o ?hv@sNdZddlZddlmmZddlZddlZddl Z ddl Z ddl m Z ddZ ddZejjdd Zejjd d Zejjd d ZejjddZejjddZejjddZejjddZejjddZejjddZejjddZejjddZejjddZejjd d!Zejjd"d#Zejjd$d%ZdS)&a test_admin.py Purpose: Comprehensive test suite for administrative functionality including user management, audit logging, cross-user data oversight, and admin-specific security controls. Tests admin panel operations, user CRUD operations, and administrative APIs. This module implements red-team level security testing with comprehensive input validation and follows modular, well-organized patterns for production Apache2 deployment scenarios. Each test ensures proper authentication, authorization, audit logging, and database state verification. Test Categories: - Admin panel access and authentication - User management (add, remove, password changes) - Admin JSON APIs for user and camera management - Cross-user data access and management - Audit logging and security oversight - Admin-specific input validation - Authorization boundary testing - Database integrity verification N)get_dbcCsttdd}d|S)z'Generate a unique username for testing.@B testuser_inttime) timestampr ,/var/www/html/tests/functional/test_admin.pyget_unique_username s r cCs8ttdd}ttdd}|d|dS)z1Generate a unique 12-digit camera ID for testing.riri'08d04dr)r random_partr r r get_unique_camera_id&srcCs|d}|d}|d}|j}gd}||v}|sNtd|fd||fdtvs/t|r4t|ndt|t|d}d d |i} tt | d }}}|j d |d |ddd} | j}d}||k}|std|fd||fdtvst| rt| ndt|t|d}d d |i} tt | d }}}|d}|j}d}||k}|std|fd||fdtvst|rt|ndt|t|d}d d |i} tt | d }}}|j dddid|j d |d |ddd} | j}d}||k}|sJtd|fd||fdtvs+t| r0t| ndt|t|d}d d |i} tt | d }}}|d}|j}d}||k}|std|fd||fdtvsxt|r}t|ndt|t|d}d d |i} tt | d }}}g}d} |j } | | v}|} |sd}|j }||v}|} | s;td|fd| | ft| dtvst|rt|ndt| d} dd| i}| ||s&td|fd||ft|dtvs t|rt|ndt|d }d!d"|i}| |t |d#i}d$d%|i}tt |d } }} }} }}}d S)&zATest admin panel access via GET /admin with proper authorization.adminregular/admin.iiinz3%(py2)s {%(py2)s = %(py0)s.status_code } in %(py5)sresponsepy0py2py5assert %(py7)spy7N/loginusernamepasswordr!r"datar==z3%(py2)s {%(py2)s = %(py0)s.status_code } == %(py5)slogin_response/logout csrf_tokenssr?r@rArBrCrDr;session_transaction application app_contextrexecutefetchonerlcheckpwencode)rHrIrJrfrmr)rLrMrNrOrPsessr+rdbrbrQ @py_format4rSrR @py_assert8 @py_assert10 @py_assert12 @py_assert14 @py_assert16 @py_assert18rZr r r !test_admin_add_user_functionalityRs>    |$rc Cs|d}|jd|d|ddd}|j}d}||k}|sQtd|fd ||fd tvs2t|r7t|nd t|t|d }d d |i}tt |d}}}| d| } | dd} Wdn1sqwY|jd| dddd} | j}d}||k}|std|fd ||fdtvst| rt| ndt|t|d }d d |i}tt |d}}}|jd| dddd} | j}d}||k}|std|fd ||fdtvst| rt| ndt|t|d }d d |i}tt |d}}}|jd| dddd} | j}d}||k}|sjtd|fd ||fdtvsKt| rPt| ndt|t|d }d d |i}tt |d}}}dS)z$Test user addition input validation.rr r!r"r#r$rr&r(r)rrrNrr+r,r^ab password123rTestUser validuser123 rEr<r=r>r?r@rArBrCrDr;rt) rHrIrJr)rLrMrNrOrPr{r+rr r r test_admin_add_user_validation|s8      