You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
97 lines
3.2 KiB
97 lines
3.2 KiB
import time
|
|
from unittest.mock import patch
|
|
|
|
from hc.api.models import TokenBucket
|
|
from hc.test import BaseTestCase
|
|
|
|
|
|
class LoginTotpTestCase(BaseTestCase):
|
|
def setUp(self):
|
|
super().setUp()
|
|
|
|
# This is the user we're trying to authenticate
|
|
session = self.client.session
|
|
session["2fa_user"] = [self.alice.id, self.alice.email, (time.time()) + 300]
|
|
session.save()
|
|
|
|
self.profile.totp = "0" * 32
|
|
self.profile.save()
|
|
|
|
self.url = "/accounts/login/two_factor/totp/"
|
|
self.checks_url = f"/projects/{self.project.code}/checks/"
|
|
|
|
def test_it_shows_form(self):
|
|
r = self.client.get(self.url)
|
|
self.assertContains(r, "Please enter the six-digit code")
|
|
|
|
def test_it_requires_unauthenticated_user(self):
|
|
self.client.login(username="[email protected]", password="password")
|
|
|
|
r = self.client.get(self.url)
|
|
self.assertEqual(r.status_code, 400)
|
|
|
|
def test_it_requires_totp_secret(self):
|
|
self.profile.totp = None
|
|
self.profile.save()
|
|
|
|
r = self.client.get(self.url)
|
|
self.assertEqual(r.status_code, 400)
|
|
|
|
def test_it_rejects_changed_email(self):
|
|
session = self.client.session
|
|
session["2fa_user"] = [self.alice.id, "[email protected]", int(time.time())]
|
|
session.save()
|
|
|
|
r = self.client.get(self.url)
|
|
self.assertEqual(r.status_code, 400)
|
|
|
|
def test_it_rejects_old_timestamp(self):
|
|
session = self.client.session
|
|
session["2fa_user"] = [self.alice.id, self.alice.email, int(time.time()) - 310]
|
|
session.save()
|
|
|
|
r = self.client.get(self.url)
|
|
self.assertRedirects(r, "/accounts/login/")
|
|
|
|
@patch("hc.accounts.views.pyotp.totp.TOTP")
|
|
def test_it_logs_in(self, mock_TOTP):
|
|
mock_TOTP.return_value.verify.return_value = True
|
|
|
|
r = self.client.post(self.url, {"code": "000000"})
|
|
self.assertRedirects(r, self.checks_url)
|
|
|
|
self.assertNotIn("2fa_user_id", self.client.session)
|
|
|
|
@patch("hc.accounts.views.pyotp.totp.TOTP")
|
|
def test_it_redirects_after_login(self, mock_TOTP):
|
|
mock_TOTP.return_value.verify.return_value = True
|
|
|
|
url = self.url + "?next=" + self.channels_url
|
|
r = self.client.post(url, {"code": "000000"})
|
|
self.assertRedirects(r, self.channels_url)
|
|
|
|
@patch("hc.accounts.views.pyotp.totp.TOTP")
|
|
def test_it_handles_authentication_failure(self, mock_TOTP):
|
|
mock_TOTP.return_value.verify.return_value = False
|
|
|
|
r = self.client.post(self.url, {"code": "000000"})
|
|
self.assertContains(r, "The code you entered was incorrect.")
|
|
|
|
def test_it_uses_rate_limiting(self):
|
|
obj = TokenBucket(value=f"totp-{self.alice.id}")
|
|
obj.tokens = 0
|
|
obj.save()
|
|
|
|
r = self.client.post(self.url, {"code": "000000"})
|
|
self.assertContains(r, "Too Many Requests")
|
|
|
|
@patch("hc.accounts.views.pyotp.totp.TOTP")
|
|
def test_it_rejects_used_code(self, mock_TOTP):
|
|
mock_TOTP.return_value.verify.return_value = True
|
|
|
|
obj = TokenBucket(value=f"totpc-{self.alice.id}-000000")
|
|
obj.tokens = 0
|
|
obj.save()
|
|
|
|
r = self.client.post(self.url, {"code": "000000"})
|
|
self.assertContains(r, "Too Many Requests")
|