consumocuidado-server/core/tests.py

import random
import string
import json
import hashlib
import base64

from django.test import TestCase

from rest_framework.test import APITestCase
from rest_framework import status

from core.utils import get_tokens_for_user

from . import models
from . import factories
# Create your tests here.


class CustomUserViewSetTest(APITestCase):
    """CustomUser viewset tests
    """

    def setUp(self):
        """Tests setup
        """
        self.endpoint = '/api/v1/users/'
        self.factory = factories.CustomUserFactory
        self.model = models.CustomUser
        # create regular user
        self.reg_email = f"user@mail.com"
        self.password = ''.join(random.choices(string.ascii_uppercase, k = 10))
        self.user = self.factory(email=self.reg_email, password=self.password, is_active=True)

    # anon user
    def test_anon_user_can_create_inactive_instance(self):
        """Not logged-in user can create new instance of User but it's inactive
        """
        data = {
            'email': 'test@email.com',
            'full_name': 'TEST NAME',
            'password': 'VENTILADORES1234499.89',
            'provider': 'TWITTER',
        }

        # Query endpoint
        response = self.client.post(self.endpoint, data=data)

        # Assert creation is successful
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
        # check for new user instance created
        self.assertEquals(1, self.model.objects.filter(email=data['email']).count())
        # assert password has been set
        new_user =  self.model.objects.get(email=data['email'])
        self.assertNotEqual('', new_user.password)
        # assert instance is inactive
        info = json.loads(response.content)
        self.assertFalse(info['is_active'])

    def test_anon_user_cannot_modify_existing_instance(self):
        """Not logged-in user cannot modify existing instance
        """
        # Create instance
        instance = self.factory()

        # Query endpoint
        url = self.endpoint + f'{instance.pk}/'
        response = self.client.put(url, {}, format='json')

        # Assert forbidden code
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_anon_user_cannot_delete_existing_instance(self):
        """Not logged-in user cannot delete existing instance
        """
        # Create instances
        instance = self.factory()

        # Query endpoint
        url = self.endpoint + f'{instance.pk}/'
        response = self.client.delete(url)

        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
        # Assert instance still exists on db
        self.assertTrue(self.model.objects.get(id=instance.pk))

    def test_anon_user_cannot_list_instances(self):
        """Not logged-in user can't read instance
        """
        # Request list
        response = self.client.get(self.endpoint)

        # Assert access is forbidden
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    # auth regular user
    def test_regular_user_cannot_create_instance(self):
        """Regular user cannot create new instance
        """
        # Authenticate
        token = get_tokens_for_user(self.user)
        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")

        # Query endpoint
        response = self.client.post(self.endpoint, data={})

        # Assert access is forbidden
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_regular_user_can_modify_own_instance(self):
        """Regular user can modify own instance
        """
        # Create instance
        data = {
            "email": "new_email@mail.com",
            "full_name": "New Full Name",
            "password": "SUPERSECRETNEWPASSWORD",
        }

        # Authenticate
        token = get_tokens_for_user(self.user)
        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")

        # Query endpoint
        url = self.endpoint + f'{self.user.pk}/'
        response = self.client.put(url, data=data, format='json')

        # Assert forbidden code
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)

        # assert new password hash properly updated
        # assert fields exist, and data matches
        updated_user = self.model.objects.get(pk=self.user.id)
        stored_value = updated_user.__dict__['password']
        hash_type, iteration, salt, stored_password_hash = stored_value.split('$')
        new_password_hash = hashlib.pbkdf2_hmac(
                hash_name='sha256',
                password=data['password'].encode(),
                salt=salt.encode(),
                iterations=int(iteration),
                )
        self.assertEqual(stored_password_hash, base64.b64encode(new_password_hash).decode())

    def test_regular_user_cannot_modify_existing_instance(self):
        """Regular user cannot modify existing instance
        """
        # Create instance
        instance = self.factory()

        # Authenticate
        token = get_tokens_for_user(self.user)
        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")

        # Query endpoint
        url = self.endpoint + f'{instance.pk}/'
        response = self.client.put(url, {}, format='json')

        # Assert forbidden code
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_regular_user_cannot_delete_existing_instance(self):
        """Regular user cannot delete existing instance
        """
        # Create instances
        instance = self.factory()

        # Authenticate
        token = get_tokens_for_user(self.user)
        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")

        # Query endpoint
        url = self.endpoint + f'{instance.pk}/'
        response = self.client.delete(url)

        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        # Assert instance still exists on db
        self.assertTrue(self.model.objects.get(id=instance.pk))

    def test_regular_user_cannot_list_instances(self):
        """Regular user can't list instances
        """
        # Request list
        response = self.client.get(self.endpoint)

        # Authenticate
        token = get_tokens_for_user(self.user)
        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")

        # Assert access is forbidden
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_user_update_password(self):
        '''Test the modification of PASSWORD field value for an instance of User '''
        # modify values of alert instance
        new_password = "updated_super secret password"
        self.user.set_password(new_password)
        self.user.save()
        # get updated intance using PK
        updated_user = self.model.objects.get(pk=self.user.pk)
        # assert fields exist, and data matches
        stored_value = updated_user.__dict__['password']
        hash_type, iteration, salt, stored_password_hash = stored_value.split('$')
        new_password_hash = hashlib.pbkdf2_hmac(
                hash_name='sha256',
                password=new_password.encode(),
                salt=salt.encode(),
                iterations=int(iteration),
                )
        self.assertEqual(stored_password_hash, base64.b64encode(new_password_hash).decode())

    # admin user
    def test_admin_user_can_create_instance(self):
        """Admin user can create new instance
        """
        # set user as admin
        self.user.is_staff = True
        self.user.save()

        # Define request data
        data = {
            'email': 'test@email.com',
            'full_name': 'TEST NAME',
            'password': 'VENTILADORES1234499.89',
        }

        # Authenticate user
        token = get_tokens_for_user(self.user)
        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")

        # Query endpoint
        response = self.client.post(self.endpoint, data=data, format='json')

        # Assert endpoint returns created status
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)

        # Assert instance exists on db
        self.assertTrue(self.model.objects.get(email=response.data['email']))

    def test_admin_user_can_modify_existing_instance(self):
        """Admin user can modify existing instance
        """
        # set user as admin
        self.user.is_staff = True
        self.user.save()

        # Create instances
        instance = self.factory()

        # Define request data
        data = {
            'email': 'test_alt@email.com',
            'full_name': 'TEST NAME ALT'
        }

        # Authenticate user
        token = get_tokens_for_user(self.user)
        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")

        # Query endpoint
        url = self.endpoint + f'{instance.pk}/'
        response = self.client.put(url, data, format='json')

        # Assert endpoint returns OK code
        self.assertEqual(response.status_code, status.HTTP_200_OK)

        # Assert instance has been modified
        for key in data:
            self.assertEqual(data[key], response.data[key])

    def test_admin_user_can_delete_existing_instance(self):
        """Admin user can delete existing instance
        """
        # set user as admin
        self.user.is_staff = True
        self.user.save()

        # Create instances
        instance = self.factory()

        # Authenticate user
        token = get_tokens_for_user(self.user)
        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")

        # Query endpoint
        url = self.endpoint + f'{instance.pk}/'
        response = self.client.delete(url)

        # assert 204 no content
        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
        # Assert instance doesn't exists anymore on db
        self.assertFalse(self.model.objects.filter(id=instance.pk).exists())