.backends.SocialAuthMixin.process_do_auth') as result:
auth: Set the subdomain in more GitHub auth tests. This should have been set in basically all of these tests to set them up properly, and this issue will matter after upcoming changes.
2017-11-22 00:46:34 +01:00
self.backend.strategy.session_set('subdomain', 'zulip')
pep8: Fix E225 pep8 violations.
2016-11-28 23:29:01 +01:00
response = dict(email=self.email, name=self.name)
Add tests for GitHub team and organization auth.
2016-08-02 11:07:45 +02:00
self.backend.do_auth('fake-access-token', response=response)
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
kwargs = {'realm': get_realm('zulip'),
Increase test quality for GitHubAuthBackendTest.
2016-10-11 15:14:50 +02:00
'response': response,
auth: Set valid_attestation more unconditionally in social auth.
2017-11-22 00:41:18 +01:00
'return_data': {'valid_attestation': True}}
Increase test quality for GitHubAuthBackendTest.
2016-10-11 15:14:50 +02:00
result.assert_called_with(self.user_profile, 'fake-access-token', **kwargs)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_do_auth_for_default_auth_failed(self) -> None:
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
side_effect=AuthFailed('Not found')), \
mock.patch('logging.info'), \
mock.patch('zproject.backends.SocialAuthMixin.process_do_auth') as result:
auth: Set the subdomain in more GitHub auth tests. This should have been set in basically all of these tests to set them up properly, and this issue will matter after upcoming changes.
2017-11-22 00:46:34 +01:00
self.backend.strategy.session_set('subdomain', 'zulip')
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
response = dict(email=self.email, name=self.name)
self.backend.do_auth('fake-access-token', response=response)
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
kwargs = {'realm': get_realm('zulip'),
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
'response': response,
'return_data': {}}
result.assert_called_with(None, 'fake-access-token', **kwargs)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_do_auth_for_team(self) -> None:
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
with mock.patch('social_core.backends.github.GithubTeamOAuth2.do_auth',
Refactor GitHub authentication backend tests.
2016-11-01 23:50:35 +01:00
side_effect=self.do_auth), \
Increase test quality for GitHubAuthBackendTest.
2016-10-11 15:14:50 +02:00
mock.patch('zproject.backends.SocialAuthMixin.process_do_auth') as result:
backends: convert GitHub auth tests to consistently use zulip subdomain.
2017-09-15 21:39:21 +02:00
self.backend.strategy.session_set('subdomain', 'zulip')
pep8: Fix E225 pep8 violations.
2016-11-28 23:29:01 +01:00
response = dict(email=self.email, name=self.name)
Add tests for GitHub team and organization auth.
2016-08-02 11:07:45 +02:00
with self.settings(SOCIAL_AUTH_GITHUB_TEAM_ID='zulip-webapp'):
self.backend.do_auth('fake-access-token', response=response)
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
kwargs = {'realm': get_realm('zulip'),
Increase test quality for GitHubAuthBackendTest.
2016-10-11 15:14:50 +02:00
'response': response,
auth: Set valid_attestation more unconditionally in social auth.
2017-11-22 00:41:18 +01:00
'return_data': {'valid_attestation': True}}
Increase test quality for GitHubAuthBackendTest.
2016-10-11 15:14:50 +02:00
result.assert_called_with(self.user_profile, 'fake-access-token', **kwargs)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_do_auth_for_team_auth_failed(self) -> None:
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
with mock.patch('social_core.backends.github.GithubTeamOAuth2.do_auth',
Add negative tests for Social auth backend. Fixes: #1948
2016-10-11 14:35:06 +02:00
side_effect=AuthFailed('Not found')), \
mock.patch('logging.info'), \
mock.patch('zproject.backends.SocialAuthMixin.process_do_auth') as result:
backends: convert GitHub auth tests to consistently use zulip subdomain.
2017-09-15 21:39:21 +02:00
self.backend.strategy.session_set('subdomain', 'zulip')
pep8: Fix E225 pep8 violations.
2016-11-28 23:29:01 +01:00
response = dict(email=self.email, name=self.name)
Add negative tests for Social auth backend. Fixes: #1948
2016-10-11 14:35:06 +02:00
with self.settings(SOCIAL_AUTH_GITHUB_TEAM_ID='zulip-webapp'):
self.backend.do_auth('fake-access-token', response=response)
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
kwargs = {'realm': get_realm('zulip'),
Add negative tests for Social auth backend. Fixes: #1948
2016-10-11 14:35:06 +02:00
'response': response,
'return_data': {}}
result.assert_called_with(None, 'fake-access-token', **kwargs)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_do_auth_for_org(self) -> None:
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
with mock.patch('social_core.backends.github.GithubOrganizationOAuth2.do_auth',
Refactor GitHub authentication backend tests.
2016-11-01 23:50:35 +01:00
side_effect=self.do_auth), \
Increase test quality for GitHubAuthBackendTest.
2016-10-11 15:14:50 +02:00
mock.patch('zproject.backends.SocialAuthMixin.process_do_auth') as result:
backends: convert GitHub auth tests to consistently use zulip subdomain.
2017-09-15 21:39:21 +02:00
self.backend.strategy.session_set('subdomain', 'zulip')
pep8: Fix E225 pep8 violations.
2016-11-28 23:29:01 +01:00
response = dict(email=self.email, name=self.name)
Add tests for GitHub team and organization auth.
2016-08-02 11:07:45 +02:00
with self.settings(SOCIAL_AUTH_GITHUB_ORG_NAME='Zulip'):
self.backend.do_auth('fake-access-token', response=response)
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
kwargs = {'realm': get_realm('zulip'),
Increase test quality for GitHubAuthBackendTest.
2016-10-11 15:14:50 +02:00
'response': response,
auth: Set valid_attestation more unconditionally in social auth.
2017-11-22 00:41:18 +01:00
'return_data': {'valid_attestation': True}}
Increase test quality for GitHubAuthBackendTest.
2016-10-11 15:14:50 +02:00
result.assert_called_with(self.user_profile, 'fake-access-token', **kwargs)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_do_auth_for_org_auth_failed(self) -> None:
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
with mock.patch('social_core.backends.github.GithubOrganizationOAuth2.do_auth',
Add negative tests for Social auth backend. Fixes: #1948
2016-10-11 14:35:06 +02:00
side_effect=AuthFailed('Not found')), \
mock.patch('logging.info'), \
mock.patch('zproject.backends.SocialAuthMixin.process_do_auth') as result:
backends: convert GitHub auth tests to consistently use zulip subdomain.
2017-09-15 21:39:21 +02:00
self.backend.strategy.session_set('subdomain', 'zulip')
pep8: Fix E225 pep8 violations.
2016-11-28 23:29:01 +01:00
response = dict(email=self.email, name=self.name)
Add negative tests for Social auth backend. Fixes: #1948
2016-10-11 14:35:06 +02:00
with self.settings(SOCIAL_AUTH_GITHUB_ORG_NAME='Zulip'):
self.backend.do_auth('fake-access-token', response=response)
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
kwargs = {'realm': get_realm('zulip'),
Add negative tests for Social auth backend. Fixes: #1948
2016-10-11 14:35:06 +02:00
'response': response,
'return_data': {}}
result.assert_called_with(None, 'fake-access-token', **kwargs)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_authenticate_nonexisting_user(self) -> None:
auth: Fix GitHub test for invalid user account.
2017-11-22 00:45:17 +01:00
self.backend.strategy.session_set('subdomain', 'zulip')
response = dict(email="invalid@zulip.com", name=self.name)
return_data = dict() # type: Dict[str, Any]
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
user = self.backend.authenticate(return_data=return_data, response=response,
realm=get_realm("zulip"))
auth: Fix GitHub test for invalid user account.
2017-11-22 00:45:17 +01:00
self.assertIs(user, None)
self.assertTrue(return_data['valid_attestation'])
Add negative tests for Social auth backend. Fixes: #1948
2016-10-11 14:35:06 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_authenticate_invalid_email(self) -> None:
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
response = dict(email=None, name=self.name)
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
return_data = dict() # type: Dict[str, Any]
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
user = self.backend.authenticate(return_data=return_data, response=response,
realm=get_realm("zulip"))
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
self.assertIs(user, None)
self.assertTrue(return_data['invalid_email'])
auth: Improve logic for invalid GitHub emails. This deletes the old mock-covered test for this, which was mostly useless. We have a much less messy test, which we extend to provide the same test coverage the old one did. While the result was the same before, this makes it more obvious.
2017-11-22 01:14:55 +01:00
result = self.backend.process_do_auth(user, return_data=return_data, response=response)
self.assertIs(result, None)
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def test_github_backend_inactive_user(self) -> None:
def do_auth_inactive(*args: Any, **kwargs: Any) -> UserProfile:
Don't pass `return_data` to mock functions. GitHubAuthBackend already passes the `return_data` keyword argument to the `do_auth` function.
2016-08-02 11:22:55 +02:00
return_data = kwargs['return_data']
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
return_data['inactive_user'] = True
return self.user_profile
views: Split views/auth.py out of core views file.
2016-10-12 04:50:38 +02:00
with mock.patch('zerver.views.auth.login_or_register_remote_user') as result, \
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
side_effect=do_auth_inactive):
pep8: Fix E225 pep8 violations.
2016-11-28 23:29:01 +01:00
response = dict(email=self.email, name=self.name)
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
user = self.backend.do_auth(response=response)
result.assert_not_called()
self.assertIs(user, None)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_new_user_wrong_domain(self) -> None:
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
rf = RequestFactory()
request = rf.get('/complete')
request.session = {}
request.user = self.user_profile
self.backend.strategy.request = request
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
session_data = {'subdomain': 'zulip', 'is_signup': '1'}
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
self.backend.strategy.session_get = lambda k: session_data.get(k)
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def do_auth(*args: Any, **kwargs: Any) -> None:
Don't pass `return_data` to mock functions. GitHubAuthBackend already passes the `return_data` keyword argument to the `do_auth` function.
2016-08-02 11:22:55 +02:00
return_data = kwargs['return_data']
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
return_data['valid_attestation'] = True
return None
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
side_effect=do_auth):
forms.py: Include email in the error messages.
2017-04-14 11:01:24 +02:00
email = 'nonexisting@phantom.com'
response = dict(email=email, name='Ghost')
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
result = self.backend.do_auth(response=response)
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
self.assertEqual(result.status_code, 302)
self.assertTrue(result.url.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
self.assert_in_response('action="/register/"', result)
subdomains: Hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-02 08:32:09 +02:00
self.assert_in_response('Your email address, {}, is not '
'in one of the domains that are allowed to register '
'for accounts in this organization.'.format(email), result)
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_new_user(self) -> None:
registration: Add test for password less remote reg.
2017-08-08 11:21:31 +02:00
rf = RequestFactory()
registration: Require an explicit realm on PreregistrationUser. This completes the last commit's work to fix CVE-2017-0910, applying to any invite links already created before the fix was deployed. With this change, all new-user registrations must match an explicit realm in the PreregistrationUser row, except when creating a new realm. [greg: rewrote commit message]
2017-11-08 23:02:50 +01:00
request = rf.get('/complete', HTTP_HOST=self.user_profile.realm.host)
registration: Add test for password less remote reg.
