Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zerver/tests/test_auth_backends.py

3204 lines
157 KiB
Python
Raw Normal View History

Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# -*- coding: utf-8 -*-
from django.conf import settings
api_fetch_api_key: Send new login emails for mobile.
2017-06-15 07:15:57 +02:00
from django.core import mail
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
from django.http import HttpResponse
Make LoginEmailValidatorTestCase use ZulipTestCase instead of TestCase.
2017-05-25 02:29:42 +02:00
from django.test import override_settings
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
from django_auth_ldap.backend import LDAPBackend, _LDAPUser
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
from django.test.client import RequestFactory
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
from django.utils.timezone import now as timezone_now
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
from typing import Any, Callable, Dict, List, Optional, Set, Tuple
Add Google OAuth2 backend tests.
2016-10-26 12:35:57 +02:00
from oauth2client.crypt import AppIdentityError
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
from django.core import signing
django-2.0: Shift to resolvers from urlresolvers. The old name is deprecated.
2018-01-30 06:05:25 +01:00
from django.urls import reverse
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
import httpretty
import os
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
import jwt
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
import mock
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
import re
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
import time
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
import datetime
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
from zerver.lib.actions import (
do_deactivate_realm,
do_deactivate_user,
do_reactivate_realm,
do_reactivate_user,
do_set_realm_authentication_methods,
refactoring: Replaced occurences of create_stream_if_needed. Issue #2088 asked for a wrapper to be created for `create_stream_if_needed` (called `ensure_stream`) for the 25 times that `create_stream_if_needed` is called and ignores whether the stream was created. This commit replaces relevant occurences of `create_stream_if_needed` with `ensure_stream`, including imports. The changes weren't significant enough to add any tests or do any additional manual testing. The refactoring intended to make the API easier to use in most cases. The majority of uses of `create_stream_if_needed` ignored the second parameter. Fixes: #2088.
2018-03-21 22:05:21 +01:00
ensure_stream,
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
validate_email,
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
)
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
from zerver.lib.avatar import avatar_url
ldap: Extract dev_ldap_directory.py. This gets what is fundamentally unit testing code out of backends.py.
2018-12-13 22:46:37 +01:00
from zerver.lib.dev_ldap_directory import generate_dev_ldap_dir
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
from zerver.lib.mobile_auth_otp import otp_decrypt_api_key
auth: Add new route to get server settings. Specifically, this makes easily available to the desktop and mobile apps data on the server's configuration, including important details like the realm icon, name, and description. It deprecates /api/v1/get_auth_backends.
2017-05-04 01:13:56 +02:00
from zerver.lib.validator import validate_login_email, \
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
check_bool, check_dict_only, check_string, Validator
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
from zerver.lib.request import JsonableError
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys.
2018-08-01 10:53:40 +02:00
from zerver.lib.users import get_all_api_keys
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
from zerver.lib.initial_password import initial_password
Rename zerver/lib/session_user.py to sessions.py.
2017-03-08 11:43:35 +01:00
from zerver.lib.sessions import get_session_dict_user
tests: Split out ZulipTestCase and WebhookTestCase to a separate file. Fixes #1671.
2016-11-10 19:30:09 +01:00
from zerver.lib.test_classes import (
ZulipTestCase,
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
)
from zerver.models import \
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
get_realm, email_to_username, CustomProfileField, CustomProfileFieldValue, \
models: Fix performance of supported_auth_backends with caching. See the comment, but this is a significant performance optimization for all of our pages using common_context, because this code path is called more than a dozen times (recursively) by common_context.
2019-03-17 22:19:53 +01:00
UserProfile, PreregistrationUser, Realm, RealmDomain, get_user, MultiuseInvite, \
clear_supported_auth_backends_cache
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
from zerver.signals import JUST_CREATED_THRESHOLD
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
zerver/tests: Remove unused imports. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2019-02-02 23:53:44 +01:00
from confirmation.models import Confirmation, create_confirmation_link
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
from zproject.backends import ZulipDummyBackend, EmailAuthBackend, \
GoogleMobileOauth2Backend, ZulipRemoteUserBackend, ZulipLDAPAuthBackend, \
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
ZulipLDAPUserPopulator, DevAuthBackend, GitHubAuthBackend, ZulipAuthMixin, \
auth: Add SocialAuthMixinTest.
2016-11-07 01:44:15 +01:00
dev_auth_enabled, password_auth_enabled, github_auth_enabled, \
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
require_email_format_usernames, AUTH_BACKEND_NAME_MAP, \
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
ZulipLDAPConfigurationError, ZulipLDAPExceptionOutsideDomain, \
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
ZulipLDAPException, query_ldap, sync_user_from_ldap, SocialAuthMixin
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
from zerver.views.auth import (maybe_send_to_registration,
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
_subdomain_token_salt)
server-version: Add server version to api endpoints. - Add server version to `fetch_initial_state_data`. - Add server version to register event queue api endpoint. - Add server version to `get_auth_backends` api endpoint. - Change source for server version in `home` endpoint. - Fix tests. Fixes #3663
2017-02-27 08:30:26 +01:00
from version import ZULIP_VERSION
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
from social_core.exceptions import AuthFailed, AuthStateForbidden
Revert "github: Call the appropriate authenticate." This reverts commit ab260731a98b8edd4884826cedbb042981e1dfff. The overridden authenticate method was buggy.
2017-04-19 19:05:04 +02:00
from social_django.strategy import DjangoStrategy
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
from social_django.storage import BaseDjangoStorage
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
import json
Change urllib import to be Python 3-specific.
2017-11-05 05:30:31 +01:00
import urllib
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
import ujson
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
from zerver.lib.test_helpers import MockLDAP, load_subdomain_token
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
class AuthBackendTest(ZulipTestCase):
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def get_username(self, email_to_username: Optional[Callable[[str], str]]=None) -> str:
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
username = self.example_email('hamlet')
test_auth_backends.py: Add get_username().
2017-03-28 11:11:29 +02:00
if email_to_username is not None:
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
username = email_to_username(self.example_email('hamlet'))
test_auth_backends.py: Add get_username().
2017-03-28 11:11:29 +02:00
return username
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def verify_backend(self, backend: Any, good_kwargs: Optional[Dict[str, Any]]=None, bad_kwargs: Optional[Dict[str, Any]]=None) -> None:
models: Fix performance of supported_auth_backends with caching. See the comment, but this is a significant performance optimization for all of our pages using common_context, because this code path is called more than a dozen times (recursively) by common_context.
2019-03-17 22:19:53 +01:00
clear_supported_auth_backends_cache()
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
assert good_kwargs is not None
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# If bad_kwargs was specified, verify auth fails in that case
if bad_kwargs is not None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**bad_kwargs))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Verify auth works
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
result = backend.authenticate(**good_kwargs)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertEqual(user_profile, result)
# Verify auth fails with a deactivated user
do_deactivate_user(user_profile)
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
result = backend.authenticate(**good_kwargs)
if isinstance(backend, SocialAuthMixin):
# Returns a redirect to login page with an error.
self.assertEqual(result.status_code, 302)
auth: Redirect deactivated user to /login when attempting social login. (#12130)
2019-04-17 21:28:57 +02:00
self.assertEqual(result.url, "/login/?is_deactivated=true")
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
else:
# Just takes you back to the login page treating as
# invalid auth; this is correct because the form will
# provide the appropriate validation error for deactivated
# account.
self.assertIsNone(result)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Reactivate the user and verify auth works again
do_reactivate_user(user_profile)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
result = backend.authenticate(**good_kwargs)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertEqual(user_profile, result)
# Verify auth fails with a deactivated realm
do_deactivate_realm(user_profile.realm)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Verify auth works again after reactivating the realm
do_reactivate_realm(user_profile.realm)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
result = backend.authenticate(**good_kwargs)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertEqual(user_profile, result)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
# ZulipDummyBackend isn't a real backend so the remainder
# doesn't make sense for it
if isinstance(backend, ZulipDummyBackend):
return
# Verify auth fails if the auth backend is disabled on server
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipDummyBackend',)):
models: Fix performance of supported_auth_backends with caching. See the comment, but this is a significant performance optimization for all of our pages using common_context, because this code path is called more than a dozen times (recursively) by common_context.
2019-03-17 22:19:53 +01:00
clear_supported_auth_backends_cache()
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
models: Fix performance of supported_auth_backends with caching. See the comment, but this is a significant performance optimization for all of our pages using common_context, because this code path is called more than a dozen times (recursively) by common_context.
2019-03-17 22:19:53 +01:00
clear_supported_auth_backends_cache()
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
# Verify auth fails if the auth backend is disabled for the realm
for backend_name in AUTH_BACKEND_NAME_MAP.keys():
if isinstance(backend, AUTH_BACKEND_NAME_MAP[backend_name]):
break
index = getattr(user_profile.realm.authentication_methods, backend_name).number
user_profile.realm.authentication_methods.set_bit(index, False)
user_profile.realm.save()
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
if 'realm' in good_kwargs:
# Because this test is a little unfaithful to the ordering
# (i.e. we fetched the realm object before this function
# was called, when in fact it should be fetched after we
# changed the allowed authentication methods), we need to
# propagate the changes we just made to the actual realm
# object in good_kwargs.
good_kwargs['realm'] = user_profile.realm
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.assertIsNone(backend.authenticate(**good_kwargs))
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
user_profile.realm.authentication_methods.set_bit(index, True)
user_profile.realm.save()
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_dummy_backend(self) -> None:
DummyAuthBackend: Require being passed a realm object. We should now always know the realm in our auth code paths.
2017-10-03 02:29:20 +02:00
realm = get_realm("zulip")
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.verify_backend(ZulipDummyBackend(),
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
good_kwargs=dict(username=username,
DummyAuthBackend: Require being passed a realm object. We should now always know the realm in our auth code paths.
2017-10-03 02:29:20 +02:00
realm=realm,
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
use_dummy_backend=True),
bad_kwargs=dict(username=username,
DummyAuthBackend: Require being passed a realm object. We should now always know the realm in our auth code paths.
2017-10-03 02:29:20 +02:00
realm=realm,
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
use_dummy_backend=False))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def setup_subdomain(self, user_profile: UserProfile) -> None:
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
realm = user_profile.realm
models.Realm: Rename subdomain to string_id. Does a database migration to rename Realm.subdomain to Realm.string_id, and makes Realm.subdomain a property. Eventually, Realm.string_id will replace Realm.domain as the handle by which we retrieve Realm objects.
2016-10-26 18:13:43 +02:00
realm.string_id = 'zulip'
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
realm.save()
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_email_auth_backend(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
password = "testpassword"
user_profile.set_password(password)
user_profile.save()
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
with mock.patch('zproject.backends.email_auth_enabled',
return_value=False), \
mock.patch('zproject.backends.password_auth_enabled',
return_value=True):
return_data = {} # type: Dict[str, bool]
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user = EmailAuthBackend().authenticate(self.example_email('hamlet'),
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm("zulip"),
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
password=password,
return_data=return_data)
self.assertEqual(user, None)
self.assertTrue(return_data['email_auth_disabled'])
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
self.verify_backend(EmailAuthBackend(),
good_kwargs=dict(password=password,
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username=username,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
return_data=dict()),
bad_kwargs=dict(password=password,
username=username,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zephyr'),
return_data=dict()))
self.verify_backend(EmailAuthBackend(),
good_kwargs=dict(password=password,
username=username,
realm=get_realm('zulip'),
return_data=dict()),
bad_kwargs=dict(password=password,
username=username,
realm=None,
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
return_data=dict()))
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
zerver/tests: Use python 3 syntax for typing (part 4).
2017-11-20 03:22:57 +01:00
def test_email_auth_backend_disabled_password_auth(self) -> None:
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
password = "testpassword"
user_profile.set_password(password)
user_profile.save()
# Verify if a realm has password auth disabled, correct password is rejected
with mock.patch('zproject.backends.password_auth_enabled', return_value=False):
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
self.assertIsNone(EmailAuthBackend().authenticate(self.example_email('hamlet'),
password,
realm=get_realm("zulip")))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipDummyBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_no_backend_enabled(self) -> None:
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
result = self.client_get('/login/')
self.assert_in_success_response(["No authentication backends are enabled"], result)
result = self.client_get('/register/')
self.assert_in_success_response(["No authentication backends are enabled"], result)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_any_backend_enabled(self) -> None:
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
# testing to avoid false error messages.
result = self.client_get('/login/')
AuthBackendTest: Fix typos in error message checks. Previously, these checks did nothing.
2018-06-05 08:39:01 +02:00
self.assert_not_in_success_response(["No authentication backends are enabled"], result)
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
result = self.client_get('/register/')
AuthBackendTest: Fix typos in error message checks. Previously, these checks did nothing.
2018-06-05 08:39:01 +02:00
self.assert_not_in_success_response(["No authentication backends are enabled"], result)
ux: Display error on login/registration if no auth backends are enabled. Also makes a small tweak to CSS to ensure the styling is consistent on the two pages. Fixes #4525.
2017-04-27 06:46:43 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_backend(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
backend = GoogleMobileOauth2Backend()
payload = dict(email_verified=True,
email=email)
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
with mock.patch('apiclient.sample_tools.client.verify_id_token', return_value=payload):
self.verify_backend(backend,
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
good_kwargs=dict(realm=get_realm("zulip")),
get_realm: raise DoesNotExist instead of returning None. This makes the implementation of `get_realm` consistent with its declared return type of `Realm` rather than `Optional[Realm]`. Fixes #12263. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-04 04:47:44 +02:00
bad_kwargs=dict(realm=None))
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
# Verify valid_attestation parameter is set correctly
unverified_payload = dict(email_verified=False)
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
with mock.patch('apiclient.sample_tools.client.verify_id_token',
return_value=unverified_payload):
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
ret = dict() # type: Dict[str, str]
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
result = backend.authenticate(realm=get_realm("zulip"), return_data=ret)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertIsNone(result)
self.assertFalse(ret["valid_attestation"])
nonexistent_user_payload = dict(email_verified=True, email="invalid@zulip.com")
with mock.patch('apiclient.sample_tools.client.verify_id_token',
return_value=nonexistent_user_payload):
ret = dict()
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
result = backend.authenticate(realm=get_realm("zulip"), return_data=ret)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
self.assertIsNone(result)
self.assertTrue(ret["valid_attestation"])
Add Google OAuth2 backend tests.
2016-10-26 12:35:57 +02:00
with mock.patch('apiclient.sample_tools.client.verify_id_token',
side_effect=AppIdentityError):
ret = dict()
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
result = backend.authenticate(realm=get_realm("zulip"), return_data=ret)
Add Google OAuth2 backend tests.
2016-10-26 12:35:57 +02:00
self.assertIsNone(result)
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_backend(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
password = "test_password"
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
self.setup_subdomain(user_profile)
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
backend = ZulipLDAPAuthBackend()
# Test LDAP auth fails when LDAP server rejects password
lint: Fix E127 pep8 violations. Fix pep8: E127 continuation line over-indented for visual indent style issue.
2016-11-30 14:17:35 +01:00
with mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn',
side_effect=_LDAPUser.AuthenticationFailed("Failed")), (
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
mock.patch('django_auth_ldap.backend._LDAPUser._check_requirements')), (
django-auth-ldap: Bump version to 1.3.0. The name of _get_user_attrs was changed to attrs in https://bitbucket.org/illocution/django-auth-ldap/commits/152d40a2a02f6cd5a18360af877f8ef98018eb4a Fixes #8380
2018-02-22 08:32:21 +01:00
mock.patch('django_auth_ldap.backend._LDAPUser.attrs',
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
return_value=dict(full_name=['Hamlet']))):
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
self.assertIsNone(backend.authenticate(email, password, realm=get_realm("zulip")))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
lint: Fix E127 pep8 violations. Fix pep8: E127 continuation line over-indented for visual indent style issue.
2016-11-30 14:17:35 +01:00
with mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn'), (
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
mock.patch('django_auth_ldap.backend._LDAPUser._check_requirements')), (
django-auth-ldap: Bump version to 1.3.0. The name of _get_user_attrs was changed to attrs in https://bitbucket.org/illocution/django-auth-ldap/commits/152d40a2a02f6cd5a18360af877f8ef98018eb4a Fixes #8380
2018-02-22 08:32:21 +01:00
mock.patch('django_auth_ldap.backend._LDAPUser.attrs',
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
return_value=dict(full_name=['Hamlet']))):
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.verify_backend(backend,
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs=dict(username=username,
password=password,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zephyr')),
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
good_kwargs=dict(username=username,
password=password,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip')))
self.verify_backend(backend,
bad_kwargs=dict(username=username,
password=password,
get_realm: raise DoesNotExist instead of returning None. This makes the implementation of `get_realm` consistent with its declared return type of `Realm` rather than `Optional[Realm]`. Fixes #12263. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-04 04:47:44 +02:00
realm=None),
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
good_kwargs=dict(username=username,
password=password,
realm=get_realm('zulip')))
testing: Bring zproject.backends coverage to 100%.
2017-03-23 07:49:42 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_devauth_backend(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
self.verify_backend(DevAuthBackend(),
auth: Convert DevAuthBackend to accept a realm object.
2017-11-21 21:19:20 +01:00
good_kwargs=dict(dev_auth_username=self.get_username(),
realm=get_realm("zulip")),
bad_kwargs=dict(dev_auth_username=self.get_username(),
get_realm: raise DoesNotExist instead of returning None. This makes the implementation of `get_realm` consistent with its declared return type of `Realm` rather than `Optional[Realm]`. Fixes #12263. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-04 04:47:44 +02:00
realm=None))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_remote_user_backend(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username()
auth_backends: Add backend tests for subdomains logic. Fixes: #1870
2016-10-07 13:38:01 +02:00
self.verify_backend(ZulipRemoteUserBackend(),
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
good_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm('zulip')),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm('zephyr')))
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
mypy: Use Python 3 type syntax in tests/test_auth_backends.py.
2017-12-09 06:57:59 +01:00
def test_remote_user_backend_invalid_realm(self) -> None:
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
username = self.get_username()
self.verify_backend(ZulipRemoteUserBackend(),
good_kwargs=dict(remote_user=username,
realm=get_realm('zulip')),
bad_kwargs=dict(remote_user=username,
realm=None))
Add tests for authentication backends.
2016-04-21 18:34:54 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
@override_settings(SSO_APPEND_DOMAIN='zulip.com')
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_remote_user_backend_sso_append_domain(self) -> None:
backends: Test authenticate() with kwargs. Django uses arguments to differentiate between different authenticate function so it is important to pass arguments in a predictable manner. Keyword args will test the name of the argument as well.
2017-03-28 11:16:36 +02:00
username = self.get_username(email_to_username)
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
self.verify_backend(ZulipRemoteUserBackend(),
good_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm("zulip")),
subdomains: Update AuthBackendTest for subdomains always on. This is separate from the main subdomains commit mainly for readability of the history.
