OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1399 Commits
13 Branches
0 Tags
45 MiB
Tree: 1b11bd6d6c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b11bd6d6c'
${ noResults }
server-tools/auth_totp/tests/test_res_users.py

202 lines
8.3 KiB
Raw Normal View History

[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. from datetime import datetime
  6. import mock
  7. import string
  8. from openerp.exceptions import ValidationError
  9. from openerp.tests.common import TransactionCase
  10. from ..exceptions import (
  11. MfaTokenError,
  12. MfaTokenInvalidError,
  13. MfaTokenExpiredError,
  14. )
  15. from ..models.res_users_authenticator import ResUsersAuthenticator
  17. DATETIME_PATH = 'openerp.addons.auth_totp.models.res_users.datetime'
  20. class TestResUsers(TransactionCase):
  22. def setUp(self):
  23. super(TestResUsers, self).setUp()
  25. self.test_user = self.env.ref('base.user_root')
  26. self.test_user.mfa_enabled = False
  27. self.test_user.authenticator_ids = False
  28. self.env.uid = self.test_user.id
  30. def test_check_enabled_with_authenticator_mfa_no_auth(self):
  31. '''Should raise correct error if MFA enabled without authenticators'''
  32. with self.assertRaisesRegexp(ValidationError, 'locked out'):
  33. self.test_user.mfa_enabled = True
  35. def test_check_enabled_with_authenticator_no_mfa_auth(self):
  36. '''Should not raise error if MFA not enabled with authenticators'''
  37. try:
  38. self.env['res.users.authenticator'].create({
  39. 'name': 'Test Name',
  40. 'secret_key': 'Test Key',
  41. 'user_id': self.test_user.id,
  42. })
  43. except ValidationError:
  44. self.fail('A ValidationError was raised and should not have been.')
  46. def test_check_enabled_with_authenticator_mfa_auth(self):
  47. '''Should not raise error if MFA enabled with authenticators'''
  48. try:
  49. self.env['res.users.authenticator'].create({
  50. 'name': 'Test Name',
  51. 'secret_key': 'Test Key',
  52. 'user_id': self.test_user.id,
  53. })
  54. self.test_user.mfa_enabled = True
  55. except ValidationError:
  56. self.fail('A ValidationError was raised and should not have been.')
  58. def test_check_credentials_no_match(self):
  59. '''Should raise appropriate error if there is no match'''
  60. with self.assertRaises(MfaTokenInvalidError):
  61. self.env['res.users'].check_credentials('invalid')
  63. @mock.patch(DATETIME_PATH)
  64. def test_check_credentials_expired(self, datetime_mock):
  65. '''Should raise appropriate error if match based on expired token'''
  66. datetime_mock.now.return_value = datetime(2016, 12, 1)
  67. self.test_user.generate_mfa_login_token()
  68. test_token = self.test_user.mfa_login_token
  69. datetime_mock.now.return_value = datetime(2017, 12, 1)
  71. with self.assertRaises(MfaTokenExpiredError):
  72. self.env['res.users'].check_credentials(test_token)
  74. def test_check_credentials_current(self):
  75. '''Should not raise error if match based on active token'''
  76. self.test_user.generate_mfa_login_token()
  77. test_token = self.test_user.mfa_login_token
  79. try:
  80. self.env['res.users'].check_credentials(test_token)
  81. except MfaTokenError:
  82. self.fail('An MfaTokenError was raised and should not have been.')