2017-08-08 11:21:31 +02:00
request.session = {}
request.user = self.user_profile
self.backend.strategy.request = request
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
session_data = {'subdomain': 'zulip', 'is_signup': '1'}
registration: Add test for password less remote reg.
2017-08-08 11:21:31 +02:00
self.backend.strategy.session_get = lambda k: session_data.get(k)
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def do_auth(*args: Any, **kwargs: Any) -> None:
registration: Add test for password less remote reg.
2017-08-08 11:21:31 +02:00
return_data = kwargs['return_data']
return_data['valid_attestation'] = True
return None
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
side_effect=do_auth):
email = self.nonreg_email('newuser')
name = "Ghost"
response = dict(email=email, name=name)
result = self.backend.do_auth(response=response)
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
self.assertEqual(result.status_code, 302)
self.assertTrue(result.url.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
registration: Add test for password less remote reg.
2017-08-08 11:21:31 +02:00
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": name,
"key": confirmation_key}
result = self.client_post('/accounts/register/', data)
self.assert_in_response("You're almost there", result)
register: Don't display field to enter password unless needed. This should significantly improve the user experience for new users signing up with GitHub/Google auth. It comes complete with tests for the various cases. Further work may be needed for LDAP to not prompt for a password, however. Fixes #886.
2017-08-09 22:09:38 +02:00
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
registration: Add test for password less remote reg.
2017-08-08 11:21:31 +02:00
result = self.client_post(
'/accounts/register/',
{'full_name': name,
'key': confirmation_key,
'terms': True})
self.assertEqual(result.status_code, 302)
user_profile = self.nonreg_user('newuser')
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_existing_user(self) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
rf = RequestFactory()
request = rf.get('/complete')
request.session = {}
request.user = self.user_profile
self.backend.strategy.request = request
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
session_data = {'subdomain': 'zulip', 'is_signup': '1'}
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
self.backend.strategy.session_get = lambda k: session_data.get(k)
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def do_auth(*args: Any, **kwargs: Any) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
return_data = kwargs['return_data']
return_data['valid_attestation'] = True
return None
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
side_effect=do_auth):
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
response = dict(email=email, name='Hamlet')
result = self.backend.do_auth(response=response)
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
self.assertEqual(result.status_code, 302)
self.assertTrue(result.url.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
self.assert_in_response('action="/register/"', result)
forms: Replace is_inactive with more comprehensive check. While we're at it, we clean up the old confusing error messages.
2017-08-25 07:12:26 +02:00
self.assert_in_response('hamlet@zulip.com already has an account',
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
result)
validate_email_for_realm: Clarify errors for deactivated users. If a user's account has been deactivated, we want to provide a special error message that makes clear what's going on. Future work is to provide some administrative controls on whether a user should be able to re-activate their account.
2018-05-21 04:23:56 +02:00
def test_github_backend_existing_deactivated_user(self) -> None:
rf = RequestFactory()
request = rf.get('/complete')
request.session = {}
request.user = self.user_profile
self.backend.strategy.request = request
session_data = {'subdomain': 'zulip', 'is_signup': '1'}
self.backend.strategy.session_get = lambda k: session_data.get(k)
def do_auth(*args: Any, **kwargs: Any) -> None:
return_data = kwargs['return_data']
return_data['valid_attestation'] = True
return None
do_deactivate_user(self.example_user("hamlet"))
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
side_effect=do_auth):
email = self.example_email("hamlet")
response = dict(email=email, name='Hamlet')
result = self.backend.do_auth(response=response)
self.assertEqual(result.status_code, 302)
self.assertTrue(result.url.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
self.assert_in_response('action="/register/"', result)
self.assert_in_response('The account for hamlet@zulip.com has been deactivated',
result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_backend_new_user_when_is_signup_is_false(self) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
rf = RequestFactory()
request = rf.get('/complete')
request.session = {}
request.user = self.user_profile
self.backend.strategy.request = request
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
session_data = {'subdomain': 'zulip', 'is_signup': '0'}
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
self.backend.strategy.session_get = lambda k: session_data.get(k)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
name = 'New User Name'
def do_auth(*args: Any, **kwargs: Any) -> None:
return_data = kwargs['return_data']
return_data['valid_attestation'] = True
return None
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
side_effect=do_auth):
email = 'new-user@zulip.com'
response = dict(email=email, name=name)
result = self.backend.do_auth(response=response)
self.assertEqual(result.status_code, 302)
result = self.client_get(result.url)
self.assert_in_response('No account found for', result)
portico: Update text on confirm_continue_registration. A common path is a new user goes to realm_uri, which redirects to realm_uri/login, and clicks the google auth button thinking it is a registration button. This commit just changes the wording on the page they land on to be friendlier for that use case.
2018-04-25 02:59:20 +02:00
self.assert_in_response('new-user@zulip.com.', result)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response('action="http://zulip.testserver/accounts/do_confirm/', result)
url = re.findall('action="(http://zulip.testserver/accounts/do_confirm[^"]*)"', result.content.decode('utf-8'))[0]
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, url)
result = self.client_get(url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": name,
"key": confirmation_key}
result = self.client_post('/accounts/register/', data)
self.assert_in_response("You're almost there", result)
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
def test_github_backend_realm_invalid_user_when_is_signup_is_false(self) -> None:
rf = RequestFactory()
request = rf.get('/complete')
request.session = {}
request.user = self.user_profile
self.backend.strategy.request = request
session_data = {'subdomain': 'zulip', 'is_signup': '0'}
self.backend.strategy.session_get = lambda k: session_data.get(k)
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def do_auth(*args: Any, **kwargs: Any) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
return_data = kwargs['return_data']
return_data['valid_attestation'] = True
return None
with mock.patch('social_core.backends.github.GithubOAuth2.do_auth',
side_effect=do_auth):
email = 'nonexisting@phantom.com'
response = dict(email=email, name='Ghost')
result = self.backend.do_auth(response=response)
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
self.assertEqual(result.status_code, 302)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
self.assertTrue(result.url.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assertEqual(result.status_code, 200)
self.assert_in_response('Your email address, nonexisting@phantom.com, is not in one of the domains '
'that are allowed to register for accounts in this organization.',
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_url(self) -> None:
subdomains: Make GitHub login work with subdomains. Fixes #2501.
2016-12-01 13:10:59 +01:00
result = self.client_get('/accounts/login/social/github')
self.assertIn(reverse('social:begin', args=['github']), result.url)
github: Add sign up button on registration page.
2017-04-18 11:50:44 +02:00
self.assertIn('is_signup=0', result.url)
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
def test_login_url_with_next_param(self) -> None:
result = self.client_get('/accounts/login/social/github',
{'next': "/image_path"})
self.assertIn(reverse('social:begin', args=['github']), result.url)
self.assertIn('is_signup=0', result.url)
self.assertIn('image_path', result.url)
login_redirects: Make redirects to narrows from login page work.
2018-03-12 14:08:12 +01:00
result = self.client_get('/accounts/login/social/github',
{'next': '/#narrow/stream/7-test-here'})
self.assertIn(reverse('social:begin', args=['github']), result.url)
self.assertIn('is_signup=0', result.url)
self.assertIn('narrow', result.url)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_signup_url(self) -> None:
github: Add sign up button on registration page.
2017-04-18 11:50:44 +02:00
result = self.client_get('/accounts/register/social/github')
self.assertIn(reverse('social:begin', args=['github']), result.url)
self.assertIn('is_signup=1', result.url)
subdomains: Make GitHub login work with subdomains. Fixes #2501.
2016-12-01 13:10:59 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_complete(self) -> None:
backend: Handle GitHub authentication failure. In case of AuthFailed exception return None.
2017-02-28 11:58:03 +01:00
from social_django import utils
utils.BACKENDS = ('zproject.backends.GitHubAuthBackend',)
with mock.patch('social_core.backends.oauth.BaseOAuth2.process_error',
side_effect=AuthFailed('Not found')):
result = self.client_get(reverse('social:complete', args=['github']))
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
utils.BACKENDS = settings.AUTHENTICATION_BACKENDS
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_github_complete_when_base_exc_is_raised(self) -> None:
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
from social_django import utils
utils.BACKENDS = ('zproject.backends.GitHubAuthBackend',)
with mock.patch('social_core.backends.oauth.BaseOAuth2.auth_complete',
side_effect=AuthStateForbidden('State forbidden')), \
ldap: Change logging level to warning. Fixes #6960.
2017-10-13 08:26:50 +02:00
mock.patch('zproject.backends.logging.warning'):
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
result = self.client_get(reverse('social:complete', args=['github']))
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
utils.BACKENDS = settings.AUTHENTICATION_BACKENDS
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
class GoogleOAuthTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (part 4).
2017-11-20 03:22:57 +01:00
def google_oauth2_test(self, token_response: ResponseMock, account_response: ResponseMock,
*, subdomain: Optional[str]=None,
mobile_flow_otp: Optional[str]=None,
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
is_signup: Optional[str]=None,
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
next: str='') -> HttpResponse:
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
url = "/accounts/login/google/"
GoogleOAuthTest: Refactor parameter encoding.
2017-04-28 00:22:58 +02:00
params = {}
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
headers = {}
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
if subdomain is not None:
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
headers['HTTP_HOST'] = subdomain + ".testserver"
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
if mobile_flow_otp is not None:
params['mobile_flow_otp'] = mobile_flow_otp
login_or_register_remote_user: Send login emails for mobile. Fixes #5389
2017-06-16 06:50:48 +02:00
headers['HTTP_USER_AGENT'] = "ZulipAndroid"
google: Respect is_signup argument. This allows us to go to Registration form directly. This behaviour is similar to what we follow in GitHub oAuth. Before this, in registration flow if an account was not found, user was asked if they wanted to go to registration flow. This confirmation behavior is followed for login oauth path.
2017-08-04 09:19:32 +02:00
if is_signup is not None:
params['is_signup'] = is_signup
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
params['next'] = next
GoogleOAuthTest: Refactor parameter encoding.
2017-04-28 00:22:58 +02:00
if len(params) > 0:
url += "?%s" % (urllib.parse.urlencode(params))
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
result = self.client_get(url, **headers)
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
if result.status_code != 302 or '/accounts/login/google/send/' not in result.url:
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
return result
# Now do the /google/send/ request
google_oauth2_test: Pass headers in all requests. Currently we only pass headers in the first client_get call but sometimes the effective request which reaches the view is through a later call to the client_get in this function. Due to which headers are not passed.
2017-06-16 06:49:25 +02:00
result = self.client_get(result.url, **headers)
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 302)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
if 'google' not in result.url:
return result
Django 1.10: Sign google oauth requests using csrf token. In Django 1.10, the get_token function returns a salted version of csrf token which changes whenever get_token is called. This gives us wrong result when we compare the state after returning from Google authentication servers. The solution is to unsalt the token and use that token to find the HMAC so that we get the same value as long as t he token is same.
2016-11-07 11:16:40 +01:00
self.client.cookies = result.cookies
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
# Now extract the CSRF token from the redirect URL
Fix nondeterministic parsing failures in GoogleLoginTest. Apparently, in urllib.parse, one need to extract the query string from the rest of the URL before parsing the query string, otherwise the very first query parameter will have rest of the URL in its name. This results in a nondeterministic failure that happens 1/N of the time, where N is the number of fields marshalled from a dictionary into the query string.