2017-09-15 21:51:45 +02:00
bad_kwargs=dict(remote_user=username,
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
realm=get_realm('zephyr')))
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GitHubAuthBackend',))
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
def test_social_auth_backends(self) -> None:
test: Use example_user() in more places. This commit replaces calls to get_user_profile_by_email() with calls to self.example_user() by introducing a local variable.
2017-05-08 16:23:43 +02:00
user = self.example_user('hamlet')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
github_email_data = [
dict(email=user.email,
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
verified=True,
primary=True),
dict(email="nonprimary@example.com",
verified=True),
dict(email="ignored@example.com",
verified=False),
]
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
backends_to_test = {
'github': {
'urls': [
{
'url': "https://github.com/login/oauth/access_token",
'method': httpretty.POST,
'status': 200,
'body': json.dumps(token_data_dict),
},
{
'url': "https://api.github.com/user",
'method': httpretty.GET,
'status': 200,
'body': json.dumps(dict(email=user.email, name=user.full_name)),
},
{
'url': "https://api.github.com/user/emails",
'method': httpretty.GET,
'status': 200,
'body': json.dumps(github_email_data),
},
],
'backend': GitHubAuthBackend,
}
} # type: Dict[str, Any]
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
def patched_authenticate(*args: Any, **kwargs: Any) -> Any:
if 'subdomain' in kwargs:
backend.strategy.session_set("subdomain", kwargs["subdomain"])
del kwargs['subdomain']
result = orig_authenticate(backend, *args, **kwargs)
return result
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
for backend_name in backends_to_test:
test_auth_backends: Disable Internet for httpretty. This makes debugging issues when using httpretty a lot more convenient.
2019-03-04 21:13:49 +01:00
httpretty.enable(allow_net_connect=False)
test_auth_backends: Refactor some GitHub tests to be generic social. This is preparation to being able to run these tests automatically for the Google auth backend as well.
2019-03-04 21:11:23 +01:00
urls = backends_to_test[backend_name]['urls'] # type: List[Dict[str, Any]]
for details in urls:
httpretty.register_uri(
details['method'],
details['url'],
status=details['status'],
body=details['body'])
backend_class = backends_to_test[backend_name]['backend']
backend = backend_class()
backend.strategy = DjangoStrategy(storage=BaseDjangoStorage())
orig_authenticate = backend_class.authenticate
backend.authenticate = patched_authenticate
good_kwargs = dict(backend=backend, strategy=backend.strategy,
storage=backend.strategy.storage,
response=token_data_dict,
subdomain='zulip')
bad_kwargs = dict(subdomain='acme')
with mock.patch('zerver.views.auth.redirect_and_log_into_subdomain',
return_value=user):
self.verify_backend(backend,
good_kwargs=good_kwargs,
bad_kwargs=bad_kwargs)
bad_kwargs['subdomain'] = "zephyr"
self.verify_backend(backend,
good_kwargs=good_kwargs,
bad_kwargs=bad_kwargs)
backend.authenticate = orig_authenticate
httpretty.disable()
httpretty.reset()
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
test_auth_backends: Move ResponseMock earlier in the file. We're going to be using this in the GitHub auth backend as well.
2018-05-21 06:50:27 +02:00
class ResponseMock:
def __init__(self, status_code: int, data: Any) -> None:
self.status_code = status_code
self.data = data
def json(self) -> str:
return self.data
@property
def text(self) -> str:
return "Response text"
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
class SocialAuthBase(ZulipTestCase):
"""This is a base class for testing social-auth backends. Following
methods can be overrided by subclasses as per the backend:
registerExtraEndpoints() - If the backend being tested calls some extra
endpoints then they can be added here.
get_account_data_dict() - Return the data returned by the user info endpoint
according to the respective backend.
"""
# Don't run base class tests, make sure to set it to False
# in subclass otherwise its tests will not run.
__unittest_skip__ = True
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
tests: Use example_user() in more places.
2017-05-07 21:25:59 +02:00
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
self.name = 'Hamlet'
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
self.backend = self.BACKEND_CLASS
Revert "github: Call the appropriate authenticate." This reverts commit ab260731a98b8edd4884826cedbb042981e1dfff. The overridden authenticate method was buggy.
2017-04-19 19:05:04 +02:00
self.backend.strategy = DjangoStrategy(storage=BaseDjangoStorage())
Add tests to verify GitHub backend.
2016-07-25 11:24:36 +02:00
self.user_profile.backend = self.backend
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
# This is a workaround for the fact that Python social auth
# caches the set of authentication backends that are enabled
# the first time that `social_django.utils` is imported. See
# https://github.com/python-social-auth/social-app-django/pull/162
# for details.
from social_core.backends.utils import load_backends
load_backends(settings.AUTHENTICATION_BACKENDS, force_load=True)
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def social_auth_test(self, account_data_dict: Dict[str, str],
*, subdomain: Optional[str]=None,
mobile_flow_otp: Optional[str]=None,
is_signup: Optional[str]=None,
next: str='',
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
multiuse_object_key: str='',
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
**extra_data: Any) -> HttpResponse:
url = self.LOGIN_URL
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
params = {}
headers = {}
if subdomain is not None:
headers['HTTP_HOST'] = subdomain + ".testserver"
if mobile_flow_otp is not None:
params['mobile_flow_otp'] = mobile_flow_otp
headers['HTTP_USER_AGENT'] = "ZulipAndroid"
if is_signup is not None:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
url = self.SIGNUP_URL
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
params['next'] = next
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
params['multiuse_object_key'] = multiuse_object_key
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
if len(params) > 0:
lint: Fix code that evaded our lint checks for string % non-tuple. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-04-20 01:00:46 +02:00
url += "?%s" % (urllib.parse.urlencode(params),)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
result = self.client_get(url, **headers)
auth: Fix bug with subdomains and GitHub auth causing apparent logouts. This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
2018-07-10 08:07:23 +02:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
expected_result_url_prefix = 'http://testserver/login/%s/' % (self.backend.name,)
auth: Fix bug with subdomains and GitHub auth causing apparent logouts. This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
2018-07-10 08:07:23 +02:00
if settings.SOCIAL_AUTH_SUBDOMAIN is not None:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
expected_result_url_prefix = ('http://%s.testserver/login/%s/' %
(settings.SOCIAL_AUTH_SUBDOMAIN, self.backend.name,))
auth: Fix bug with subdomains and GitHub auth causing apparent logouts. This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
2018-07-10 08:07:23 +02:00
if result.status_code != 302 or not result.url.startswith(expected_result_url_prefix):
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
return result
result = self.client_get(result.url, **headers)
self.assertEqual(result.status_code, 302)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
assert self.AUTHORIZATION_URL in result.url
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.client.cookies = result.cookies
# Next, the browser requests result["Location"], and gets
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
# redirected back to the registered redirect uri.
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
GitHubAuthBackendTest: Remove token_data_dict argument. This was always the same, and there's not much reason to customize it.
2018-06-07 00:22:20 +02:00
token_data_dict = {
'access_token': 'foobar',
'token_type': 'bearer'
}
auth: Add email_data option to github_oauth2_test. Removes email_not_verified option. That option was used to assign email_data a different set of emails for a test. Instead of that, this refactor allows to specify the email_data itself in the function which calls github_oauth2_test. Flags like email_not_verified are generally used in one test. This is a preparatory refactor for choose email screen which may have introduced multiple flags otherwise.
2018-07-19 00:12:07 +02:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
# We register callbacks for the key URLs on Identity Provider that
# auth completion url will call
test_auth_backends: Disable Internet for httpretty. This makes debugging issues when using httpretty a lot more convenient.
2019-03-04 21:13:49 +01:00
httpretty.enable(allow_net_connect=False)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
httpretty.register_uri(
httpretty.POST,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
self.ACCESS_TOKEN_URL,
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
match_querystring=False,
status=200,
body=json.dumps(token_data_dict))
httpretty.register_uri(
httpretty.GET,
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
self.USER_INFO_URL,
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
status=200,
body=json.dumps(account_data_dict)
)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
self.registerExtraEndpoints(account_data_dict, **extra_data)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
parsed_url = urllib.parse.urlparse(result.url)
csrf_state = urllib.parse.parse_qs(parsed_url.query)['state']
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.client_get(self.AUTH_FINISH_URL,
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
dict(state=csrf_state), **headers)
httpretty.disable()
return result
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_no_key(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
with self.settings(**{self.CLIENT_KEY_SETTING: None}):
result = self.social_auth_test(account_data_dict,
subdomain='zulip', next='/user_uploads/image')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, self.CONFIG_ERROR_URL)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_success(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
result = self.social_auth_test(account_data_dict,
subdomain='zulip', next='/user_uploads/image')
auth: Fix bug with subdomains and GitHub auth causing apparent logouts. This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which domain should be used for GitHub auth and other python-social-auth backends. If one is running a single-realm Zulip server like chat.zulip.org, one doesn't need to use this setting, but for multi-realm servers using social auth, this fixes an annoying bug where the session cookie that python-social-auth sets early in the auth process on the root domain ends up masking the session cookie that would have been used to determine a user is logged in. The end result was that logging in with GitHub on one domain on a multi-realm server like zulipchat.com would appear to log you out from all the others! We fix this by moving python-social-auth to a separate subdomain. Fixes: #9847.
2018-07-10 08:07:23 +02:00
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
self.assertEqual(data['name'], 'Hamlet')
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(data['next'], '/user_uploads/image')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
@override_settings(SOCIAL_AUTH_SUBDOMAIN=None)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_when_social_auth_subdomain_is_not_set(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
result = self.social_auth_test(account_data_dict,
subdomain='zulip',
next='/user_uploads/image')
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
self.assertEqual(data['name'], 'Hamlet')
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(data['next'], '/user_uploads/image')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_deactivated_user(self) -> None:
test_auth_backends: Move GitHub deactivated test to new suite.
2018-05-31 02:20:01 +02:00
user_profile = self.example_user("hamlet")
do_deactivate_user(user_profile)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
self.assertEqual(result.status_code, 302)
auth: Redirect deactivated user to /login when attempting social login. (#12130)
2019-04-17 21:28:57 +02:00
self.assertEqual(result.url, "/login/?is_deactivated=true")
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
# TODO: verify whether we provide a clear error message
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_invalid_realm(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
with mock.patch('zerver.middleware.get_realm', return_value=get_realm("zulip")):
# This mock.patch case somewhat hackishly arranges it so
# that we switch realms halfway through the test
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.social_auth_test(account_data_dict,
subdomain='invalid', next='/user_uploads/image')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/accounts/login/?subdomain=1")
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_invalid_email(self) -> None:
account_data_dict = self.get_account_data_dict(email="invalid", name=self.name)
result = self.social_auth_test(account_data_dict,
subdomain='zulip', next='/user_uploads/image')
test_auth_backends: Move GitHub deactivated test to new suite.
2018-05-31 02:20:01 +02:00
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/?next=/user_uploads/image")
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
def test_user_cannot_log_into_nonexisting_realm(self) -> None:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
result = self.social_auth_test(account_data_dict,
subdomain='nonexistent')
auth: Use HTTP status 404 for invalid realms. Apparently, our invalid realm error page had HTTP status 200, which could be confusing and in particular broken our mobile app's error handling for this case.
2019-03-12 01:56:52 +01:00
self.assert_in_response("There is no Zulip organization hosted at this subdomain.",
result)
self.assertEqual(result.status_code, 404)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
def test_user_cannot_log_into_wrong_subdomain(self) -> None:
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
result = self.social_auth_test(account_data_dict,
subdomain='zephyr')
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assertTrue(result.url.startswith("http://zephyr.testserver/accounts/login/subdomain/"))
result = self.client_get(result.url.replace('http://zephyr.testserver', ''),
subdomain="zephyr")
self.assert_in_success_response(['Your email address, hamlet@zulip.com, is not in one of the domains ',
'that are allowed to register for accounts in this organization.'], result)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_mobile_success(self) -> None:
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
mobile_flow_otp = '1234abcd' * 8
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=self.email, name='Full Name')
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assertEqual(len(mail.outbox), 0)
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
self.user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=JUST_CREATED_THRESHOLD + 1)
self.user_profile.save()
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
with self.settings(SEND_LOGIN_EMAILS=True):
# Verify that the right thing happens with an invalid-format OTP
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.social_auth_test(account_data_dict, subdomain='zulip',
mobile_flow_otp="1234")
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assert_json_error(result, "Invalid OTP")
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.social_auth_test(account_data_dict, subdomain='zulip',
mobile_flow_otp="invalido" * 8)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assert_json_error(result, "Invalid OTP")
# Now do it correctly
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.social_auth_test(account_data_dict, subdomain='zulip',
mobile_flow_otp=mobile_flow_otp)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys.
2018-08-01 10:53:40 +02:00
hamlet_api_keys = get_all_api_keys(self.example_user('hamlet'))
self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), hamlet_api_keys)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_registration_existing_account(self) -> None:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
"""If the user already exists, signup flow just logs them in"""
email = "hamlet@zulip.com"
name = 'Full Name'
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
subdomain='zulip', is_signup='1')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
self.assertEqual(data['name'], 'Full Name')
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
hamlet = self.example_user("hamlet")
# Name wasn't changed at all
self.assertEqual(hamlet.full_name, "King Hamlet")
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_registration(self) -> None:
"""If the user doesn't exist yet, social auth can be used to register an account"""
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
email = "newuser@zulip.com"
name = 'Full Name'
realm = get_realm("zulip")
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
subdomain='zulip', is_signup='1')
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
data = load_subdomain_token(result)
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": name,
"key": confirmation_key}
result = self.client_post('/accounts/register/', data)
register: Style avatar that shows when importing settings. This styles the avatar and username that show when the registering user is importing their settings from an existing Zulip account. Tweaked by tabbott to fix the test/linter failures, a bit of styling, and tag strings for translation.
2018-06-26 00:33:05 +02:00
self.assert_in_response("We just need you to do one last thing", result)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
{'full_name': name,
'key': confirmation_key,
'terms': True})
self.assertEqual(result.status_code, 302)
user_profile = get_user(email, realm)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
def test_social_auth_registration_using_multiuse_invite(self) -> None:
"""If the user doesn't exist yet, social auth can be used to register an account"""
email = "newuser@zulip.com"
name = 'Full Name'
realm = get_realm("zulip")
realm.invite_required = True
realm.save()
stream_names = ["new_stream_1", "new_stream_2"]
streams = []
for stream_name in set(stream_names):
stream = ensure_stream(realm, stream_name)
streams.append(stream)
referrer = self.example_user("hamlet")
multiuse_obj = MultiuseInvite.objects.create(realm=realm, referred_by=referrer)
multiuse_obj.streams.set(streams)
create_confirmation_link(multiuse_obj, realm.host, Confirmation.MULTIUSE_INVITE)
multiuse_confirmation = Confirmation.objects.all().last()
multiuse_object_key = multiuse_confirmation.confirmation_key
account_data_dict = self.get_account_data_dict(email=email, name=name)
# First, try to signup for closed realm without using an invitation
result = self.social_auth_test(account_data_dict,
subdomain='zulip', is_signup='1')
result = self.client_get(result.url)
# Verify that we're unable to signup, since this is a closed realm
self.assertEqual(result.status_code, 200)
self.assert_in_success_response(["Sign up"], result)
result = self.social_auth_test(account_data_dict, subdomain='zulip', is_signup='1',
multiuse_object_key=multiuse_object_key)
data = load_subdomain_token(result)
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(data['multiuse_object_key'], multiuse_object_key)
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().last()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": name,
"key": confirmation_key}
result = self.client_post('/accounts/register/', data)
self.assert_in_response("We just need you to do one last thing", result)
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
{'full_name': name,
'key': confirmation_key,
'terms': True})
self.assertEqual(result.status_code, 302)
user_profile = get_user(email, realm)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_registration_without_is_signup(self) -> None:
"""If `is_signup` is not set then a new account isn't created"""
test_auth_backends: Move GitHub signup tests to new suite. This eliminates a lot of duplicated, mocking-heavy code.
2018-05-31 02:27:43 +02:00
email = "newuser@zulip.com"
name = 'Full Name'
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
test_auth_backends: Move GitHub signup tests to new suite. This eliminates a lot of duplicated, mocking-heavy code.
2018-05-31 02:27:43 +02:00
self.assertEqual(result.status_code, 302)
data = load_subdomain_token(result)
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
self.assertEqual(result.status_code, 200)
self.assert_in_response("No account found for newuser@zulip.com.", result)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_registration_without_is_signup_closed_realm(self) -> None:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
"""If the user doesn't exist yet in closed realm, give an error"""
email = "nonexisting@phantom.com"
name = 'Full Name'
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
self.assertEqual(result.status_code, 302)
data = load_subdomain_token(result)
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
result = self.client_get(result.url)
self.assertEqual(result.status_code, 200)
self.assert_in_response('action="/register/"', result)
self.assert_in_response('Your email address, {}, is not '
'in one of the domains that are allowed to register '
'for accounts in this organization.'.format(email), result)
github: Add a complete end-to-end GitHub OAuth2 test. This revised GitHub auth backend test is inspired by the end-to-end flow model of the Google auth backend test. My hope is that we will be able to migrate the rest of the important cases in the GitHub auth backend tests to this model and then delete what is now GitHubAuthBackendLegacyTest. The next step after that will be to merge the GitHub and Google auth tests (since actually, the actual test functions are basically identical between the two).
2018-05-18 03:27:47 +02:00
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_complete(self) -> None:
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
with mock.patch('social_core.backends.oauth.BaseOAuth2.process_error',
side_effect=AuthFailed('Not found')):
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.client_get(reverse('social:complete', args=[self.backend.name]))
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
def test_social_auth_complete_when_base_exc_is_raised(self) -> None:
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
with mock.patch('social_core.backends.oauth.BaseOAuth2.auth_complete',
side_effect=AuthStateForbidden('State forbidden')), \
mock.patch('zproject.backends.logging.warning'):
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
result = self.client_get(reverse('social:complete', args=[self.backend.name]))
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
self.assertEqual(result.status_code, 302)
self.assertIn('login', result.url)
tests: Extract `SocialAuthBase` class. Extracts out common tests so that future social-auth backends can be tested without duplicating tests. I have been careful to not change any testing logic.
