Home-Assistant
/
core
mirror of https://github.com/home-assistant/core.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
core/tests/auth/test_init.py

638 lines
20 KiB
Python
Raw Normal View History

Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
"""Tests for the Home Assistant auth module."""
Make sure we check access token expiration (#15207) * Make sure we check access token expiration * Use correct access token websocket
2018-06-29 04:02:33 +00:00
from datetime import timedelta
from unittest.mock import Mock, patch
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
import pytest
from homeassistant import auth, data_entry_flow
Reorg auth (#15443)
2018-07-13 09:43:08 +00:00
from homeassistant.auth import (
models as auth_models, auth_store, const as auth_const)
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
from homeassistant.auth.mfa_modules import SESSION_EXPIRATION
Make sure we check access token expiration (#15207) * Make sure we check access token expiration * Use correct access token websocket
2018-06-29 04:02:33 +00:00
from homeassistant.util import dt as dt_util
Use IndieAuth for client ID (#15369) * Use IndieAuth for client ID * Lint * Lint & Fix tests * Allow local IP addresses * Update comment
2018-07-09 16:24:46 +00:00
from tests.common import (
MockUser, ensure_auth_manager_loaded, flush_store, CLIENT_ID)
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
@pytest.fixture
Make sure we check access token expiration (#15207) * Make sure we check access token expiration * Use correct access token websocket
2018-06-29 04:02:33 +00:00
def mock_hass(loop):
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
"""Hass mock with minimum amount of data set to make it work with auth."""
hass = Mock()
hass.config.skip_pip = True
return hass
async def test_auth_manager_from_config_validates_config_and_id(mock_hass):
"""Test get auth providers."""
manager = await auth.auth_manager_from_config(mock_hass, [{
'name': 'Test Name',
'type': 'insecure_example',
'users': [],
}, {
'name': 'Invalid config because no users',
'type': 'insecure_example',
'id': 'invalid_config',
}, {
'name': 'Test Name 2',
'type': 'insecure_example',
'id': 'another',
'users': [],
}, {
'name': 'Wrong because duplicate ID',
'type': 'insecure_example',
'id': 'another',
'users': [],
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
}], [])
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
providers = [{
'name': provider.name,
'id': provider.id,
'type': provider.type,
User management (#15420) * User management * Lint * Fix dict * Reuse data instance * OrderedDict all the way
2018-07-13 13:31:20 +00:00
} for provider in manager.auth_providers]
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
assert providers == [{
'name': 'Test Name',
'type': 'insecure_example',
'id': None,
}, {
'name': 'Test Name 2',
'type': 'insecure_example',
'id': 'another',
}]
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
async def test_auth_manager_from_config_auth_modules(mock_hass):
"""Test get auth modules."""
manager = await auth.auth_manager_from_config(mock_hass, [{
'name': 'Test Name',
'type': 'insecure_example',
'users': [],
}, {
'name': 'Test Name 2',
'type': 'insecure_example',
'id': 'another',
'users': [],
}], [{
'name': 'Module 1',
'type': 'insecure_example',
'data': [],
}, {
'name': 'Module 2',
'type': 'insecure_example',
'id': 'another',
'data': [],
}, {
'name': 'Duplicate ID',
'type': 'insecure_example',
'id': 'another',
'data': [],
}])
providers = [{
'name': provider.name,
'type': provider.type,
'id': provider.id,
} for provider in manager.auth_providers]
assert providers == [{
'name': 'Test Name',
'type': 'insecure_example',
'id': None,
}, {
'name': 'Test Name 2',
'type': 'insecure_example',
'id': 'another',
}]
modules = [{
'name': module.name,
'type': module.type,
'id': module.id,
} for module in manager.auth_mfa_modules]
assert modules == [{
'name': 'Module 1',
'type': 'insecure_example',
'id': 'insecure_example',
}, {
'name': 'Module 2',
'type': 'insecure_example',
'id': 'another',
}]
async def test_create_new_user(hass):
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
"""Test creating new user."""
