hLIdZddlZddlmcmZddlZddlZddl m Z ejjdZ ejjdZejjdZejjdZejjdZejjd Zejjd Zejjd Zejjd Zejjd ZejjdZejjdZejjdZejjdZejjdZejjdZejjdZy)a test_auth.py Purpose: Comprehensive test suite for authentication functionality including login, logout, rate limiting, session management, and CSRF protection. Test Categories: - Successful login with valid credentials - Failed login with invalid credentials - Logout functionality and session clearing - Rate limiting enforcement per user and IP - Session management and security Nget_dbcj|j}|d}|jd|d|dd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}|j}|j}d} || } | sdd t j vstj|rtj|nd tj|tj|tj| tj| dz} ttj| dx}x}x} } |jd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}y)z=Test successful login with valid credentials via POST /login.regular/loginusernamepasswordrr data.==z3%(py2)s {%(py2)s = %(py0)s.status_code } == %(py5)sresponsepy0py2py5assert %(py7)spy7N/selecthassert %(py8)s {%(py8)s = %(py4)s {%(py4)s = %(py2)s {%(py2)s = %(py0)s.location }.endswith }(%(py6)s) }rrpy4py6py8) test_clientpost status_code @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _safereprAssertionError_format_explanationlocationendswithget)app test_usersclear_rate_limitsclientuserr @py_assert1 @py_assert4 @py_assert3 @py_format6 @py_format8 @py_assert5 @py_assert7 @py_format9s MC:\Users\algun\Documents\ceba web\Ceba - Github\tests\functional\test_auth.py'test_successful_login_valid_credentialsr;s__ F i D{{8$$+{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&   0  % %0i0 %i 00 00000080008000 000 %000i000 0000000zz)$H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&c|j}|jdddd}|j}d}||k(}|stjd|fd||fd t j vstj|rtj|nd tj|tj|d z}d d |iz} ttj| d x}x}}|j}|j}d} || } | sdd t j vstj|rtj|nd tj|tj|tj| tj| dz} ttj| d x}x}x} } |jd}|j}d}||k(}|stjd|fd||fd t j vstj|rtj|nd tj|tj|d z}d d |iz} ttj| d x}x}}g}d} |j}| |v}|}|sd}|j}||v}|}|stjd|fd| |ftj| d t j vstj|rtj|nd tj|dz} dd| iz}|j||stjdfdftj|d t j vstj|rtj|nd tj|dz}dd|iz}|j|tj |diz}dd|iz}ttj|d x}x}x} x}x}x}x}}y ) z(Test failed login with invalid username.rnonexistentuser anypasswordr r r rrrrrrN/rrrPogrekorisniinz,%(py3)s in %(py7)s {%(py7)s = %(py5)s.data }py3rr%(py9)spy9z0%(py12)s in %(py16)s {%(py16)s = %(py14)s.data }py12py14py16%(py18)spy18assert %(py21)spy21rr r!r"r#r$r%r&r'r(r)r*r+r,r append_format_boolop)r-r.r/r0rr2r3r4r5r6r7r8r9 @py_assert2 @py_assert6 @py_assert0 @py_assert11 @py_assert15 @py_assert13 @py_format10 @py_format17 @py_format19 @py_format20 @py_format22s r:"test_failed_login_invalid_usernamerb,s__ F{{8%!+{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&   *  % %*c* %c ** ******8***8*** *** %***c*** *******zz#H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&C8Cx}}C8} $C ChmmC m(CCCCC8}CCC8CCCCCCxCCCxCCC}CCCCCCC mCCC CCCCCChCCChCCCmCCCCCCCCCCCCCCr<c|j}|d}|jd|ddd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}|j}|j}d} || } | sdd t j vstj|rtj|nd tj|tj|tj| tj| dz} ttj| dx}x}x} } |jd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}g}d}|j}||v}|}|sd}|j}||v}|}|stjd|fd||ftj|d