Mercurial Repository: p/roundup/code: test/test

comparison test/test_liveserver.py @ 8412:0663a7bcef6c reauth-confirm_id

feat: finish reauth docs, enhance code. Decided to keep name Reauth for now. admin_guide.txt: add reference mark to roundup admin help. Used for template command reference in upgrading.txt. customizing.txt: added worked example of adding a reauth auditor for address and password. Also links to OWASP recommendations. Added link to example code in design.doc on detectors. glossary.txt: reference using roundup-admin template command in def for tracker templates. pydoc.txt: Added methods for Client class. Added class and methods for (cgi) Action, LoginAction and ReauthAction. reference.txt Edited and restructured detector section. Added section on registering a detector and priority use/execution order. (reference to design doc was used before). Added/enhanced description of exception an auditor can raise (includes Reauth). Added section on Reauth implementation and use (Confirming the User). Also has paragraph on future ideas. upgrading.txt Stripped down the original section. Moved a lot to reference.txt. Referenced customizing example, mention installation of _generic.reauth.html and reference reference.txt. cgi/actions.py: fixed bad ReST that was breaking pydoc.txt processing changed doc on limitations of Reauth code. added docstring for Reauth::verifyPassword cgi/client.py: fix ReST for a method breaking pydoc.py processing cgi/templating.py: fix docstring on embed_form_fields templates/*/html/_generic.reauth.html disable spelling for password field add timing info to the javascript function that processes file data. reformat javascript IIFE templates/jinja2/html/_generic.reauth.html create a valid jinja2 template. Looks like my original jinja template got overwritten and committed. feature parity with the other reauth templates. test/test_liveserver.py add test case for Reauth workflow. Makefile add doc.

author	John Rouillard <rouilj@ieee.org>
date	Wed, 13 Aug 2025 23:52:49 -0400
parents	51f277ed8adc
children	cc3edb260c1b