2019-02-03 09:18:01 +01:00
class GitHubAuthBackendTest(SocialAuthBase):
__unittest_skip__ = False
BACKEND_CLASS = GitHubAuthBackend
CLIENT_KEY_SETTING = "SOCIAL_AUTH_GITHUB_KEY"
LOGIN_URL = "/accounts/login/social/github"
SIGNUP_URL = "/accounts/register/social/github"
AUTHORIZATION_URL = "https://github.com/login/oauth/authorize"
ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token"
USER_INFO_URL = "https://api.github.com/user"
AUTH_FINISH_URL = "/complete/github/"
CONFIG_ERROR_URL = "/config-error/github"
def registerExtraEndpoints(self,
account_data_dict: Dict[str, str],
**extra_data: Any) -> None:
# Keeping a verified email before the primary email makes sure
# get_verified_emails puts the primary email at the start of the
# email list returned as social_associate_user_helper assumes the
# first email as the primary email.
email_data = [
dict(email="notprimary@example.com",
verified=True),
dict(email=account_data_dict["email"],
verified=True,
primary=True),
dict(email="ignored@example.com",
verified=False),
]
email_data = extra_data.get("email_data", email_data)
httpretty.register_uri(
httpretty.GET,
"https://api.github.com/user/emails",
status=200,
body=json.dumps(email_data)
)
def get_account_data_dict(self, email: str, name: str) -> Dict[str, Any]:
return dict(email=email, name=name)
def test_social_auth_email_not_verified(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
email_data = [
dict(email=account_data_dict["email"],
verified=False,
primary=True),
]
with mock.patch('logging.warning') as mock_warning:
result = self.social_auth_test(account_data_dict,
subdomain='zulip',
email_data=email_data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
mock_warning.assert_called_once_with("Social auth (GitHub) failed "
"because user has no verified emails")
@override_settings(SOCIAL_AUTH_GITHUB_TEAM_ID='zulip-webapp')
def test_social_auth_github_team_not_member_failed(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
with mock.patch('social_core.backends.github.GithubTeamOAuth2.user_data',
side_effect=AuthFailed('Not found')), \
mock.patch('logging.info') as mock_info:
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
mock_info.assert_called_once_with("GitHub user is not member of required team")
@override_settings(SOCIAL_AUTH_GITHUB_TEAM_ID='zulip-webapp')
def test_social_auth_github_team_member_success(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
with mock.patch('social_core.backends.github.GithubTeamOAuth2.user_data',
return_value=account_data_dict):
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
self.assertEqual(data['name'], 'Hamlet')
self.assertEqual(data['subdomain'], 'zulip')
@override_settings(SOCIAL_AUTH_GITHUB_ORG_NAME='Zulip')
def test_social_auth_github_organization_not_member_failed(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
with mock.patch('social_core.backends.github.GithubOrganizationOAuth2.user_data',
side_effect=AuthFailed('Not found')), \
mock.patch('logging.info') as mock_info:
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "/login/")
mock_info.assert_called_once_with("GitHub user is not member of required organization")
@override_settings(SOCIAL_AUTH_GITHUB_ORG_NAME='Zulip')
def test_social_auth_github_organization_member_success(self) -> None:
account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
with mock.patch('social_core.backends.github.GithubOrganizationOAuth2.user_data',
return_value=account_data_dict):
result = self.social_auth_test(account_data_dict,
subdomain='zulip')
data = load_subdomain_token(result)
self.assertEqual(data['email'], self.example_email("hamlet"))
self.assertEqual(data['name'], 'Hamlet')
self.assertEqual(data['subdomain'], 'zulip')
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
def test_github_auth_enabled(self) -> None:
Refactor GitHub authentication backend tests.
2016-11-01 23:50:35 +01:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.GitHubAuthBackend',)):
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
self.assertTrue(github_auth_enabled())
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
class GoogleOAuthTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (part 4).
2017-11-20 03:22:57 +01:00
def google_oauth2_test(self, token_response: ResponseMock, account_response: ResponseMock,
*, subdomain: Optional[str]=None,
mobile_flow_otp: Optional[str]=None,
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
is_signup: Optional[str]=None,
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
next: str='',
multiuse_object_key: str='') -> HttpResponse:
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
url = "/accounts/login/google/"
GoogleOAuthTest: Refactor parameter encoding.
2017-04-28 00:22:58 +02:00
params = {}
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
headers = {}
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
if subdomain is not None:
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
headers['HTTP_HOST'] = subdomain + ".testserver"
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
if mobile_flow_otp is not None:
params['mobile_flow_otp'] = mobile_flow_otp
login_or_register_remote_user: Send login emails for mobile. Fixes #5389
2017-06-16 06:50:48 +02:00
headers['HTTP_USER_AGENT'] = "ZulipAndroid"
google: Respect is_signup argument. This allows us to go to Registration form directly. This behaviour is similar to what we follow in GitHub oAuth. Before this, in registration flow if an account was not found, user was asked if they wanted to go to registration flow. This confirmation behavior is followed for login oauth path.
2017-08-04 09:19:32 +02:00
if is_signup is not None:
params['is_signup'] = is_signup
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
params['next'] = next
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
params['multiuse_object_key'] = multiuse_object_key
GoogleOAuthTest: Refactor parameter encoding.
2017-04-28 00:22:58 +02:00
if len(params) > 0:
lint: Fix code that evaded our lint checks for string % non-tuple. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-04-20 01:00:46 +02:00
url += "?%s" % (urllib.parse.urlencode(params),)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
result = self.client_get(url, **headers)
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
if result.status_code != 302 or '/accounts/login/google/send/' not in result.url:
GoogleOAuthTest: Include the /accounts/login/google/ step in tests. This makes our Google auth tests a bit more faithful, in that they now follow the full Oauth flow, rather than skipping the first step.
2017-04-28 01:18:57 +02:00
return result
# Now do the /google/send/ request
google_oauth2_test: Pass headers in all requests. Currently we only pass headers in the first client_get call but sometimes the effective request which reaches the view is through a later call to the client_get in this function. Due to which headers are not passed.
2017-06-16 06:49:25 +02:00
result = self.client_get(result.url, **headers)
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 302)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
if 'google' not in result.url:
return result
Django 1.10: Sign google oauth requests using csrf token. In Django 1.10, the get_token function returns a salted version of csrf token which changes whenever get_token is called. This gives us wrong result when we compare the state after returning from Google authentication servers. The solution is to unsalt the token and use that token to find the HMAC so that we get the same value as long as t he token is same.
2016-11-07 11:16:40 +01:00
self.client.cookies = result.cookies
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
# Now extract the CSRF token from the redirect URL
Fix nondeterministic parsing failures in GoogleLoginTest. Apparently, in urllib.parse, one need to extract the query string from the rest of the URL before parsing the query string, otherwise the very first query parameter will have rest of the URL in its name. This results in a nondeterministic failure that happens 1/N of the time, where N is the number of fields marshalled from a dictionary into the query string.
2016-09-14 03:12:39 +02:00
parsed_url = urllib.parse.urlparse(result.url)
csrf_state = urllib.parse.parse_qs(parsed_url.query)['state']
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
lint: Fix E127 pep8 violations. Fix pep8: E127 continuation line over-indented for visual indent style issue.
2016-11-30 14:17:35 +01:00
with mock.patch("requests.post", return_value=token_response), (
lint: Clean up E126 PEP-8 rule.
2017-01-24 07:06:13 +01:00
mock.patch("requests.get", return_value=account_response)):
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
result = self.client_get("/accounts/login/google/done/",
google_oauth2_test: Pass headers in all requests. Currently we only pass headers in the first client_get call but sometimes the effective request which reaches the view is through a later call to the client_get in this function. Due to which headers are not passed.
2017-06-16 06:49:25 +02:00
dict(state=csrf_state), **headers)
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
return result
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
class GoogleSubdomainLoginTest(GoogleOAuthTest):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_start(self) -> None:
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
result = self.client_get('/accounts/login/google/', subdomain="zulip")
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
subdomain = urllib.parse.parse_qs(parsed_url.query)['subdomain']
self.assertEqual(subdomain, ['zulip'])
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_success(self) -> None:
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
auth: Migrate Google authentication off deprecated name API. As part of Google+ being removed, they've eliminated support for the /plus/v1/people/me endpoint. Replace it with the very similar /oauth2/v3/userinfo endpoint.
2019-01-29 21:04:53 +01:00
account_data = dict(name="Full Name",
email_verified=True,
email=self.example_email("hamlet"))
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
account_response = ResponseMock(200, account_data)
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
result = self.google_oauth2_test(token_response, account_response,
subdomain='zulip', next='/user_uploads/image')
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
data = load_subdomain_token(result)
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
self.assertEqual(data['email'], self.example_email("hamlet"))
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
self.assertEqual(data['name'], 'Full Name')
self.assertEqual(data['subdomain'], 'zulip')
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
self.assertEqual(data['next'], '/user_uploads/image')
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 302)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
auth: Migrate Google authentication off deprecated name API. As part of Google+ being removed, they've eliminated support for the /plus/v1/people/me endpoint. Replace it with the very similar /oauth2/v3/userinfo endpoint.
2019-01-29 21:04:53 +01:00
def test_user_cannot_log_without_verified_email(self) -> None:
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
auth: Migrate Google authentication off deprecated name API. As part of Google+ being removed, they've eliminated support for the /plus/v1/people/me endpoint. Replace it with the very similar /oauth2/v3/userinfo endpoint.
2019-01-29 21:04:53 +01:00
account_data = dict(name="Full Name",
email_verified=False,
email=self.example_email("hamlet"))
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
account_response = ResponseMock(200, account_data)
auth: Migrate Google authentication off deprecated name API. As part of Google+ being removed, they've eliminated support for the /plus/v1/people/me endpoint. Replace it with the very similar /oauth2/v3/userinfo endpoint.
2019-01-29 21:04:53 +01:00
result = self.google_oauth2_test(token_response, account_response,
subdomain='zulip')
self.assertEqual(result.status_code, 400)
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_mobile_success(self) -> None:
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
self.user_profile = self.example_user('hamlet')
self.user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=JUST_CREATED_THRESHOLD + 1)
self.user_profile.save()
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
mobile_flow_otp = '1234abcd' * 8
token_response = ResponseMock(200, {'access_token': "unique_token"})
auth: Migrate Google authentication off deprecated name API. As part of Google+ being removed, they've eliminated support for the /plus/v1/people/me endpoint. Replace it with the very similar /oauth2/v3/userinfo endpoint.
2019-01-29 21:04:53 +01:00
account_data = dict(name="Full Name",
email_verified=True,
email=self.user_profile.email)
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
account_response = ResponseMock(200, account_data)
login_or_register_remote_user: Send login emails for mobile. Fixes #5389
2017-06-16 06:50:48 +02:00
self.assertEqual(len(mail.outbox), 0)
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
with self.settings(SEND_LOGIN_EMAILS=True):
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
# Verify that the right thing happens with an invalid-format OTP
auth: Clean up google_oauth2_test arguments.
2017-08-24 05:44:51 +02:00
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
mobile_flow_otp="1234")
self.assert_json_error(result, "Invalid OTP")
auth: Clean up google_oauth2_test arguments.
2017-08-24 05:44:51 +02:00
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
mobile_flow_otp="invalido" * 8)
self.assert_json_error(result, "Invalid OTP")
# Now do it correctly
auth: Clean up google_oauth2_test arguments.
2017-08-24 05:44:51 +02:00
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
mobile_flow_otp=mobile_flow_otp)
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
self.assertEqual(query_params["email"], [self.user_profile.email])
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
hamlet_api_keys = get_all_api_keys(self.user_profile)
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys.
2018-08-01 10:53:40 +02:00
self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), hamlet_api_keys)
login_or_register_remote_user: Send login emails for mobile. Fixes #5389
2017-06-16 06:50:48 +02:00
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
Add mobile auth redirect to custom URI scheme (zulip://). This makes it possible for the Zulip mobile apps to use the normal web authentication/Oauth flows, so that they can support GitHub, Google, and other authentication methods we support on the backend, without needing to write significant custom mobile-app-side code for each authentication backend. This PR only provides support for Google auth; a bit more refactoring would be needed to support this for the GitHub/Social backends. Modified by tabbott to use the mobile_auth_otp library to protect the API key.
2017-03-19 20:01:01 +01:00
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def get_log_into_subdomain(self, data: Dict[str, Any], *, key: Optional[str]=None, subdomain: str='zulip') -> HttpResponse:
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
token = signing.dumps(data, salt=_subdomain_token_salt, key=key)
url_path = reverse('zerver.views.auth.log_into_subdomain', args=[token])
return self.client_get(url_path, subdomain=subdomain)
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
def test_redirect_to_next_url_for_log_into_subdomain(self) -> None:
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def test_redirect_to_next_url(next: str='') -> HttpResponse:
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
data = {'name': 'Hamlet',
'email': self.example_email("hamlet"),
'subdomain': 'zulip',
'is_signup': False,
'next': next}
user_profile = self.example_user('hamlet')
with mock.patch(
'zerver.views.auth.authenticate_remote_user',
return_value=(user_profile, {'invalid_subdomain': False})):
with mock.patch('zerver.views.auth.do_login'):
result = self.get_log_into_subdomain(data)
return result
res = test_redirect_to_next_url()
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver')
res = test_redirect_to_next_url('/user_uploads/path_to_image')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver/user_uploads/path_to_image')
login_redirects: Make redirects to narrows from login page work.
2018-03-12 14:08:12 +01:00
res = test_redirect_to_next_url('/#narrow/stream/7-test-here')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver/#narrow/stream/7-test-here')
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_signature_is_bad(self) -> None:
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
data = {'name': 'Full Name',
'email': self.example_email("hamlet"),
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': False,
'next': ''}
GoogleSubdomainLoginTest: Suppress unnecessary logging output. This helps make our test output nice and clean.
2017-10-28 00:54:46 +02:00
with mock.patch('logging.warning') as mock_warning:
result = self.get_log_into_subdomain(data, key='nonsense')
mock_warning.assert_called_with("Subdomain cookie: Bad signature.")
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertEqual(result.status_code, 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_signature_is_expired(self) -> None:
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
data = {'name': 'Full Name',
'email': self.example_email("hamlet"),
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': False,
'next': ''}
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
with mock.patch('django.core.signing.time.time', return_value=time.time() - 45):
token = signing.dumps(data, salt=_subdomain_token_salt)
url_path = reverse('zerver.views.auth.log_into_subdomain', args=[token])
GoogleSubdomainLoginTest: Suppress unnecessary logging output. This helps make our test output nice and clean.
2017-10-28 00:54:46 +02:00
with mock.patch('logging.warning') as mock_warning:
result = self.client_get(url_path, subdomain='zulip')
mock_warning.assert_called_once()
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
self.assertEqual(result.status_code, 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_is_signup_is_true(self) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
data = {'name': 'Full Name',
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
'email': self.example_email("hamlet"),
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': True,
'next': ''}
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 200)
self.assert_in_response('hamlet@zulip.com already has an account', result)
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
def test_log_into_subdomain_when_is_signup_is_true_and_new_user(self) -> None:
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
data = {'name': 'New User Name',
'email': 'new@zulip.com',
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': True,
'next': ''}
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": data['name'],
"key": confirmation_key}
result = self.client_post('/accounts/register/', data, subdomain="zulip")
register: Style avatar that shows when importing settings. This styles the avatar and username that show when the registering user is importing their settings from an existing Zulip account. Tweaked by tabbott to fix the test/linter failures, a bit of styling, and tag strings for translation.
2018-06-26 00:33:05 +02:00
self.assert_in_response("We just need you to do one last thing", result)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
register: Don't display field to enter password unless needed. This should significantly improve the user experience for new users signing up with GitHub/Google auth. It comes complete with tests for the various cases. Further work may be needed for LDAP to not prompt for a password, however. Fixes #886.
2017-08-09 22:09:38 +02:00
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
def test_log_into_subdomain_when_is_signup_is_false_and_new_user(self) -> None:
data = {'name': 'New User Name',
'email': 'new@zulip.com',
'subdomain': 'zulip',
'is_signup': False,
'next': ''}
result = self.get_log_into_subdomain(data)
self.assertEqual(result.status_code, 200)
self.assert_in_response('No account found for', result)
portico: Update text on confirm_continue_registration. A common path is a new user goes to realm_uri, which redirects to realm_uri/login, and clicks the google auth button thinking it is a registration button. This commit just changes the wording on the page they land on to be friendlier for that use case.
2018-04-25 02:59:20 +02:00
self.assert_in_response('new@zulip.com.', result)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response('action="http://zulip.testserver/accounts/do_confirm/', result)
url = re.findall('action="(http://zulip.testserver/accounts/do_confirm[^"]*)"', result.content.decode('utf-8'))[0]
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, url)
result = self.client_get(url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": data['name'],
"key": confirmation_key}
result = self.client_post('/accounts/register/', data, subdomain="zulip")
register: Style avatar that shows when importing settings. This styles the avatar and username that show when the registering user is importing their settings from an existing Zulip account. Tweaked by tabbott to fix the test/linter failures, a bit of styling, and tag strings for translation.
2018-06-26 00:33:05 +02:00
self.assert_in_response("We just need you to do one last thing", result)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_using_invite_link(self) -> None:
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
data = {'name': 'New User Name',
'email': 'new@zulip.com',
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': True,
'next': ''}
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
realm = get_realm("zulip")
realm.invite_required = True
realm.save()
stream_names = ["new_stream_1", "new_stream_2"]
streams = []
for stream_name in set(stream_names):
refactoring: Replaced occurences of create_stream_if_needed. Issue #2088 asked for a wrapper to be created for `create_stream_if_needed` (called `ensure_stream`) for the 25 times that `create_stream_if_needed` is called and ignores whether the stream was created. This commit replaces relevant occurences of `create_stream_if_needed` with `ensure_stream`, including imports. The changes weren't significant enough to add any tests or do any additional manual testing. The refactoring intended to make the API easier to use in most cases. The majority of uses of `create_stream_if_needed` ignored the second parameter. Fixes: #2088.
2018-03-21 22:05:21 +01:00
stream = ensure_stream(realm, stream_name)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
streams.append(stream)
# Without the invite link, we can't create an account due to invite_required
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
self.assertEqual(result.status_code, 200)
self.assert_in_success_response(['Sign up for Zulip'], result)
# Now confirm an invitation link works
referrer = self.example_user("hamlet")
multiuse_obj = MultiuseInvite.objects.create(realm=realm, referred_by=referrer)
django-2.0: Don't assign directly to Many-to-Many field. The old pattern of setting the value and then using .save() here has been deprecated. set() also saves the record.
2018-01-31 08:22:07 +01:00
multiuse_obj.streams.set(streams)
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
create_confirmation_link(multiuse_obj, realm.host, Confirmation.MULTIUSE_INVITE)
multiuse_confirmation = Confirmation.objects.all().last()
multiuse_object_key = multiuse_confirmation.confirmation_key
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
data["multiuse_object_key"] = multiuse_object_key
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
result = self.get_log_into_subdomain(data)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().last()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data2 = {"from_confirmation": "1",
"full_name": data['name'],
"key": confirmation_key}
result = self.client_post('/accounts/register/', data2, subdomain="zulip")
register: Style avatar that shows when importing settings. This styles the avatar and username that show when the registering user is importing their settings from an existing Zulip account. Tweaked by tabbott to fix the test/linter failures, a bit of styling, and tag strings for translation.
2018-06-26 00:33:05 +02:00
self.assert_in_response("We just need you to do one last thing", result)
auth: Make multiuse invite link work with oAuth2. This works by attaching to the user's session the multi-use invitation key, allowing that to be used in the Google/GitHub auth flows.