t j vstj|rtj|nd tj|dz} dd| iz}|j||stjdfdftj|d t j vstj|rtj|nd tj|dz}dd|iz}|j|tj |diz}dd |iz}ttj|dx}x}x}x}x}x}x}}y)!z(Test failed login with invalid password.limitedrr wrongpasswordr r r rrrrrrNr@rrrrArBrCrErFrHrIrJrKrOrPrQrRrSrT)r-r.r/r0r1rr2r3r4r5r6r7r8r9rWrXrYrZr[r\r]r^r_r`ras r:"test_failed_login_invalid_passwordrfAs__ F i D{{8$#+{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&   *  % %*c* %c ** ******8***8*** *** %***c*** *******zz#H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&C8Cx}}C8} $C ChmmC m(CCCCC8}CCC8CCCCCCxCCCxCCC}CCCCCCC mCCC CCCCCChCCChCCCmCCCCCCCCCCCCCCr<c|j}|jdddd}|j}d}||k(}|stjd|fd||fdt j vstj|rtj|ndtj|tj|d z}d d |iz}ttj|d x}x}}|j}|j}d } || } | sddt j vstj|rtj|ndtj|tj|tj| tj| dz} ttj| d x}x}x} } y )z)Test failed login with empty credentials.rr r r rrrrrrNr@rr) rr r!r"r#r$r%r&r'r(r)r*r+) r-r/r0rr2r3r4r5r6r7r8r9s r:#test_failed_login_empty_credentialsriWs)__ F{{8+{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&   *  % %*c* %c ** ******8***8*** *** %***c*** *******r<cT ||j}|d}|jd|d|dd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}|jd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}|j5} | jdd} ddd|jdd i}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}|j}|j}d} || }|sdd t j vstj|rtj|nd tj|tj|tj| tj|dz}ttj|dx}x}x} }|jd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}y#1swYxYw)z@Test logout functionality via POST /logout and session clearing.adminrrr r r r rrrrrrNrr csrf_tokenrh/logoutr@rr)rr r!r"r#r$r%r&r'r(r)r,session_transactionr*r+)r-r.r/r0r1rr2r3r4r5r6sessrlr7r8r9s r:test_logout_functionalityrpgs__ F g D{{8$$+{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&zz)$H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&  # # %XXlB/  &{{9L*+E{FH   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&   *  % %*c* %c ** ******8***8*** *** %***c*** *******zz)$H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&& & %s *RR'c|j}|d}|jd|d|dd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}|jd}|j}ddg}||v}|stjd|fd||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}y)z3Test that GET /logout is not supported (only POST).rrrr r r r rrrrrrNrmiirC)z3%(py2)s {%(py2)s = %(py0)s.status_code } in %(py5)s) rr r!r"r#r$r%r&r'r(r)r,) r-r.r/r0r1rr2r3r4r5r6s r:%test_logout_get_request_not_supportedrrs=__ F i D{{8$$+{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&zz)$H   -C:- : ---- :------8---8--- ---:-------r<c6||j}ddl}ddlm}|j 5|}|j dj d|jjd}ddl }dt|j}|jd||df} |jddd|jd dd  } | j} d } | | k(} | stj d | fd| | fdt#j$vstj&| rtj(| ndtj(| tj(| dz}dd|iz}t+tj,|dx} x} } t/dD]}|j1d} | j} d} | | k(} | stj d | fd| | fdt#j$vstj&| rtj(| ndtj(| tj(| dz}dd|iz}t+tj,|dx} x} } y#1swYxYw)z7Test that session persists across requests after login.rNrtestpassutf-8 sessionuser_FINSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)Frr r r rrrrrrrr)rbcryptapp_modules.dbr app_contexthashpwencodegensaltdecodetimeintexecutecommitr r!r"r#r$r%r&r'r(r)ranger,)r-r/r0ryrdbtest_password_hashrunique_usernamecursorrr2r3r4r5r6is r:test_session_managementrs__ F%   X#]]:+<+)z/%(py3)s {%(py3)s = %(py0)s(%(py1)s) } > %(py6)slenrpy1rGrassert %(py8)sr) rr,r!r"r#r$r%r&r'r(r)rnr)r-r/r0rr2r3r4r5r6rorlrW @py_format4r7 @py_format7r9s r:test_csrf_token_generationrs__ Fzz#H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&  # # %XXl+ !