rcCs|d}t}d}|jd|d|ddd}|j}d}||k}|sVtd |fd ||fd tvs7t|r.r removetest123r r!r"r#r$rr&r(r)rrrNriz9INSERT INTO users (username, password_hash) VALUES (?, ?)FINSERT INTO cameras (user_id, camera_id, camera_name) VALUES (?, ?, ?)zTest Camera for Removalrr+r,/admin/remove_user/ ?csrf_token=rz SELECT * FROM users WHERE id = ?isz%(py0)s is %(py3)srbrcrdrz'SELECT * FROM cameras WHERE user_id = ?r)z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } == %(py6)slencamerasrrhr/py6assert %(py8)spy8)r rEr<r=r>r?r@rArBrCrDrurvrrlhashpwrzgensaltdecoderw lastrowidrrcommitr;rtrxfetchallr)rHrIrJrfrmr)rLrMrNrOrPr|pwd_hashcursor test_user_idunique_camera_idr{r+rrbrQr}r @py_assert5 @py_format7 @py_format9r r r $test_admin_remove_user_functionalitys\       ~$rcCs|d}|d}d}|jd|d|ddd}|j}d }||k}|sWtd |fd ||fd tvs8t|r=t|nd t|t|d } dd| i} tt | d}}}| d| } | dd} Wdn1swwY|jd|dd| d|id} | j}d }||k}|std |fd ||fdtvst| rt| ndt|t|d } dd| i} tt | d}}}|j t}|d|df}|dur WddStj}|j}d}||}|d}|j}d}||}|||}|sjddtvs"ttr'ttndt|dtvs9t|r>t|ndt|t|t|t|t|t|t|t|d }tt |d}}}}}}}}}Wdn 1swY|jdddid|jd|d|dd}|j}d }||k}|std |fd ||fd tvst|rt|nd t|t|d } dd| i} tt | d}}}dS) zGTest changing user passwords via POST /admin/change_password/.rlimitednewchangedpass123r r!r"r#r$rr&r(r)rrrNrr+r,/admin/change_password/idr new_passwordrz,SELECT password_hash FROM users WHERE id = ?rirjrkrlrnr*)rEr<r=r>r?r@rArBrCrDr;rtrurvrrwrxrlryrz)rHrIrJ target_userrr)rLrMrNrOrPr{r+rr|rbrRr~rrrrrrZr r r (test_admin_change_password_functionalitysH      rcCs|d}|jd|d|ddd}|j}d}||k}|sQtd|fd ||fd tvs2t|r7t|nd t|t|d }d d |i}tt |d}}}| d} | j}d}||k}|std|fd ||fdtvs|t| rt| ndt|t|d }d d |i}tt |d}}}t | j } d} | | v} | std| fd| | ft| dtvst| rt| ndd} dd| i}tt |d} } | d}t|t}|s7ddtvsttrttnddtvst|rt|nddtvs"ttr'ttndt|d}tt |d}t|} d}| |k}|std|fd| |fd tvs]ttrbttnd dtvspt|rut|ndt| t|d!}d"d#|i}tt |d} }}d$}|D]}| d|dkr]d%}|d&} d%}| |u} | std'| fd(| |ft| t|d)}d*d+|i}tt |d} } }d,} | |v} | std| fd| |ft| d-tvst|rt|nd-d} dd| i}tt |d} } d.} | |v} | sWtd| fd| |ft| d-tvs@t|rEt|nd-d} dd| i}tt |d} } nq|sd/d0d1tvsqt|rvt|nd1i}tt |dS)2z3Test admin users listing via GET /admin/users.json.rr r!r"r#r$rr&r(r)rrrN/admin/users.jsonr-rusersrz%(py1)s in %(py3)sr%rgrdr5assert %(py4)s {%(py4)s = %(py0)s(%(py1)s, %(py2)s) } isinstancelistrrhrpy4)>=)z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } >= %(py6)srrrrFTis_adminrz%(py1)s is %(py4)srhrassert %(py6)sr camera_countrbrzassert %(py0)sr admin_found)rEr<r=r>r?r@rArBrCrDr;jsonloadsr%rrr)rHrIrJr)rLrMrNrOrPrr%rSrQr}r @py_format5rrrrrb @py_format1r r r test_admin_users_json_apis.   xl~~HrcCs|d}|d}t}|jd|d|ddd}|j}d}||k}|sXtd |fd ||fd tvs9t|r>t|nd t|t|d } d d| i} t t | d}}}|j Pt } | d|df} | sddl} | |dd| d}| d|d||df}|j}n| d}| d|t|df| Wdn1swY|j t } | d|df}|r|dn|d}Wdn1swY|d|d}|j}d}||k}|s3td |fd ||fdtvst|rt|ndt|t|d } d d| i} t t | d}}}t|j}d}||v}|sztd|fd||ft|dtvsct|rht|ndd }d!d"|i} t t | d}}|d}t|t}|sd#d$tvsttrttnd$dtvst|rt|ndd%tvsttrttnd%t|d&}t t |d}d}|D]}t|d'|kr|}nqd}||u}|s&td(|fd)||fd*tvs t|rt|nd*t|d+}d!d"|i} t t | d}}|d,}d}||k}|sZtd |fd-||ft|t|d.