2017-09-27 03:34:58 +02:00
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
{'full_name': 'New User Name',
'key': confirmation_key,
'terms': True})
self.assertEqual(result.status_code, 302)
self.assertEqual(sorted(self.get_streams('new@zulip.com', realm)), stream_names)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_log_into_subdomain_when_email_is_none(self) -> None:
authenticate_remote_user: Properly handle None email.
2017-04-18 08:34:29 +02:00
data = {'name': None,
'email': None,
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
'subdomain': 'zulip',
test_auth_backends: Add next='' in data dicts for subdomain login tests.
2018-03-10 14:13:30 +01:00
'is_signup': False,
'next': ''}
authenticate_remote_user: Properly handle None email.
2017-04-18 08:34:29 +02:00
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
with mock.patch('logging.warning'):
oauth login: Refactor tests to dedupe a bit of recurring logic. This makes the tests a little cleaner in itself, and also prepares them to adjust with less churn when we change how redirect_and_log_into_subdomain passes the signed token.
2017-10-27 02:41:54 +02:00
result = self.get_log_into_subdomain(data)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_success_response(["You need an invitation to join this organization."], result)
authenticate_remote_user: Properly handle None email.
2017-04-18 08:34:29 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_user_cannot_log_into_nonexisting_realm(self) -> None:
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
auth: Migrate Google authentication off deprecated name API. As part of Google+ being removed, they've eliminated support for the /plus/v1/people/me endpoint. Replace it with the very similar /oauth2/v3/userinfo endpoint.
2019-01-29 21:04:53 +01:00
account_data = dict(name="Full Name",
email_verified=True,
email=self.example_email("hamlet"))
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
account_response = ResponseMock(200, account_data)
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
result = self.google_oauth2_test(token_response, account_response,
subdomain='nonexistent')
auth: Use HTTP status 404 for invalid realms. Apparently, our invalid realm error page had HTTP status 200, which could be confusing and in particular broken our mobile app's error handling for this case.
2019-03-12 01:56:52 +01:00
self.assert_in_response("There is no Zulip organization hosted at this subdomain.",
result)
self.assertEqual(result.status_code, 404)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_user_cannot_log_into_wrong_subdomain(self) -> None:
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
auth: Migrate Google authentication off deprecated name API. As part of Google+ being removed, they've eliminated support for the /plus/v1/people/me endpoint. Replace it with the very similar /oauth2/v3/userinfo endpoint.
2019-01-29 21:04:53 +01:00
account_data = dict(name="Full Name",
email_verified=True,
email=self.example_email("hamlet"))
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
account_response = ResponseMock(200, account_data)
result = self.google_oauth2_test(token_response, account_response,
subdomain='zephyr')
self.assertEqual(result.status_code, 302)
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertTrue(result.url.startswith("http://zephyr.testserver/accounts/login/subdomain/"))
result = self.client_get(result.url.replace('http://zephyr.testserver', ''),
subdomain="zephyr")
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_success_response(['Your email address, hamlet@zulip.com, is not in one of the domains ',
'that are allowed to register for accounts in this organization.'], result)
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_user_cannot_log_into_wrong_subdomain_with_cookie(self) -> None:
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
data = {'name': 'Full Name',
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
'email': self.example_email("hamlet"),
Migrate several Google auth tests to subdomains test class. The plan is to have everything expect subdomains, so it makes sense to move these tests to the subdomains-only test class and style. Most of the remaining GoogleLoginTest tests are now either duplicates or basic API-level tests where subdomains are irrelevant.
2017-09-16 19:34:59 +02:00
'subdomain': 'zephyr'}
GoogleSubdomainLoginTest: Suppress unnecessary logging output. This helps make our test output nice and clean.
2017-10-28 00:54:46 +02:00
with mock.patch('logging.warning') as mock_warning:
result = self.get_log_into_subdomain(data)
mock_warning.assert_called_with("Login attempt on invalid subdomain")
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 400)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_registration(self) -> None:
subdomain: Test user registration through Google OAuth.
2016-11-01 08:03:10 +01:00
"""If the user doesn't exist yet, Google auth can be used to register an account"""
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
email = "newuser@zulip.com"
realm = get_realm("zulip")
token_response = ResponseMock(200, {'access_token': "unique_token"})
auth: Migrate Google authentication off deprecated name API. As part of Google+ being removed, they've eliminated support for the /plus/v1/people/me endpoint. Replace it with the very similar /oauth2/v3/userinfo endpoint.
2019-01-29 21:04:53 +01:00
account_data = dict(name="Full Name",
email_verified=True,
email=email)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
account_response = ResponseMock(200, account_data)
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
is_signup='1')
google: Respect is_signup argument. This allows us to go to Registration form directly. This behaviour is similar to what we follow in GitHub oAuth. Before this, in registration flow if an account was not found, user was asked if they wanted to go to registration flow. This confirmation behavior is followed for login oauth path.
2017-08-04 09:19:32 +02:00
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
data = load_subdomain_token(result)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
name = 'Full Name'
self.assertEqual(data['email'], email)
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
auth: Use URL rather than cookie to pass signed data cross-domain. The cookie mechanism only works when passing the login token to a subdomain. URLs work across domains, which is why they're the standard transport for SSO on the web. Switch to URLs. Tweaked by tabbott to add a test for an expired token.
2017-10-27 02:45:38 +02:00
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
register: Don't display field to enter password unless needed. This should significantly improve the user experience for new users signing up with GitHub/Google auth. It comes complete with tests for the various cases. Further work may be needed for LDAP to not prompt for a password, however. Fixes #886.
2017-08-09 22:09:38 +02:00
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
result = self.client_get(result.url)
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": name,
"key": confirmation_key}
result = self.client_post('/accounts/register/', data)
register: Style avatar that shows when importing settings. This styles the avatar and username that show when the registering user is importing their settings from an existing Zulip account. Tweaked by tabbott to fix the test/linter failures, a bit of styling, and tag strings for translation.
2018-06-26 00:33:05 +02:00
self.assert_in_response("We just need you to do one last thing", result)
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
{'full_name': name,
'key': confirmation_key,
'terms': True})
google: Respect is_signup argument. This allows us to go to Registration form directly. This behaviour is similar to what we follow in GitHub oAuth. Before this, in registration flow if an account was not found, user was asked if they wanted to go to registration flow. This confirmation behavior is followed for login oauth path.
2017-08-04 09:19:32 +02:00
test_auth_backends: Clean up Google auth subdomains handling. This makes GoogleSubdomainLoginTest consistently access subdomains the standard way, replacing the original hacky approach it had that predated the library.
2017-09-27 07:01:41 +02:00
self.assertEqual(result.status_code, 302)
user_profile = get_user(email, realm)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
subdomain: Test user registration through Google OAuth.
2016-11-01 08:03:10 +01:00
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
def test_google_oauth2_registration_using_multiuse_invite(self) -> None:
"""If the user doesn't exist yet, Google auth can be used to register an account"""
email = "newuser@zulip.com"
realm = get_realm("zulip")
realm.invite_required = True
realm.save()
stream_names = ["new_stream_1", "new_stream_2"]
streams = []
for stream_name in set(stream_names):
stream = ensure_stream(realm, stream_name)
streams.append(stream)
referrer = self.example_user("hamlet")
multiuse_obj = MultiuseInvite.objects.create(realm=realm, referred_by=referrer)
multiuse_obj.streams.set(streams)
link = create_confirmation_link(multiuse_obj, realm.host, Confirmation.MULTIUSE_INVITE)
multiuse_confirmation = Confirmation.objects.all().last()
multiuse_object_key = multiuse_confirmation.confirmation_key
input_element = "name=\'multiuse_object_key\' value=\'{}\' /".format(multiuse_object_key)
response = self.client_get(link)
self.assert_in_success_response([input_element], response)
# First, try to signup for closed realm without using an invitation
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name="Full Name",
email_verified=True,
email=email)
account_response = ResponseMock(200, account_data)
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
is_signup='1', multiuse_object_key="")
result = self.client_get(result.url)
# Verify that we're unable to signup, since this is a closed realm
self.assertEqual(result.status_code, 200)
self.assert_in_success_response(["Sign up"], result)
result = self.google_oauth2_test(token_response, account_response, subdomain='zulip',
is_signup='1', multiuse_object_key=multiuse_object_key)
data = load_subdomain_token(result)
name = 'Full Name'
self.assertEqual(data['name'], name)
self.assertEqual(data['subdomain'], 'zulip')
self.assertEqual(data['multiuse_object_key'], multiuse_object_key)
self.assertEqual(result.status_code, 302)
parsed_url = urllib.parse.urlparse(result.url)
uri = "{}://{}{}".format(parsed_url.scheme, parsed_url.netloc,
parsed_url.path)
self.assertTrue(uri.startswith('http://zulip.testserver/accounts/login/subdomain/'))
result = self.client_get(result.url)
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().last()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
data = {"from_confirmation": "1",
"full_name": name,
"key": confirmation_key}
result = self.client_post('/accounts/register/', data)
self.assert_in_response("We just need you to do one last thing", result)
# Verify that the user is asked for name but not password
self.assert_not_in_success_response(['id_password'], result)
self.assert_in_success_response(['id_full_name'], result)
# Click confirm registration button.
result = self.client_post(
'/accounts/register/',
{'full_name': name,
'key': confirmation_key,
'terms': True})
self.assertEqual(result.status_code, 302)
user_profile = get_user(email, realm)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
self.assertEqual(sorted(self.get_streams(email, realm)), stream_names)
subdomains: Add tests for single domain OAuth2.
2016-10-17 14:28:23 +02:00
class GoogleLoginTest(GoogleOAuthTest):
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
@override_settings(ROOT_DOMAIN_LANDING_PAGE=True)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_subdomains_homepage(self) -> None:
Google: Show error on login page for wrong subdomain. Takes care of Google OAuth. Fixes: #1871
2016-10-07 11:16:49 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_data = dict(name=dict(formatted="Full Name"),
emails=[dict(type="account",
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
value=self.example_email("hamlet"))])
Google: Show error on login page for wrong subdomain. Takes care of Google OAuth. Fixes: #1871
2016-10-07 11:16:49 +02:00
account_response = ResponseMock(200, account_data)
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.google_oauth2_test(token_response, account_response, subdomain="")
self.assertEqual(result.status_code, 302)
self.assertIn('subdomain=1', result.url)
Google: Show error on login page for wrong subdomain. Takes care of Google OAuth. Fixes: #1871
2016-10-07 11:16:49 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_400_token_response(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
token_response = ResponseMock(400, {})
with mock.patch("logging.warning") as m:
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
result = self.google_oauth2_test(token_response, ResponseMock(500, {}))
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"User error converting Google oauth2 login to token: Response text")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_500_token_response(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
token_response = ResponseMock(500, {})
with mock.patch("logging.error") as m:
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
result = self.google_oauth2_test(token_response, ResponseMock(500, {}))
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"Could not convert google oauth2 code to access_token: Response text")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_400_account_response(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_response = ResponseMock(400, {})
with mock.patch("logging.warning") as m:
result = self.google_oauth2_test(token_response, account_response)
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"Google login failed making info API call: Response text")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_500_account_response(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
token_response = ResponseMock(200, {'access_token': "unique_token"})
account_response = ResponseMock(500, {})
with mock.patch("logging.error") as m:
result = self.google_oauth2_test(token_response, account_response)
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"Google login failed making API call: Response text")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_error_access_denied(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
result = self.client_get("/accounts/login/google/done/?error=access_denied")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 302)
Django 1.10: URLs in response contain just the path. The response object of the Django test client only contains the path of the url.
2016-11-07 11:57:45 +01:00
path = urllib.parse.urlparse(result.url).path
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(path, "/")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_error_other(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
with mock.patch("logging.warning") as m:
result = self.client_get("/accounts/login/google/done/?error=some_other_error")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
"Error from google oauth2 login: some_other_error")
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_missing_csrf(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
with mock.patch("logging.warning") as m:
result = self.client_get("/accounts/login/google/done/")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
'Missing Google oauth2 CSRF state')
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_csrf_malformed(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
with mock.patch("logging.warning") as m:
result = self.client_get("/accounts/login/google/done/?state=badstate")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
'Missing Google oauth2 CSRF state')
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_csrf_badstate(self) -> None:
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
with mock.patch("logging.warning") as m:
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
result = self.client_get("/accounts/login/google/done/?state=badstate:otherbadstate:more::::")
tests: s/assertEquals/assertEqual/ due to deprecation. Fixes #2730.
2016-12-16 02:01:34 +01:00
self.assertEqual(result.status_code, 400)
self.assertEqual(m.call_args_list[0][0][0],
lint: Fix E127 vilations due to recent assertEquals migration.
2016-12-16 05:51:27 +01:00
'Google oauth2 CSRF error')
tests: Add a Google web authentication test suite.
2016-09-13 21:30:18 +02:00
test auth.py: Add tests for json_fetch_api_key function.
2018-01-11 23:08:53 +01:00
class JSONFetchAPIKeyTest(ZulipTestCase):
def setUp(self) -> None:
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
def test_success(self) -> None:
self.login(self.email)
result = self.client_post("/json/fetch_api_key",
dict(user_profile=self.user_profile,
password=initial_password(self.email)))
self.assert_json_success(result)
def test_not_loggedin(self) -> None:
result = self.client_post("/json/fetch_api_key",
dict(user_profile=self.user_profile,
password=initial_password(self.email)))
self.assert_json_error(result,
"Not logged in: API authentication or user session required", 401)
def test_wrong_password(self) -> None:
self.login(self.email)
result = self.client_post("/json/fetch_api_key",
dict(user_profile=self.user_profile,
password="wrong"))
self.assert_json_error(result, "Your username or password is incorrect.", 400)
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class FetchAPIKeyTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
tests: Use example_user() in more places.
2017-05-07 21:25:59 +02:00
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_success(self) -> None:
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
self.assert_json_success(result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_invalid_email(self) -> None:
api_fetch_api_key: Improve invalid email message. Show a user friendly message to the user if email is invalid. Currently we show a generic message: "Your username or password is incorrect." The only backend which can accept a non-email username is LDAP. So we check if it is enabled before showing the custom message.
2017-04-07 08:21:29 +02:00
result = self.client_post("/api/v1/fetch_api_key",
dict(username='hamlet',
password=initial_password(self.email)))
self.assert_json_error(result, "Enter a valid email address.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_wrong_password(self) -> None:
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password="wrong"))
self.assert_json_error(result, "Your username or password is incorrect.", 403)
api_fetch_api_key: Send new login emails for mobile.
2017-06-15 07:15:57 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',),
SEND_LOGIN_EMAILS=True)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_token_success(self) -> None:
api_fetch_api_key: Send new login emails for mobile.
2017-06-15 07:15:57 +02:00
self.assertEqual(len(mail.outbox), 0)
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
self.user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=JUST_CREATED_THRESHOLD + 1)
self.user_profile.save()
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
with mock.patch(
'apiclient.sample_tools.client.verify_id_token',
return_value={
"email_verified": True,
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
"email": self.example_email("hamlet"),
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
}):
result = self.client_post("/api/v1/fetch_api_key",
dict(username="google-oauth2-token",
password="token"))
self.assert_json_success(result)
api_fetch_api_key: Send new login emails for mobile.
2017-06-15 07:15:57 +02:00
self.assertEqual(len(mail.outbox), 1)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_token_failure(self) -> None:
Make test_google_oauth2_token_failure() work without internet.
2017-07-03 13:39:52 +02:00
payload = dict(email_verified=False)
with mock.patch('apiclient.sample_tools.client.verify_id_token', return_value=payload):
result = self.client_post("/api/v1/fetch_api_key",
dict(username="google-oauth2-token",
password="token"))
self.assert_json_error(result, "Your username or password is incorrect.", 403)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.GoogleMobileOauth2Backend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_google_oauth2_token_unregistered(self) -> None:
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
with mock.patch(
'apiclient.sample_tools.client.verify_id_token',
return_value={
"email_verified": True,
"email": "nobody@zulip.com",
}):
result = self.client_post("/api/v1/fetch_api_key",
dict(username="google-oauth2-token",
password="token"))
self.assert_json_error(
result,
"This user is not registered; do so from a browser.",
403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_password_auth_disabled(self) -> None:
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
with mock.patch('zproject.backends.password_auth_enabled', return_value=False):
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
self.assert_json_error_contains(result, "Password auth is disabled", 403)
test_auth_backend: Add missing LDAP tests in FetchAPIKeyTest.
2016-11-07 01:41:29 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_auth_email_auth_disabled_success(self) -> None:
test_auth_backend: Add missing LDAP tests in FetchAPIKeyTest.
2016-11-07 01:41:29 +01:00
ldap_patcher = mock.patch('django_auth_ldap.config.ldap.initialize')
self.mock_initialize = ldap_patcher.start()
self.mock_ldap = MockLDAP()
self.mock_initialize.return_value = self.mock_ldap
self.backend = ZulipLDAPAuthBackend()
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ]
test_auth_backend: Add missing LDAP tests in FetchAPIKeyTest.
2016-11-07 01:41:29 +01:00
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
result = self.client_post("/api/v1/fetch_api_key",
dict(username=self.email,
password="testing"))
self.assert_json_success(result)
self.mock_ldap.reset()
self.mock_initialize.stop()
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_inactive_user(self) -> None:
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
do_deactivate_user(self.user_profile)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
self.assert_json_error_contains(result, "Your account has been disabled", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_deactivated_realm(self) -> None:
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
do_deactivate_realm(self.user_profile.realm)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/fetch_api_key",
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
dict(username=self.email,
password=initial_password(self.email)))
i18n: Fix use of realm to refer to an organization.
2018-03-08 01:30:34 +01:00
self.assert_json_error_contains(result, "This organization has been deactivated", 403)
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class DevFetchAPIKeyTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
tests: Use example_user() in more places.
2017-05-07 21:25:59 +02:00
self.user_profile = self.example_user('hamlet')
self.email = self.user_profile.email
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_success(self) -> None:
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
self.assertEqual(data["email"], self.email)
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys.
2018-08-01 10:53:40 +02:00
user_api_keys = get_all_api_keys(self.user_profile)
self.assertIn(data['api_key'], user_api_keys)
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_invalid_email(self) -> None:
api_dev_fetch_api_key: Improve invalid email message. Show a user friendly message to the user if email is invalid. Currently we show a generic message: "Your username or password is incorrect."
2017-04-07 08:21:29 +02:00
email = 'hamlet'
result = self.client_post("/api/v1/dev_fetch_api_key",
dict(username=email))
self.assert_json_error_contains(result, "Enter a valid email address.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_unregistered_user(self) -> None:
api: Handle unregistered users in dev_fetch_api_key. Fixes #4851.