Storage auth (#15192) * Support parallel loading * Add storage mock * Store auth * Fix tests
2018-06-29 02:14:26 +00:00
manager = await auth.auth_manager_from_config(hass, [{
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
'type': 'insecure_example',
'users': [{
'username': 'test-user',
'password': 'test-pass',
'name': 'Test Name'
}]
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
}], [])
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
step = await manager.login_flow.async_init(('insecure_example', None))
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
step = await manager.login_flow.async_configure(step['flow_id'], {
'username': 'test-user',
'password': 'test-pass',
})
assert step['type'] == data_entry_flow.RESULT_TYPE_CREATE_ENTRY
Get user after login flow finished (#16047) * Get user after login flow finished * Add optional parameter 'type' to /auth/login_flow * Update __init__.py
2018-08-21 08:18:04 +00:00
user = step['result']
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
assert user is not None
Add user via cmd line creates owner (#15470) * Add user via cmd line creates owner * Ensure access tokens are not verified for inactive users * Stale print * Lint
2018-07-15 18:46:15 +00:00
assert user.is_owner is False
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
assert user.name == 'Test Name'
async def test_login_as_existing_user(mock_hass):
"""Test login as existing user."""
manager = await auth.auth_manager_from_config(mock_hass, [{
'type': 'insecure_example',
'users': [{
'username': 'test-user',
'password': 'test-pass',
'name': 'Test Name'
}]
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
}], [])
mock_hass.auth = manager
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
ensure_auth_manager_loaded(manager)
Fix credentials lookup (#15409)
2018-07-10 18:33:03 +00:00
# Add a fake user that we're not going to log in with
user = MockUser(
id='mock-user2',
is_owner=False,
is_active=False,
name='Not user',
).add_to_auth_manager(manager)
Reorg auth (#15443)
2018-07-13 09:43:08 +00:00
user.credentials.append(auth_models.Credentials(
Fix credentials lookup (#15409)
2018-07-10 18:33:03 +00:00
id='mock-id2',
auth_provider_type='insecure_example',
auth_provider_id=None,
data={'username': 'other-user'},
is_new=False,
))
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
# Add fake user with credentials for example auth provider.
user = MockUser(
id='mock-user',
is_owner=False,
is_active=False,
name='Paulus',
).add_to_auth_manager(manager)
Reorg auth (#15443)
2018-07-13 09:43:08 +00:00
user.credentials.append(auth_models.Credentials(
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
id='mock-id',
auth_provider_type='insecure_example',
auth_provider_id=None,
data={'username': 'test-user'},
is_new=False,
))
step = await manager.login_flow.async_init(('insecure_example', None))
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
step = await manager.login_flow.async_configure(step['flow_id'], {
'username': 'test-user',
'password': 'test-pass',
})
assert step['type'] == data_entry_flow.RESULT_TYPE_CREATE_ENTRY
Get user after login flow finished (#16047) * Get user after login flow finished * Add optional parameter 'type' to /auth/login_flow * Update __init__.py
2018-08-21 08:18:04 +00:00
user = step['result']
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
assert user is not None
assert user.id == 'mock-user'
assert user.is_owner is False
assert user.is_active is False
assert user.name == 'Paulus'
Storage auth (#15192) * Support parallel loading * Add storage mock * Store auth * Fix tests
2018-06-29 02:14:26 +00:00
async def test_linking_user_to_two_auth_providers(hass, hass_storage):
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
"""Test linking user to two auth providers."""
Storage auth (#15192) * Support parallel loading * Add storage mock * Store auth * Fix tests
2018-06-29 02:14:26 +00:00
manager = await auth.auth_manager_from_config(hass, [{
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
'type': 'insecure_example',
'users': [{
'username': 'test-user',
'password': 'test-pass',
}]
}, {
'type': 'insecure_example',
'id': 'another-provider',
'users': [{
'username': 'another-user',
'password': 'another-password',
}]
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
}], [])
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
step = await manager.login_flow.async_init(('insecure_example', None))
step = await manager.login_flow.async_configure(step['flow_id'], {
'username': 'test-user',
'password': 'test-pass',
})
Get user after login flow finished (#16047) * Get user after login flow finished * Add optional parameter 'type' to /auth/login_flow * Update __init__.py
2018-08-21 08:18:04 +00:00
user = step['result']
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
assert user is not None
Get user after login flow finished (#16047) * Get user after login flow finished * Add optional parameter 'type' to /auth/login_flow * Update __init__.py
2018-08-21 08:18:04 +00:00
step = await manager.login_flow.async_init(
('insecure_example', 'another-provider'),
context={'credential_only': True})
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
step = await manager.login_flow.async_configure(step['flow_id'], {
'username': 'another-user',
'password': 'another-password',
})
Get user after login flow finished (#16047) * Get user after login flow finished * Add optional parameter 'type' to /auth/login_flow * Update __init__.py
2018-08-21 08:18:04 +00:00
new_credential = step['result']
await manager.async_link_user(user, new_credential)
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line
2018-05-01 16:20:41 +00:00
assert len(user.credentials) == 2
Storage auth (#15192) * Support parallel loading * Add storage mock * Store auth * Fix tests
2018-06-29 02:14:26 +00:00
async def test_saving_loading(hass, hass_storage):
"""Test storing and saving data.