}d/d0|i}t t |d}}}dS)1zKTest admin user cameras listing via GET /admin/user//cameras.json.rrr r!r"r#r$rr&r(r)rrrN'SELECT id FROM users WHERE username = ?rriFINSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)rrrzAdmin Test Camera /admin/user/ /cameras.jsonr-rrrrr%rgrdrrrrr camera_idr_ra our_camerarc camera_name)z%(py1)s == %(py4)srrr)rrEr<r=r>r?r@rArBrCrDrurvrrwrxrlrrzrrrrrr;rrr%rrstr)rHrIrJrKrr)rLrMrNrOrPr| user_checkrlrjractual_user_id user_in_dbrr%rSrQr}rrrcamerarr r r test_admin_user_cameras_json_api<sZ       ~~prcCs|d}|d}t}|jd|d|ddd}|j}d} || k} | sXtd | fd || fd tvs9t|r>t|nd t|t| d } d d| i} t t | d}} } |j Pt } | d|df}|sddl}||dd|d}| d|d||df}|j}n|d}| d|t|df| Wdn1swYddlm}||||d}|j t } | d|df}|r|dn|d}Wdn1swY|d|d}|j}d} || k} | sAtd | fd || fdtvs"t|r't|ndt|t| d } d d| i} t t | d}} } t|j}dS)zITest admin user images listing via GET /admin/user//images.json.rrr r!r"r#r$rr&r(r)rrrNrrrirrrrzImages Test Cameracreate_test_image_filejpgr /images.jsonr-r)rrEr<r=r>r?r@rArBrCrDrurvrrwrxrlrrzrrrrrtests.functional.test_imagesrr;rrr%)rHrI temp_staticsample_image_datarJrKrr)rLrMrNrOrPr|rrlrjrrrrel_pathrrr%r r r test_admin_user_images_json_apizsH       rcCs|d}|d}t}d}|jd|d|ddd}|j}d }||k} | sZtd | fd ||fd tvs;t|r@t|nd t|t|d } dd| i} t t | d}} }|j Pt } | d|df} | sddl}||dd|d}| d|d||df}|j}n| d}| d|t|df| Wdn1swY|d|}|dd}Wdn1swY|j t } | d|df}|r|dn|d}Wdn 1swY|jd|d|||ddd }|j}d!}||k} | s]td | fd ||fd"tvs>t|rCt|nd"t|t|d } dd| i} t t | d}} }t|j}|d#}d$} || u}|std%|fd&|| ft|t| d'}d(d)|i}t t |d}}} |j t } | d*t|f}d}||u}|std+|fd,||fd-tvst|rt|nd-t|d.}d/d0|i} t t | d}}|d1}||k}|s/td |fd2||ft|d3tvst|rt|nd3d4}d/d0|i} t t | d}}WddS1s?wYdS)5zITest admin camera renaming via POST /admin/user//cameras/rename.rrzAdmin Renamed Camerar r!r"r#r$rr&r(r)rrrNrrrirrrrzOriginal Camera Namerr+r,rz/cameras/rename?csrf_token=)rrapplication/jsonr content_typer-rsuccessTrrrrrz3SELECT camera_name FROM cameras WHERE camera_id = ?r_rarrcrdrrrenew_camera_namergrrEr<r=r>r?r@rArBrCrDrurvrrwrxrlrrzrrrrrr;rtrrr%)rHrIrJrKrrr)rLrMrNrOrPr|rrlrjrrr{r+rrr%rSrQrrrr}r r r test_admin_rename_user_camerasp         l ~$rcCs|d}|d}t}|jd|d|ddd}|j}d}||k}|sXtd |fd ||fd tvs9t|r>t|nd t|t|d } d d| i} t t | d}}}|j Pt } | d|df} | sddl} | |dd| d}| d|d||df}|j}n| d}| d|t|df| Wdn1swY|d|}|dd}Wdn1swY|j t } | d|df}|r|dn|d}Wdn 1swY|jd|d|d|idd}|j}d }||k}|sZtd |fd ||fd!tvs;t|r@t|nd!t|t|d } d d| i} t t | d}}}t|j}|d"}d#}||u}|std$|fd%||ft|t|d&}d'd(|i}t t |d}}}|j Vt } | d)t|f}d}||u}|std$|fd*||fd+tvst|rt|nd+t|d,}d-d.|i} t t | d}}WddS1swYdS)/zITest admin camera deletion via POST /admin/user//cameras/delete.rrr r!r"r#r$rr&r(r)rrrNrrrirrrrzCamera to Deleterr+r,rz/cameras/delete?csrf_token=rrrr-rrTrrrrrz)SELECT * FROM cameras WHERE camera_id = ?rrrcrdrr)rHrIrJrKrr)rLrMrNrOrPr|rrlrjrrr{r+rrr%rSrQrrrr}r r r test_admin_delete_user_camerash         l $rcCsV|d}|d}t}|jd|d|ddd}|j}d} || k} | sXtd | fd || fd tvs9t|r>t|nd t|t| d } d d| i} t t | d}} } |j Pt } | d|df}|sddl}||dd|d}| d|d||df}|j}n|d}| d|t|df| Wdn1swYddlm}||||d}|d|}|dd}Wdn1swY|j !t } | d|df}|r|dn|d}Wdn 1swY|jd|||ddd }|j}d!