comparison

equal deleted inserted replaced

-:ef1ea918b07a
+:0663a7bcef6c
 from roundup import password
 from roundup.anypy.strings import b2s
 from roundup.cgi.wsgi_handler import RequestDispatcher
 from .wsgi_liveserver import LiveServerTestCase
 from . import db_test_base
+from textwrap import dedent
 from time import sleep
 from .test_postgresql import skip_postgresql
 from wsgiref.validate import validator
 '''
 # tests in this class.
 # set up and open a tracker
 cls.instance = db_test_base.setupTracker(cls.dirname, cls.backend)
+# add an auditor that triggers a Reauth
+with open("%s/detectors/reauth.py" % cls.dirname, "w") as f:
+auditor = dedent("""
+from roundup.cgi.exceptions import Reauth
+def trigger_reauth(db, cl, nodeid, newvalues):
+if 'realname' in newvalues and not hasattr(db, 'reauth_done'):
+raise Reauth('Add an optional message to the user')
+def init(db):
+db.user.audit('set', trigger_reauth, priority=110)
+""")
+f.write(auditor)
 # open the database
 cls.db = cls.instance.open('admin')
 # add a user without edit access for status.
 cls.db.user.create(username="fred", roles='User',
 password=password.Password('sekrit'), address='fred@example.com')
+# add a user for reauth tests
+cls.db.user.create(username="reauth",
+realname="reauth test user",
+password=password.Password("reauth"),
+address="reauth@example.com", roles="User")
 # set the url the test instance will run at.
 cls.db.config['TRACKER_WEB'] = cls.tracker_web
 # set up mailhost so errors get reported to debuging capture file
 cls.db.config.MAILHOST = "localhost"
 cls.db.config.MAIL_HOST = "localhost"
 cls.db.config.MAIL_DEBUG = "../_test_tracker_mail.log"
+# also report it in the web.
+cls.db.config.WEB_DEBUG = "yes"
 # added to enable csrf forgeries/CORS to be tested
 cls.db.config.WEB_CSRF_ENFORCE_HEADER_ORIGIN = "required"
 cls.db.config.WEB_ALLOWED_API_ORIGINS = "https://client.com"
 cls.db.config['WEB_CSRF_ENFORCE_HEADER_X-REQUESTED-WITH'] = "required"
 class BaseTestCases(WsgiSetup, ClientSetup):
 """Class with all tests to run against wsgi server. Is reused when
 wsgi server is started with various feature flags
 """
+def test_reauth_workflow(self):
+"""as admin user:
+change reauth user realname include all fields on the form
+also add a dummy file to the submitted request.
+get back a reauth page/template (look for id="reauth_form")
+verify hidden input for realname
+verify hidden input for roles
+verify the base 64 file content are on the page.
+submit form with bad password
+verify error reported
+verify hidden input for realname
+(note the file contents will be gone because
+preserving that requires javascript)
+enter good password
+verify on user page (look for
+"(the default is 0)" hint for timezone)
+verify new name present
+verify success banner
+"""
+from html.parser import HTMLParser
+class HTMLExtractForm(HTMLParser):
+"""Custom parser to extract input fields from a form.
+Set the form_label to extract inputs only inside a form
+with a name or id matching form_label. Default is
+"reauth_form".
+Set names to a tuple/list/set with the names of the
+inputs you are interested in. Defalt is None which
+extracts all inputs on the page with a name property.
+"""
+def __init__(self, names=None, form_label="reauth_form"):
+super().__init__()
+self.fields = {}
+self.names = names
+self.form_label = form_label
+self._inside_form = False
+def handle_starttag(self, tag, attrs):
+if tag == 'form':
+for attr, value in attrs:
+if attr in ('id', 'name') and value == self.form_label:
+self._inside_form = True
+return
+if not self._inside_form: return
+if tag == 'input':
+field_name = None
+field_value = None
+for attr, value in attrs:
+if attr == 'name':
+field_name = value
+if attr == 'value':
+field_value = value
+# skip input type="submit" without name
+if not field_name: return
+if self.names is None:
+self.fields[field_name] = field_value
+elif field_name in self.names:
+self.fields[field_name] = field_value
+def handle_endtag(self, tag):
+if tag == "form":
+self._inside_form = False
+def get_fields(self):
+return self.fields
+user_url = "%s/user%s" % (self.url_base(),
+self.db.user.lookup('reauth'))
+session, _response = self.create_login_session()
+user_page = session.get(user_url)
+self.assertEqual(user_page.status_code, 200)
+self.assertTrue(b'reauth' in user_page.content)
+parser = HTMLExtractForm(('@lastactivity', '@csrf'), 'itemSynopsis')
+parser.feed(user_page.text)
+change = {"realname": "reauth1",
+"username": "reauth",
+"password": "",
+"@confirm@password": "",
+"phone": "",
+"organisation": "",
+"roles": "User",
+"timezone": "",
+"address": "reauth@example.com",
+"alternate_addresses": "",
+"@template": "item",
+"@required": "username,address",
+"@submit_button": "Submit Changes",
+"@action": "edit",
+**parser.get_fields()
+}
+lastactivity = parser.get_fields()['@lastactivity']
+# make the simple name/value dict into a name/tuple dict
+# setting tuple[0] to None to indicate pulre string
+# value. Then we use change2 with file to trigger
+# multipart/form-data form encoding which preserves fields
+# with empty values. application/x-www-form-urlencoded forms
+# have fields with empty values dropped by cgi by default.
+userpage_change = {key: (None, value) for key, value in change.items()}
+userpage_change.update({"@file": ("filename.txt", "this is some text")})
+on_reauth = session.post(user_url, files=userpage_change)
+self.assertIn(b'id="reauth_form"', on_reauth.content)
+self.assertIn(b'Please enter your password to continue with',
+on_reauth.content)
+# make sure the base64 encoded content for @file is present on
+# the page. Because we are not running a javascript capable
+# browser, it is not converted into an actual file input.
+# But this check shows that a file generated by reauth is trying
+# to maintain the file input.
+self.assertIn(b'dGhpcyBpcyBzb21lIHRleHQ=', on_reauth.content)
+parser = HTMLExtractForm()
+parser.feed(on_reauth.text)
+fields = parser.get_fields()
+self.assertEqual(fields["@lastactivity"], lastactivity)
+self.assertEqual(fields["@next_action"], "edit")
+self.assertEqual(fields["@action"], "reauth")
+self.assertEqual(fields["address"], "reauth@example.com")
+self.assertEqual(fields["phone"], "")
+self.assertEqual(fields["roles"], "User")
+self.assertEqual(fields["realname"], "reauth1")
+reauth_fields = {
+"@reauth_password": (None, "sekret not right"),
+"submit": (None, " Authorize Change "),
+}
+reauth_submit = {key: (None, value) for key, value in fields.items()}
+reauth_submit.update(reauth_fields)
+fail_reauth = session.post(user_url,
+files=reauth_submit)
+self.assertIn(b'id="reauth_form"', fail_reauth.content)
+self.assertIn(b'Please enter your password to continue with',
+fail_reauth.content)
+self.assertIn(b'Password incorrect', fail_reauth.content)
+parser = HTMLExtractForm(('@csrf',))
+parser.feed(fail_reauth.text)
+# remeber we are logged in as admin - use admin pw.
+reauth_submit.update({"@reauth_password": (None, "sekrit"),
+"@csrf":
+(None, parser.get_fields()['@csrf'])})
+pass_reauth = session.post(user_url,
+files=reauth_submit)
+self.assertNotIn(b'id="reauth_form"', pass_reauth.content)
+self.assertNotIn(b'Please enter your password to continue with',
+pass_reauth.content)
+self.assertIn(b'user 4 realname edited ok', pass_reauth.content)
+self.assertIn(b'(the default is 0)', pass_reauth.content)
 def test_cookie_attributes(self):
 session, _response = self.create_login_session()
 cookie_box = session.cookies._cookies['localhost.local']['/']
 cookie = cookie_box['roundup_session_Roundupissuetracker']

Mercurial > p > roundup > code

comparison test/test_liveserver.py @ 8412:0663a7bcef6c reauth-confirm_id