2016-09-14 03:12:39 +02:00
parsed_url = urllib.parse.urlparse(result.url)
csrf_state = urllib.parse.parse_qs(parsed_url.query)['state']
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
lint: Fix E127 pep8 violations. Fix pep8: E127 continuation line over-indented for visual indent style issue.
2016-11-30 14:17:35 +01:00
with mock.patch("requests.post", return_value=token_response), (
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
mock.patch("requests.get", return_value=account_response)):
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
result = self.client_get("/accounts/login/google/done/",
google_oauth2_test: Pass headers in all requests. Currently we only pass headers in the first client_get call but sometimes the effective request which reaches the view is through a later call to the client_get in this function. Due to which headers are not passed.
2017-06-16 06:49:25 +02:00
dict(state=csrf_state), **headers)
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
return result
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
class GoogleSubdomainLoginTest(GoogleOAuthTest):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_start(self) -> None:
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
result = self.client_get('/accounts/login/google/', subdomain="zulip")
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
subdomain = urllib.parse.parse_qs(parsed_url.query)['subdomain']
self.assertEqual(subdomain, ['zulip'])
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_success(self) -> None:
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name=dict(formatted="Full Name"),
emails=[dict(type="account",
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
value=self.example_email("hamlet"))])
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
account_response = ResponseMock(200, account_data)
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
result = self.google_oauth2_test(token_response, account_response,
subdomain='zulip', next='/user_uploads/image')
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
data = load_subdomain_token(result)
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
self.assertEqual(data['email'], self.example_email("hamlet"))
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
self.assertEqual(data['name'], 'Full Name')
self.assertEqual(data['subdomain'], 'zulip')
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
self.assertEqual(data['next'], '/user_uploads/image')
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 302)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_no_fullname(self) -> None:
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name=dict(givenName="Test", familyName="User"),
emails=[dict(type="account",
value=self.example_email("hamlet"))])
account_response = ResponseMock(200, account_data)
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip')
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
data = load_subdomain_token(result)
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
self.assertEqual(data['email'], self.example_email("hamlet"))
self.assertEqual(data['name'], 'Test User')
self.assertEqual(data['subdomain'], 'zulip')
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
self.assertEqual(data['next'], '')
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_mobile_success(self) -> None:
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
mobile_flow_otp = '1234abcd' * 8
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name=dict(formatted="Full Name"),
emails=[dict(type="account",
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
value=self.example_email("hamlet"))])
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
account_response = ResponseMock(200, account_data)
login_or_register_remote_user: Send login emails for mobile. Fixes #5389
2017-06-16 06:50:48 +02:00
self.assertEqual(len(mail.outbox), 0)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
with self.settings(SEND_LOGIN_EMAILS=True):
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
# Verify that the right thing happens with an invalid-format OTP
auth: Clean up google_oauth2_test arguments.
2017-08-24 05:44:51 +02:00
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
mobile_flow_otp="1234")
self.assert_json_error(result, "Invalid OTP")
auth: Clean up google_oauth2_test arguments.
2017-08-24 05:44:51 +02:00
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
mobile_flow_otp="invalido" * 8)
self.assert_json_error(result, "Invalid OTP")
# Now do it correctly
auth: Clean up google_oauth2_test arguments.
2017-08-24 05:44:51 +02:00
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
mobile_flow_otp=mobile_flow_otp)
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
tests: Added ZulipTestCase.example_user() function. The example_user() function is specifically designed for AARON, hamlet, cordelia, and friends, and it allows a concise way of using their built-in user profiles. Eventually, the widespread use of example_user() should help us with refactorings such as moving the tests users out of the "zulip.com" realm and deprecating get_user_profile_by_email.
2017-05-07 17:21:26 +02:00
self.assertEqual(self.example_user('hamlet').api_key,
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp))
login_or_register_remote_user: Send login emails for mobile. Fixes #5389
2017-06-16 06:50:48 +02:00
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def get_log_into_subdomain(self, data: Dict[str, Any], *, key: Optional[str]=None, subdomain: str='zulip') -> HttpResponse:
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
token = signing.dumps(data, salt=_subdomain_token_salt, key=key)
url_path = reverse('zerver.views.auth.log_into_subdomain', args=[token])
return self.client_get(url_path, subdomain=subdomain)
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
def test_redirect_to_next_url_for_log_into_subdomain(self) -> None:
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def test_redirect_to_next_url(next: str='') -> HttpResponse:
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
data = {'name': 'Hamlet',
'email': self.example_email("hamlet"),
'subdomain': 'zulip',
'is_signup': False,
'next': next}
user_profile = self.example_user('hamlet')
with mock.patch(
'zerver.views.auth.authenticate_remote_user',
return_value=(user_profile, {'invalid_subdomain': False})):
with mock.patch('zerver.views.auth.do_login'):
result = self.get_log_into_subdomain(data)
return result
res = test_redirect_to_next_url()
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver')
res = test_redirect_to_next_url('/user_uploads/path_to_image')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver/user_uploads/path_to_image')
login_redirects: Make redirects to narrows from login page work.
2018-03-12 14:08:12 +01:00
res = test_redirect_to_next_url('/#narrow/stream/7-test-here')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver/#narrow/stream/7-test-here')
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_signature_is_bad(self) -> None:
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
data = {'name': 'Full Name',
'email': self.example_email("hamlet"),
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': False,
'next': ''}
GoogleSubdomainLoginTest: Suppress unnecessary logging output. This helps make our test output nice and clean.
2017-10-28 00:54:46 +02:00
with mock.patch('logging.warning') as mock_warning:
result = self.get_log_into_subdomain(data, key='nonsense')
mock_warning.assert_called_with("Subdomain cookie: Bad signature.")
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertEqual(result.status_code, 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_signature_is_expired(self) -> None:
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
data = {'name': 'Full Name',
'email': self.example_email("hamlet"),
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': False,
'next': ''}
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
with mock.patch('django.core.signing.time.time', return_value=time.time() - 45):
token = signing.dumps(data, salt=_subdomain_token_salt)
url_path = reverse('zerver.views.auth.log_into_subdomain', args=[token])
GoogleSubdomainLoginTest: Suppress unnecessary logging output. This helps make our test output nice and clean.
2017-10-28 00:54:46 +02:00
with mock.patch('logging.warning') as mock_warning:
result = self.client_get(url_path, subdomain='zulip')
mock_warning.assert_called_once()
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
self.assertEqual(result.status_code, 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_is_signup_is_true(self) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
data = {'name': 'Full Name',
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
'email': self.example_email("hamlet"),
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': True,
'next': ''}
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 200)
self.assert_in_response('hamlet@zulip.com already has an account', result)
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
def test_log_into_subdomain_when_is_signup_is_true_and_new_user(self) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
data = {'name': 'New User Name',
'email': 'new@zulip.com',
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': True,
'next': ''}
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": data['name'],
"key": confirmation_key}
result = self.client_post('/accounts/register/', data, subdomain="zulip")
self.assert_in_response("You're almost there", result)
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
register: Don't display field to enter password unless needed. This should significantly improve the user experience for new users signing up with GitHub/Google auth. It comes complete with tests for the various cases. Further work may be needed for LDAP to not prompt for a password, however. Fixes #886.
2017-08-09 22:09:38 +02:00
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
def test_log_into_subdomain_when_is_signup_is_false_and_new_user(self) -> None:
data = {'name': 'New User Name',
'email': 'new@zulip.com',
'subdomain': 'zulip',
'is_signup': False,
'next': ''}
result = self.get_log_into_subdomain(data)
self.assertEqual(result.status_code, 200)
self.assert_in_response('No account found for', result)
portico: Update text on confirm_continue_registration. A common path is a new user goes to realm_uri, which redirects to realm_uri/login, and clicks the google auth button thinking it is a registration button. This commit just changes the wording on the page they land on to be friendlier for that use case.
2018-04-25 02:59:20 +02:00
self.assert_in_response('new@zulip.com.', result)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response('action="http://zulip.testserver/accounts/do_confirm/', result)
url = re.findall('action="(http://zulip.testserver/accounts/do_confirm[^"]*)"', result.content.decode('utf-8'))[0]
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, url)
result = self.client_get(url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": data['name'],
"key": confirmation_key}
result = self.client_post('/accounts/register/', data, subdomain="zulip")
self.assert_in_response("You're almost there", result)
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_using_invite_link(self) -> None:
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
data = {'name': 'New User Name',
'email': 'new@zulip.com',
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': True,
'next': ''}
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
realm = get_realm("zulip")
realm.invite_required = True
realm.save()
stream_names = ["new_stream_1", "new_stream_2"]
streams = []
for stream_name in set(stream_names):
refactoring: Replaced occurences of create_stream_if_needed. Issue #2088 asked for a wrapper to be created for `create_stream_if_needed` (called `ensure_stream`) for the 25 times that `create_stream_if_needed` is called and ignores whether the stream was created. This commit replaces relevant occurences of `create_stream_if_needed` with `ensure_stream`, including imports. The changes weren't significant enough to add any tests or do any additional manual testing. The refactoring intended to make the API easier to use in most cases. The majority of uses of `create_stream_if_needed` ignored the second parameter. Fixes: #2088.
2018-03-21 22:05:21 +01:00
stream = ensure_stream(realm, stream_name)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
streams.append(stream)
# Without the invite link, we can't create an account due to invite_required
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
self.assertEqual(result.status_code, 200)
self.assert_in_success_response(['Sign up for Zulip'], result)
# Now confirm an invitation link works
referrer = self.example_user("hamlet")
multiuse_obj = MultiuseInvite.objects.create(realm=realm, referred_by=referrer)
django-2.0: Don't assign directly to Many-to-Many field. The old pattern of setting the value and then using .save() here has been deprecated. set() also saves the record.
2018-01-31 08:22:07 +01:00
multiuse_obj.streams.set(streams)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
invite_link = create_confirmation_link(multiuse_obj, realm.host,
Confirmation.MULTIUSE_INVITE)
result = self.client_get(invite_link, subdomain="zulip")
self.assert_in_success_response(['Sign up for Zulip'], result)
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
result = self.get_log_into_subdomain(data)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().last()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data2 = {"from_confirmation": "1",
"full_name": data['name'],
"key": confirmation_key}
result = self.client_post('/accounts/register/', data2, subdomain="zulip")
self.assert_in_response("You're almost there", result)
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
{'full_name': 'New User Name',
'key': confirmation_key,
'terms': True})
self.assertEqual(result.status_code, 302)
self.assertEqual(sorted(self.get_streams('new@zulip.com', realm)), stream_names)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_email_is_none(self) -> None:
authenticate_remote_user: Properly handle None email.
2017-04-18 08:34:29 +02:00
data = {'name': None,
'email': None,
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': False,
'next': ''}
authenticate_remote_user: Properly handle None email.
2017-04-18 08:34:29 +02:00
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
with mock.patch('logging.warning'):
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_success_response(["You need an invitation to join this organization."], result)
authenticate_remote_user: Properly handle None email.
