|
|
- import time
- from unittest.mock import patch
-
- from django.test.utils import override_settings
- from hc.test import BaseTestCase
-
-
- @override_settings(RP_ID="testserver")
- class LoginWebAuthnTestCase(BaseTestCase):
- def setUp(self):
- super().setUp()
-
- # This is the user we're trying to authenticate
- session = self.client.session
- session["2fa_user"] = [self.alice.id, self.alice.email, (time.time()) + 300]
- session.save()
-
- self.url = "/accounts/login/two_factor/"
- self.checks_url = f"/projects/{self.project.code}/checks/"
-
- def test_it_shows_form(self):
- r = self.client.get(self.url)
- self.assertContains(r, "Waiting for security key")
- self.assertNotContains(r, "Use the authenticator app instead?")
-
- # It should put a "state" key in the session:
- self.assertIn("state", self.client.session)
-
- def test_it_shows_totp_option(self):
- self.profile.totp = "0" * 32
- self.profile.save()
-
- r = self.client.get(self.url)
- self.assertContains(r, "Use the authenticator app instead?")
-
- def test_it_requires_unauthenticated_user(self):
- self.client.login(username="[email protected]", password="password")
-
- r = self.client.get(self.url)
- self.assertEqual(r.status_code, 400)
-
- def test_it_rejects_changed_email(self):
- session = self.client.session
- session["2fa_user"] = [self.alice.id, "[email protected]", int(time.time())]
- session.save()
-
- r = self.client.get(self.url)
- self.assertEqual(r.status_code, 400)
-
- def test_it_rejects_old_timestamp(self):
- session = self.client.session
- session["2fa_user"] = [self.alice.id, self.alice.email, int(time.time()) - 310]
- session.save()
-
- r = self.client.get(self.url)
- self.assertRedirects(r, "/accounts/login/")
-
- @override_settings(RP_ID=None)
- def test_it_requires_rp_id(self):
- r = self.client.get(self.url)
- self.assertEqual(r.status_code, 500)
-
- @patch("hc.accounts.views._check_credential")
- def test_it_logs_in(self, mock_check_credential):
- mock_check_credential.return_value = True
-
- session = self.client.session
- session["state"] = "dummy-state"
- session.save()
-
- payload = {
- "name": "My New Key",
- "credential_id": "e30=",
- "client_data_json": "e30=",
- "authenticator_data": "e30=",
- "signature": "e30=",
- }
-
- r = self.client.post(self.url, payload)
- self.assertRedirects(r, self.checks_url)
-
- self.assertNotIn("state", self.client.session)
- self.assertNotIn("2fa_user_id", self.client.session)
-
- @patch("hc.accounts.views._check_credential")
- def test_it_redirects_after_login(self, mock_check_credential):
- mock_check_credential.return_value = True
-
- session = self.client.session
- session["state"] = "dummy-state"
- session.save()
-
- payload = {
- "name": "My New Key",
- "credential_id": "e30=",
- "client_data_json": "e30=",
- "authenticator_data": "e30=",
- "signature": "e30=",
- }
-
- url = self.url + "?next=" + self.channels_url
- r = self.client.post(url, payload)
- self.assertRedirects(r, self.channels_url)
-
- @patch("hc.accounts.views._check_credential")
- def test_it_handles_bad_base64(self, mock_check_credential):
- mock_check_credential.return_value = None
-
- session = self.client.session
- session["state"] = "dummy-state"
- session.save()
-
- payload = {
- "name": "My New Key",
- "credential_id": "this is not base64 data",
- "client_data_json": "e30=",
- "authenticator_data": "e30=",
- "signature": "e30=",
- }
-
- r = self.client.post(self.url, payload)
- self.assertEqual(r.status_code, 400)
-
- @patch("hc.accounts.views._check_credential")
- def test_it_handles_authentication_failure(self, mock_check_credential):
- mock_check_credential.return_value = None
-
- session = self.client.session
- session["state"] = "dummy-state"
- session.save()
-
- payload = {
- "name": "My New Key",
- "credential_id": "e30=",
- "client_data_json": "e30=",
- "authenticator_data": "e30=",
- "signature": "e30=",
- }
-
- r = self.client.post(self.url, payload)
- self.assertEqual(r.status_code, 400)
|
