OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1458 Commits
13 Branches
0 Tags
45 MiB
Tree: b9b7461fe4
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b9b7461fe4'
${ noResults }
server-tools/auth_totp/tests/test_main.py

393 lines
15 KiB
Raw Normal View History

[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. from datetime import datetime
  6. import mock
  7. from openerp.http import Response
  8. from openerp.tests.common import TransactionCase
  9. from ..controllers.main import AuthTotp
  11. CONTROLLER_PATH = 'openerp.addons.auth_totp.controllers.main'
  12. REQUEST_PATH = CONTROLLER_PATH + '.request'
  13. SUPER_PATH = CONTROLLER_PATH + '.Home.web_login'
  14. JSON_PATH = CONTROLLER_PATH + '.JsonSecureCookie'
  15. ENVIRONMENT_PATH = CONTROLLER_PATH + '.Environment'
  16. RESPONSE_PATH = CONTROLLER_PATH + '.Response'
  17. DATETIME_PATH = CONTROLLER_PATH + '.datetime'
  18. TRANSLATE_PATH_CONT = CONTROLLER_PATH + '._'
  19. MODEL_PATH = 'openerp.addons.auth_totp.models.res_users'
  20. GENERATE_PATH = MODEL_PATH + '.ResUsers.generate_mfa_login_token'
  21. VALIDATE_PATH = MODEL_PATH + '.ResUsers.validate_mfa_confirmation_code'
  22. TRANSLATE_PATH_MOD = MODEL_PATH + '._'
  25. @mock.patch(REQUEST_PATH)
  26. class TestAuthTotp(TransactionCase):
  28. def setUp(self):
  29. super(TestAuthTotp, self).setUp()
  31. self.test_controller = AuthTotp()
  33. self.test_user = self.env.ref('base.user_root')
  34. self.env['res.users.authenticator'].create({
  35. 'name': 'Test Authenticator',
  36. 'secret_key': 'iamatestsecretyo',
  37. 'user_id': self.test_user.id,
  38. })
  39. self.test_user.mfa_enabled = True
  40. self.test_user.generate_mfa_login_token()
  41. self.test_user.trusted_device_ids = None
  43. # Needed when tests are run with no prior requests (e.g. on a new DB)
  44. patcher = mock.patch('openerp.http.request')
  45. self.addCleanup(patcher.stop)
  46. patcher.start()
  48. @mock.patch(SUPER_PATH)
  49. def test_web_login_no_password_login(self, super_mock, request_mock):
  50. '''Should return wrapped result of super if no password log in'''
  51. test_response = 'Test Response'
  52. super_mock.return_value = test_response
  53. request_mock.params = {}
  55. self.assertEqual(self.test_controller.web_login().data, test_response)
  57. @mock.patch(SUPER_PATH)
  58. def test_web_login_user_no_mfa(self, super_mock, request_mock):
  59. '''Should return wrapped result of super if user did not enable MFA'''
  60. test_response = 'Test Response'
  61. super_mock.return_value = test_response
  62. request_mock.params = {'login_success': True}
  63. request_mock.env = self.env
  64. request_mock.uid = self.test_user.id
  65. self.test_user.mfa_enabled = False
  67. self.assertEqual(self.test_controller.web_login().data, test_response)
  69. @mock.patch(JSON_PATH)
  70. @mock.patch(SUPER_PATH)
  71. def test_web_login_valid_cookie(self, super_mock, json_mock, request_mock):
  72. '''Should return wrapped result of super if valid device cookie'''
  73. test_response = 'Test Response'
  74. super_mock.return_value = test_response
  75. request_mock.params = {'login_success': True}
  76. request_mock.env = self.env
  77. request_mock.uid = self.test_user.id
  79. device_model = self.env['res.users.device']
  80. test_device = device_model.create({'user_id': self.test_user.id})
  81. json_mock.unserialize().get.return_value = test_device.id
  83. self.assertEqual(self.test_controller.web_login().data, test_response)
  85. @mock.patch(SUPER_PATH)
  86. @mock.patch(GENERATE_PATH)
  87. def test_web_login_no_cookie(self, gen_mock, super_mock, request_mock):
  88. '''Should respond correctly if no device cookie with expected key'''
  89. request_mock.env = self.env
  90. request_mock.uid = self.test_user.id