%%z%%%%z%%%%%%z%%%z%%%%%%%%%%:############s###s######:###:############# & % %s :GK  Kc |j}|d}|jd|d|dd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}|j5} | jdd} ddd|jdddd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}y#1swYxYw)z9Test CSRF protection on various state-changing endpoints.rkrrr r r r rrrrrrNrlrhz/admin/add_user testuser123 testpass123rrrs r:/test_csrf_protection_on_state_changing_requestsrsy__ F g D{{8$$+{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&  # # %XXlB/  &{{,!!4{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&& & %s HH c*|j}|d}|j5t}|jd|j ddd|j d|d|dd}|j }d }||k(} | stjd | fd ||fd tjvstj|rtj|nd tj|tj|d z} dd| iz} ttj| dx}x} }|j5t}|jdd|dfj} t!| } d}| |k(}|stjd |fd| |fdtjvstjt rtjt nddtjvstj| rtj| ndtj| tj|dz}dd|iz}ttj|dx} x}}| d}|d}|d} || k(} | sltjd | fd|| ftj|tj| dz}dd|iz}ttj|dx}x} } |d}d} || u} | sltjd| fd || ftj|tj| dz}dd|iz}ttj|dx}x} } |d!}d} || k(} | sltjd | fd|| ftj|tj| dz}dd|iz}ttj|dx}x} } ddd|j}|j d|dd"d}|j }d }||k(} | stjd | fd ||fd tjvstj|rtj|nd tj|tj|d z} dd| iz} ttj| dx}x} }|j5t}|jdd#|dfj} t!| } d}| |k(}|stjd |fd| |fdtjvstjt rtjt nddtjvstj| rtj| ndtj| tj|dz}dd|iz}ttj|dx} x}}| d}|d}|d} || k(} | sltjd | fd|| ftj|tj| dz}dd|iz}ttj|dx}x} } |d!}d#} || k(} | sltjd | fd|| ftj|tj| dz}dd|iz}ttj|dx}x} } dddy#1swYxYw#1swYixYw#1swYyxYw)$z4Test that authentication events are properly logged.rdzDELETE FROM auth_logNrrr r r r rrrrrrz7SELECT * FROM auth_log WHERE event = ? AND username = ? login_successrQ)z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } == %(py6)srlogsrrrr)z%(py1)s == %(py4)srrassert %(py6)sruser_idr)z%(py1)s is not %(py4)seventre login_failure)rr{rrrr r!r"r#r$r%r&r'r(r)fetchallr)r-r.r/r0r1rrr2r3r4r5r6rrWr7rr9logrY @py_format5client_2s r:!test_authentication_event_loggingr#s__ F i D   X )*   {{8$$+{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&   XzzS)4 +;<>>Fhj 4yAyA~yAss44yA1g:2$z"22"22222"2222222"222222229~)T)~T))))~T)))~)))T)))))))7|..|....|...|..........  H}}X$#-}H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&   XzzS)4 +;<>>Fhj 4yAyA~yAss44yA1g:2$z"22"22222"2222222"222222227|..|....|...|..........  A    &  s%,]/K]<I^ /]9<^ ^c< |j}|d}|jd}|j}d}||k(}|stjd|fd||fdt j vstj|rtj|ndtj|tj|dz} dd | iz} ttj| d x}x}}|j5} | jd d } d d d |jd |d|dd}|j}d}||k(}|stjd|fd||fdt j vstj|rtj|ndtj|tj|dz} dd | iz} ttj| d x}x}}|j5} | jd} d }| |u}|stjd|fd| |fdt j vstj| rtj| ndtj|dz}dd|iz} ttj| d x}}d d d |jd}|j}d}||k(}|stjd|fd||fdt j vstj|rtj|ndtj|tj|dz} dd | iz} ttj| d x}x}}|j5} | jd d }d }||k7}|stjd|fd||fdt j vstj|rtj|ndtj|dz}dd|iz} ttj| d x}}d d d y #1swYhxYw#1swYxYw#1swYy xYw)zFTest that session is regenerated on login to prevent session fixation.rr@rrrrrrrNrlrhrrr r r r rrrlogged_in_user_idrrrr!