Creates one of each type that we store to test we restore correctly.
"""
manager = await auth.auth_manager_from_config(hass, [{
'type': 'insecure_example',
'users': [{
'username': 'test-user',
'password': 'test-pass',
}]
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
}], [])
Storage auth (#15192) * Support parallel loading * Add storage mock * Store auth * Fix tests
2018-06-29 02:14:26 +00:00
step = await manager.login_flow.async_init(('insecure_example', None))
step = await manager.login_flow.async_configure(step['flow_id'], {
'username': 'test-user',
'password': 'test-pass',
})
Get user after login flow finished (#16047) * Get user after login flow finished * Add optional parameter 'type' to /auth/login_flow * Update __init__.py
2018-08-21 08:18:04 +00:00
user = step['result']
Add user via cmd line creates owner (#15470) * Add user via cmd line creates owner * Ensure access tokens are not verified for inactive users * Stale print * Lint
2018-07-15 18:46:15 +00:00
await manager.async_activate_user(user)
Use JWT for access tokens (#15972) * Use JWT for access tokens * Update requirements * Improvements
2018-08-14 19:14:12 +00:00
await manager.async_create_refresh_token(user, CLIENT_ID)
Storage auth (#15192) * Support parallel loading * Add storage mock * Store auth * Fix tests
2018-06-29 02:14:26 +00:00
await flush_store(manager._store._store)
Reorg auth (#15443)
2018-07-13 09:43:08 +00:00
store2 = auth_store.AuthStore(hass)
Only create front-end client_id once (#15214) * Only create frontend client_id once * Check user and client_id before create refresh token * Lint * Follow code review comment * Minor clenaup * Update doc string
2018-07-01 17:36:50 +00:00
users = await store2.async_get_users()
assert len(users) == 1
assert users[0] == user
Storage auth (#15192) * Support parallel loading * Add storage mock * Store auth * Fix tests
2018-06-29 02:14:26 +00:00
Make sure we check access token expiration (#15207) * Make sure we check access token expiration * Use correct access token websocket
2018-06-29 04:02:33 +00:00
async def test_cannot_retrieve_expired_access_token(hass):
"""Test that we cannot retrieve expired access tokens."""
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
manager = await auth.auth_manager_from_config(hass, [], [])
Add system generated users (#15291) * Add system generated users * Fix typing
2018-07-04 15:50:08 +00:00
user = MockUser().add_to_auth_manager(manager)
Use IndieAuth for client ID (#15369) * Use IndieAuth for client ID * Lint * Lint & Fix tests * Allow local IP addresses * Update comment
2018-07-09 16:24:46 +00:00
refresh_token = await manager.async_create_refresh_token(user, CLIENT_ID)
Only create front-end client_id once (#15214) * Only create frontend client_id once * Check user and client_id before create refresh token * Lint * Follow code review comment * Minor clenaup * Update doc string
2018-07-01 17:36:50 +00:00
assert refresh_token.user.id is user.id
Use IndieAuth for client ID (#15369) * Use IndieAuth for client ID * Lint * Lint & Fix tests * Allow local IP addresses * Update comment
2018-07-09 16:24:46 +00:00
assert refresh_token.client_id == CLIENT_ID
Make sure we check access token expiration (#15207) * Make sure we check access token expiration * Use correct access token websocket
2018-06-29 04:02:33 +00:00
Only create front-end client_id once (#15214) * Only create frontend client_id once * Check user and client_id before create refresh token * Lint * Follow code review comment * Minor clenaup * Update doc string
2018-07-01 17:36:50 +00:00
access_token = manager.async_create_access_token(refresh_token)
Use JWT for access tokens (#15972) * Use JWT for access tokens * Update requirements * Improvements
2018-08-14 19:14:12 +00:00
assert (
await manager.async_validate_access_token(access_token)
is refresh_token
)
Make sure we check access token expiration (#15207) * Make sure we check access token expiration * Use correct access token websocket
2018-06-29 04:02:33 +00:00
Reorg auth (#15443)
2018-07-13 09:43:08 +00:00
with patch('homeassistant.util.dt.utcnow',
Use JWT for access tokens (#15972) * Use JWT for access tokens * Update requirements * Improvements
2018-08-14 19:14:12 +00:00
return_value=dt_util.utcnow() -
auth_const.ACCESS_TOKEN_EXPIRATION - timedelta(seconds=11)):
access_token = manager.async_create_access_token(refresh_token)
