import pytest from bs4 import BeautifulSoup from flask_security.utils import find_user from imaginaerraum_door_admin.door_handle import DoorHandle import re import secrets def test_login(browser, live_server): response = browser.get(f'http://localhost:{live_server.port}') assert '

Space Zugangsverwaltung

' in browser.page_source response = browser.get(f'http://localhost:{live_server.port}/login') email_form = browser.find_element('id', 'email').send_keys('gandalf@shire.me') password_form = browser.find_element('id', 'password').send_keys('shadowfax') submit_button = browser.find_element('id', 'submit').click() assert 'Tür öffnen' in browser.page_source def extract_csrf_token(response): soup = BeautifulSoup(response.data, 'html.parser') csrf_token = soup.find('input', attrs={'id': 'csrf_token'})['value'] return csrf_token def headless_login(client, user='gandalf@shire.me', password='shadowfax'): # extract csrf token from the login page source response = client.get('/login') csrf_token = extract_csrf_token(response) # send login information payload = { 'csrf_token': csrf_token, 'email': user, 'password': password } return client.post('/login', data=payload, follow_redirects=True) def test_login_headless(client): response = headless_login(client) soup = BeautifulSoup(response.data, 'html.parser') # make sure login succeeded -> Tür öffnen button will appear assert any(['Tür öffnen' in link.contents[0] for link in soup.findAll('a', attrs={'class': ['btn'], 'role': 'button'})]) @pytest.fixture def client_authenticated(client): # log in using admin account for testing headless_login(client) yield client @pytest.mark.parametrize("url,function", [('/open', 'open_door'), ('/close', 'close_door')]) def test_access_door_button(client_authenticated, mocker, url, function): mocker.patch('imaginaerraum_door_admin.door_handle.DoorHandle.' + function) # visit route for open client_authenticated.get(url) # make sure the open method was called getattr(DoorHandle, function).assert_called_once_with(user='gandalf') @pytest.mark.parametrize("url,function", [('/open', 'open_door'), ('/close', 'close_door')]) def test_access_door_unauthenticated(client, mocker, url, function): # test for trying to visit opening/closing door while not logged in mocker.patch('imaginaerraum_door_admin.door_handle.DoorHandle.' + function) # visit route for open response = client.get(url, follow_redirects=True) # we should get redirected to login page assert 'login' in response.request.url # the open door function should not be called getattr(DoorHandle, function).assert_not_called() def test_manage_admins(client_authenticated): # visit admin management page response = client_authenticated.get('/manage_admins') assert "Nutzer Übersicht" in response.data.decode() assert "gandalf" in response.data.decode() assert "gandalf@shire.me" in response.data.decode() def create_user(client_authenticated, username, email): # visit admin management page response = client_authenticated.get('/manage_admins') csrf_token = extract_csrf_token(response) # post data for creating a new admin payload = {'name': username, 'email': email, 'csrf_token': csrf_token} response = client_authenticated.post('/manage_admins', data=payload, follow_redirects=True) # after the new admin user is created, we should have been redirected to the # /manage_admin page. there, the password for login is displayed # we test if the newly created user can log in with that password # extract password displayed on the page match = re.search('Passwort (?P.*) um', response.data.decode()) assert match is not None extracted_password = match['password'] return extracted_password @pytest.fixture def temp_user(client_authenticated): """Fixture for creating a temporary user for testing""" username = secrets.token_hex(4) email = username + '@example.com' # create user for test password = create_user(client_authenticated, username, email) return {'username': username, 'email': email, 'password': password} @pytest.fixture def temp_admin(client_authenticated): """Fixture for creating a temporary admin user for testing""" username = secrets.token_hex(4) email = username + '@example.com' # create user for test password = create_user(client_authenticated, username, email) response = client_authenticated.get( f"/promote_admin/{username}", follow_redirects=True) user = find_user(username) assert user.has_role('admin') return {'username': username, 'email': email, 'password': password} def