2017-04-18 08:34:29 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_user_cannot_log_into_nonexisting_realm(self) -> None:
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name=dict(formatted="Full Name"),
emails=[dict(type="account",
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
value=self.example_email("hamlet"))])
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
account_response = ResponseMock(200, account_data)
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
result = self.google_oauth2_test(token_response, account_response,
subdomain='nonexistent')
self.assert_in_success_response(["There is no Zulip organization hosted at this subdomain."],
result)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_user_cannot_log_into_wrong_subdomain(self) -> None:
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name=dict(formatted="Full Name"),
emails=[dict(type="account",
value=self.example_email("hamlet"))])
account_response = ResponseMock(200, account_data)
result = self.google_oauth2_test(token_response, account_response,
subdomain='zephyr')
self.assertEqual(result.status_code, 302)
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertTrue(result.url.startswith("http://zephyr.testserver/accounts/login/subdomain/"))
result = self.client_get(result.url.replace('http://zephyr.testserver', ''),
subdomain="zephyr")
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_success_response(['Your email address, hamlet@zulip.com, is not in one of the domains ',
'that are allowed to register for accounts in this organization.'], result)
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_user_cannot_log_into_wrong_subdomain_with_cookie(self) -> None:
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
data = {'name': 'Full Name',
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
'email': self.example_email("hamlet"),
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
'subdomain': 'zephyr'}
GoogleSubdomainLoginTest: Suppress unnecessary logging output. This helps make our test output nice and clean.
2017-10-28 00:54:46 +02:00
with mock.patch('logging.warning') as mock_warning:
result = self.get_log_into_subdomain(data)
mock_warning.assert_called_with("Login attempt on invalid subdomain")
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 400)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_registration(self) -> None:
subdomain: Test user registration through Google OAuth.
2016-11-01 08:03:10 +01:00
"""If the user doesn't exist yet, Google auth can be used to register an account"""
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
email = "newuser@zulip.com"
realm = get_realm("zulip")
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name=dict(formatted="Full Name"),
emails=[dict(type="account",
value=email)])
account_response = ResponseMock(200, account_data)
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
is_signup='1')
google: Respect is_signup argument. This allows us to go to Registration form directly. This behaviour is similar to what we follow in GitHub oAuth. Before this, in registration flow if an account was not found, user was asked if they wanted to go to registration flow. This confirmation behavior is followed for login oauth path.
2017-08-04 09:19:32 +02:00
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
data = load_subdomain_token(result)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
name = 'Full Name'
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
register: Don't display field to enter password unless needed. This should significantly improve the user experience for new users signing up with GitHub/Google auth. It comes complete with tests for the various cases. Further work may be needed for LDAP to not prompt for a password, however. Fixes #886.
2017-08-09 22:09:38 +02:00
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
result = self.client_get(result.url)
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": name,
"key": confirmation_key}
result = self.client_post('/accounts/register/', data)
self.assert_in_response("You're almost there", result)
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
{'full_name': name,
'key': confirmation_key,
'terms': True})
google: Respect is_signup argument. This allows us to go to Registration form directly. This behaviour is similar to what we follow in GitHub oAuth. Before this, in registration flow if an account was not found, user was asked if they wanted to go to registration flow. This confirmation behavior is followed for login oauth path.
2017-08-04 09:19:32 +02:00
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 302)
user_profile = get_user(email, realm)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
subdomain: Test user registration through Google OAuth.
2016-11-01 08:03:10 +01:00
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
class GoogleLoginTest(GoogleOAuthTest):
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
@override_settings(ROOT_DOMAIN_LANDING_PAGE=True)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_subdomains_homepage(self) -> None:
Google: Show error on login page for wrong subdomain. Takes care of Google OAuth. Fixes: #1871
2016-10-07 11:16:49 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name=dict(formatted="Full Name"),
emails=[dict(type="account",
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
value=self.example_email("hamlet"))])
Google: Show error on login page for wrong subdomain. Takes care of Google OAuth. Fixes: #1871
2016-10-07 11:16:49 +02:00
account_response = ResponseMock(200, account_data)
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.google_oauth2_test(token_response, account_response, subdomain="")
self.assertEqual(result.status_code, 302)
self.assertIn('subdomain=1', result.url)
Google: Show error on login page for wrong subdomain. Takes care of Google OAuth. Fixes: #1871
2016-10-07 11:16:49 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_400_token_response(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
token_response = ResponseMock(400, {})
with mock.patch("logging.warning") as m:
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
result = self.google_oauth2_test(token_response, ResponseMock(500, {}))
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"User error converting Google oauth2 login to token: Response text")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_500_token_response(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
token_response = ResponseMock(500, {})
with mock.patch("logging.error") as m:
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
result = self.google_oauth2_test(token_response, ResponseMock(500, {}))
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"Could not convert google oauth2 code to access_token: Response text")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_400_account_response(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_response = ResponseMock(400, {})
with mock.patch("logging.warning") as m:
result = self.google_oauth2_test(token_response, account_response)
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"Google login failed making info API call: Response text")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_500_account_response(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_response = ResponseMock(500, {})
with mock.patch("logging.error") as m:
result = self.google_oauth2_test(token_response, account_response)
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"Google login failed making API call: Response text")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_account_response_no_email(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name=dict(formatted="Full Name"),
emails=[])
account_response = ResponseMock(200, account_data)
with mock.patch("logging.error") as m:
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
result = self.google_oauth2_test(token_response, account_response,
subdomain="zulip")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
Fix nondeterministic failures in GoogleLoginTest.
2016-09-14 02:26:32 +02:00
self.assertIn("Google oauth2 account email not found:", m.call_args_list[0][0][0])
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_error_access_denied(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
result = self.client_get("/accounts/login/google/done/?error=access_denied")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 302)
Django 1.10: URLs in response contain just the path. The response object of the Django test client only contains the path of the url.
2016-11-07 11:57:45 +01:00
path = urllib.parse.urlparse(result.url).path
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(path, "/")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_error_other(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
with mock.patch("logging.warning") as m:
result = self.client_get("/accounts/login/google/done/?error=some_other_error")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"Error from google oauth2 login: some_other_error")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_missing_csrf(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
with mock.patch("logging.warning") as m:
result = self.client_get("/accounts/login/google/done/")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
'Missing Google oauth2 CSRF state')
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_csrf_malformed(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
with mock.patch("logging.warning") as m:
result = self.client_get("/accounts/login/google/done/?state=badstate")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
'Missing Google oauth2 CSRF state')
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_csrf_badstate(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
with mock.patch("logging.warning") as m:
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
result = self.client_get("/accounts/login/google/done/?state=badstate:otherbadstate:more:::")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
'Google oauth2 CSRF error')
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
test auth.py: Add tests for json_fetch_api_key function.
2018-01-11 23:08:53 +01:00
class JSONFetchAPIKeyTest(ZulipTestCase):
def setUp(self) -> None:
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
def test_success(self) -> None:
self.login(self.email)
result = self.client_post("/json/fetch_api_key",
dict(user_profile=self.user_profile,
password=initial_password(self.email)))
self.assert_json_success(result)
def test_not_loggedin(self) -> None:
result = self.client_post("/json/fetch_api_key",
dict(user_profile=self.user_profile,
password=initial_password(self.email)))
self.assert_json_error(result,
"Not logged in: API authentication or user session required", 401)
def test_wrong_password(self) -> None:
self.login(self.email)
result = self.client_post("/json/fetch_api_key",
dict(user_profile=self.user_profile,
password="wrong"))
self.assert_json_error(result, "Your username or password is incorrect.", 400)
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class FetchAPIKeyTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
tests: Use example_user() in more places.
2017-05-07 21:25:59 +02:00
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_success(self) -> None:
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
self.assert_json_success(result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_invalid_email(self) -> None:
api_fetch_api_key: Improve invalid email message. Show a user friendly message to the user if email is invalid. Currently we show a generic message: "Your username or password is incorrect." The only backend which can accept a non-email username is LDAP. So we check if it is enabled before showing the custom message.
2017-04-07 08:21:29 +02:00
result = self.client_post("/api/v1/fetch_api_key",
dict(username='hamlet',
password=initial_password(self.email)))
self.assert_json_error(result, "Enter a valid email address.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_wrong_password(self) -> None:
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password="wrong"))
self.assert_json_error(result, "Your username or password is incorrect.", 403)
api_fetch_api_key: Send new login emails for mobile.
2017-06-15 07:15:57 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',),
SEND_LOGIN_EMAILS=True)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_token_success(self) -> None:
api_fetch_api_key: Send new login emails for mobile.
2017-06-15 07:15:57 +02:00
self.assertEqual(len(mail.outbox), 0)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
with mock.patch(
'apiclient.sample_tools.client.verify_id_token',
return_value={
"email_verified": True,
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
"email": self.example_email("hamlet"),
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
}):
result = self.client_post("/api/v1/fetch_api_key",
dict(username="google-oauth2-token",
password="token"))
self.assert_json_success(result)
api_fetch_api_key: Send new login emails for mobile.
2017-06-15 07:15:57 +02:00
self.assertEqual(len(mail.outbox), 1)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_token_failure(self) -> None:
Make test_google_oauth2_token_failure() work without internet.
2017-07-03 13:39:52 +02:00
payload = dict(email_verified=False)
with mock.patch('apiclient.sample_tools.client.verify_id_token', return_value=payload):
result = self.client_post("/api/v1/fetch_api_key",
dict(username="google-oauth2-token",
password="token"))
self.assert_json_error(result, "Your username or password is incorrect.", 403)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_token_unregistered(self) -> None:
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
with mock.patch(
'apiclient.sample_tools.client.verify_id_token',
return_value={
"email_verified": True,
"email": "nobody@zulip.com",
}):
result = self.client_post("/api/v1/fetch_api_key",
dict(username="google-oauth2-token",
password="token"))
self.assert_json_error(
result,
"This user is not registered; do so from a browser.",
403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_password_auth_disabled(self) -> None:
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
with mock.patch('zproject.backends.password_auth_enabled', return_value=False):
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
self.assert_json_error_contains(result, "Password auth is disabled", 403)
test_auth_backend: Add missing LDAP tests in FetchAPIKeyTest.
2016-11-07 01:41:29 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_auth_email_auth_disabled_success(self) -> None:
test_auth_backend: Add missing LDAP tests in FetchAPIKeyTest.
2016-11-07 01:41:29 +01:00
ldap_patcher = mock.patch('django_auth_ldap.config.ldap.initialize')
self.mock_initialize = ldap_patcher.start()
self.mock_ldap = MockLDAP()
self.mock_initialize.return_value = self.mock_ldap
self.backend = ZulipLDAPAuthBackend()
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing'
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
result = self.client_post("/api/v1/fetch_api_key",
dict(username=self.email,
password="testing"))
self.assert_json_success(result)
self.mock_ldap.reset()
self.mock_initialize.stop()
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_inactive_user(self) -> None:
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
do_deactivate_user(self.user_profile)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
self.assert_json_error_contains(result, "Your account has been disabled", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_deactivated_realm(self) -> None:
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
do_deactivate_realm(self.user_profile.realm)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
i18n: Fix use of realm to refer to an organization.
2018-03-08 01:30:34 +01:00
self.assert_json_error_contains(result, "This organization has been deactivated", 403)
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class DevFetchAPIKeyTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
tests: Use example_user() in more places.