  84. def test_generate_mfa_login_token_token_field_content(self):
  85. '''Should set token field to 20 char string of ASCII letters/digits'''
  86. self.test_user.generate_mfa_login_token()
  87. test_chars = set(string.ascii_letters + string.digits)
  89. self.assertEqual(len(self.test_user.mfa_login_token), 20)
  90. self.assertTrue(set(self.test_user.mfa_login_token) <= test_chars)
  92. def test_generate_mfa_login_token_token_field_random(self):
  93. '''Should set token field to new value each time'''
  94. test_tokens = set([])
  95. for __ in xrange(3):
  96. self.test_user.generate_mfa_login_token()
  97. test_tokens.add(self.test_user.mfa_login_token)
  99. self.assertEqual(len(test_tokens), 3)
  101. @mock.patch(DATETIME_PATH)
  102. def test_generate_mfa_login_token_exp_field_default(self, datetime_mock):
  103. '''Should set token lifetime to 15 minutes if no argument provided'''
  104. datetime_mock.now.return_value = datetime(2016, 12, 1)
  105. self.test_user.generate_mfa_login_token()
  107. self.assertEqual(
  108. self.test_user.mfa_login_token_exp,
  109. '2016-12-01 00:15:00'
  110. )
  112. @mock.patch(DATETIME_PATH)
  113. def test_generate_mfa_login_token_exp_field_custom(self, datetime_mock):
  114. '''Should set token lifetime to value provided'''
  115. datetime_mock.now.return_value = datetime(2016, 12, 1)
  116. self.test_user.generate_mfa_login_token(45)
  118. self.assertEqual(
  119. self.test_user.mfa_login_token_exp,
  120. '2016-12-01 00:45:00'
  121. )
  123. def test_user_from_mfa_login_token_validate_not_singleton(self):
  124. '''Should raise correct error when recordset is not a singleton'''
  125. self.test_user.copy()
  126. test_set = self.env['res.users'].search([('id', '>', 0)], limit=2)
  128. with self.assertRaises(MfaTokenInvalidError):
  129. self.env['res.users']._user_from_mfa_login_token_validate()
  130. with self.assertRaises(MfaTokenInvalidError):
  131. test_set._user_from_mfa_login_token_validate()
  133. @mock.patch(DATETIME_PATH)
  134. def test_user_from_mfa_login_token_validate_expired(self, datetime_mock):
  135. '''Should raise correct error when record has expired token'''
  136. datetime_mock.now.return_value = datetime(2016, 12, 1)
  137. self.test_user.generate_mfa_login_token()
  138. datetime_mock.now.return_value = datetime(2017, 12, 1)
  140. with self.assertRaises(MfaTokenExpiredError):
  141. self.test_user._user_from_mfa_login_token_validate()
  143. def test_user_from_mfa_login_token_validate_current_singleton(self):
  144. '''Should not raise error when one record with active token'''
  145. self.test_user.generate_mfa_login_token()
  147. try:
  148. self.test_user._user_from_mfa_login_token_validate()
  149. except MfaTokenError:
  150. self.fail('An MfaTokenError was raised and should not have been.')
  152. def test_user_from_mfa_login_token_match(self):
  153. '''Should retreive correct user when there is a current match'''
  154. self.test_user.generate_mfa_login_token()
  155. test_token = self.test_user.mfa_login_token
  157. self.assertEqual(
  158. self.env['res.users'].user_from_mfa_login_token(test_token),
  159. self.test_user,
  160. )
  162. def test_user_from_mfa_login_token_falsy(self):
  163. '''Should raise correct error when token is falsy'''
  164. with self.assertRaises(MfaTokenInvalidError):
  165. self.env['res.users'].user_from_mfa_login_token(None)
  167. def test_user_from_mfa_login_token_no_match(self):
  168. '''Should raise correct error when there is no match'''
  169. with self.assertRaises(MfaTokenInvalidError):
  170. self.env['res.users'].user_from_mfa_login_token('Test Token')
  172. @mock.patch(DATETIME_PATH)
  173. def test_user_from_mfa_login_token_match_expired(self, datetime_mock):
  174. '''Should raise correct error when the match is expired'''
  175. datetime_mock.now.return_value = datetime(2016, 12, 1)
  176. self.test_user.generate_mfa_login_token()
  177. test_token = self.test_user.mfa_login_token
  178. datetime_mock.now.return_value = datetime(2017, 12, 1)
  180. with self.assertRaises(MfaTokenExpiredError):
  181. self.env['res.users'].user_from_mfa_login_token(test_token)
  183. def test_validate_mfa_confirmation_code_not_singleton(self):
  184. '''Should raise correct error when recordset is not singleton'''
  185. test_user_2 = self.env['res.users']
  186. test_user_3 = self.env.ref('base.public_user')
  187. test_set = self.test_user + test_user_3
  189. with self.assertRaisesRegexp(ValueError, 'Expected singleton'):
  190. test_user_2.validate_mfa_confirmation_code('Test Code')
  191. with self.assertRaisesRegexp(ValueError, 'Expected singleton'):
  192. test_set.validate_mfa_confirmation_code('Test Code')
  194. @mock.patch.object(ResUsersAuthenticator, 'validate_conf_code')
  195. def test_validate_mfa_confirmation_code_singleton_return(self, mock_func):
  196. '''Should return validate_conf_code() value if singleton recordset'''
  197. mock_func.return_value = 'Test Result'
  199. self.assertEqual(
  200. self.test_user.validate_mfa_confirmation_code('Test Code'),
  201. 'Test Result',
  202. )