2017-05-22 01:34:21 +02:00
email = 'foo@zulip.com'
result = self.client_post("/api/v1/dev_fetch_api_key",
dict(username=email))
self.assert_json_error_contains(result, "This user is not registered.", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_inactive_user(self) -> None:
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
do_deactivate_user(self.user_profile)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
self.assert_json_error_contains(result, "Your account has been disabled", 403)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_deactivated_realm(self) -> None:
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
do_deactivate_realm(self.user_profile.realm)
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
i18n: Fix use of realm to refer to an organization.
2018-03-08 01:30:34 +01:00
self.assert_json_error_contains(result, "This organization has been deactivated", 403)
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_dev_auth_disabled(self) -> None:
views: Split views/auth.py out of core views file.
2016-10-12 04:50:38 +02:00
with mock.patch('zerver.views.auth.dev_auth_enabled', return_value=False):
Add client_post() test helper. This makes us more consistent, since we have other wrappers like client_patch, client_put, and client_delete. Wrapping also will facilitate instrumentation of our posting code.
2016-07-28 00:30:22 +02:00
result = self.client_post("/api/v1/dev_fetch_api_key",
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
dict(username=self.email))
self.assert_json_error_contains(result, "Dev environment not enabled.", 400)
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class DevGetEmailsTest(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_success(self) -> None:
dev_login: Identify each user's realm when listing them. This is a mobile-specific endpoint used for logging into a dev server. On mobile without this realm_uri it's impossible to send a login request to the corresponding realm on the dev server and proceed further; we can only guess, which doesn't work for using multiple realms. Also rename the endpoint to reflect the additional data. Testing Plan: Sent a request to the endpoint, and inspected the result. [greg: renamed function to match, squashed renames with data change, and adjusted commit message.]
2018-04-05 21:16:56 +02:00
result = self.client_get("/api/v1/dev_list_users")
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
self.assert_json_success(result)
zerver/tests: Use unicode strings. * Use unicode strings for strings containing non-ASCII characters. * Decode response content when text output is expected.
2016-07-12 15:41:45 +02:00
self.assert_in_response("direct_admins", result)
self.assert_in_response("direct_users", result)
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_dev_auth_disabled(self) -> None:
views: Split views/auth.py out of core views file.
2016-10-12 04:50:38 +02:00
with mock.patch('zerver.views.auth.dev_auth_enabled', return_value=False):
dev_login: Identify each user's realm when listing them. This is a mobile-specific endpoint used for logging into a dev server. On mobile without this realm_uri it's impossible to send a login request to the corresponding realm on the dev server and proceed further; we can only guess, which doesn't work for using multiple realms. Also rename the endpoint to reflect the additional data. Testing Plan: Sent a request to the endpoint, and inspected the result. [greg: renamed function to match, squashed renames with data change, and adjusted commit message.]
2018-04-05 21:16:56 +02:00
result = self.client_get("/api/v1/dev_list_users")
Add route to fetch emails for mobile passwordless login. [Tweaked by tabbott to rename API to explicitly support not just Android]
2016-06-01 02:28:43 +02:00
self.assert_json_error_contains(result, "Dev environment not enabled.", 400)
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
tests: Renamed AuthedTestCase to ZulipTestCase.
2016-08-23 02:08:42 +02:00
class FetchAuthBackends(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def assert_on_error(self, error: Optional[str]) -> None:
auth: Add new route to get server settings. Specifically, this makes easily available to the desktop and mobile apps data on the server's configuration, including important details like the realm icon, name, and description. It deprecates /api/v1/get_auth_backends.
2017-05-04 01:13:56 +02:00
if error:
raise AssertionError(error)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_get_server_settings(self) -> None:
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
def check_result(result: HttpResponse, extra_fields: List[Tuple[str, Validator]]=[]) -> None:
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
authentication_methods_list = [
('password', check_bool),
]
for backend_name_with_case in AUTH_BACKEND_NAME_MAP:
authentication_methods_list.append((backend_name_with_case.lower(), check_bool))
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
self.assert_json_success(result)
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
checker = check_dict_only([
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
('authentication_methods', check_dict_only(authentication_methods_list)),
server_settings: Add email auth related features to data sent to clients. This should make it possible for the mobile app to correctly allow non-email addresses as usernames exactly when it makes sense to do so.
2017-09-15 19:13:48 +02:00
('email_auth_enabled', check_bool),
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
('is_incompatible', check_bool),
server_settings: Add email auth related features to data sent to clients. This should make it possible for the mobile app to correctly allow non-email addresses as usernames exactly when it makes sense to do so.
2017-09-15 19:13:48 +02:00
('require_email_format_usernames', check_bool),
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
('realm_uri', check_string),
('zulip_version', check_string),
push notifs: Add a diagnostic in API of whether push notifs enabled. When the answer is False, this will allow the mobile app to show a warning that push notifications will not work and the server admin should set them up. Based partly on Kunal's PR #7810. Provides the necessary backend API for zulip/zulip-mobile#1507.
2018-02-12 23:34:59 +01:00
('push_notifications_enabled', check_bool),
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
('msg', check_string),
('result', check_string),
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
] + extra_fields)
self.assert_on_error(checker("data", result.json()))
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
result = self.client_get("/api/v1/server_settings", subdomain="", HTTP_USER_AGENT="")
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
check_result(result)
server_settings: Add additional subdomains test case. This will help preserve 100% test coverage as we refactor to set REALMS_HAVE_SUBDOMAINS=True unconditonally.
2017-08-25 23:59:49 +02:00
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
result = self.client_get("/api/v1/server_settings", subdomain="", HTTP_USER_AGENT="ZulipInvalid")
self.assertTrue(result.json()["is_incompatible"])
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(ROOT_DOMAIN_LANDING_PAGE=False):
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
result = self.client_get("/api/v1/server_settings", subdomain="", HTTP_USER_AGENT="")
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
check_result(result)
with self.settings(ROOT_DOMAIN_LANDING_PAGE=False):
compatibility: Add a compatibility check to api_get_server_settings. This should make it convenient for the mobile app to present errors of the form "Your Zulip app is not new enough for this Zulip server".
2018-12-06 02:49:34 +01:00
result = self.client_get("/api/v1/server_settings", subdomain="zulip", HTTP_USER_AGENT="")
tests: Dedupe a bit the test for server_settings. We keep having to change the same thing in three places here; and also the duplicates have accumulated unnecessary variation that makes it hard to see what's actually supposed to be different and not different in the three cases.
2018-02-12 23:12:47 +01:00
check_result(result, [
auth: Add new route to get server settings. Specifically, this makes easily available to the desktop and mobile apps data on the server's configuration, including important details like the realm icon, name, and description. It deprecates /api/v1/get_auth_backends.
2017-05-04 01:13:56 +02:00
('realm_name', check_string),
('realm_description', check_string),
('realm_icon', check_string),
])
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_fetch_auth_backend_format(self) -> None:
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
expected_keys = {'msg', 'password', 'zulip_version', 'result'}
for backend_name_with_case in AUTH_BACKEND_NAME_MAP:
expected_keys.add(backend_name_with_case.lower())
Add client_get() test helper.
2016-07-28 00:38:45 +02:00
result = self.client_get("/api/v1/get_auth_backends")
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
self.assertEqual(set(data.keys()), expected_keys)
server-version: Add server version to api endpoints. - Add server version to `fetch_initial_state_data`. - Add server version to register event queue api endpoint. - Add server version to `get_auth_backends` api endpoint. - Change source for server version in `home` endpoint. - Fix tests. Fixes #3663
2017-02-27 08:30:26 +01:00
for backend in set(data.keys()) - {'msg', 'result', 'zulip_version'}:
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
self.assertTrue(isinstance(data[backend], bool))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_fetch_auth_backend(self) -> None:
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
def get_expected_result(expected_backends: Set[str], password_auth_enabled: bool=False) -> Dict[str, Any]:
result = {
'msg': '',
'result': 'success',
'password': password_auth_enabled,
'zulip_version': ZULIP_VERSION,
}
for backend_name_raw in AUTH_BACKEND_NAME_MAP:
backend_name = backend_name_raw.lower()
result[backend_name] = backend_name in expected_backends
return result
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
backends = [GoogleMobileOauth2Backend(), DevAuthBackend()]
with mock.patch('django.contrib.auth.get_backends', return_value=backends):
Add client_get() test helper.
2016-07-28 00:38:45 +02:00
result = self.client_get("/api/v1/get_auth_backends")
Add get_auth_backends endpoint to API. We would like to know which kind of authentication backends the server supports. This is information you can get from /login, but not in a way easily parseable by API apps (e.g. the Zulip mobile apps).
2016-06-21 03:32:23 +02:00
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
# Check that a few keys are present, to guard against
# AUTH_BACKEND_NAME_MAP being broken
self.assertIn("email", data)
self.assertIn("github", data)
self.assertIn("google", data)
self.assertEqual(data, get_expected_result({"google", "dev"}))
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
# Test subdomains cases
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(ROOT_DOMAIN_LANDING_PAGE=False):
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
result = self.client_get("/api/v1/get_auth_backends")
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
self.assertEqual(data, get_expected_result({"google", "dev"}))
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
# Verify invalid subdomain
result = self.client_get("/api/v1/get_auth_backends",
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
subdomain="invalid")
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assert_json_error_contains(result, "Invalid subdomain", 400)
# Verify correct behavior with a valid subdomain with
# some backends disabled for the realm
realm = get_realm("zulip")
actions: Add do_set_realm_property function and migrate to it. zerver/lib/actions: removed do_set_realm_* functions and added do_set_realm_property, which takes in a realm object and the name and value of an attribute to update on that realm. zerver/tests/test_events.py: refactored realm tests with do_set_realm_property. Kept the do_set_realm_authentication_methods and do_set_realm_message_editing functions because their function signatures are different. Addresses part of issue #3854.
2017-03-21 18:08:40 +01:00
do_set_realm_authentication_methods(realm, dict(Google=False, Email=False, Dev=True))
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
result = self.client_get("/api/v1/get_auth_backends",
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
subdomain="zulip")
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
self.assertEqual(data, get_expected_result({"dev"}))
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(ROOT_DOMAIN_LANDING_PAGE=True):
settings: Rename SUBDOMAINS_HOMEPAGE to ROOT_DOMAIN_LANDING_PAGE. This new setting name is a lot more readable.
2017-08-25 04:32:16 +02:00
# With ROOT_DOMAIN_LANDING_PAGE, homepage fails
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
result = self.client_get("/api/v1/get_auth_backends",
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
subdomain="")
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assert_json_error_contains(result, "Subdomain required", 400)
settings: Rename SUBDOMAINS_HOMEPAGE to ROOT_DOMAIN_LANDING_PAGE. This new setting name is a lot more readable.
2017-08-25 04:32:16 +02:00
# With ROOT_DOMAIN_LANDING_PAGE, subdomain pages succeed
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
result = self.client_get("/api/v1/get_auth_backends",
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
subdomain="zulip")
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
self.assert_json_success(result)
result.json: Upgrade test_auth_backends.
2017-08-17 08:28:05 +02:00
data = result.json()
test_auth_backends: Eliminate manual lists of authentication backends. This should dramatically reduce the manual work involved with correctly adding a new authentication backend to Zulip with this test suite.
2018-12-19 01:35:13 +01:00
self.assertEqual(data, get_expected_result({"dev"}))
auth: Fix fetch_auth_backends to properly report supported methods. This fixes 2 related issues: * We incorrectly would report authentication methods that are supported by a server (but have been disabled for a given realm/subdomain) as supported. * We did not return an error with an invalid subdomain on a valid Zulip server. * We did not return an error when requesting auth backends for the homepage if SUBDOMAINS_HOMEPAGE is set. Comes with complete tests.
2017-03-10 06:29:09 +01:00
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
class TestTwoFactor(ZulipTestCase):
def test_direct_dev_login_with_2fa(self) -> None:
email = self.example_email('hamlet')
user_profile = self.example_user('hamlet')
with self.settings(TWO_FACTOR_AUTHENTICATION_ENABLED=True):
data = {'direct_email': email}
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
# User logs in but when otp device doesn't exist.
self.assertNotIn('otp_device_id', self.client.session.keys())
self.create_default_device(user_profile)
data = {'direct_email': email}
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
# User logs in when otp device exists.
self.assertIn('otp_device_id', self.client.session.keys())
@mock.patch('two_factor.models.totp')
def test_two_factor_login_with_ldap(self, mock_totp):
# type: (mock.MagicMock) -> None
token = 123456
email = self.example_email('hamlet')
password = 'testing'
user_profile = self.example_user('hamlet')
user_profile.set_password(password)
user_profile.save()
self.create_default_device(user_profile)
def totp(*args, **kwargs):
# type: (*Any, **Any) -> int
return token
mock_totp.side_effect = totp
# Setup LDAP
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
ldap_patcher = mock.patch('django_auth_ldap.config.ldap.initialize')
mock_initialize = ldap_patcher.start()
mock_ldap = MockLDAP()
mock_initialize.return_value = mock_ldap
full_name = 'New LDAP fullname'
mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ],
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
'fn': [full_name],
'sn': ['shortname'],
}
}
with self.settings(
AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
TWO_FACTOR_CALL_GATEWAY='two_factor.gateways.fake.Fake',
TWO_FACTOR_SMS_GATEWAY='two_factor.gateways.fake.Fake',
TWO_FACTOR_AUTHENTICATION_ENABLED=True,
POPULATE_PROFILE_VIA_LDAP=True,
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map,
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
first_step_data = {"username": email,
"password": password,
"two_factor_login_view-current_step": "auth"}
result = self.client_post("/accounts/login/", first_step_data)
self.assertEqual(result.status_code, 200)
second_step_data = {"token-otp_token": str(token),
"two_factor_login_view-current_step": "token"}
result = self.client_post("/accounts/login/", second_step_data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result['Location'], 'http://zulip.testserver')
# Going to login page should redirect to `realm.uri` if user is
# already logged in.
result = self.client_get('/accounts/login/')
self.assertEqual(result.status_code, 302)
self.assertEqual(result['Location'], 'http://zulip.testserver')
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
class TestDevAuthBackend(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
data = {'direct_email': email}
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
2FA: Add tests for two-factor auth.
2017-07-13 13:42:57 +02:00
def test_login_success_with_2fa(self) -> None:
user_profile = self.example_user('hamlet')
self.create_default_device(user_profile)
email = user_profile.email
data = {'direct_email': email}
with self.settings(TWO_FACTOR_AUTHENTICATION_ENABLED=True):
result = self.client_post('/accounts/login/local/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, 'http://zulip.testserver')
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
self.assertIn('otp_device_id', list(self.client.session.keys()))
auth.py: Make redirects to 'next' url work for dev environment. This makes these redirects work for the local authentication backend.
2018-03-12 12:25:50 +01:00
def test_redirect_to_next_url(self) -> None:
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def do_local_login(formaction: str) -> HttpResponse:
auth.py: Make redirects to 'next' url work for dev environment. This makes these redirects work for the local authentication backend.
2018-03-12 12:25:50 +01:00
user_email = self.example_email('hamlet')
data = {'direct_email': user_email}
return self.client_post(formaction, data)
res = do_local_login('/accounts/login/local/')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver')
res = do_local_login('/accounts/login/local/?next=/user_uploads/path_to_image')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver/user_uploads/path_to_image')
login_redirects: Make redirects to narrows from login page work.
2018-03-12 14:08:12 +01:00
# In local Email based authentication we never make browser send the hash
# to the backend. Rather we depend upon the browser's behaviour of persisting
# hash anchors in between redirect requests. See below stackoverflow conversation
# https://stackoverflow.com/questions/5283395/url-hash-is-persisting-between-redirects
res = do_local_login('/accounts/login/local/?next=#narrow/stream/7-test-here')
self.assertEqual(res.status_code, 302)
self.assertEqual(res.url, 'http://zulip.testserver')
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_with_subdomain(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
data = {'direct_email': email}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_post('/accounts/login/local/', data)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_choose_realm(self) -> None:
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
result = self.client_post('/devlogin/', subdomain="zulip")
self.assert_in_success_response(["Click on a user to log in to Zulip Dev!"], result)
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
result = self.client_post('/devlogin/', subdomain="")
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
self.assert_in_success_response(["Click on a user to log in!"], result)
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
data = {'new_realm': 'zephyr'}
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
result = self.client_post('/devlogin/', data, subdomain="zulip")
self.assertEqual(result.status_code, 302)
self.assertEqual(result.url, "http://zephyr.testserver")
result = self.client_get('/devlogin/', subdomain="zephyr")
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in to MIT!"], result)
test_choose_realm: Hardcode REALMS_HAVE_SUBDOMAINS. This is the only case that'll be important in the future, and this is a nice checkpoint on the path to making REALMS_HAVE_SUBDMAINS=True.
2017-09-15 22:03:49 +02:00
self.assert_not_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_choose_realm_with_subdomains_enabled(self) -> None:
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
with mock.patch('zerver.views.auth.is_subdomain_root_or_alias', return_value=False):
with mock.patch('zerver.views.auth.get_realm_from_request', return_value=get_realm('zulip')):
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_get("http://zulip.testserver/devlogin/")
self.assert_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
self.assert_not_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in to Zulip Dev!"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
with mock.patch('zerver.views.auth.get_realm_from_request', return_value=get_realm('zephyr')):
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_post("http://zulip.testserver/devlogin/", {'new_realm': 'zephyr'})
self.assertEqual(result["Location"], "http://zephyr.testserver")
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
result = self.client_get("http://zephyr.testserver/devlogin/")
self.assert_not_in_success_response(["iago@zulip.com", "hamlet@zulip.com"], result)
self.assert_in_success_response(["starnine@mit.edu", "espuser@mit.edu"], result)
self.assert_in_success_response(["Click on a user to log in to MIT!"], result)
dev_login: List realms and show only users in the selected realm.
2017-08-15 00:13:58 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
data = {'direct_email': email}
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',)):
auth: Redirect to an error page instead of 500. Previously, we used to raise an exception if the direct dev login code path was attempted when: * we were running under production environment. * dev. login was not enabled. Now we redirect to an error page and give an explanatory message to the user. Fixes #8249.
2018-02-21 06:31:53 +01:00
with mock.patch('django.core.handlers.exception.logger'):
response = self.client_post('/accounts/login/local/', data)
self.assertRedirects(response, reverse('dev_not_supported'))
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_nonexistent_user(self) -> None:
Add tests for TestDevAuthBackend.
2016-10-24 08:35:16 +02:00
email = 'nonexisting@zulip.com'
data = {'direct_email': email}
auth: Redirect to an error page instead of 500. Previously, we used to raise an exception if the direct dev login code path was attempted when: * we were running under production environment. * dev. login was not enabled. Now we redirect to an error page and give an explanatory message to the user. Fixes #8249.
2018-02-21 06:31:53 +01:00
with mock.patch('django.core.handlers.exception.logger'):
response = self.client_post('/accounts/login/local/', data)
self.assertRedirects(response, reverse('dev_not_supported'))
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
class TestZulipRemoteUserBackend(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_with_sso_append_domain(self) -> None:
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
username = 'hamlet'
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',),
SSO_APPEND_DOMAIN='zulip.com'):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=username)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
self.assertEqual(result.status_code, 200) # This should ideally be not 200.