  91. request_mock.params = {
  92. 'login_success': True,
  93. 'redirect': 'Test Redir',
  94. }
  95. self.test_user.mfa_login_token = 'Test Token'
  96. request_mock.httprequest.cookies = {}
  97. request_mock.reset_mock()
  99. test_result = self.test_controller.web_login()
  100. gen_mock.assert_called_once_with()
  101. request_mock.session.logout.assert_called_once_with(keep_db=True)
  102. self.assertIn(
  103. '/auth_totp/login?redirect=Test+Redir&mfa_login_token=Test+Token',
  104. test_result.data,
  105. )
  107. @mock.patch(SUPER_PATH)
  108. @mock.patch(JSON_PATH)
  109. @mock.patch(GENERATE_PATH)
  110. def test_web_login_bad_device_id(
  111. self, gen_mock, json_mock, super_mock, request_mock
  112. ):
  113. '''Should respond correctly if invalid device_id in device cookie'''
  114. request_mock.env = self.env
  115. request_mock.uid = self.test_user.id
  116. request_mock.params = {
  117. 'login_success': True,
  118. 'redirect': 'Test Redir',
  119. }
  120. self.test_user.mfa_login_token = 'Test Token'
  121. json_mock.unserialize.return_value = {'device_id': 1}
  122. request_mock.reset_mock()
  124. test_result = self.test_controller.web_login()
  125. gen_mock.assert_called_once_with()
  126. request_mock.session.logout.assert_called_once_with(keep_db=True)
  127. self.assertIn(
  128. '/auth_totp/login?redirect=Test+Redir&mfa_login_token=Test+Token',
  129. test_result.data,
  130. )
  132. def test_mfa_login_get(self, request_mock):
  133. '''Should render mfa_login template with correct context'''
  134. request_mock.render.return_value = 'Test Value'
  135. request_mock.reset_mock()
  136. self.test_controller.mfa_login_get()
  138. request_mock.render.assert_called_once_with(
  139. 'auth_totp.mfa_login',
  140. qcontext=request_mock.params,
  141. )
  143. @mock.patch(TRANSLATE_PATH_MOD)
  144. def test_mfa_login_post_invalid_token(self, tl_mock, request_mock):
  145. '''Should return correct redirect if login token invalid'''
  146. request_mock.env = self.env
  147. request_mock.params = {
  148. 'mfa_login_token': 'Invalid Token',
  149. 'redirect': 'Test Redir',
  150. }
  151. tl_mock.side_effect = lambda arg: arg
  152. tl_mock.reset_mock()
  154. test_result = self.test_controller.mfa_login_post()
  155. tl_mock.assert_called_once()
  156. self.assertIn('/web/login?redirect=Test+Redir', test_result.data)
  157. self.assertIn(
  158. '&error=Your+MFA+login+token+is+not+valid.',
  159. test_result.data,
  160. )
  162. @mock.patch(TRANSLATE_PATH_MOD)
  163. def test_mfa_login_post_expired_token(self, tl_mock, request_mock):
  164. '''Should return correct redirect if login token expired'''
  165. request_mock.env = self.env
  166. self.test_user.generate_mfa_login_token(-1)
  167. request_mock.params = {
  168. 'mfa_login_token': self.test_user.mfa_login_token,
  169. 'redirect': 'Test Redir',
  170. }
  171. tl_mock.side_effect = lambda arg: arg
  172. tl_mock.reset_mock()
  174. test_result = self.test_controller.mfa_login_post()
  175. tl_mock.assert_called_once()
  176. self.assertIn('/web/login?redirect=Test+Redir', test_result.data)
  177. self.assertIn(
  178. '&error=Your+MFA+login+token+has+expired.',
  179. test_result.data,
  180. )
  182. @mock.patch(TRANSLATE_PATH_CONT)
  183. def test_mfa_login_post_invalid_conf_code(self, tl_mock, request_mock):
  184. '''Should return correct redirect if confirmation code is invalid'''
  185. request_mock.env = self.env
  186. request_mock.params = {
  187. 'mfa_login_token': self.test_user.mfa_login_token,
  188. 'redirect': 'Test Redir',
  189. 'confirmation_code': 'Invalid Code',
  190. }
  191. tl_mock.side_effect = lambda arg: arg
  192. tl_mock.reset_mock()
  194. test_result = self.test_controller.mfa_login_post()
  195. tl_mock.assert_called_once()
