added tests for modifying user permissions

This commit is contained in:
Simon Pirkelmann 2022-01-30 21:54:35 +01:00
parent ee6ee0e111
commit 080ea0f3b0

View File

@ -1,7 +1,10 @@
import pytest
from bs4 import BeautifulSoup
from flask_security.utils import find_user
from imaginaerraum_door_admin.door_handle import DoorHandle
import re
import secrets
def test_login(browser, live_server):
response = browser.get(f'http://localhost:{live_server.port}')
@ -10,15 +13,15 @@ def test_login(browser, live_server):
response = browser.get(f'http://localhost:{live_server.port}/login')
email_form = browser.find_element_by_id('email').send_keys('gandalf@shire.me')
password_form = browser.find_element_by_id('password').send_keys('shadowfax')
submit_button = browser.find_element_by_id('submit').click()
email_form = browser.find_element('id', 'email').send_keys('gandalf@shire.me')
password_form = browser.find_element('id', 'password').send_keys('shadowfax')
submit_button = browser.find_element('id', 'submit').click()
assert 'Tür öffnen' in browser.page_source
def extract_csrf_token(response):
soup = BeautifulSoup(response.data)
soup = BeautifulSoup(response.data, 'html.parser')
csrf_token = soup.find('input', attrs={'id': 'csrf_token'})['value']
return csrf_token
@ -39,7 +42,7 @@ def headless_login(client, user='gandalf@shire.me', password='shadowfax'):
def test_login_headless(client):
response = headless_login(client)
soup = BeautifulSoup(response.data)
soup = BeautifulSoup(response.data, 'html.parser')
# make sure login succeeded -> Tür öffnen button will appear
assert any(['Tür öffnen' in link.contents[0] for link in soup.findAll('a', attrs={'class': ['btn'], 'role': 'button'})])
@ -52,6 +55,7 @@ def client_authenticated(client):
yield client
@pytest.mark.parametrize("url,function", [('/open', 'open_door'), ('/close', 'close_door')])
def test_access_door_button(client_authenticated, mocker, url, function):
mocker.patch('imaginaerraum_door_admin.door_handle.DoorHandle.' + function)
@ -87,14 +91,14 @@ def test_manage_admins(client_authenticated):
assert "gandalf@shire.me" in response.data.decode()
def test_create_admin(client_authenticated):
def create_user(client_authenticated, username, email):
# visit admin management page
response = client_authenticated.get('/manage_admins')
csrf_token = extract_csrf_token(response)
# post data for creating a new admin
payload = {'name': 'bilbo',
'email': 'bilbo@shire.me',
payload = {'name': username,
'email': email,
'csrf_token': csrf_token}
response = client_authenticated.post('/manage_admins', data=payload,
follow_redirects=True)
@ -107,18 +111,167 @@ def test_create_admin(client_authenticated):
assert match is not None
extracted_password = match['password']
return extracted_password
@pytest.fixture
def temp_user(client_authenticated):
"""Fixture for creating a temporary user for testing"""
username = secrets.token_hex(4)
email = username + '@example.com'
# create user for test
password = create_user(client_authenticated, username, email)
return {'username': username,
'email': email,
'password': password}
@pytest.fixture
def temp_admin(client_authenticated):
"""Fixture for creating a temporary admin user for testing"""
username = secrets.token_hex(4)
email = username + '@example.com'
# create user for test
password = create_user(client_authenticated, username, email)
response = client_authenticated.get(
f"/promote_admin/{username}",
follow_redirects=True)
user = find_user(username)
assert user.has_role('admin')
return {'username': username,
'email': email,
'password': password}
def test_create_admin(client_authenticated):
password = create_user(client_authenticated, 'bilbo', 'bilbo@shire.me')
# log out current user
response = client_authenticated.get('/logout')
# try to log in new user using the extracted password
response = headless_login(client_authenticated, user='bilbo',
password=extracted_password)
password=password)
# - see if it works
soup = BeautifulSoup(response.data)
soup = BeautifulSoup(response.data, 'html.parser')
# make sure login succeeded
# -> username should be displayed
assert 'Benutzer <span>bilbo</span>' in soup.decode()