2017-05-07 21:25:59 +02:00
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_success(self) -> None:
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
self.assertEqual(data["email"], self.email)
self.assertEqual(data['api_key'], self.user_profile.api_key)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_invalid_email(self) -> None:
api_dev_fetch_api_key: Improve invalid email message. Show a user friendly message to the user if email is invalid. Currently we show a generic message: "Your username or password is incorrect."
2017-04-07 08:21:29 +02:00
email = 'hamlet'
result = self.client_post("/api/v1/dev_fetch_api_key",
dict(username=email))
self.assert_json_error_contains(result, "Enter a valid email address.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_unregistered_user(self) -> None:
api: Handle unregistered users in dev_fetch_api_key. Fixes #4851.
2017-05-22 01:34:21 +02:00
email = 'foo@zulip.com'
result = self.client_post("/api/v1/dev_fetch_api_key",
dict(username=email))
self.assert_json_error_contains(result, "This user is not registered.", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_inactive_user(self) -> None:
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
do_deactivate_user(self.user_profile)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
self.assert_json_error_contains(result, "Your account has been disabled", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_deactivated_realm(self) -> None:
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
do_deactivate_realm(self.user_profile.realm)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
i18n: Fix use of realm to refer to an organization.
2018-03-08 01:30:34 +01:00
self.assert_json_error_contains(result, "This organization has been deactivated", 403)
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_dev_auth_disabled(self) -> None:
views: Split views/auth.py out of core views file.
2016-10-12 04:50:38 +02:00
with mock.patch('zerver.views.auth.dev_auth_enabled', return_value=False):
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
self.assert_json_error_contains(result, "Dev environment not enabled.", 400)
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class DevGetEmailsTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_success(self) -> None:
dev_login: Identify each user's realm when listing them. This is a mobile-specific endpoint used for logging into a dev server. On mobile without this realm_uri it's impossible to send a login request to the corresponding realm on the dev server and proceed further; we can only guess, which doesn't work for using multiple realms. Also rename the endpoint to reflect the additional data. Testing Plan: Sent a request to the endpoint, and inspected the result. [greg: renamed function to match, squashed renames with data change, and adjusted commit message.]
2018-04-05 21:16:56 +02:00
result = self.client_get("/api/v1/dev_list_users")
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
self.assert_json_success(result)
zerver/tests: Use unicode strings. * Use unicode strings for strings containing non-ASCII characters. * Decode response content when text output is expected.
2016-07-12 15:41:45 +02:00
self.assert_in_response("direct_admins", result)
self.assert_in_response("direct_users", result)
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_dev_auth_disabled(self) -> None:
views: Split views/auth.py out of core views file.
2016-10-12 04:50:38 +02:00
with mock.patch('zerver.views.auth.dev_auth_enabled', return_value=False):
dev_login: Identify each user's realm when listing them. This is a mobile-specific endpoint used for logging into a dev server. On mobile without this realm_uri it's impossible to send a login request to the corresponding realm on the dev server and proceed further; we can only guess, which doesn't work for using multiple realms. Also rename the endpoint to reflect the additional data. Testing Plan: Sent a request to the endpoint, and inspected the result. [greg: renamed function to match, squashed renames with data change, and adjusted commit message.]
2018-04-05 21:16:56 +02:00
result = self.client_get("/api/v1/dev_list_users")
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
self.assert_json_error_contains(result, "Dev environment not enabled.", 400)
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class FetchAuthBackends(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def assert_on_error(self, error: Optional[str]) -> None:
auth: Add new route to get server settings. Specifically, this makes easily available to the desktop and mobile apps data on the server's configuration, including important details like the realm icon, name, and description. It deprecates /api/v1/get_auth_backends.
2017-05-04 01:13:56 +02:00
if error:
raise AssertionError(error)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_get_server_settings(self) -> None:
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
def check_result(result: HttpResponse, extra_fields: List[Tuple[str, Validator]]=[]) -> None:
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
self.assert_json_success(result)
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
checker = check_dict_only([
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
('authentication_methods', check_dict_only([
('google', check_bool),
('github', check_bool),
auth: Don't offer password reset links when useless. If an organization doesn't have the EmailAuthBackend (which allows password auth) enabled, then our password reset form doesn't do anything, so we should hide it in the UI.
2017-10-24 20:59:11 +02:00
('email', check_bool),
('ldap', check_bool),
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
('dev', check_bool),
auth: Report to mobile apps the availability of RemoteUserBackend. This is necessary for mobile apps to do the right thing when only RemoteUserBackend is enabled, namely, directly redirect to the third-party SSO auth site as soon as the user enters the server URL (no need to display a login form, since it'll be useless).
2018-02-06 23:36:56 +01:00
('remoteuser', check_bool),
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
('password', check_bool),
])),
server_settings: Add email auth related features to data sent to clients. This should make it possible for the mobile app to correctly allow non-email addresses as usernames exactly when it makes sense to do so.
2017-09-15 19:13:48 +02:00
('email_auth_enabled', check_bool),
('require_email_format_usernames', check_bool),
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
('realm_uri', check_string),
('zulip_version', check_string),
push notifs: Add a diagnostic in API of whether push notifs enabled. When the answer is False, this will allow the mobile app to show a warning that push notifications will not work and the server admin should set them up. Based partly on Kunal's PR #7810. Provides the necessary backend API for zulip/zulip-mobile#1507.
2018-02-12 23:34:59 +01:00
('push_notifications_enabled', check_bool),
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
('msg', check_string),
('result', check_string),
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
] + extra_fields)
self.assert_on_error(checker("data", result.json()))
result = self.client_get("/api/v1/server_settings", subdomain="")
check_result(result)
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(ROOT_DOMAIN_LANDING_PAGE=False):
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
result = self.client_get("/api/v1/server_settings", subdomain="")
check_result(result)
with self.settings(ROOT_DOMAIN_LANDING_PAGE=False):
result = self.client_get("/api/v1/server_settings", subdomain="zulip")
check_result(result, [
auth: Add new route to get server settings. Specifically, this makes easily available to the desktop and mobile apps data on the server's configuration, including important details like the realm icon, name, and description. It deprecates /api/v1/get_auth_backends.
2017-05-04 01:13:56 +02:00
('realm_name', check_string),
('realm_description', check_string),
('realm_icon', check_string),
])
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_fetch_auth_backend_format(self) -> None:
Add client_get() test helper.
2016-07-28 00:38:45 +02:00
result = self.client_get("/api/v1/get_auth_backends")
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
self.assertEqual(set(data.keys()),
auth: Don't offer password reset links when useless. If an organization doesn't have the EmailAuthBackend (which allows password auth) enabled, then our password reset form doesn't do anything, so we should hide it in the UI.
2017-10-24 20:59:11 +02:00
{'msg', 'password', 'github', 'google', 'email', 'ldap',
auth: Report to mobile apps the availability of RemoteUserBackend. This is necessary for mobile apps to do the right thing when only RemoteUserBackend is enabled, namely, directly redirect to the third-party SSO auth site as soon as the user enters the server URL (no need to display a login form, since it'll be useless).
2018-02-06 23:36:56 +01:00
'dev', 'result', 'remoteuser', 'zulip_version'})
server-version: Add server version to api endpoints. - Add server version to `fetch_initial_state_data`. - Add server version to register event queue api endpoint. - Add server version to `get_auth_backends` api endpoint. - Change source for server version in `home` endpoint. - Fix tests. Fixes #3663
2017-02-27 08:30:26 +01:00
for backend in set(data.keys()) - {'msg', 'result', 'zulip_version'}:
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
self.assertTrue(isinstance(data[backend], bool))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_fetch_auth_backend(self) -> None:
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
backends = [GoogleMobileOauth2Backend(), DevAuthBackend()]
with mock.patch('django.contrib.auth.get_backends', return_value=backends):
Add client_get() test helper.
2016-07-28 00:38:45 +02:00
result = self.client_get("/api/v1/get_auth_backends")
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
self.assertEqual(data, {
'msg': '',
'password': False,
auth: Add GitHub to list of reported backends.
2017-04-27 23:34:44 +02:00
'github': False,
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
'google': True,
'dev': True,
auth: Don't offer password reset links when useless. If an organization doesn't have the EmailAuthBackend (which allows password auth) enabled, then our password reset form doesn't do anything, so we should hide it in the UI.
2017-10-24 20:59:11 +02:00
'email': False,
'ldap': False,
auth: Report to mobile apps the availability of RemoteUserBackend. This is necessary for mobile apps to do the right thing when only RemoteUserBackend is enabled, namely, directly redirect to the third-party SSO auth site as soon as the user enters the server URL (no need to display a login form, since it'll be useless).
2018-02-06 23:36:56 +01:00
'remoteuser': False,
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
'result': 'success',
server-version: Add server version to api endpoints. - Add server version to `fetch_initial_state_data`. - Add server version to register event queue api endpoint. - Add server version to `get_auth_backends` api endpoint. - Change source for server version in `home` endpoint. - Fix tests. Fixes #3663
2017-02-27 08:30:26 +01:00
'zulip_version': ZULIP_VERSION,
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
})
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
# Test subdomains cases
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(ROOT_DOMAIN_LANDING_PAGE=False):
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
result = self.client_get("/api/v1/get_auth_backends")
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assertEqual(data, {
'msg': '',
'password': False,
auth: Add GitHub to list of reported backends.
2017-04-27 23:34:44 +02:00
'github': False,
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
'google': True,
auth: Don't offer password reset links when useless. If an organization doesn't have the EmailAuthBackend (which allows password auth) enabled, then our password reset form doesn't do anything, so we should hide it in the UI.
2017-10-24 20:59:11 +02:00
'email': False,
'ldap': False,
auth: Report to mobile apps the availability of RemoteUserBackend. This is necessary for mobile apps to do the right thing when only RemoteUserBackend is enabled, namely, directly redirect to the third-party SSO auth site as soon as the user enters the server URL (no need to display a login form, since it'll be useless).
2018-02-06 23:36:56 +01:00
'remoteuser': False,
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
'dev': True,
'result': 'success',
'zulip_version': ZULIP_VERSION,
})
# Verify invalid subdomain
result = self.client_get("/api/v1/get_auth_backends",
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
subdomain="invalid")
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assert_json_error_contains(result, "Invalid subdomain", 400)
# Verify correct behavior with a valid subdomain with
# some backends disabled for the realm
realm = get_realm("zulip")
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
do_set_realm_authentication_methods(realm, dict(Google=False, Email=False, Dev=True))
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
result = self.client_get("/api/v1/get_auth_backends",
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
subdomain="zulip")
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assertEqual(data, {
'msg': '',
'password': False,
auth: Add GitHub to list of reported backends.
2017-04-27 23:34:44 +02:00
'github': False,
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
'google': False,
auth: Don't offer password reset links when useless. If an organization doesn't have the EmailAuthBackend (which allows password auth) enabled, then our password reset form doesn't do anything, so we should hide it in the UI.
2017-10-24 20:59:11 +02:00
'email': False,
'ldap': False,
auth: Report to mobile apps the availability of RemoteUserBackend. This is necessary for mobile apps to do the right thing when only RemoteUserBackend is enabled, namely, directly redirect to the third-party SSO auth site as soon as the user enters the server URL (no need to display a login form, since it'll be useless).
