import random import string import json import hashlib import base64 from django.test import TestCase from rest_framework.test import APITestCase from rest_framework import status from core.utils import get_tokens_for_user from . import models from . import factories # Create your tests here. class CustomUserViewSetTest(APITestCase): """CustomUser viewset tests """ def setUp(self): """Tests setup """ self.endpoint = '/api/v1/users/' self.factory = factories.CustomUserFactory self.model = models.CustomUser # create admin user self.admin_email = f"admin_user@mail.com" self.password = ''.join(random.choices(string.ascii_uppercase, k = 10)) self.user = self.factory(email=self.admin_email, password=self.password, is_active=True) # create regular user self.reg_email = f"regular_user@mail.com" self.password = ''.join(random.choices(string.ascii_uppercase, k = 10)) self.user = self.factory(email=self.reg_email, password=self.password, is_active=True) # anon user def test_anon_user_can_create_inactive_instance(self): """Not logged-in user can create new instance of User but it's inactive """ data = { 'email': 'test@email.com', 'full_name': 'TEST NAME', 'password': 'VENTILADORES1234499.89', } # Query endpoint response = self.client.post(self.endpoint, data=data) # Assert creation is successful self.assertEqual(response.status_code, status.HTTP_201_CREATED) # check for new user instance created self.assertEquals(1, self.model.objects.filter(email=data['email']).count()) # assert password has been set new_user = self.model.objects.get(email=data['email']) self.assertNotEqual('', new_user.password) # assert instance is inactive info = json.loads(response.content) self.assertFalse(info['is_active']) def test_anon_user_cannot_modify_existing_instance(self): """Not logged-in user cannot modify existing instance """ # Create instance instance = self.factory() # Query endpoint url = self.endpoint + f'{instance.pk}/' response = self.client.put(url, {}, format='json') # Assert forbidden code self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) def test_anon_user_cannot_delete_existing_instance(self): """Not logged-in user cannot delete existing instance """ # Create instances instance = self.factory() # Query endpoint url = self.endpoint + f'{instance.pk}/' response = self.client.delete(url) self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) # Assert instance still exists on db self.assertTrue(self.model.objects.get(id=instance.pk)) def test_anon_user_cannot_list_instances(self): """Not logged-in user can't read instance """ # Request list response = self.client.get(self.endpoint) # Assert access is forbidden self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) # auth regular user def test_regular_user_cannot_create_instance(self): """Regular user cannot create new instance """ # Authenticate token = get_tokens_for_user(self.user) self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}") # Query endpoint response = self.client.post(self.endpoint, data={}) # Assert access is forbidden self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) def test_regular_user_cannot_modify_existing_instance(self): """Regular user cannot modify existing instance """ # Create instance instance = self.factory() # Authenticate token = get_tokens_for_user(self.user) self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}") # Query endpoint url = self.endpoint + f'{instance.pk}/' response = self.client.put(url, {}, format='json') # Assert forbidden code self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) def test_regular_user_cannot_delete_existing_instance(self): """Regular user cannot delete existing instance """ # Create instances instance = self.factory() # Authenticate token = get_tokens_for_user(self.user) self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}") # Query endpoint url = self.endpoint + f'{instance.pk}/' response = self.client.delete(url) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) # Assert instance still exists on db self.assertTrue(self.model.objects.get(id=instance.pk)) def test_regular_user_cannot_list_instances(self): """Regular user can't list instances """ # Request list response = self.client.get(self.endpoint) # Authenticate token = get_tokens_for_user(self.user) self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}") # Assert access is forbidden self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) def test_user_update_password(self): '''Test the modification of PASSWORD field value for an instance of User ''' # modify values of alert instance new_password = "updated_super secret password" self.user.set_password(new_password) self.user.save() # get updated intance using PK updated_user = self.model.objects.get(pk=self.user.pk) # assert fields exist, and data matches stored_value = updated_user.__dict__['password'] hash_type, iteration, salt, stored_password_hash = stored_value.split('$') new_password_hash = hashlib.pbkdf2_hmac( hash_name='sha256', password=new_password.encode(), salt=salt.encode(), iterations=int(iteration), ) self.assertEqual(stored_password_hash, base64.b64encode(new_password_hash).decode()) # admin user def test_admin_user_can_create_instance(self): """Admin user can create new instance """ # set user as admin self.user.is_staff = True self.user.save() # Define request data data = { 'email': 'test@email.com', 'full_name': 'TEST NAME', 'password': 'VENTILADORES1234499.89', } # Authenticate user token = get_tokens_for_user(self.user) self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}") # Query endpoint response = self.client.post(self.endpoint, data=data, format='json') # Assert endpoint returns created status self.assertEqual(response.status_code, status.HTTP_201_CREATED) # Assert instance exists on db self.assertTrue(self.model.objects.get(email=response.data['email'])) def test_admin_user_can_modify_existing_instance(self): """Admin user can modify existing instance """ # set user as admin self.user.is_staff = True self.user.save() # Create instances instance = self.factory() # Define request data data = { 'email': 'test_alt@email.com', 'full_name': 'TEST NAME ALT' } # Authenticate user token = get_tokens_for_user(self.user) self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}") # Query endpoint url = self.endpoint + f'{instance.pk}/' response = self.client.put(url, data, format='json') # Assert endpoint returns OK code self.assertEqual(response.status_code, status.HTTP_200_OK) # Assert instance has been modified for key in data: self.assertEqual(data[key], response.data[key]) def test_admin_user_can_delete_existing_instance(self): """Admin user can delete existing instance """ # set user as admin self.user.is_staff = True self.user.save() # Create instances instance = self.factory() # Authenticate user token = get_tokens_for_user(self.user) self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}") # Query endpoint url = self.endpoint + f'{instance.pk}/' response = self.client.delete(url) # assert 204 no content self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT) # Assert instance doesn't exists anymore on db self.assertFalse(self.model.objects.filter(id=instance.pk).exists())