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertIs(get_session_dict_user(self.client.session), None)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_nonexisting_user(self) -> None:
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
email = 'nonexisting@zulip.com'
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
self.assertEqual(result.status_code, 200)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertIs(get_session_dict_user(self.client.session), None)
frontend: Edit confirm_continue_registration.html to be clearer. Fixes #5707.
2017-07-17 17:31:05 +02:00
self.assert_in_response("No account found for", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_invalid_email(self) -> None:
remote_user_sso: Improve invalid email message. Show a user friendly message to the user if email is invalid. Currently we show a generic message: "Your username or password is incorrect."
2017-04-07 08:21:29 +02:00
email = 'hamlet'
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
self.assert_json_error_contains(result, "Enter a valid email address.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_missing_field(self) -> None:
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/')
self.assert_json_error_contains(result, "No REMOTE_USER set.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_subdomain(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='acme'):
Change bot domains to string_id.EXTERNAL_HOST. Change applies to both subdomains and non-subdomains case, though we use just the EXTERNAL_HOST in the non-subdomains case if there is only 1 realm. Fixes #3903.
2017-03-05 04:17:12 +01:00
result = self.client_post('http://testserver:9080/accounts/login/sso/',
REMOTE_USER=email)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertEqual(result.status_code, 200)
self.assertIs(get_session_dict_user(self.client.session), None)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response("You need an invitation to join this organization.", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_empty_subdomain(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value=''):
Change bot domains to string_id.EXTERNAL_HOST. Change applies to both subdomains and non-subdomains case, though we use just the EXTERNAL_HOST in the non-subdomains case if there is only 1 realm. Fixes #3903.
2017-03-05 04:17:12 +01:00
result = self.client_post('http://testserver:9080/accounts/login/sso/',
REMOTE_USER=email)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
self.assertEqual(result.status_code, 200)
self.assertIs(get_session_dict_user(self.client.session), None)
auth: Make "Continue to registration" actually register you. The main change here is to send a proper confirmation link to the frontend in the `confirm_continue_registration` code path even if the user didn't request signup, so that we don't need to re-authenticate the user's control over their email address in that flow. This also lets us delete some now-unnecessary code: The `invalid_email` case is now handled by HomepageForm.is_valid(), which has nice error handling, so we no longer need logic in the context computation or template for `confirm_continue_registration` for the corner case where the user somehow has an invalid email address authenticated. We split one GitHub auth backend test to now cover both corner cases (invalid email for realm, and valid email for realm), and rewrite the Google auth test for this code path as well. Fixes #5895.
2018-04-23 00:12:52 +02:00
self.assert_in_response("You need an invitation to join this organization.", result)
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_under_subdomains(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
email = user_profile.email
Add tests for TestZulipRemoteUserBackend.
2016-10-24 09:09:31 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='zulip'):
with self.settings(
AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
self.assertEqual(result.status_code, 302)
self.assertIs(get_session_dict_user(self.client.session), user_profile.id)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
@override_settings(SEND_LOGIN_EMAILS=True)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
auth: Handle SSO_APPEND_DOMAIN in remote_user SSO for mobile. Apparently, while the main code path through login_or_register_remote_user was correctly calling remote_user_to_email(username) to get a proper email address for situations where auth username != email (i.e. when SSO_APPEND_DOMAIN is set), we neglected to do so in the mobile_flow_otp corner case. Fixes #11005.
2018-12-10 19:33:52 +01:00
def test_login_mobile_flow_otp_success_email(self) -> None:
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
user_profile = self.example_user('hamlet')
email = user_profile.email
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=61)
user_profile.save()
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
mobile_flow_otp = '1234abcd' * 8
onboarding: Change logic for preventing new login emails for a new user. Issue: When you created a new organization with /new, the "new login" emails were emailed. We previously had a hack of adding the .just_registered property to the user Python object to attempt to prevent the emails, and checking that in zerver/signals.py. This commit gets rid of the .just_registered check. Instead of the .just_registered check, this checks if the user has joined more than a minute before. A test test_dont_send_login_emails_for_new_user_registration_logins already exists. Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD. Fixes #10179.
2018-08-10 00:58:44 +02:00
# Verify that the right thing happens with an invalid-format OTP
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="1234"),
REMOTE_USER=email,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertIs(get_session_dict_user(self.client.session), None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="invalido" * 8),
REMOTE_USER=email,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertIs(get_session_dict_user(self.client.session), None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp=mobile_flow_otp),
REMOTE_USER=email,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
auth: Handle SSO_APPEND_DOMAIN in remote_user SSO for mobile. Apparently, while the main code path through login_or_register_remote_user was correctly calling remote_user_to_email(username) to get a proper email address for situations where auth username != email (i.e. when SSO_APPEND_DOMAIN is set), we neglected to do so in the mobile_flow_otp corner case. Fixes #11005.
2018-12-10 19:33:52 +01:00
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
hamlet_api_keys = get_all_api_keys(self.example_user('hamlet'))
self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), hamlet_api_keys)
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
@override_settings(SEND_LOGIN_EMAILS=True)
@override_settings(SSO_APPEND_DOMAIN="zulip.com")
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',))
def test_login_mobile_flow_otp_success_username(self) -> None:
user_profile = self.example_user('hamlet')
email = user_profile.email
remote_user = email_to_username(email)
user_profile.date_joined = timezone_now() - datetime.timedelta(seconds=61)
user_profile.save()
mobile_flow_otp = '1234abcd' * 8
# Verify that the right thing happens with an invalid-format OTP
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="1234"),
REMOTE_USER=remote_user,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertIs(get_session_dict_user(self.client.session), None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp="invalido" * 8),
REMOTE_USER=remote_user,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertIs(get_session_dict_user(self.client.session), None)
self.assert_json_error_contains(result, "Invalid OTP", 400)
result = self.client_post('/accounts/login/sso/',
dict(mobile_flow_otp=mobile_flow_otp),
REMOTE_USER=remote_user,
HTTP_USER_AGENT = "ZulipAndroid")
self.assertEqual(result.status_code, 302)
redirect_url = result['Location']
parsed_url = urllib.parse.urlparse(redirect_url)
query_params = urllib.parse.parse_qs(parsed_url.query)
self.assertEqual(parsed_url.scheme, 'zulip')
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
self.assertEqual(query_params["realm"], ['http://zulip.testserver'])
self.assertEqual(query_params["email"], [self.example_email("hamlet")])
encrypted_api_key = query_params["otp_encrypted_api_key"][0]
users: Get all API keys via wrapper method. Now reading API keys from a user is done with the get_api_key wrapper method, rather than directly fetching it from the user object. Also, every place where an action should be done for each API key is now using get_all_api_keys. This method returns for the moment a single-item list, containing the specified user's API key. This commit is the first step towards allowing users have multiple API keys.
2018-08-01 10:53:40 +02:00
hamlet_api_keys = get_all_api_keys(self.example_user('hamlet'))
self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), hamlet_api_keys)
auth: Add support for mobile_flow_otp for RemoteUserBackend. Because we have a pretty good framework for the existing mobile_flow_otp system, this requires very little new code. Fixes #8291.
2018-02-06 23:29:57 +01:00
self.assertEqual(len(mail.outbox), 1)
self.assertIn('Zulip on Android', mail.outbox[0].body)
auth: Make redirects to next work for REMOTE_USER based Apache SSO. It's possible that this won't work with some versions of the third-party backend, but tabbott has tested carefully that it does work correctly with the Apache basic auth backend in our test environment.
2018-02-24 22:38:48 +01:00
def test_redirect_to(self) -> None:
tests: Replace messy direct test of login_or_register_remote_user. This code path is much more naturally tested with the existing end-to-end test for the function that we have for the RemoteUser auth backend.
2018-04-22 23:14:27 +02:00
"""This test verifies the behavior of the redirect_to logic in
login_or_register_remote_user."""
zerver/tests: Change use of typing.Text to str.
2018-05-11 01:39:38 +02:00
def test_with_redirect_to_param_set_as_next(next: str='') -> HttpResponse:
auth: Make redirects to next work for REMOTE_USER based Apache SSO. It's possible that this won't work with some versions of the third-party backend, but tabbott has tested carefully that it does work correctly with the Apache basic auth backend in our test environment.
2018-02-24 22:38:48 +01:00
user_profile = self.example_user('hamlet')
email = user_profile.email
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
result = self.client_post('/accounts/login/sso/?next=' + next, REMOTE_USER=email)
return result
res = test_with_redirect_to_param_set_as_next()
self.assertEqual('http://zulip.testserver', res.url)
res = test_with_redirect_to_param_set_as_next('/user_uploads/image_path')
self.assertEqual('http://zulip.testserver/user_uploads/image_path', res.url)
tests: Replace messy direct test of login_or_register_remote_user. This code path is much more naturally tested with the existing end-to-end test for the function that we have for the RemoteUser auth backend.
2018-04-22 23:14:27 +02:00
# Third-party domains are rejected and just send you to root domain
res = test_with_redirect_to_param_set_as_next('https://rogue.zulip-like.server/login')
self.assertEqual('http://zulip.testserver', res.url)
auth: Make redirects to next work for REMOTE_USER based Apache SSO. It's possible that this won't work with some versions of the third-party backend, but tabbott has tested carefully that it does work correctly with the Apache basic auth backend in our test environment.
2018-02-24 22:38:48 +01:00
# In SSO based auth we never make browser send the hash to the backend.
# Rather we depend upon the browser's behaviour of persisting hash anchors
# in between redirect requests. See below stackoverflow conversation
# https://stackoverflow.com/questions/5283395/url-hash-is-persisting-between-redirects
res = test_with_redirect_to_param_set_as_next('#narrow/stream/7-test-here')
self.assertEqual('http://zulip.testserver', res.url)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
class TestJWTLogin(ZulipTestCase):
"""
JWT uses ZulipDummyBackend.
"""
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
realm = get_realm('zulip')
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = get_user(email, realm)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assertEqual(result.status_code, 302)
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_user_is_missing(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'realm': 'zulip.com'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "No user specified in JSON web token claims", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_realm_is_missing(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
i18n: Fix a last few strings mentioning realms.
2018-03-08 02:05:50 +01:00
self.assert_json_error_contains(result, "No organization specified in JSON web token claims", 400)
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_key_does_not_exist(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
data = {'json_web_token': 'not relevant'}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Auth key for this subdomain not found.", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_key_is_missing(self) -> None:
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
result = self.client_post('/accounts/login/jwt/')
self.assert_json_error_contains(result, "No JSON web token passed in request", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_bad_token_is_passed(self) -> None:
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
result = self.client_post('/accounts/login/jwt/')
self.assert_json_error_contains(result, "No JSON web token passed in request", 400)
data = {'json_web_token': 'bad token'}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Bad JSON web token", 400)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_user_does_not_exist(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'nonexisting', 'realm': 'zulip.com'}
tests: Make requests use the "zulip" subdomain by default. Previously, we didn't pass customized HTTP_HOST headers when making network requests. As we move towards a world where everything is on a subdomain, we'll want to start doing that. The vast majority of our test code is written to interact with the default "zulip" realm, which has a subdomain of "zulip". While probably longer-term, we'll wish this was the root domain, for now, we need to make our HTTP requests match what is expected by the test code. This commit almost certainly introduces some weird bugs where code was expecting a different subdomain but the tests doesn't fail yet. It's not clear how to find all of these, but I've done some grepping.
2017-08-25 22:02:00 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
auth_key = settings.JWT_AUTH_KEYS['zulip']
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
self.assertEqual(result.status_code, 200) # This should ideally be not 200.
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
self.assertIs(get_session_dict_user(self.client.session), None)
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
# The /accounts/login/jwt/ endpoint should also handle the case
# where the authentication attempt throws UserProfile.DoesNotExist.
with mock.patch(
'zerver.views.auth.authenticate',
side_effect=UserProfile.DoesNotExist("Do not exist")):
result = self.client_post('/accounts/login/jwt/', data)
pep8: Add compliance with rule E261 test_auth_backends.py.
2017-06-04 11:36:52 +02:00
self.assertEqual(result.status_code, 200) # This should ideally be not 200.
test-backend: Raise zerver/views/auth.py test coverage to 100%.
2017-03-25 20:44:14 +01:00
self.assertIs(get_session_dict_user(self.client.session), None)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_subdomain(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(JWT_AUTH_KEYS={'acme': 'key'}):
JWT: Filter out logging.warning output in tests.
2017-10-28 00:48:13 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='acme'), \
mock.patch('logging.warning'):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
auth_key = settings.JWT_AUTH_KEYS['acme']
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Wrong subdomain", 400)
self.assertEqual(get_session_dict_user(self.client.session), None)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_empty_subdomain(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(JWT_AUTH_KEYS={'': 'key'}):
JWT: Filter out logging.warning output in tests.
2017-10-28 00:48:13 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value=''), \
mock.patch('logging.warning'):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
auth_key = settings.JWT_AUTH_KEYS['']
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assert_json_error_contains(result, "Wrong subdomain", 400)
self.assertEqual(get_session_dict_user(self.client.session), None)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_under_subdomains(self) -> None:
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
payload = {'user': 'hamlet', 'realm': 'zulip.com'}
test_auth_backends: Extract REALMS_HAVE_SUBDOMAINS overrides. This will make the diff a lot smaller when we hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-03 01:31:20 +02:00
with self.settings(JWT_AUTH_KEYS={'zulip': 'key'}):
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
with mock.patch('zerver.views.auth.get_subdomain', return_value='zulip'):
auth_key = settings.JWT_AUTH_KEYS['zulip']
web_token = jwt.encode(payload, auth_key).decode('utf8')
data = {'json_web_token': web_token}
result = self.client_post('/accounts/login/jwt/', data)
self.assertEqual(result.status_code, 302)
tests: Remove get_user_profile_by_email from numerous tests.
2017-05-23 20:57:59 +02:00
user_profile = self.example_user('hamlet')
Add tests for JWT based login.
2016-10-24 11:38:38 +02:00
self.assertEqual(get_session_dict_user(self.client.session), user_profile.id)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
class ZulipLDAPTestCase(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def setUp(self) -> None:
Use self.example_user() in more places. This fixes most cases where we were assigning a user to the var email and then calling get_user_profile_by_email with that var. (This was fixed mostly with a script.)
2017-05-07 19:39:30 +02:00
user_profile = self.example_user('hamlet')
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.setup_subdomain(user_profile)
ldap_patcher = mock.patch('django_auth_ldap.config.ldap.initialize')
self.mock_initialize = ldap_patcher.start()
self.mock_ldap = MockLDAP()
self.mock_initialize.return_value = self.mock_ldap
self.backend = ZulipLDAPAuthBackend()
registration: Populate LDAP users using invitation information. Fixes: #11212.
2019-01-16 09:59:01 +01:00
# Internally `_realm` and `_prereg_user` attributes are automatically set
# by the `authenticate()` method. But for testing the `get_or_build_user()`
# method separately, we need to set them manually.
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
self.backend._realm = get_realm('zulip')
registration: Populate LDAP users using invitation information. Fixes: #11212.
2019-01-16 09:59:01 +01:00
self.backend._prereg_user = None
Add LDAP tests.
2016-10-24 14:41:45 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def tearDown(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.reset()
self.mock_initialize.stop()
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def setup_subdomain(self, user_profile: UserProfile) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
realm = user_profile.realm
models.Realm: Rename subdomain to string_id. Does a database migration to rename Realm.subdomain to Realm.string_id, and makes Realm.subdomain a property. Eventually, Realm.string_id will replace Realm.domain as the handle by which we retrieve Realm objects.
2016-10-26 18:13:43 +02:00
realm.string_id = 'zulip'
Add LDAP tests.
2016-10-24 14:41:45 +02:00
realm.save()
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
class TestLDAP(ZulipLDAPTestCase):
auth: Add function for generating test ldap_dir to backends.py. Generates ldap_dir based on the mode and the no. of extra users. It supports three modes, 'a', 'b' and 'c', description for which can be found in prod_settings_templates.py.
2018-08-03 20:05:19 +02:00
def test_generate_dev_ldap_dir(self) -> None:
auth: Use different defaults for name and email for fakeldap. Fixes part of #10297. Use FAKE_LDAP_NUM_USERS which specifies the number of LDAP users instead of FAKE_LDAP_EXTRA_USERS which specified the number of extra users.
2018-08-18 02:35:19 +02:00
ldap_dir = generate_dev_ldap_dir('A', 10)
tests: Stop using fixtures to test generate_dev_ldap_dir. The output of generate_dev_ldap_dir was being tested against the fixture located at zerver/tests/fixtures/ldap_dir.json. This didn't make much sense as generate_dev_ldap_dir was itself used by developers to generate/update the fixtures. Instead, test_generate_dev_ldap_dir checks the structure of the dict returned by generate_dev_ldap_dir. The structure is checked by regex checks, checking whether the dict contains some keys or not, etc.
2018-08-18 04:22:37 +02:00
self.assertEqual(len(ldap_dir), 10)
regex = re.compile(r'(uid\=)+[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+(\,ou\=users\,dc\=zulip\,dc\=com)')
dev_ldap: Add custom profile data.
2019-01-29 14:49:53 +01:00
common_attrs = ['cn', 'userPassword', 'phoneNumber', 'birthDate']
tests: Stop using fixtures to test generate_dev_ldap_dir. The output of generate_dev_ldap_dir was being tested against the fixture located at zerver/tests/fixtures/ldap_dir.json. This didn't make much sense as generate_dev_ldap_dir was itself used by developers to generate/update the fixtures. Instead, test_generate_dev_ldap_dir checks the structure of the dict returned by generate_dev_ldap_dir. The structure is checked by regex checks, checking whether the dict contains some keys or not, etc.
2018-08-18 04:22:37 +02:00
for key, value in ldap_dir.items():
self.assertTrue(regex.match(key))
dev_ldap: Add custom profile data.
2019-01-29 14:49:53 +01:00
self.assertCountEqual(list(value.keys()), common_attrs + ['thumbnailPhoto', 'userAccountControl'])
auth: Add function for generating test ldap_dir to backends.py. Generates ldap_dir based on the mode and the no. of extra users. It supports three modes, 'a', 'b' and 'c', description for which can be found in prod_settings_templates.py.
2018-08-03 20:05:19 +02:00
auth: Use different defaults for name and email for fakeldap. Fixes part of #10297. Use FAKE_LDAP_NUM_USERS which specifies the number of LDAP users instead of FAKE_LDAP_EXTRA_USERS which specified the number of extra users.