  196. self.assertIn('/auth_totp/login?redirect=Test+Redir', test_result.data)
  197. self.assertIn(
  198. '&error=Your+confirmation+code+is+not+correct.',
  199. test_result.data,
  200. )
  201. self.assertIn(
  202. '&mfa_login_token=%s' % self.test_user.mfa_login_token,
  203. test_result.data,
  204. )
  206. @mock.patch(GENERATE_PATH)
  207. @mock.patch(VALIDATE_PATH)
  208. def test_mfa_login_post_new_token(self, val_mock, gen_mock, request_mock):
  209. '''Should refresh user's login token w/right lifetime if info valid'''
  210. request_mock.env = self.env
  211. request_mock.db = self.registry.db_name
  212. test_token = self.test_user.mfa_login_token
  213. request_mock.params = {'mfa_login_token': test_token}
  214. val_mock.return_value = True
  215. gen_mock.reset_mock()
  216. self.test_controller.mfa_login_post()
  218. gen_mock.assert_called_once_with(60 * 24 * 30)
  220. @mock.patch(ENVIRONMENT_PATH)
  221. @mock.patch(VALIDATE_PATH)
  222. def test_mfa_login_post_session(self, val_mock, env_mock, request_mock):
  223. '''Should log user in with new token as password if info valid'''
  224. request_mock.env = self.env
  225. request_mock.db = self.registry.db_name
  226. old_test_token = self.test_user.mfa_login_token
  227. request_mock.params = {'mfa_login_token': old_test_token}
  228. val_mock.return_value = True
  229. env_mock.return_value = self.env
  230. request_mock.reset_mock()
  231. self.test_controller.mfa_login_post()
  233. new_test_token = self.test_user.mfa_login_token
  234. request_mock.session.authenticate.assert_called_once_with(
  235. request_mock.db,
  236. self.test_user.login,
  237. new_test_token,
  238. self.test_user.id,
  239. )
  241. @mock.patch(GENERATE_PATH)
  242. @mock.patch(VALIDATE_PATH)
  243. def test_mfa_login_post_redirect(self, val_mock, gen_mock, request_mock):
  244. '''Should return correct redirect if info valid and redirect present'''
  245. request_mock.env = self.env
  246. request_mock.db = self.registry.db_name
  247. test_redir = 'Test Redir'
  248. request_mock.params = {
  249. 'mfa_login_token': self.test_user.mfa_login_token,
  250. 'redirect': test_redir,
  251. }
  252. val_mock.return_value = True
  254. test_result = self.test_controller.mfa_login_post()
  255. self.assertIn("window.location = '%s'" % test_redir, test_result.data)
  257. @mock.patch(GENERATE_PATH)
  258. @mock.patch(VALIDATE_PATH)
  259. def test_mfa_login_post_redir_def(self, val_mock, gen_mock, request_mock):
  260. '''Should return redirect to /web if info valid and no redirect'''
  261. request_mock.env = self.env
  262. request_mock.db = self.registry.db_name
  263. test_token = self.test_user.mfa_login_token
  264. request_mock.params = {'mfa_login_token': test_token}
  265. val_mock.return_value = True
  267. test_result = self.test_controller.mfa_login_post()
  268. self.assertIn("window.location = '/web'", test_result.data)
  270. @mock.patch(GENERATE_PATH)
  271. @mock.patch(VALIDATE_PATH)
  272. def test_mfa_login_post_device(self, val_mock, gen_mock, request_mock):
  273. '''Should add trusted device to user if remember flag set'''
  274. request_mock.env = self.env
  275. request_mock.db = self.registry.db_name
  276. test_token = self.test_user.mfa_login_token
  277. request_mock.params = {
  278. 'mfa_login_token': test_token,
  279. 'remember_device': True,
  280. }
  281. val_mock.return_value = True
  282. self.test_controller.mfa_login_post()
  284. self.assertEqual(len(self.test_user.trusted_device_ids), 1)
  286. @mock.patch(RESPONSE_PATH)
  287. @mock.patch(JSON_PATH)
  288. @mock.patch(GENERATE_PATH)
  289. @mock.patch(VALIDATE_PATH)
  290. def test_mfa_login_post_cookie_werkzeug_cookie(
  291. self, val_mock, gen_mock, json_mock, resp_mock, request_mock
  292. ):