Make sure we check access token expiration (#15207) * Make sure we check access token expiration * Use correct access token websocket
2018-06-29 04:02:33 +00:00
Use JWT for access tokens (#15972) * Use JWT for access tokens * Update requirements * Improvements
2018-08-14 19:14:12 +00:00
assert (
await manager.async_validate_access_token(access_token)
is None
)
Only create front-end client_id once (#15214) * Only create frontend client_id once * Check user and client_id before create refresh token * Lint * Follow code review comment * Minor clenaup * Update doc string
2018-07-01 17:36:50 +00:00
Add system generated users (#15291) * Add system generated users * Fix typing
2018-07-04 15:50:08 +00:00
async def test_generating_system_user(hass):
"""Test that we can add a system user."""
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
manager = await auth.auth_manager_from_config(hass, [], [])
Add system generated users (#15291) * Add system generated users * Fix typing
2018-07-04 15:50:08 +00:00
user = await manager.async_create_system_user('Hass.io')
token = await manager.async_create_refresh_token(user)
assert user.system_generated
assert token is not None
assert token.client_id is None
async def test_refresh_token_requires_client_for_user(hass):
"""Test that we can add a system user."""
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
manager = await auth.auth_manager_from_config(hass, [], [])
Add system generated users (#15291) * Add system generated users * Fix typing
2018-07-04 15:50:08 +00:00
user = MockUser().add_to_auth_manager(manager)
assert user.system_generated is False
Only create front-end client_id once (#15214) * Only create frontend client_id once * Check user and client_id before create refresh token * Lint * Follow code review comment * Minor clenaup * Update doc string
2018-07-01 17:36:50 +00:00
with pytest.raises(ValueError):
Add system generated users (#15291) * Add system generated users * Fix typing
2018-07-04 15:50:08 +00:00
await manager.async_create_refresh_token(user)
Use IndieAuth for client ID (#15369) * Use IndieAuth for client ID * Lint * Lint & Fix tests * Allow local IP addresses * Update comment
2018-07-09 16:24:46 +00:00
token = await manager.async_create_refresh_token(user, CLIENT_ID)
Add system generated users (#15291) * Add system generated users * Fix typing
2018-07-04 15:50:08 +00:00
assert token is not None
Use IndieAuth for client ID (#15369) * Use IndieAuth for client ID * Lint * Lint & Fix tests * Allow local IP addresses * Update comment
2018-07-09 16:24:46 +00:00
assert token.client_id == CLIENT_ID
Only create front-end client_id once (#15214) * Only create frontend client_id once * Check user and client_id before create refresh token * Lint * Follow code review comment * Minor clenaup * Update doc string
2018-07-01 17:36:50 +00:00
Add system generated users (#15291) * Add system generated users * Fix typing
2018-07-04 15:50:08 +00:00
async def test_refresh_token_not_requires_client_for_system_user(hass):
"""Test that we can add a system user."""
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
manager = await auth.auth_manager_from_config(hass, [], [])
Add system generated users (#15291) * Add system generated users * Fix typing
2018-07-04 15:50:08 +00:00
user = await manager.async_create_system_user('Hass.io')
assert user.system_generated is True
Only create front-end client_id once (#15214) * Only create frontend client_id once * Check user and client_id before create refresh token * Lint * Follow code review comment * Minor clenaup * Update doc string
2018-07-01 17:36:50 +00:00
with pytest.raises(ValueError):
Use IndieAuth for client ID (#15369) * Use IndieAuth for client ID * Lint * Lint & Fix tests * Allow local IP addresses * Update comment
2018-07-09 16:24:46 +00:00
await manager.async_create_refresh_token(user, CLIENT_ID)
Add system generated users (#15291) * Add system generated users * Fix typing
2018-07-04 15:50:08 +00:00
token = await manager.async_create_refresh_token(user)
assert token is not None
assert token.client_id is None
Aware comments (#15480) * Make sure we cannot deactivate the owner * Use different error code when trying to fetch token for inactive user
2018-07-15 21:09:05 +00:00
async def test_cannot_deactive_owner(mock_hass):
"""Test that we cannot deactive the owner."""