2018-08-18 02:35:19 +02:00
ldap_dir = generate_dev_ldap_dir('b', 9)
tests: Stop using fixtures to test generate_dev_ldap_dir. The output of generate_dev_ldap_dir was being tested against the fixture located at zerver/tests/fixtures/ldap_dir.json. This didn't make much sense as generate_dev_ldap_dir was itself used by developers to generate/update the fixtures. Instead, test_generate_dev_ldap_dir checks the structure of the dict returned by generate_dev_ldap_dir. The structure is checked by regex checks, checking whether the dict contains some keys or not, etc.
2018-08-18 04:22:37 +02:00
self.assertEqual(len(ldap_dir), 9)
regex = re.compile(r'(uid\=)+[a-zA-Z0-9_.+-]+(\,ou\=users\,dc\=zulip\,dc\=com)')
for key, value in ldap_dir.items():
self.assertTrue(regex.match(key))
dev_ldap: Add custom profile data.
2019-01-29 14:49:53 +01:00
self.assertCountEqual(list(value.keys()), common_attrs + ['jpegPhoto'])
auth: Add function for generating test ldap_dir to backends.py. Generates ldap_dir based on the mode and the no. of extra users. It supports three modes, 'a', 'b' and 'c', description for which can be found in prod_settings_templates.py.
2018-08-03 20:05:19 +02:00
auth: Use different defaults for name and email for fakeldap. Fixes part of #10297. Use FAKE_LDAP_NUM_USERS which specifies the number of LDAP users instead of FAKE_LDAP_EXTRA_USERS which specified the number of extra users.
2018-08-18 02:35:19 +02:00
ldap_dir = generate_dev_ldap_dir('c', 8)
tests: Stop using fixtures to test generate_dev_ldap_dir. The output of generate_dev_ldap_dir was being tested against the fixture located at zerver/tests/fixtures/ldap_dir.json. This didn't make much sense as generate_dev_ldap_dir was itself used by developers to generate/update the fixtures. Instead, test_generate_dev_ldap_dir checks the structure of the dict returned by generate_dev_ldap_dir. The structure is checked by regex checks, checking whether the dict contains some keys or not, etc.
2018-08-18 04:22:37 +02:00
self.assertEqual(len(ldap_dir), 8)
regex = re.compile(r'(uid\=)+[a-zA-Z0-9_.+-]+(\,ou\=users\,dc\=zulip\,dc\=com)')
for key, value in ldap_dir.items():
self.assertTrue(regex.match(key))
dev_ldap: Add custom profile data.
2019-01-29 14:49:53 +01:00
self.assertCountEqual(list(value.keys()), common_attrs + ['email'])
auth: Add function for generating test ldap_dir to backends.py. Generates ldap_dir based on the mode and the no. of extra users. It supports three modes, 'a', 'b' and 'c', description for which can be found in prod_settings_templates.py.
2018-08-03 20:05:19 +02:00
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_dev_ldap_fail_login(self) -> None:
# Tests that login with a substring of password fails. We had a bug in
# dev LDAP environment that allowed login via password substrings.
self.mock_ldap.directory = generate_dev_ldap_dir('B', 8)
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
user_profile = self.backend.authenticate('ldapuser1', 'dapu',
realm=get_realm('zulip'))
assert(user_profile is None)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ]
Add LDAP tests.
2016-10-24 14:41:45 +02:00
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
realm=get_realm('zulip'))
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
assert(user_profile is not None)
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
self.assertEqual(user_profile.email, self.example_email("hamlet"))
Add LDAP tests.
2016-10-24 14:41:45 +02:00
ldap: Allow users to login with just LDAP username. We had an inconsistent behavior when `LDAP_APPEND_DOMAIN` was set in that we allowed user to enter username instead of his email in the auth form but later the workflow failed due to a small bug. Fixes: #10917.
2019-01-09 17:58:39 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_login_success_with_username(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ]
ldap: Allow users to login with just LDAP username. We had an inconsistent behavior when `LDAP_APPEND_DOMAIN` was set in that we allowed user to enter username instead of his email in the auth form but later the workflow failed due to a small bug. Fixes: #10917.
2019-01-09 17:58:39 +01:00
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
user_profile = self.backend.authenticate("hamlet", 'testing',
realm=get_realm('zulip'))
assert(user_profile is not None)
self.assertEqual(user_profile.email, self.example_email("hamlet"))
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_with_email_attr(self) -> None:
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
self.mock_ldap.directory = {
'uid=letham,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ],
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
'email': ['hamlet@zulip.com'],
}
}
with self.settings(LDAP_EMAIL_ATTR='email',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
user_profile = self.backend.authenticate("letham", 'testing',
realm=get_realm('zulip'))
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
assert (user_profile is not None)
self.assertEqual(user_profile.email, self.example_email("hamlet"))
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_wrong_password(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ]
Add LDAP tests.
2016-10-24 14:41:45 +02:00
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
test_auth_backends: Fix indentation.
2017-06-21 10:12:56 +02:00
user = self.backend.authenticate(self.example_email("hamlet"), 'wrong')
self.assertIs(user, None)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_nonexistent_user(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ]
Add LDAP tests.
2016-10-24 14:41:45 +02:00
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
test_auth_backends: Fix indentation.
2017-06-21 10:12:56 +02:00
user = self.backend.authenticate('nonexistent@zulip.com', 'testing')
self.assertIs(user, None)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_permissions(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
self.assertFalse(backend.has_perm(None, None))
self.assertFalse(backend.has_module_perms(None, None))
self.assertTrue(backend.get_all_permissions(None, None) == set())
self.assertTrue(backend.get_group_permissions(None, None) == set())
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Allow users to login with just LDAP username. We had an inconsistent behavior when `LDAP_APPEND_DOMAIN` was set in that we allowed user to enter username instead of his email in the auth form but later the workflow failed due to a small bug. Fixes: #10917.
2019-01-09 17:58:39 +01:00
def test_django_to_ldap_username_without_append_domain(self) -> None:
backend = self.backend
username = backend.django_to_ldap_username('"hamlet@test"@zulip.com')
self.assertEqual(username, '"hamlet@test"@zulip.com')
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_django_to_ldap_username_with_append_domain(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
username = backend.django_to_ldap_username('"hamlet@test"@zulip.com')
self.assertEqual(username, '"hamlet@test"')
ldap: Allow users to login with just LDAP username. We had an inconsistent behavior when `LDAP_APPEND_DOMAIN` was set in that we allowed user to enter username instead of his email in the auth form but later the workflow failed due to a small bug. Fixes: #10917.
2019-01-09 17:58:39 +01:00
username = backend.django_to_ldap_username('"hamlet@test"@zulip')
self.assertEqual(username, '"hamlet@test"@zulip')
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_django_to_ldap_username_with_invalid_domain(self) -> None:
backend = self.backend
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'), \
self.assertRaises(ZulipLDAPExceptionOutsideDomain):
backend.django_to_ldap_username('"hamlet@test"@test.com')
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_ldap_to_django_username(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
with self.settings(LDAP_APPEND_DOMAIN='zulip.com'):
username = backend.ldap_to_django_username('"hamlet@test"')
self.assertEqual(username, '"hamlet@test"@zulip.com')
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_user_exists(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
backend = self.backend
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
user_profile, created = backend.get_or_build_user(str(email), _LDAPUser())
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertFalse(created)
self.assertEqual(user_profile.email, email)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_user_does_not_exist(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
backend = self.backend
email = 'nonexisting@zulip.com'
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
user_profile, created = backend.get_or_build_user(email, _LDAPUser())
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertTrue(created)
self.assertEqual(user_profile.email, email)
self.assertEqual(user_profile.full_name, 'Full Name')
users: Verify full names explicitly in account registration. I believe this completes the project of ensuring that our recent work on limiting what characters can appears in users' full names covers the entire codebase.
2017-02-08 05:04:14 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_user_has_invalid_name(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
users: Verify full names explicitly in account registration. I believe this completes the project of ensuring that our recent work on limiting what characters can appears in users' full names covers the entire codebase.
2017-02-08 05:04:14 +01:00
attrs = {'fn': ['<invalid name>'], 'sn': ['Short Name']}
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
backend = self.backend
email = 'nonexisting@zulip.com'
with self.assertRaisesRegex(Exception, "Invalid characters in name!"):
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
backend.get_or_build_user(email, _LDAPUser())
users: Verify full names explicitly in account registration. I believe this completes the project of ensuring that our recent work on limiting what characters can appears in users' full names covers the entire codebase.
2017-02-08 05:04:14 +01:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_realm_is_deactivated(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
backend = self.backend
email = 'nonexisting@zulip.com'
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
do_deactivate_realm(backend._realm)
tests: s/assertRaisesRegexp/assertRaisesRegex/ due to deprecation.
2016-12-16 02:11:42 +01:00
with self.assertRaisesRegex(Exception, 'Realm has been deactivated'):
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
backend.get_or_build_user(email, _LDAPUser())
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def test_get_or_build_user_when_ldap_has_no_email_attr(self) -> None:
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class _LDAPUser:
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
nonexisting_attr = 'email'
with self.settings(LDAP_EMAIL_ATTR=nonexisting_attr):
backend = self.backend
email = 'nonexisting@zulip.com'
with self.assertRaisesRegex(Exception, 'LDAP user doesn\'t have the needed email attribute'):
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
backend.get_or_build_user(email, _LDAPUser())
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_get_or_build_user_email(self) -> None:
class _LDAPUser:
attrs = {'fn': ['Test User']}
ldap_user_attr_map = {'full_name': 'fn'}
with self.settings(AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
realm = self.backend._realm
realm.emails_restricted_to_domains = False
realm.disallow_disposable_email_addresses = True
realm.save()
email = 'spam@mailnator.com'
with self.assertRaisesRegex(ZulipLDAPException, 'Email validation failed.'):
self.backend.get_or_build_user(email, _LDAPUser())
realm.emails_restricted_to_domains = True
realm.save(update_fields=['emails_restricted_to_domains'])
email = 'spam+spam@mailnator.com'
with self.assertRaisesRegex(ZulipLDAPException, 'Email validation failed.'):
self.backend.get_or_build_user(email, _LDAPUser())
email = 'spam@acme.com'
with self.assertRaisesRegex(ZulipLDAPException, "This email domain isn't allowed in this organization."):
self.backend.get_or_build_user(email, _LDAPUser())
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_get_or_build_user_when_ldap_has_no_full_name_mapping(self) -> None:
class _LDAPUser:
attrs = {'fn': ['Full Name'], 'sn': ['Short Name']}
with self.settings(AUTH_LDAP_USER_ATTR_MAP={}):
backend = self.backend
email = 'nonexisting@zulip.com'
with self.assertRaisesRegex(Exception, "Missing required mapping for user's full name"):
backend.get_or_build_user(email, _LDAPUser())
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_django_to_ldap_username_when_domain_does_not_match(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
backend = self.backend
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
ldap: Improve error message for username/LDAP domain mismatches.
2018-08-20 19:38:59 +02:00
with self.assertRaisesRegex(Exception, 'Email hamlet@zulip.com does not match LDAP domain acme.com.'):
Add LDAP tests.
2016-10-24 14:41:45 +02:00
with self.settings(LDAP_APPEND_DOMAIN='acme.com'):
backend.django_to_ldap_username(email)
LDAP: Restore an except clause and add test to cover it. Most of the paths leading through this except clause were cut in 73e8bba37 "ldap auth: Reassure django_auth_ldap". The remaining one had no test coverage -- the case that leads to it had a narrow unit test, but no test had the exception actually propagate here. As a result, the clause was mistakenly cut, in commit 8d7f961a6 "LDAP: Remove now-impossible except clause.", which could lead to an uncaught exception in production. Restore the except clause, and add a test for it.
2017-09-27 21:30:53 +02:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_when_domain_does_not_match(self) -> None:
LDAP: Restore an except clause and add test to cover it. Most of the paths leading through this except clause were cut in 73e8bba37 "ldap auth: Reassure django_auth_ldap". The remaining one had no test coverage -- the case that leads to it had a narrow unit test, but no test had the exception actually propagate here. As a result, the clause was mistakenly cut, in commit 8d7f961a6 "LDAP: Remove now-impossible except clause.", which could lead to an uncaught exception in production. Restore the except clause, and add a test for it.
2017-09-27 21:30:53 +02:00
with self.settings(LDAP_APPEND_DOMAIN='acme.com'):
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'pass')
self.assertIs(user_profile, None)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
auth: Remove `invalid_subdomain` restriction from LDAP backend. Fixes: #11692.
2019-03-04 13:16:00 +01:00
def test_login_success_with_different_subdomain(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
auth: Remove `invalid_subdomain` restriction from LDAP backend. Fixes: #11692.
2019-03-04 13:16:00 +01:00
'fn': ['King Hamlet', ],
'sn': ['Hamlet', ],
'userPassword': ['testing', ],
Add LDAP tests.
2016-10-24 14:41:45 +02:00
}
}
auth: Remove `invalid_subdomain` restriction from LDAP backend. Fixes: #11692.
2019-03-04 13:16:00 +01:00
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
Realm.objects.create(string_id='acme')
Add LDAP tests.
2016-10-24 14:41:45 +02:00
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
auth: Remove `invalid_subdomain` restriction from LDAP backend. Fixes: #11692.
2019-03-04 13:16:00 +01:00
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com',
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
user_profile = self.backend.authenticate(self.example_email('hamlet'), 'testing',
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
realm=get_realm('acme'))
auth: Remove `invalid_subdomain` restriction from LDAP backend. Fixes: #11692.
2019-03-04 13:16:00 +01:00
self.assertEqual(user_profile.email, self.example_email('hamlet'))
Add LDAP tests.
2016-10-24 14:41:45 +02:00
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_invalid_subdomain(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ]
Add LDAP tests.
2016-10-24 14:41:45 +02:00
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=None)
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.assertIs(user_profile, None)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_success_with_valid_subdomain(self) -> None:
Add LDAP tests.
2016-10-24 14:41:45 +02:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ]
Add LDAP tests.
2016-10-24 14:41:45 +02:00
}
}
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'))
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
assert(user_profile is not None)
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
self.assertEqual(user_profile.email, self.example_email("hamlet"))
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_login_failure_due_to_deactivated_user(self) -> None:
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ]
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
}
}
user_profile = self.example_user("hamlet")
do_deactivate_user(user_profile)
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
realm=get_realm('zulip'))
self.assertIs(user_profile, None)
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
@override_settings(AUTH_LDAP_USER_ATTR_MAP={
"full_name": "cn",
"avatar": "thumbnailPhoto",
})
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
def test_login_success_when_user_does_not_exist_with_valid_subdomain(self) -> None:
RealmDomain.objects.create(realm=self.backend._realm, domain='acme.com')
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
self.mock_ldap.directory = {
'uid=nonexisting,ou=users,dc=acme,dc=com': {
'cn': ['NonExisting', ],
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ],
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
'thumbnailPhoto': [open(os.path.join(settings.STATIC_ROOT, "images/team/tim.png"), "rb").read()],
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
}
}
with self.settings(
LDAP_APPEND_DOMAIN='acme.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=acme,dc=com'):
user_profile = self.backend.authenticate('nonexisting@acme.com', 'testing',
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm=get_realm('zulip'))
mypy: Fix strict-optional errors for test files. Fix mypy --strict-optional errors in zerver/tests
2017-05-24 04:21:29 +02:00
assert(user_profile is not None)
Fix `ZulipLDAPAuthBackend` not to rely on user's email domain. In case realms have subdomains and the user hasn't been populated yet in the Django User model, `ZulipLDAPAuthBackend` should not rely on user's email domain to determine in which realm it should be created in. Fixes: #2227.
2017-01-22 11:21:27 +01:00
self.assertEqual(user_profile.email, 'nonexisting@acme.com')
self.assertEqual(user_profile.full_name, 'NonExisting')
self.assertEqual(user_profile.realm.string_id, 'zulip')
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
# Verify avatar gets created
self.assertEqual(user_profile.avatar_source, UserProfile.AVATAR_FROM_USER)
result = self.client_get(avatar_url(user_profile))
self.assertEqual(result.status_code, 200)
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_login_success_when_user_does_not_exist_with_split_full_name_mapping(self) -> None:
self.mock_ldap.directory = {
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
'uid=nonexisting,ou=users,dc=zulip,dc=com': {
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
'fn': ['Non', ],
'ln': ['Existing', ],
dev_ldap: Make `userPassword` a multi-value attribute. `fakeldap` assumes every attribute to be a multi-value attribute while making comparison in `_comapare_s()` and so while making comparisons for password it gives a false positive. The result of this was that it was possible to login in the dev environment using LDAP using a substring of the password. For example, if the LDAP password is `ldapuser1` even entering `u` would log you in.
2019-01-16 08:36:27 +01:00
'userPassword': ['testing', ],
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
}
}
with self.settings(
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
LDAP_APPEND_DOMAIN='zulip.com',
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
AUTH_LDAP_BIND_PASSWORD='',
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com',
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
AUTH_LDAP_USER_ATTR_MAP={'first_name': 'fn', 'last_name': 'ln'}):
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
user_profile = self.backend.authenticate('nonexisting@zulip.com', 'testing',
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
realm=get_realm('zulip'))
assert(user_profile is not None)
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
self.assertEqual(user_profile.email, 'nonexisting@zulip.com')
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
self.assertEqual(user_profile.full_name, 'Non Existing')
self.assertEqual(user_profile.realm.string_id, 'zulip')
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
class TestZulipLDAPUserPopulator(ZulipLDAPTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_authenticate(self) -> None:
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
backend = ZulipLDAPUserPopulator()
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
result = backend.authenticate(self.example_email("hamlet"), 'testing') # type: ignore # complains that the function does not return any value!
Add ZulipLDAPUserPopulator test.
2016-10-26 12:46:51 +02:00
self.assertIs(result, None)
Add ZulipAuthMixin tests.
2016-10-26 12:39:09 +02:00
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
def perform_ldap_sync(self, user_profile: UserProfile) -> None:
with self.settings(
LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
result = sync_user_from_ldap(user_profile)
self.assertTrue(result)
def test_update_full_name(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['New Name', ],
}
}
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
self.assertEqual(hamlet.full_name, 'New Name')
def test_update_split_full_name(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'fn': ['Full', ],
'ln': ['Name', ],
}
}
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'first_name': 'fn',
'last_name': 'ln'}):
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
self.assertEqual(hamlet.full_name, 'Full Name')
def test_same_full_name(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
}
}
with mock.patch('zerver.lib.actions.do_change_full_name') as fn:
self.perform_ldap_sync(self.example_user('hamlet'))
fn.assert_not_called()
def test_too_short_name(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['a', ],
}
}
with self.assertRaises(ZulipLDAPException):
self.perform_ldap_sync(self.example_user('hamlet'))
def test_deactivate_user(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
'userAccountControl': ['2', ],
}
}
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'userAccountControl': 'userAccountControl'}):
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
self.assertFalse(hamlet.is_active)
def test_reactivate_user(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
'userAccountControl': ['0', ],
}
}
do_deactivate_user(self.example_user('hamlet'))
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'userAccountControl': 'userAccountControl'}):
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
self.assertTrue(hamlet.is_active)
def test_update_user_avatar(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
'thumbnailPhoto': [open(os.path.join(settings.STATIC_ROOT, "images/team/tim.png"), "rb").read()]
}
}
with mock.patch('zerver.lib.upload.upload_avatar_image') as fn, \
self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'avatar': 'thumbnailPhoto'}):
self.perform_ldap_sync(self.example_user('hamlet'))
fn.assert_called_once()
hamlet = self.example_user('hamlet')
self.assertEqual(hamlet.avatar_source, UserProfile.AVATAR_FROM_USER)
ldap: Add a setting to automatically deactivate non_matching users. Fixes: #11151.