} || k} | sgtd | fd || fd"tvsHt|rMt|nd"t|t| d } d d| i} t t | d}} } t|j}|d#}d$} || u}|std%|fd&|| ft|t| d'}d(d)|i}t t |d}}} dS)*z7Test admin image deletion via POST /admin/image/delete.rrr r!r"r#r$rr&r(r)rrrNrrrirrrrzImage Delete Test Camerarrrr+r,z/admin/image/delete?csrf_token=)reluser_idrrr-rrTrrrrr)rrEr<r=r>r?r@rArBrCrDrurvrrwrxrlrrzrrrrrrrr;rtrrr%)rHrIrrrJrKrr)rLrMrNrOrPr|rrlrjrrrrr{r+rrr%rSrQrrr r r test_admin_delete_user_image:s\           prcCs|d}|jd|d|ddd}|j}d}||k}|sQtd|fd ||fd tvs2t|r7t|nd t|t|d }d d |i}tt |d}}}ddd|ddd|ddg} | D]L} | | } | j}d}||k}|std|fd ||fdtvst| rt| ndt|t|d }d d |i}tt |d}}}qk| d| } | dd} Wdn1swYddddfd|difd|dddifg}|D]X\} }|j| d| |d} | j}d}||k}|sEtd|fd ||fdtvs&t| r+t| ndt|t|d }d d |i}tt |d}}}qdS) z.Test admin operation authorization boundaries.rr r!r"r#r$rr&r(r)rrrNrrrrrrr/r+r,/admin/add_usertestrrrnewpassrr)rHrIrKr)rLrMrNrOrPadmin_endpointsendpointrr{r+admin_post_operationsr%r r r #test_admin_authorization_boundaries}s4      rcCs|d}t}d}|jd|d|ddd}|j}d}||k}|sVtd |fd ||fd tvs7t|rr?r@rArBrCrDr;rtrrr%dictrr)rHrIrJrfrmr)rLrMrNrOrPr{r+rr%rQr r r test_admin_audit_loggings.       rcCs(gd}|D] \}}|dkr||}n|j|id}|j}gd}||v}|s]td|fd||fdtvs>t|rCt|ndt|t|d}d d |i} t t | d }}}|jd krg}d } |j } | | v}|} |sd} |j }| |v}|} | std|fd| | ft| dtvst|rt|ndt| d} dd| i}| ||std|fd| |ft| dtvst|rt|ndt|d}dd|i}| |t |di}dd|i}t t |d } }} }} } }}qd S)z-Test admin operations require authentication.) )rGET)rr)z/admin/user/1/cameras.jsonr)z/admin/user/1/images.jsonr)rPOST)z/admin/remove_user/1r)z/admin/change_password/1r)z/admin/user/1/cameras/renamer)z/admin/user/1/cameras/deleter)z/admin/image/deleterr)rrrrrrrrNrrlogin)z0%(py3)s in %(py7)s {%(py7)s = %(py5)s.location }r.r0r1)z4%(py12)s in %(py16)s {%(py16)s = %(py14)s.location }r2r6r7r8r9r:)r;rEr<r=r>r?r@rArBrCrDlocationrFrG)rHrrmethodrrLrMrNrOrPrQrRrSrTrUrVrWrXrYrZr[r r r ,test_admin_operations_require_authentications   Rrc Cs|d}|jd|d|ddd}|j}d}||k}|sQtd|fd ||fd tvs2t|r7t|nd t|t|d }d d |i}tt |d}}}| d| } | dd} Wdn1sqwY|d| } | j}d}||k}|std|fd ||fdtvst| rt| ndt|t|d }d d |i}tt |d}}}|jd| ddid} | j}d}||k}|std|fd ||fdtvst| rt| ndt|t|d }d d |i}tt |d}}}| d} | j}ddg}||v}|s^td|fd||fdtvs?t| rDt| ndt|t|d }d d |i}tt |d}}}|dd} |jd| | ddd} | j}d}||k}|std|fd ||fdtvst| rt| ndt|t|d }d d |i}tt |d}}}dS)z(Test admin operations with invalid data.rr r!r"r#r$rr&r(r)rrrNrr+r,z$/admin/remove_user/99999?csrf_token=rz(/admin/change_password/99999?csrf_token=r newpass123z/admin/user/99999/cameras.jsonr-rrrrr^ testpass123r) rHrIrJr)rLrMrNrOrPr{r+rexisting_usernamer r r test_admin_invalid_operationss2       r) __doc__builtinsr?_pytest.assertion.rewrite assertionrewriter=pytestrrrlapp_modules.dbrr rmarkrr\rrrrrrrrrrrrrrr r r r sL"  $ ) , < 2 " = 6 F A B ' (