2018-02-06 23:36:56 +01:00
'remoteuser': False,
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
'dev': True,
'result': 'success',
'zulip_version': ZULIP_VERSION,
})
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(ROOT_DOMAIN_LANDING_PAGE=True):
settings: Rename SUBDOMAINS_HOMEPAGE to ROOT_DOMAIN_LANDING_PAGE. This new setting name is a lot more readable.
2017-08-25 04:32:16 +02:00
# With ROOT_DOMAIN_LANDING_PAGE, homepage fails
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
result = self.client_get("/api/v1/get_auth_backends",
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
subdomain="")
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assert_json_error_contains(result, "Subdomain required", 400)
settings: Rename SUBDOMAINS_HOMEPAGE to ROOT_DOMAIN_LANDING_PAGE. This new setting name is a lot more readable.
2017-08-25 04:32:16 +02:00
# With ROOT_DOMAIN_LANDING_PAGE, subdomain pages succeed
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
result = self.client_get("/api/v1/get_auth_backends",
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
subdomain="zulip")
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assertEqual(data, {
'msg': '',
'password': False,
auth: Add GitHub to list of reported backends.
2017-04-27 23:34:44 +02:00
'github': False,
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
'google': False,
auth: Don't offer password reset links when useless. If an organization doesn't have the EmailAuthBackend (which allows password auth) enabled, then our password reset form doesn't do anything, so we should hide it in the UI.
2017-10-24 20:59:11 +02:00
'email': False,
auth: Report to mobile apps the availability of RemoteUserBackend. This is necessary for mobile apps to do the right thing when only RemoteUserBackend is enabled, namely, directly redirect to the third-party SSO auth site as soon as the user enters the server URL (no need to display a login form, since it'll be useless).
2018-02-06 23:36:56 +01:00
'remoteuser': False,
auth: Don't offer password reset links when useless. If an organization doesn't have the EmailAuthBackend (which allows password auth) enabled, then our password reset form doesn't do anything, so we should hide it in the UI.
2017-10-24 20:59:11 +02:00
'ldap': False,
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
'dev': True,
'result': 'success',
'zulip_version': ZULIP_VERSION,
})
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
class TestTwoFactor(ZulipTestCase):
def test_direct_dev_login_with_2fa(self) -> None:
email = self.example_email('hamlet')
user_profile = self.example_user('hamlet')
with self.settings(TWO_FACTOR_AUTHENTICATION_ENABLED=True):
data = {'direct_email': email}
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
# User logs in but when otp device doesn't exist.
self.assertNotIn('otp_device_id', self.client.session.keys())
self.create_default_device(user_profile)
data = {'direct_email': email}
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
# User logs in when otp device exists.
self.assertIn('otp_device_id', self.client.session.keys())
@mock.patch('two_factor.models.totp')
def test_two_factor_login_with_ldap(self, mock_totp):
# type: (mock.MagicMock) -> None
token = 123456
email = self.example_email('hamlet')
password = 'testing'
user_profile = self.example_user('hamlet')
user_profile.set_password(password)
user_profile.save()
self.create_default_device(user_profile)
def totp(*args, **kwargs):
# type: (*Any, **Any) -> int
return token
mock_totp.side_effect = totp
# Setup LDAP
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
ldap_patcher = mock.patch('django_auth_ldap.config.ldap.initialize')
mock_initialize = ldap_patcher.start()
mock_ldap = MockLDAP()
mock_initialize.return_value = mock_ldap
full_name = 'New LDAP fullname'
mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing',
'fn': [full_name],
'sn': ['shortname'],
}
}
with self.settings(
AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
TWO_FACTOR_CALL_GATEWAY='two_factor.gateways.fake.Fake',
TWO_FACTOR_SMS_GATEWAY='two_factor.gateways.fake.Fake',
TWO_FACTOR_AUTHENTICATION_ENABLED=True,
POPULATE_PROFILE_VIA_LDAP=True,
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map,
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
first_step_data = {"username": email,
"password": password,
"two_factor_login_view-current_step": "auth"}
result = self.client_post("/accounts/login/", first_step_data)
self.assertEqual(result.status_code, 200)
second_step_data = {"token-otp_token": str(token),
"two_factor_login_view-current_step": "token"}
result = self.client_post("/accounts/login/", second_step_data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result['Location'], 'http://zulip.testserver')
# Going to login page should redirect to `realm.uri` if user is
# already logged in.
result = self.client_get('/accounts/login/')
self.assertEqual(result.status_code, 302)
self.assertEqual(result['Location'], 'http://zulip.testserver')
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
class TestDevAuthBackend(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
data = {'direct_email': email}
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
def test_login_success_with_2fa(self) -> None:
user_profile = self.example_user('hamlet')
self.create_default_device(user_profile)
email = user_profile.email
data = {'direct_email': email}
with self.settings(TWO_FACTOR_AUTHENTICATION_ENABLED=True):
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, 'http://zulip.testserver')
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
self.assertIn('otp_device_id', list(self.client.session.keys()))
auth.py: Make redirects to 'next' url work for dev environment. This makes these redirects work for the local authentication backend.
2018-03-12 12:25:50 +01:00
def test_redirect_to_next_url(self) -> None:
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def do_local_login(formaction: str) -> HttpResponse:
auth.py: Make redirects to 'next' url work for dev environment. This makes these redirects work for the local authentication backend.
2018-03-12 12:25:50 +01:00
user_email = self.example_email('hamlet')
data = {'direct_email': user_email}
return self.client_post(formaction, data)
res = do_local_login('/accounts/login/local/')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver')
res = do_local_login('/accounts/login/local/?next=/user_uploads/path_to_image')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver/user_uploads/path_to_image')
login_redirects: Make redirects to narrows from login page work.
2018-03-12 14:08:12 +01:00
# In local Email based authentication we never make browser send the hash
# to the backend. Rather we depend upon the browser's behaviour of persisting
# hash anchors in between redirect requests. See below stackoverflow conversation
# https://stackoverflow.com/questions/5283395/url-hash-is-persisting-between-redirects
res = do_local_login('/accounts/login/local/?next=#narrow/stream/7-test-here')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver')
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_with_subdomain(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
data = {'direct_email': email}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_post('/accounts/login/local/', data)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_choose_realm(self) -> None:
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
result = self.client_post('/devlogin/', subdomain="zulip")
self.assert_in_success_response(["Click on a user to log in to Zulip Dev!"], result)
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
result = self.client_post('/devlogin/', subdomain="")
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
self.assert_in_success_response(["Click on a user to log in!"], result)
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
data = {'new_realm': 'zephyr'}
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
result = self.client_post('/devlogin/', data, subdomain="zulip")
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "http://zephyr.testserver")
result = self.client_get('/devlogin/', subdomain="zephyr")
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in to MIT!"], result)
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
self.assert_not_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_choose_realm_with_subdomains_enabled(self) -> None:
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
with mock.patch('zerver.views.auth.is_subdomain_root_or_alias', return_value=False):
with mock.patch('zerver.views.auth.get_realm_from_request', return_value=get_realm('zulip')):
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_get("http://zulip.testserver/devlogin/")
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
self.assert_not_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in to Zulip Dev!"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
with mock.patch('zerver.views.auth.get_realm_from_request', return_value=get_realm('zephyr')):
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_post("http://zulip.testserver/devlogin/", {'new_realm': 'zephyr'})
self.assertEqual(result["Location"], "http://zephyr.testserver")
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_get("http://zephyr.testserver/devlogin/")
self.assert_not_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in to MIT!"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
data = {'direct_email': email}
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',)):
auth: Redirect to an error page instead of 500. Previously, we used to raise an exception if the direct dev login code path was attempted when: * we were running under production environment. * dev. login was not enabled. Now we redirect to an error page and give an explanatory message to the user. Fixes #8249.
2018-02-21 06:31:53 +01:00
with mock.patch('django.core.handlers.exception.logger'):
response = self.client_post('/accounts/login/local/', data)
self.assertRedirects(response, reverse('dev_not_supported'))
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_nonexistent_user(self) -> None:
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
email = 'nonexisting@zulip.com'
data = {'direct_email': email}
auth: Redirect to an error page instead of 500. Previously, we used to raise an exception if the direct dev login code path was attempted when: * we were running under production environment. * dev. login was not enabled. Now we redirect to an error page and give an explanatory message to the user. Fixes #8249.
2018-02-21 06:31:53 +01:00
with mock.patch('django.core.handlers.exception.logger'):
response = self.client_post('/accounts/login/local/', data)
self.assertRedirects(response, reverse('dev_not_supported'))
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
class TestZulipRemoteUserBackend(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_with_sso_append_domain(self) -> None:
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
username = 'hamlet'
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',),
SSO_APPEND_DOMAIN='zulip.com'):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=username)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
self.assertEqual(result.status_code, 200) # This should ideally be not 200.
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertIs(get_session_dict_user(self.client.session), None)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_nonexisting_user(self) -> None:
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
email = 'nonexisting@zulip.com'
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
self.assertEqual(result.status_code, 200)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertIs(get_session_dict_user(self.client.session), None)
frontend: Edit confirm_continue_registration.html to be clearer. Fixes #5707.
2017-07-17 17:31:05 +02:00
self.assert_in_response("No account found for", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_invalid_email(self) -> None:
remote_user_sso: Improve invalid email message. Show a user friendly message to the user if email is invalid. Currently we show a generic message: "Your username or password is incorrect."
2017-04-07 08:21:29 +02:00
email = 'hamlet'
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
self.assert_json_error_contains(result, "Enter a valid email address.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_missing_field(self) -> None:
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/')
self.assert_json_error_contains(result, "No REMOTE_USER set.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_subdomain(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='acme'):
Change bot domains to string_id.EXTERNAL_HOST. Change applies to both subdomains and non-subdomains case, though we use just the EXTERNAL_HOST in the non-subdomains case if there is only 1 realm. Fixes #3903.
2017-03-05 04:17:12 +01:00
result = self.client_post('http://testserver:9080/accounts/login/sso/',
REMOTE_USER=email)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertEqual(result.status_code, 200)
self.assertIs(get_session_dict_user(self.client.session), None)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response("You need an invitation to join this organization.", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_empty_subdomain(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value=''):
Change bot domains to string_id.EXTERNAL_HOST. Change applies to both subdomains and non-subdomains case, though we use just the EXTERNAL_HOST in the non-subdomains case if there is only 1 realm. Fixes #3903.
2017-03-05 04:17:12 +01:00
result = self.client_post('http://testserver:9080/accounts/login/sso/',
REMOTE_USER=email)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertEqual(result.status_code, 200)
self.assertIs(get_session_dict_user(self.client.session), None)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response("You need an invitation to join this organization.", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_under_subdomains(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='zulip'):
with self.settings(
AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
self.assertEqual(result.status_code, 302)
self.assertIs(get_session_dict_user(self.client.session), user_profile.id)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
@override_settings(SEND_LOGIN_EMAILS=True)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
def test_login_mobile_flow_otp_success(self) -> None:
user_profile = self.example_user('hamlet')
email = user_profile.email
mobile_flow_otp = '1234abcd' * 8
# Verify that the right thing happens with an invalid-format OTP
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="1234"),
REMOTE_USER=email,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertIs(get_session_dict_user(self.client.session), None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="invalido" * 8),
REMOTE_USER=email,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertIs(get_session_dict_user(self.client.session), None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp=mobile_flow_otp),
REMOTE_USER=email,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
self.assertEqual(self.example_user('hamlet').api_key,
otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp))
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
auth: Make redirects to next work for REMOTE_USER based Apache SSO. It's possible that this won't work with some versions of the third-party backend, but tabbott has tested carefully that it does work correctly with the Apache basic auth backend in our test environment.