2019-01-13 13:53:52 +01:00
def test_deactivate_non_matching_users(self) -> None:
self.mock_ldap.directory = {}
with self.settings(LDAP_APPEND_DOMAIN='zulip.com',
AUTH_LDAP_BIND_PASSWORD='',
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com',
LDAP_DEACTIVATE_NON_MATCHING_USERS=True):
result = sync_user_from_ldap(self.example_user('hamlet'))
self.assertFalse(result)
hamlet = self.example_user('hamlet')
self.assertFalse(hamlet.is_active)
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
def test_update_custom_profile_field(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
'phoneNumber': ['123456789', ],
'birthDate': ['1900-09-08', ],
}
}
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'custom_profile_field__phone_number': 'phoneNumber',
'custom_profile_field__birthday': 'birthDate'}):
self.perform_ldap_sync(self.example_user('hamlet'))
hamlet = self.example_user('hamlet')
test_data = [
{
'field_name': 'Phone number',
'expected_value': '123456789',
},
{
'field_name': 'Birthday',
'expected_value': '1900-09-08',
},
]
for test_case in test_data:
field = CustomProfileField.objects.get(realm=hamlet.realm, name=test_case['field_name'])
field_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=field).value
self.assertEqual(field_value, test_case['expected_value'])
def test_update_non_existent_profile_field(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
'phoneNumber': ['123456789', ],
}
}
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'custom_profile_field__non_existent': 'phoneNumber'}):
with self.assertRaisesRegex(ZulipLDAPException, 'Custom profile field with name non_existent not found'):
self.perform_ldap_sync(self.example_user('hamlet'))
def test_update_custom_profile_field_invalid_data(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
'birthDate': ['123456789', ],
}
}
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'custom_profile_field__birthday': 'birthDate'}):
with self.assertRaisesRegex(ZulipLDAPException, 'Invalid data for birthday field'):
self.perform_ldap_sync(self.example_user('hamlet'))
def test_update_custom_profile_field_no_mapping(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
'birthDate': ['1990-01-01', ],
}
}
hamlet = self.example_user('hamlet')
no_op_field = CustomProfileField.objects.get(realm=hamlet.realm, name='Phone number')
expected_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=no_op_field).value
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'custom_profile_field__birthday': 'birthDate'}):
self.perform_ldap_sync(self.example_user('hamlet'))
actual_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=no_op_field).value
self.assertEqual(actual_value, expected_value)
def test_update_custom_profile_field_no_update(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
'phoneNumber': ['new-number', ],
'birthDate': ['1990-01-01', ],
}
}
hamlet = self.example_user('hamlet')
phone_number_field = CustomProfileField.objects.get(realm=hamlet.realm, name='Phone number')
birthday_field = CustomProfileField.objects.get(realm=hamlet.realm, name='Birthday')
phone_number_field_value = CustomProfileFieldValue.objects.get(user_profile=hamlet,
field=phone_number_field)
phone_number_field_value.value = 'new-number'
phone_number_field_value.save(update_fields=['value'])
expected_call_args = [hamlet, [
{
'id': birthday_field.id,
'value': '1990-01-01',
},
]]
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'custom_profile_field__birthday': 'birthDate',
'custom_profile_field__phone_number': 'phoneNumber'}):
with mock.patch('zproject.backends.do_update_user_custom_profile_data') as f:
self.perform_ldap_sync(self.example_user('hamlet'))
f.assert_called_once_with(*expected_call_args)
ldap: Continue syncing other fields even if a field is missing. Earlier the behavior was to raise an exception thereby stopping the whole sync. Now we log an error message and skip the field. Also fixes the `query_ldap` command to report missing fields without error. Fixes: #11780.
2019-03-05 09:40:40 +01:00
def test_update_custom_profile_field_not_present_in_ldap(self) -> None:
self.mock_ldap.directory = {
'uid=hamlet,ou=users,dc=zulip,dc=com': {
'cn': ['King Hamlet', ],
}
}
hamlet = self.example_user('hamlet')
no_op_field = CustomProfileField.objects.get(realm=hamlet.realm, name='Birthday')
expected_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=no_op_field).value
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'custom_profile_field__birthday': 'birthDate'}):
self.perform_ldap_sync(self.example_user('hamlet'))
actual_value = CustomProfileFieldValue.objects.get(user_profile=hamlet, field=no_op_field).value
self.assertEqual(actual_value, expected_value)
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
class TestQueryLDAP(ZulipLDAPTestCase):
class _LDAPUser:
attrs = {
'cn': ['King Hamlet', ],
'sn': ['Hamlet', ],
'thumbnailPhoto': [open(os.path.join(settings.STATIC_ROOT, "images/team/tim.png"), "rb").read()],
'birthDate': ['1990-01-01', ],
'twitter': ['@handle', ],
}
def __init__(self, backend: LDAPBackend, username: str) -> None:
super().__init__()
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',))
def test_ldap_not_configured(self) -> None:
values = query_ldap(self.example_email('hamlet'))
self.assertEqual(values, ['LDAP backend not configured on this server.'])
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_user_not_present(self) -> None:
values = query_ldap(self.example_email('hamlet'))
self.assertEqual(values, ['No such user found'])
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_normal_query(self) -> None:
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'short_name': 'sn',
'avatar': 'thumbnailPhoto',
'custom_profile_field__birthday': 'birthDate',
'custom_profile_field__phone_number': 'phoneNumber',
'custom_profile_field__twitter': 'twitter'}), \
mock.patch('zproject.backends._LDAPUser', self._LDAPUser, create=True):
values = query_ldap(self.example_email('hamlet'))
self.assertEqual(len(values), 6)
self.assertIn('full_name: King Hamlet', values)
self.assertIn('short_name: Hamlet', values)
self.assertIn('avatar: (An avatar image file)', values)
self.assertIn('custom_profile_field__birthday: 1990-01-01', values)
self.assertIn('custom_profile_field__phone_number: LDAP field not present', values)
self.assertIn('custom_profile_field__twitter: @handle', values)
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
def test_query_email_attr(self) -> None:
self._LDAPUser.attrs = {
'cn': ['King Hamlet', ],
'sn': ['Hamlet', ],
'email_attr': ['separate_email@zulip.com', ],
}
with self.settings(AUTH_LDAP_USER_ATTR_MAP={'full_name': 'cn',
'short_name': 'sn'},
LDAP_EMAIL_ATTR='email_attr'), \
mock.patch('zproject.backends._LDAPUser', self._LDAPUser, create=True):
values = query_ldap(self.example_email('hamlet'))
self.assertEqual(len(values), 3)
self.assertIn('full_name: King Hamlet', values)
self.assertIn('short_name: Hamlet', values)
self.assertIn('email: separate_email@zulip.com', values)
Add ZulipAuthMixin tests.
2016-10-26 12:39:09 +02:00
class TestZulipAuthMixin(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_get_user(self) -> None:
Add ZulipAuthMixin tests.
2016-10-26 12:39:09 +02:00
backend = ZulipAuthMixin()
result = backend.get_user(11111)
self.assertIs(result, None)
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
class TestPasswordAuthEnabled(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_password_auth_enabled_for_ldap(self) -> None:
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',)):
Remove unnecessary uses of Realm.domain in zerver/tests.
2017-01-08 20:24:05 +01:00
realm = Realm.objects.get(string_id='zulip')
Add tests for password_auth_enabled function.
2016-10-26 13:50:00 +02:00
self.assertTrue(password_auth_enabled(realm))
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
class TestRequireEmailFormatUsernames(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_ldap_with_append_domain(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
LDAP_APPEND_DOMAIN="zulip.com"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_ldap_with_email_attr(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',),
LDAP_EMAIL_ATTR="email"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_email_only(self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',)):
realm = Realm.objects.get(string_id='zulip')
self.assertTrue(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_email_and_ldap_with_email_attr(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.ZulipLDAPAuthBackend'),
LDAP_EMAIL_ATTR="email"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_require_email_format_usernames_for_email_and_ldap_with_append_email(
self) -> None:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.EmailAuthBackend',
'zproject.backends.ZulipLDAPAuthBackend'),
LDAP_APPEND_DOMAIN="zulip.com"):
realm = Realm.objects.get(string_id='zulip')
self.assertFalse(require_email_format_usernames(realm))
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
class TestMaybeSendToRegistration(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_sso_only_when_preregistration_user_does_not_exist(self) -> None:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
rf = RequestFactory()
request = rf.get('/')
request.session = {}
request.user = None
# Creating a mock Django form in order to keep the test simple.
# This form will be returned by the create_hompage_form function
# and will always be valid so that the code that we want to test
# actually runs.
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class Form:
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def is_valid(self) -> bool:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
return True
with self.settings(ONLY_SSO=True):
Refactor views.create_homepage_form into its callers. The indirection is no longer that useful, and obscures Django's conventional style for calling a form.
2016-12-24 04:35:58 +01:00
with mock.patch('zerver.views.auth.HomepageForm', return_value=Form()):
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
self.assertEqual(PreregistrationUser.objects.all().count(), 0)
auth: Refactor login_or_register_remote_user interface. By moving all of the logic related to the is_signup flag into maybe_send_to_registration, we make the login_or_register_remote_user function quite clean and readable. The next step is to make maybe_send_to_registration less of a disaster.
2018-04-22 23:58:37 +02:00
result = maybe_send_to_registration(request, self.example_email("hamlet"), is_signup=True)
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
self.assertEqual(PreregistrationUser.objects.all().count(), 1)
tests: Improve test coverage of templates. Addresses part of #1677.
2016-12-01 08:54:21 +01:00
result = self.client_get(result.url)
self.assert_in_response('action="/accounts/register/"', result)
self.assert_in_response('value="{0}" name="key"'.format(confirmation_key), result)
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_sso_only_when_preregistration_user_exists(self) -> None:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
rf = RequestFactory()
request = rf.get('/')
request.session = {}
request.user = None
# Creating a mock Django form in order to keep the test simple.
# This form will be returned by the create_hompage_form function
# and will always be valid so that the code that we want to test
# actually runs.
zerver/tests: Remove inheritance from object.
2017-11-05 11:49:43 +01:00
class Form:
zerver/tests: Use python 3 syntax for typing (part 3).
2017-11-19 04:02:03 +01:00
def is_valid(self) -> bool:
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
return True
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
email = self.example_email("hamlet")
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
user = PreregistrationUser(email=email)
user.save()
with self.settings(ONLY_SSO=True):
Refactor views.create_homepage_form into its callers. The indirection is no longer that useful, and obscures Django's conventional style for calling a form.
2016-12-24 04:35:58 +01:00
with mock.patch('zerver.views.auth.HomepageForm', return_value=Form()):
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
self.assertEqual(PreregistrationUser.objects.all().count(), 1)
auth: Refactor login_or_register_remote_user interface. By moving all of the logic related to the is_signup flag into maybe_send_to_registration, we make the login_or_register_remote_user function quite clean and readable. The next step is to make maybe_send_to_registration less of a disaster.
2018-04-22 23:58:37 +02:00
result = maybe_send_to_registration(request, email, is_signup=True)
Add tests for maybe_send_to_registration function.
2016-10-26 14:40:14 +02:00
self.assertEqual(result.status_code, 302)
confirmation = Confirmation.objects.all().first()
confirmation_key = confirmation.confirmation_key
self.assertIn('do_confirm/' + confirmation_key, result.url)
self.assertEqual(PreregistrationUser.objects.all().count(), 1)
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
class TestAdminSetBackends(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_change_enabled_backends(self) -> None:
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Log in as admin
Replace iago@zulip.com with example_email('iago').
2017-05-25 01:44:04 +02:00
self.login(self.example_email("iago"))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
result = self.client_patch("/json/realm", {
'authentication_methods': ujson.dumps({u'Email': False, u'Dev': True})})
self.assert_json_success(result)
Rename models.get_realm_by_string_id to get_realm. Finishes the refactoring started in c1bbd8d. The goal of the refactoring is to change the argument to get_realm from a Realm.domain to a Realm.string_id. The steps were * Add a new function, get_realm_by_string_id. * Change all calls to get_realm to use get_realm_by_string_id instead. * Remove get_realm. * (This commit) Rename get_realm_by_string_id to get_realm. Part of a larger migration to remove the Realm.domain field entirely.
2017-01-04 05:30:48 +01:00
realm = get_realm('zulip')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assertFalse(password_auth_enabled(realm))
TestAdminSetBackends: Supply dev_auth_enabled() with realm argument. This fixes the fact that these tests were not correctly running against the actual realm.
2016-11-07 21:20:55 +01:00
self.assertTrue(dev_auth_enabled(realm))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_disable_all_backends(self) -> None:
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Log in as admin
Replace iago@zulip.com with example_email('iago').
2017-05-25 01:44:04 +02:00
self.login(self.example_email("iago"))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
result = self.client_patch("/json/realm", {
pep8: Fix E203 violations
2016-12-02 00:08:34 +01:00
'authentication_methods': ujson.dumps({u'Email': False, u'Dev': False})})
admin: Make an error about auth settings not mimic auth errors. This error isn't saying that any kind of authentication or authorization failed -- it's just a validation error like any other validation error in the values the user is asking to set. The thought of authentication comes into it only because the setting happens to be *about* authentication. Fix the error to look like the other validation errors around it, rather than give a 403 HTTP status code and a "reason" field that mimics the "reason" fields in `api_fetch_api_key`.
2017-07-25 02:28:33 +02:00
self.assert_json_error(result, 'At least one authentication method must be enabled.')
Rename models.get_realm_by_string_id to get_realm. Finishes the refactoring started in c1bbd8d. The goal of the refactoring is to change the argument to get_realm from a Realm.domain to a Realm.string_id. The steps were * Add a new function, get_realm_by_string_id. * Change all calls to get_realm to use get_realm_by_string_id instead. * Remove get_realm. * (This commit) Rename get_realm_by_string_id to get_realm. Part of a larger migration to remove the Realm.domain field entirely.
2017-01-04 05:30:48 +01:00
realm = get_realm('zulip')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assertTrue(password_auth_enabled(realm))
TestAdminSetBackends: Supply dev_auth_enabled() with realm argument. This fixes the fact that these tests were not correctly running against the actual realm.
2016-11-07 21:20:55 +01:00
self.assertTrue(dev_auth_enabled(realm))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_supported_backends_only_updated(self) -> None:
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Log in as admin
Replace iago@zulip.com with example_email('iago').
2017-05-25 01:44:04 +02:00
self.login(self.example_email("iago"))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Set some supported and unsupported backends
result = self.client_patch("/json/realm", {
pep8: Fix E203 violations
2016-12-02 00:08:34 +01:00
'authentication_methods': ujson.dumps({u'Email': False, u'Dev': True, u'GitHub': False})})
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assert_json_success(result)
Rename models.get_realm_by_string_id to get_realm. Finishes the refactoring started in c1bbd8d. The goal of the refactoring is to change the argument to get_realm from a Realm.domain to a Realm.string_id. The steps were * Add a new function, get_realm_by_string_id. * Change all calls to get_realm to use get_realm_by_string_id instead. * Remove get_realm. * (This commit) Rename get_realm_by_string_id to get_realm. Part of a larger migration to remove the Realm.domain field entirely.
2017-01-04 05:30:48 +01:00
realm = get_realm('zulip')
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
# Check that unsupported backend is not enabled
self.assertFalse(github_auth_enabled(realm))
TestAdminSetBackends: Supply dev_auth_enabled() with realm argument. This fixes the fact that these tests were not correctly running against the actual realm.
2016-11-07 21:20:55 +01:00
self.assertTrue(dev_auth_enabled(realm))
admin: Enable admins to toggle supported auth methods via UI. Add a table to the administration page that will allow realm admins to activate and deactivate the supported authentication methods for that realm.
2016-11-02 21:51:56 +01:00
self.assertFalse(password_auth_enabled(realm))
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
class EmailValidatorTestCase(ZulipTestCase):
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_valid_email(self) -> None:
Replace hamlet@zulip.com with example_email('hamlet').
2017-05-25 01:40:26 +02:00
validate_login_email(self.example_email("hamlet"))
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_invalid_email(self) -> None:
validator.py: Create a validator for login email. This validator raises JsonableError exception. Fixes: #2748
2017-04-10 08:06:10 +02:00
with self.assertRaises(JsonableError):
validate_login_email(u'hamlet')
auth.py: Add confirmation handlers for signup. These handlers will kick into action when is_signup is False. In case the account exists, the user will be logged in, otherwise, user will be asked if they want to proceed to registration.
2017-04-20 08:25:15 +02:00
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
def test_validate_email(self) -> None:
inviter = self.example_user('hamlet')
cordelia = self.example_user('cordelia')
error, _ = validate_email(inviter, 'fred+5555@zulip.com')
self.assertIn('containing + are not allowed', error)
_, error = validate_email(inviter, cordelia.email)
self.assertEqual(error, 'Already has an account.')
cordelia.is_active = False
cordelia.save()
_, error = validate_email(inviter, cordelia.email)
invitations: Fix email validation errors for deactivated accounts. This provides a much clearer error message when trying to invite a user who has a deactivated account. Fixes part of #8144.
2019-02-14 13:59:23 +01:00
self.assertEqual(error, 'Account has been deactivated.')
tests: Add direct coverage to validate_email(). These direct tests add some line coverage.
2018-08-14 22:17:23 +02:00
_, error = validate_email(inviter, 'fred-is-fine@zulip.com')
self.assertEqual(error, None)
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
class LDAPBackendTest(ZulipTestCase):
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
zerver/tests: Use python 3 syntax for typing (final).
2017-11-17 10:47:43 +01:00
def test_non_existing_realm(self) -> None:
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
email = self.example_email('hamlet')
data = {'username': email, 'password': initial_password(email)}
error_type = ZulipLDAPAuthBackend.REALM_IS_NONE_ERROR
error = ZulipLDAPConfigurationError('Realm is None', error_type)
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
with mock.patch('zproject.backends.ZulipLDAPAuthBackend.get_or_build_user',
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
side_effect=error), \
mock.patch('django_auth_ldap.backend._LDAPUser._authenticate_user_dn'):
response = self.client_post('/login/', data)
self.assertEqual(response.status_code, 302)
self.assertEqual(response.url, reverse('ldap_error_realm_is_none'))
response = self.client_get(response.url)
self.assert_in_response('You are trying to login using LDAP '
'without creating an',
response)