  293. '''Should create Werkzeug cookie w/right info if remember flag set'''
  294. request_mock.env = self.env
  295. request_mock.db = self.registry.db_name
  296. test_token = self.test_user.mfa_login_token
  297. request_mock.params = {
  298. 'mfa_login_token': test_token,
  299. 'remember_device': True,
  300. }
  301. val_mock.return_value = True
  302. resp_mock().__class__ = Response
  303. json_mock.reset_mock()
  304. self.test_controller.mfa_login_post()
  306. test_device = self.test_user.trusted_device_ids
  307. config_model = self.env['ir.config_parameter']
  308. test_secret = config_model.get_param('database.secret')
  309. json_mock.assert_called_once_with(
  310. {'device_id': test_device.id},
  311. test_secret,
  312. )
  314. @mock.patch(DATETIME_PATH)
  315. @mock.patch(RESPONSE_PATH)
  316. @mock.patch(JSON_PATH)
  317. @mock.patch(GENERATE_PATH)
  318. @mock.patch(VALIDATE_PATH)
  319. def test_mfa_login_post_cookie_werkzeug_cookie_exp(
  320. self, val_mock, gen_mock, json_mock, resp_mock, dt_mock, request_mock
  321. ):
  322. '''Should serialize Werkzeug cookie w/right exp if remember flag set'''
  323. request_mock.env = self.env
  324. request_mock.db = self.registry.db_name
  325. test_token = self.test_user.mfa_login_token
  326. request_mock.params = {
  327. 'mfa_login_token': test_token,
  328. 'remember_device': True,
  329. }
  330. val_mock.return_value = True
  331. dt_mock.utcnow.return_value = datetime(2016, 12, 1)
  332. resp_mock().__class__ = Response
  333. json_mock.reset_mock()
  334. self.test_controller.mfa_login_post()
  336. json_mock().serialize.assert_called_once_with(datetime(2016, 12, 31))
  338. @mock.patch(DATETIME_PATH)
  339. @mock.patch(RESPONSE_PATH)
  340. @mock.patch(JSON_PATH)
  341. @mock.patch(GENERATE_PATH)
  342. @mock.patch(VALIDATE_PATH)
  343. def test_mfa_login_post_cookie_final_cookie(
  344. self, val_mock, gen_mock, json_mock, resp_mock, dt_mock, request_mock
  345. ):
  346. '''Should add correct cookie to response if remember flag set'''
  347. request_mock.env = self.env
  348. request_mock.db = self.registry.db_name
  349. test_token = self.test_user.mfa_login_token
  350. request_mock.params = {
  351. 'mfa_login_token': test_token,
  352. 'remember_device': True,
  353. }
  354. val_mock.return_value = True
  355. dt_mock.utcnow.return_value = datetime(2016, 12, 1)
  356. config_model = self.env['ir.config_parameter']
  357. config_model.set_param('auth_totp.secure_cookie', '0')
  358. resp_mock().__class__ = Response
  359. resp_mock.reset_mock()
  360. self.test_controller.mfa_login_post()
  362. resp_mock().set_cookie.assert_called_once_with(
  363. 'trusted_devices_%s' % self.test_user.id,
  364. json_mock().serialize(),
  365. max_age=30 * 24 * 60 * 60,
  366. expires=datetime(2016, 12, 31),
  367. httponly=True,
  368. secure=False,
  369. )
  371. @mock.patch(RESPONSE_PATH)
  372. @mock.patch(GENERATE_PATH)
  373. @mock.patch(VALIDATE_PATH)
  374. def test_mfa_login_post_cookie_final_cookie_secure(
  375. self, val_mock, gen_mock, resp_mock, request_mock
  376. ):
  377. '''Should set secure cookie if config parameter set accordingly'''
  378. request_mock.env = self.env
  379. request_mock.db = self.registry.db_name
  380. test_token = self.test_user.mfa_login_token
  381. request_mock.params = {
  382. 'mfa_login_token': test_token,
  383. 'remember_device': True,
  384. }
  385. val_mock.return_value = True
  386. config_model = self.env['ir.config_parameter']
  387. config_model.set_param('auth_totp.secure_cookie', '1')
  388. resp_mock().__class__ = Response
  389. resp_mock.reset_mock()
  390. self.test_controller.mfa_login_post()
  392. new_test_security = resp_mock().set_cookie.mock_calls[0][2]['secure']
  393. self.assertIs(new_test_security, True)