2018-02-24 22:38:48 +01:00
def test_redirect_to(self) -> None:
tests: Replace messy direct test of login_or_register_remote_user. This code path is much more naturally tested with the existing end-to-end test for the function that we have for the RemoteUser auth backend.
2018-04-22 23:14:27 +02:00
"""This test verifies the behavior of the redirect_to logic in
login_or_register_remote_user."""
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def test_with_redirect_to_param_set_as_next(next: str='') -> HttpResponse:
auth: Make redirects to next work for REMOTE_USER based Apache SSO. It's possible that this won't work with some versions of the third-party backend, but tabbott has tested carefully that it does work correctly with the Apache basic auth backend in our test environment.
2018-02-24 22:38:48 +01:00
user_profile = self.example_user('hamlet')
email = user_profile.email
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/?next=' + next, REMOTE_USER=email)
return result
res = test_with_redirect_to_param_set_as_next()
self.assertEqual('http://zulip.testserver', res.url)
res = test_with_redirect_to_param_set_as_next('/user_uploads/image_path')
self.assertEqual('http://zulip.testserver/user_uploads/image_path', res.url)
tests: Replace messy direct test of login_or_register_remote_user. This code path is much more naturally tested with the existing end-to-end test for the function that we have for the RemoteUser auth backend.
2018-04-22 23:14:27 +02:00
# Third-party domains are rejected and just send you to root domain
res = test_with_redirect_to_param_set_as_next('https://rogue.zulip-like.server/login')
self.assertEqual('http://zulip.testserver', res.url)
auth: Make redirects to next work for REMOTE_USER based Apache SSO. It's possible that this won't work with some versions of the third-party backend, but tabbott has tested carefully that it does work correctly with the Apache basic auth backend in our test environment.
2018-02-24 22:38:48 +01:00
# In SSO based auth we never make browser send the hash to the backend.
# Rather we depend upon the browser's behaviour of persisting hash anchors
# in between redirect requests. See below stackoverflow conversation
# https://stackoverflow.com/questions/5283395/url-hash-is-persisting-between-redirects
res = test_with_redirect_to_param_set_as_next('#narrow/stream/7-test-here')
self.assertEqual('http://zulip.testserver', res.url)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
class TestJWTLogin(ZulipTestCase):
"""
JWT uses ZulipDummyBackend.
"""
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
realm = get_realm('zulip')
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = get_user(email, realm)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_user_is_missing(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'realm': 'zulip.com'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "No user specified in JSON web token claims", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_realm_is_missing(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
i18n: Fix a last few strings mentioning realms.
2018-03-08 02:05:50 +01:00
self.assert_json_error_contains(result, "No organization specified in JSON web token claims", 400)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_key_does_not_exist(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
data = {'json_web_token': 'not relevant'}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Auth key for this subdomain not found.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_key_is_missing(self) -> None:
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
result = self.client_post('/accounts/login/jwt/')
self.assert_json_error_contains(result, "No JSON web token passed in request", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_bad_token_is_passed(self) -> None:
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
result = self.client_post('/accounts/login/jwt/')
self.assert_json_error_contains(result, "No JSON web token passed in request", 400)
data = {'json_web_token': 'bad token'}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Bad JSON web token", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_user_does_not_exist(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'nonexisting', 'realm': 'zulip.com'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
self.assertEqual(result.status_code, 200) # This should ideally be not 200.
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
self.assertIs(get_session_dict_user(self.client.session), None)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
# The /accounts/login/jwt/ endpoint should also handle the case
# where the authentication attempt throws UserProfile.DoesNotExist.
with mock.patch(
'zerver.views.auth.authenticate',
side_effect=UserProfile.DoesNotExist("Do not exist")):
result = self.client_post('/accounts/login/jwt/', data)
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
self.assertEqual(result.status_code, 200) # This should ideally be not 200.
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
self.assertIs(get_session_dict_user(self.client.session), None)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_subdomain(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(JWT_AUTH_KEYS={'acme': 'key'}):
JWT: Filter out logging.warning output in tests.
2017-10-28 00:48:13 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='acme'), \
mock.patch('logging.warning'):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
auth_key = settings.JWT_AUTH_KEYS['acme']
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Wrong subdomain", 400)
self.assertEqual(get_session_dict_user(self.client.session), None)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_empty_subdomain(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(JWT_AUTH_KEYS={'': 'key'}):
JWT: Filter out logging.warning output in tests.
2017-10-28 00:48:13 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value=''), \
mock.patch('logging.warning'):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
auth_key = settings.JWT_AUTH_KEYS['']
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Wrong subdomain", 400)
self.assertEqual(get_session_dict_user(self.client.session), None)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_under_subdomains(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='zulip'):
auth_key = settings.JWT_AUTH_KEYS['zulip']
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assertEqual(result.status_code, 302)
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
class TestLDAP(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.setup_subdomain(user_profile)
ldap_patcher = mock.patch('django_auth_ldap.config.ldap.initialize')
self.mock_initialize = ldap_patcher.start()
self.mock_ldap = MockLDAP()
self.mock_initialize.return_value = self.mock_ldap
self.backend = ZulipLDAPAuthBackend()
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
# Internally `_realm` attribute is automatically set by the
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
# `authenticate()` method. But for testing the `get_or_build_user()`
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
# method separately, we need to set it manually.
self.backend._realm = get_realm('zulip')
Add LDAP tests.
2016-10-24 14:41:45 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def tearDown(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.reset()
self.mock_initialize.stop()
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def setup_subdomain(self, user_profile: UserProfile) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
realm = user_profile.realm
models.Realm: Rename subdomain to string_id. Does a database migration to rename Realm.subdomain to Realm.string_id, and makes Realm.subdomain a property. Eventually, Realm.string_id will replace Realm.domain as the handle by which we retrieve Realm objects.
2016-10-26 18:13:43 +02:00
realm.string_id = 'zulip'
Add LDAP tests.
2016-10-24 14:41:45 +02:00
realm.save()
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing'
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
realm=get_realm('zulip'))
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
assert(user_profile is not None)
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
self.assertEqual(user_profile.email, self.example_email("hamlet"))
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_with_email_attr(self) -> None:
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
self.mock_ldap.directory = {
'uid=letham,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing',
'email': ['hamlet@zulip.com'],
}
}
with self.settings(LDAP_EMAIL_ATTR='email',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
user_profile = self.backend.authenticate("letham", 'testing',
realm=get_realm('zulip'))
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
assert (user_profile is not None)
self.assertEqual(user_profile.email, self.example_email("hamlet"))
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_password(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing'
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
test_auth_backends: Fix indentation.
2017-06-21 10:12:56 +02:00
user = self.backend.authenticate(self.example_email("hamlet"), 'wrong')
self.assertIs(user, None)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_nonexistent_user(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing'
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
test_auth_backends: Fix indentation.
2017-06-21 10:12:56 +02:00
user = self.backend.authenticate('nonexistent@zulip.com', 'testing')
self.assertIs(user, None)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_permissions(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
self.assertFalse(backend.has_perm(None, None))
self.assertFalse(backend.has_module_perms(None, None))
self.assertTrue(backend.get_all_permissions(None, None) == set())
self.assertTrue(backend.get_group_permissions(None, None) == set())
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_django_to_ldap_username(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
username = backend.django_to_ldap_username('"hamlet@test"@zulip.com')
self.assertEqual(username, '"hamlet@test"')
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_to_django_username(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
username = backend.ldap_to_django_username('"hamlet@test"')
self.assertEqual(username, '"hamlet@test"@zulip.com')
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_user_exists(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
backend = self.backend
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
user_profile, created = backend.get_or_build_user(str(email), _LDAPUser())
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertFalse(created)
self.assertEqual(user_profile.email, email)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_user_does_not_exist(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
backend = self.backend
email = 'nonexisting@zulip.com'
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
user_profile, created = backend.get_or_build_user(email, _LDAPUser())
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertTrue(created)
self.assertEqual(user_profile.email, email)
self.assertEqual(user_profile.full_name, 'Full Name')
users: Verify full names explicitly in account registration. I believe this completes the project of ensuring that our recent work on limiting what characters can appears in users' full names covers the entire codebase.
2017-02-08 05:04:14 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_user_has_invalid_name(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
users: Verify full names explicitly in account registration. I believe this completes the project of ensuring that our recent work on limiting what characters can appears in users' full names covers the entire codebase.
2017-02-08 05:04:14 +01:00
attrs = {'fn': ['<invalid name>'], 'sn': ['Short Name']}
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
backend = self.backend
email = 'nonexisting@zulip.com'
with self.assertRaisesRegex(Exception, "Invalid characters in name!"):
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
backend.get_or_build_user(email, _LDAPUser())
users: Verify full names explicitly in account registration. I believe this completes the project of ensuring that our recent work on limiting what characters can appears in users' full names covers the entire codebase.
2017-02-08 05:04:14 +01:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_realm_is_deactivated(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
backend = self.backend
email = 'nonexisting@zulip.com'
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
do_deactivate_realm(backend._realm)
tests: s/assertRaisesRegexp/assertRaisesRegex/ due to deprecation.
2016-12-16 02:11:42 +01:00
with self.assertRaisesRegex(Exception, 'Realm has been deactivated'):
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
backend.get_or_build_user(email, _LDAPUser())
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_ldap_has_no_email_attr(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
nonexisting_attr = 'email'
with self.settings(LDAP_EMAIL_ATTR=nonexisting_attr):
backend = self.backend
email = 'nonexisting@zulip.com'
with self.assertRaisesRegex(Exception, 'LDAP user doesn\'t have the needed email attribute'):
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
backend.get_or_build_user(email, _LDAPUser())
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_django_to_ldap_username_when_domain_does_not_match(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
tests: s/assertRaisesRegexp/assertRaisesRegex/ due to deprecation.
2016-12-16 02:11:42 +01:00
with self.assertRaisesRegex(Exception, 'Username does not match LDAP domain.'):
Add LDAP tests.
2016-10-24 14:41:45 +02:00
with self.settings(LDAP_APPEND_DOMAIN='acme.com'):
backend.django_to_ldap_username(email)
LDAP: Restore an except clause and add test to cover it. Most of the paths leading through this except clause were cut in 73e8bba37 "ldap auth: Reassure django_auth_ldap". The remaining one had no test coverage -- the case that leads to it had a narrow unit test, but no test had the exception actually propagate here. As a result, the clause was mistakenly cut, in commit 8d7f961a6 "LDAP: Remove now-impossible except clause.", which could lead to an uncaught exception in production. Restore the except clause, and add a test for it.