test_create_admin(client_authenticated): password = create_user(client_authenticated, 'bilbo', 'bilbo@shire.me') # log out current user response = client_authenticated.get('/logout') # try to log in new user using the extracted password response = headless_login(client_authenticated, user='bilbo', password=password) # - see if it works soup = BeautifulSoup(response.data, 'html.parser') # make sure login succeeded # -> username should be displayed assert 'Benutzer bilbo' in soup.decode() # -> Tür öffnen button will appear assert any(['Tür öffnen' in link.contents[0] for link in soup.findAll('a', attrs={'class': ['btn'], 'role': 'button'})]) def test_activate_deactivate_user(temp_user, client_authenticated): response = client_authenticated.get('/admin_toggle_active/nosuchuser', follow_redirects=True) assert 'Ungültiger Nutzer' in response.data.decode() # deactivate the user response = client_authenticated.get(f"/admin_toggle_active/{temp_user['username']}", follow_redirects=True) # make sure the user is now inactive user = find_user(temp_user['username']) assert user is not None assert not user.active # activate the user again client_authenticated.get(f"/admin_toggle_active/{temp_user['username']}", follow_redirects=True) # now the user should be active again user = find_user(temp_user['username']) assert user is not None assert user.active def test_delete_admin(temp_user, client_authenticated): # first we test deleting a non-existing user response = client_authenticated.post('/delete_admins/nosuchuser', follow_redirects=True) assert 'Ungültiger Nutzer' in response.data.decode() # next, we create a temporary user and try to delete that one response = client_authenticated.post(f"/delete_admins/{temp_user['username']}", follow_redirects=True) # we need to deactivate the user first assert 'Bitte den Benutzer zuerst deaktivieren.' in response.data.decode() # make sure the user still exists user = find_user(temp_user['username']) assert user is not None # deactivate the user and try deleting it again response = client_authenticated.get(f"/admin_toggle_active/{temp_user['username']}", follow_redirects=True) # try deleting it without filling in the confirmation form response = client_authenticated.post(f"/delete_admins/{temp_user['username']}", follow_redirects=True) assert 'Der eingegebene Nutzername stimmt nicht überein' in response.data.decode() # make sure the user still exists user = find_user(temp_user['username']) assert user is not None # now we send the confirmation data with the request response = client_authenticated.get(f"/delete_admins/{temp_user['username']}", follow_redirects=True) csrf_token = extract_csrf_token(response) payload = {'name': temp_user['username'], 'csrf_token': csrf_token} response = client_authenticated.post( f"/delete_admins/{temp_user['username']}", data=payload, follow_redirects=True) assert f"Benutzer {temp_user['username']} wurde gelöscht." in response.data.decode() # make sure the user now is gone user = find_user(temp_user['username']) assert user is None def test_promote_user(temp_user, client_authenticated): # first we test with a non-existing user response = client_authenticated.get('/promote_admin/nosuchuser', follow_redirects=True) assert 'Ungültiger Nutzer' in response.data.decode() user = find_user(temp_user['username']) assert user is not None assert not user.has_role('admin') # grant admin permissions to test user response = client_authenticated.get(f"/promote_admin/{temp_user['username']}", follow_redirects=True) assert user.has_role('admin') # try granting admin permissions again response = client_authenticated.get(f"/promote_admin/{temp_user['username']}", follow_redirects=True) assert f"Benutzer {temp_user['username']} hat bereits Admin-Rechte!" assert user.has_role('admin') def test_demote_user(temp_admin, client_authenticated): # first we test with a non-existing user response = client_authenticated.get('/demote_admin/nosuchuser', follow_redirects=True) assert 'Ungültiger Nutzer' in response.data.decode() user = find_user(temp_admin['username']) assert user.has_role('admin') # try removing admin permissions response = client_authenticated.get(f"/demote_admin/{temp_admin['username']}", follow_redirects=True) assert not user.has_role('admin') # try removing admin permissions response = client_authenticated.get(f"/demote_admin/{temp_admin['username']}", follow_redirects=True) assert f"Benutzer {temp_admin['username']} ist bereits kein Admin!" assert not user.has_role('admin')