# -> Tür öffnen button will appear
assert any(['Tür öffnen' in link.contents[0] for link in soup.findAll('a', attrs={'class': ['btn'], 'role': 'button'})])
assert any(['Tür öffnen' in link.contents[0] for link in
soup.findAll('a', attrs={'class': ['btn'], 'role': 'button'})])
def test_activate_deactivate_user(temp_user, client_authenticated):
response = client_authenticated.get('/admin_toggle_active/nosuchuser',
follow_redirects=True)
assert 'Ungültiger Nutzer' in response.data.decode()
# deactivate the user
response = client_authenticated.get(f"/admin_toggle_active/{temp_user['username']}",
follow_redirects=True)
# make sure the user is now inactive
user = find_user(temp_user['username'])
assert user is not None
assert not user.active
# activate the user again
client_authenticated.get(f"/admin_toggle_active/{temp_user['username']}",
follow_redirects=True)
# now the user should be active again
user = find_user(temp_user['username'])
assert user is not None
assert user.active
def test_delete_admin(temp_user, client_authenticated):
# first we test deleting a non-existing user
response = client_authenticated.post('/delete_admins/nosuchuser',
follow_redirects=True)
assert 'Ungültiger Nutzer' in response.data.decode()
# next, we create a temporary user and try to delete that one
response = client_authenticated.post(f"/delete_admins/{temp_user['username']}",
follow_redirects=True)
# we need to deactivate the user first
assert 'Bitte den Benutzer zuerst deaktivieren.' in response.data.decode()
# make sure the user still exists
user = find_user(temp_user['username'])
assert user is not None
# deactivate the user and try deleting it again
response = client_authenticated.get(f"/admin_toggle_active/{temp_user['username']}",
follow_redirects=True)
# try deleting it without filling in the confirmation form
response = client_authenticated.post(f"/delete_admins/{temp_user['username']}",
follow_redirects=True)
assert 'Der eingegebene Nutzername stimmt nicht überein' in response.data.decode()
# make sure the user still exists
user = find_user(temp_user['username'])
assert user is not None
# now we send the confirmation data with the request
response = client_authenticated.get(f"/delete_admins/{temp_user['username']}",
follow_redirects=True)
csrf_token = extract_csrf_token(response)
payload = {'name': temp_user['username'], 'csrf_token': csrf_token}
response = client_authenticated.post(
f"/delete_admins/{temp_user['username']}",
data=payload,
follow_redirects=True)
assert f"Benutzer {temp_user['username']} wurde gelöscht." in response.data.decode()
# make sure the user now is gone
user = find_user(temp_user['username'])
assert user is None
def test_promote_user(temp_user, client_authenticated):
# first we test with a non-existing user
response = client_authenticated.get('/promote_admin/nosuchuser',
follow_redirects=True)
assert 'Ungültiger Nutzer' in response.data.decode()
user = find_user(temp_user['username'])
assert user is not None
assert not user.has_role('admin')
# grant admin permissions to test user
response = client_authenticated.get(f"/promote_admin/{temp_user['username']}",
follow_redirects=True)
assert user.has_role('admin')
# try granting admin permissions again
response = client_authenticated.get(f"/promote_admin/{temp_user['username']}",
follow_redirects=True)
assert f"Benutzer {temp_user['username']} hat bereits Admin-Rechte!"
assert user.has_role('admin')
def test_demote_user(temp_admin, client_authenticated):
# first we test with a non-existing user
response = client_authenticated.get('/demote_admin/nosuchuser',
follow_redirects=True)
assert 'Ungültiger Nutzer' in response.data.decode()
user = find_user(temp_admin['username'])
assert user.has_role('admin')
# try removing admin permissions
response = client_authenticated.get(f"/demote_admin/{temp_admin['username']}",
follow_redirects=True)
assert not user.has_role('admin')
# try removing admin permissions
response = client_authenticated.get(f"/demote_admin/{temp_admin['username']}",
follow_redirects=True)
assert f"Benutzer {temp_admin['username']} ist bereits kein Admin!"
assert not user.has_role('admin')