2017-09-27 21:30:53 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_domain_does_not_match(self) -> None:
LDAP: Restore an except clause and add test to cover it. Most of the paths leading through this except clause were cut in 73e8bba37 "ldap auth: Reassure django_auth_ldap". The remaining one had no test coverage -- the case that leads to it had a narrow unit test, but no test had the exception actually propagate here. As a result, the clause was mistakenly cut, in commit 8d7f961a6 "LDAP: Remove now-impossible except clause.", which could lead to an uncaught exception in production. Restore the except clause, and add a test for it.
2017-09-27 21:30:53 +02:00
with self.settings(LDAP_APPEND_DOMAIN='acme.com'):
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'pass')
self.assertIs(user_profile, None)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_subdomain(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing'
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zephyr'))
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertIs(user_profile, None)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_invalid_subdomain(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing'
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=None)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertIs(user_profile, None)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_with_valid_subdomain(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing'
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'))
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
assert(user_profile is not None)
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
self.assertEqual(user_profile.email, self.example_email("hamlet"))
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_deactivated_user(self) -> None:
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'userPassword': 'testing'
}
}
user_profile = self.example_user("hamlet")
do_deactivate_user(user_profile)
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
realm=get_realm('zulip'))
self.assertIs(user_profile, None)
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_when_user_does_not_exist_with_valid_subdomain(
self) -> None:
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
self.mock_ldap.directory = {
'uid=nonexisting,ou=users,dc=acme,dc=com': {
'cn': ['NonExisting', ],
'userPassword': 'testing'
}
}
with self.settings(
LDAP_APPEND_DOMAIN='acme.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=acme,dc=com'):
user_profile = self.backend.authenticate('nonexisting@acme.com', 'testing',
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'))
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
assert(user_profile is not None)
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
self.assertEqual(user_profile.email, 'nonexisting@acme.com')
self.assertEqual(user_profile.full_name, 'NonExisting')
self.assertEqual(user_profile.realm.string_id, 'zulip')
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
class TestZulipLDAPUserPopulator(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_authenticate(self) -> None:
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
backend = ZulipLDAPUserPopulator()
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
result = backend.authenticate(self.example_email("hamlet"), 'testing') # type: ignore # complains that the function does not return any value!
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
self.assertIs(result, None)
Add ZulipAuthMixin tests.
2016-10-26 12:39:09 +02:00
class TestZulipAuthMixin(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_get_user(self) -> None:
Add ZulipAuthMixin tests.
2016-10-26 12:39:09 +02:00
backend = ZulipAuthMixin()
result = backend.get_user(11111)
self.assertIs(result, None)
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
class TestPasswordAuthEnabled(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_password_auth_enabled_for_ldap(self) -> None:
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',)):
Remove unnecessary uses of Realm.domain in zerver/tests.
2017-01-08 20:24:05 +01:00
realm = Realm.objects.get(string_id='zulip')
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
self.assertTrue(password_auth_enabled(realm))
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
class TestRequireEmailFormatUsernames(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_ldap_with_append_domain(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
LDAP_APPEND_DOMAIN="zulip.com"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_ldap_with_email_attr(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
LDAP_EMAIL_ATTR="email"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_email_only(self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',)):
realm = Realm.objects.get(string_id='zulip')
self.assertTrue(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_email_and_ldap_with_email_attr(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.ZulipLDAPAuthBackend'),
LDAP_EMAIL_ATTR="email"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_email_and_ldap_with_append_email(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.ZulipLDAPAuthBackend'),
LDAP_APPEND_DOMAIN="zulip.com"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
class TestMaybeSendToRegistration(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_sso_only_when_preregistration_user_does_not_exist(self) -> None:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
rf = RequestFactory()
request = rf.get('/')
request.session = {}
request.user = None
# Creating a mock Django form in order to keep the test simple.
# This form will be returned by the create_hompage_form function
# and will always be valid so that the code that we want to test
# actually runs.
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class Form:
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def is_valid(self) -> bool:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
return True
with self.settings(ONLY_SSO=True):
Refactor views.create_homepage_form into its callers. The indirection is no longer that useful, and obscures Django's conventional style for calling a form.
2016-12-24 04:35:58 +01:00
with mock.patch('zerver.views.auth.HomepageForm', return_value=Form()):
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
self.assertEqual(PreregistrationUser.objects.all().count(), 0)
auth: Refactor login_or_register_remote_user interface. By moving all of the logic related to the is_signup flag into maybe_send_to_registration, we make the login_or_register_remote_user function quite clean and readable. The next step is to make maybe_send_to_registration less of a disaster.
2018-04-22 23:58:37 +02:00
result = maybe_send_to_registration(request, self.example_email("hamlet"), is_signup=True)
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
self.assertEqual(PreregistrationUser.objects.all().count(), 1)
tests: Improve test coverage of templates. Addresses part of #1677.
2016-12-01 08:54:21 +01:00
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
self.assert_in_response('value="{0}" name="key"'.format(confirmation_key), result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_sso_only_when_preregistration_user_exists(self) -> None:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
rf = RequestFactory()
request = rf.get('/')
request.session = {}
request.user = None
# Creating a mock Django form in order to keep the test simple.
# This form will be returned by the create_hompage_form function
# and will always be valid so that the code that we want to test
# actually runs.
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class Form:
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def is_valid(self) -> bool:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
return True
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
user = PreregistrationUser(email=email)
user.save()
with self.settings(ONLY_SSO=True):
Refactor views.create_homepage_form into its callers. The indirection is no longer that useful, and obscures Django's conventional style for calling a form.
2016-12-24 04:35:58 +01:00
with mock.patch('zerver.views.auth.HomepageForm', return_value=Form()):
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
self.assertEqual(PreregistrationUser.objects.all().count(), 1)
auth: Refactor login_or_register_remote_user interface. By moving all of the logic related to the is_signup flag into maybe_send_to_registration, we make the login_or_register_remote_user function quite clean and readable. The next step is to make maybe_send_to_registration less of a disaster.
2018-04-22 23:58:37 +02:00
result = maybe_send_to_registration(request, email, is_signup=True)
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
self.assertEqual(PreregistrationUser.objects.all().count(), 1)
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
class TestAdminSetBackends(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_change_enabled_backends(self) -> None:
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Log in as admin
Replace iago@zulip.com with example_email('iago').
2017-05-25 01:44:04 +02:00
self.login(self.example_email("iago"))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
result = self.client_patch("/json/realm", {
'authentication_methods': ujson.dumps({u'Email': False, u'Dev': True})})
self.assert_json_success(result)
Rename models.get_realm_by_string_id to get_realm. Finishes the refactoring started in c1bbd8d. The goal of the refactoring is to change the argument to get_realm from a Realm.domain to a Realm.string_id. The steps were * Add a new function, get_realm_by_string_id. * Change all calls to get_realm to use get_realm_by_string_id instead. * Remove get_realm. * (This commit) Rename get_realm_by_string_id to get_realm. Part of a larger migration to remove the Realm.domain field entirely.
2017-01-04 05:30:48 +01:00
realm = get_realm('zulip')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assertFalse(password_auth_enabled(realm))
TestAdminSetBackends: Supply dev_auth_enabled() with realm argument. This fixes the fact that these tests were not correctly running against the actual realm.
2016-11-07 21:20:55 +01:00
self.assertTrue(dev_auth_enabled(realm))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_disable_all_backends(self) -> None:
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Log in as admin
Replace iago@zulip.com with example_email('iago').
2017-05-25 01:44:04 +02:00
self.login(self.example_email("iago"))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
result = self.client_patch("/json/realm", {
pep8: Fix E203 violations
2016-12-02 00:08:34 +01:00
'authentication_methods': ujson.dumps({u'Email': False, u'Dev': False})})
admin: Make an error about auth settings not mimic auth errors. This error isn't saying that any kind of authentication or authorization failed -- it's just a validation error like any other validation error in the values the user is asking to set. The thought of authentication comes into it only because the setting happens to be *about* authentication. Fix the error to look like the other validation errors around it, rather than give a 403 HTTP status code and a "reason" field that mimics the "reason" fields in `api_fetch_api_key`.
2017-07-25 02:28:33 +02:00
self.assert_json_error(result, 'At least one authentication method must be enabled.')
Rename models.get_realm_by_string_id to get_realm. Finishes the refactoring started in c1bbd8d. The goal of the refactoring is to change the argument to get_realm from a Realm.domain to a Realm.string_id. The steps were * Add a new function, get_realm_by_string_id. * Change all calls to get_realm to use get_realm_by_string_id instead. * Remove get_realm. * (This commit) Rename get_realm_by_string_id to get_realm. Part of a larger migration to remove the Realm.domain field entirely.
2017-01-04 05:30:48 +01:00
realm = get_realm('zulip')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assertTrue(password_auth_enabled(realm))
TestAdminSetBackends: Supply dev_auth_enabled() with realm argument. This fixes the fact that these tests were not correctly running against the actual realm.
2016-11-07 21:20:55 +01:00
self.assertTrue(dev_auth_enabled(realm))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_supported_backends_only_updated(self) -> None:
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Log in as admin
Replace iago@zulip.com with example_email('iago').
2017-05-25 01:44:04 +02:00
self.login(self.example_email("iago"))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Set some supported and unsupported backends
result = self.client_patch("/json/realm", {
pep8: Fix E203 violations
2016-12-02 00:08:34 +01:00
'authentication_methods': ujson.dumps({u'Email': False, u'Dev': True, u'GitHub': False})})
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assert_json_success(result)
Rename models.get_realm_by_string_id to get_realm. Finishes the refactoring started in c1bbd8d. The goal of the refactoring is to change the argument to get_realm from a Realm.domain to a Realm.string_id. The steps were * Add a new function, get_realm_by_string_id. * Change all calls to get_realm to use get_realm_by_string_id instead. * Remove get_realm. * (This commit) Rename get_realm_by_string_id to get_realm. Part of a larger migration to remove the Realm.domain field entirely.
2017-01-04 05:30:48 +01:00
realm = get_realm('zulip')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Check that unsupported backend is not enabled
self.assertFalse(github_auth_enabled(realm))
TestAdminSetBackends: Supply dev_auth_enabled() with realm argument. This fixes the fact that these tests were not correctly running against the actual realm.
2016-11-07 21:20:55 +01:00
self.assertTrue(dev_auth_enabled(realm))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assertFalse(password_auth_enabled(realm))
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
Make LoginEmailValidatorTestCase use ZulipTestCase instead of TestCase.
2017-05-25 02:29:42 +02:00
class LoginEmailValidatorTestCase(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_valid_email(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
validate_login_email(self.example_email("hamlet"))
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_invalid_email(self) -> None:
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
with self.assertRaises(JsonableError):
validate_login_email(u'hamlet')
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
class LDAPBackendTest(ZulipTestCase):
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_non_existing_realm(self) -> None:
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
email = self.example_email('hamlet')
data = {'username': email, 'password': initial_password(email)}
error_type = ZulipLDAPAuthBackend.REALM_IS_NONE_ERROR
error = ZulipLDAPConfigurationError('Realm is None', error_type)
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
with mock.patch('zproject.backends.ZulipLDAPAuthBackend.get_or_build_user',
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
side_effect=error), \
mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn'):
response = self.client_post('/login/', data)
self.assertEqual(response.status_code, 302)
self.assertEqual(response.url, reverse('ldap_error_realm_is_none'))
response = self.client_get(response.url)
self.assert_in_response('You are trying to login using LDAP '
'without creating an',
response)