=)z%(py0)s != %(py3)scsrf_token_after_login) rr,r!r"r#r$r%r&r'r(r)rnr )r-r.r/r0r1rr2r3r4r5r6roinitial_csrf_tokenrrWrrs r:"test_session_regeneration_on_loginrUs__ F i Dzz#H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&  # # %!XXlB7 &{{8$$+{H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&  # # % HHY/(,, ,,,, ,,,,,, ,,, ,,,,,,,,,, & zz)$H   &3& 3 &&&& 3&&&&&&8&&&8&&& &&&3&&&&&&&  # # %!%,!;)++%++++%++++++%+++%++++++++++ & %) & % & % & %s&?Q8B7R6B9R8RRRc |d}|j}|j}|jd|d|dd}|j}d}||k(} | stjd| fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x} }|jd|d|dd} | j}d}||k(} | stjd| fd ||fdt j vstj| rtj| ndtj|tj|d z} d d | iz} ttj| dx}x} }|jd}|j}d}||k(} | stjd| fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x} }|jd} | j}d}||k(} | stjd| fd ||fdt j vstj| rtj| ndtj|tj|d z} d d | iz} ttj| dx}x} }|j5} | jdd}ddd|jddi|jd} | j}d}||k(} | stjd| fd ||fdt j vstj| rtj| ndtj|tj|d z} d d | iz} ttj| dx}x} }y#1swYxYw)z@Test handling of multiple concurrent sessions for the same user.rkrrr r r r rr response1rrrN response2rrrlrhrm) rr r!r"r#r$r%r&r'r(r)r,rn)r-r.r/r1client1client2rr2r3r4r5r6rro csrf_token1s r:!test_multiple_concurrent_sessionsrzs+ g DooGooG X$$- I  'C' C '''' C''''''9'''9''' '''C''''''' X$$- I  'C' C '''' C''''''9'''9''' '''C''''''' I&I  'C' C '''' C''''''9'''9''' '''C''''''' I&I  'C' C '''' C''''''9'''9''' '''C'''''''  $ $ &$hh|R0  ' LL, !=)z%(py1)s >= %(py4)srrr)rryrzrr{r|r}r~rrrrrrr r!r"r#r$r%r&r'r(r)fetchone)r-r/r0ryrrrrrrrrr2r3r4r5r6attemptsrYrWrrs r:)test_rate_limiting_per_user_comprehensivers__ F%   X#]]:+<+1I;>Jc\|j}ddl}ddlm}ddl}|j 5|}|j djd|jjd}g}tdD]H} dt|jd| } |jd | |d f} |j| J|jdddg} D]^} tdD]D}|jd | d d }| j|j |j dk(sDn| ddk(s^ng}d}|| v}|}|sd}|| v}|}|sXt#j$d|fd|| ft#j&|dt)j*vst#j,| rt#j&| nddz}dd|iz}|j||st#j$dfd| ft#j&|dt)j*vst#j,| rt#j&| nddz}dd|iz}|j|t#j.|diz}dd|iz}t1t#j2|dx}x}x}x}x}}|j 5|}|jdj5}t7|}d}||k\}|st#j$d |fd!||fd"t)j*vst#j,t6rt#j&t6nd"d#t)j*vst#j,|rt#j&|nd#t#j&|t#j&|d$z}d%d&|iz}t1t#j2|dx}x}}dddy#1swY:xYw#1swYyxYw)'z.Test rate limiting enforcement per IP address.rNrrtrurxipuser__rwFrrer r ir rC)z%(py3)s in %(py5)s responses)rGrz%(py7)sr)z%(py10)s in %(py12)s)py10rLz%(py14)srMrQzassert %(py17)srzSELECT * FROM login_ip_attemptsr)z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } >= %(py6)sr ip_attemptsrrr)rryrzrrr{r|r}r~rrrrrUrr r!r"r#r'r$r%r&rVr(r)rr) r-r/r0ryrrrrusersrrrrrjrr2rWr3rY @py_assert9rZr5r6 @py_format13 @py_format15 @py_format16 @py_format18rr7rr9s r:test_rate_limiting_per_iprs__ F%   X#]]:+<+OZZX "4e<F LL )    IqA{{8$+3{H   X11 2##s* R=C  03/3) /s/si/////3)///3//////)///)///////si///s//////i///i//////////////   Xjj!BCLLN ;$1$1$$$$1$$$$$$s$$$s$$$$$$;$$$;$$$$$$1$$$$$$$  G  F  sB.PD7P"P"P+)__doc__builtinsr$_pytest.assertion.rewrite assertionrewriter"pytestrrzrmarkauthr;rbrfrirprrrrrrrrrrrrrr<r:rs#  !'',DD(DD* + +"'"'J..,"+"+J + + ''2 $ $ ''8././b!,!,H%(%(PRR,)/)/X1%1%r<