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
manager = await auth.auth_manager_from_config(mock_hass, [], [])
Aware comments (#15480) * Make sure we cannot deactivate the owner * Use different error code when trying to fetch token for inactive user
2018-07-15 21:09:05 +00:00
owner = MockUser(
is_owner=True,
).add_to_auth_manager(manager)
with pytest.raises(ValueError):
await manager.async_deactivate_user(owner)
Add support for revoking refresh tokens (#16095) * Add support for revoking refresh tokens * Lint * Split revoke logic in own method * Simplify * Update docs
2018-08-21 18:02:55 +00:00
async def test_remove_refresh_token(mock_hass):
"""Test that we can remove a refresh token."""
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
manager = await auth.auth_manager_from_config(mock_hass, [], [])
Add support for revoking refresh tokens (#16095) * Add support for revoking refresh tokens * Lint * Split revoke logic in own method * Simplify * Update docs
2018-08-21 18:02:55 +00:00
user = MockUser().add_to_auth_manager(manager)
refresh_token = await manager.async_create_refresh_token(user, CLIENT_ID)
access_token = manager.async_create_access_token(refresh_token)
await manager.async_remove_refresh_token(refresh_token)
assert (
await manager.async_get_refresh_token(refresh_token.id) is None
)
assert (
await manager.async_validate_access_token(access_token) is None
)
Add multi-factor authentication modules (#15489) * Get user after login flow finished * Add multi factor authentication support * Typings
2018-08-22 07:52:34 +00:00
async def test_login_with_auth_module(mock_hass):
"""Test login as existing user with auth module."""
manager = await auth.auth_manager_from_config(mock_hass, [{
'type': 'insecure_example',
'users': [{
'username': 'test-user',
'password': 'test-pass',
'name': 'Test Name'
}],
}], [{
'type': 'insecure_example',
'data': [{
'user_id': 'mock-user',
'pin': 'test-pin'
}]
}])
mock_hass.auth = manager
ensure_auth_manager_loaded(manager)
# Add fake user with credentials for example auth provider.
user = MockUser(
id='mock-user',
is_owner=False,
is_active=False,
name='Paulus',
).add_to_auth_manager(manager)
user.credentials.append(auth_models.Credentials(
id='mock-id',
auth_provider_type='insecure_example',
auth_provider_id=None,
data={'username': 'test-user'},
is_new=False,
))
step = await manager.login_flow.async_init(('insecure_example', None))
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
step = await manager.login_flow.async_configure(step['flow_id'], {
'username': 'test-user',
'password': 'test-pass',
})
# After auth_provider validated, request auth module input form
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
assert step['step_id'] == 'mfa'
step = await manager.login_flow.async_configure(step['flow_id'], {
'pin': 'invalid-pin',
})
# Invalid auth error
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
assert step['step_id'] == 'mfa'
assert step['errors'] == {'base': 'invalid_auth'}
step = await manager.login_flow.async_configure(step['flow_id'], {
'pin': 'test-pin',
})
# Finally passed, get user
assert step['type'] == data_entry_flow.RESULT_TYPE_CREATE_ENTRY
user = step['result']
assert user is not None
assert user.id == 'mock-user'
assert user.is_owner is False
assert user.is_active is False
assert user.name == 'Paulus'
async def test_login_with_multi_auth_module(mock_hass):
"""Test login as existing user with multiple auth modules."""
manager = await auth.auth_manager_from_config(mock_hass, [{
'type': 'insecure_example',
'users': [{
'username': 'test-user',
'password': 'test-pass',
'name': 'Test Name'
}],
}], [{
'type': 'insecure_example',
'data': [{
'user_id': 'mock-user',
'pin': 'test-pin'
}]
}, {
'type': 'insecure_example',
'id': 'module2',
'data': [{
'user_id': 'mock-user',
'pin': 'test-pin2'
}]
}])
mock_hass.auth = manager
ensure_auth_manager_loaded(manager)
# Add fake user with credentials for example auth provider.
user = MockUser(
id='mock-user',
is_owner=False,
is_active=False,
name='Paulus',
).add_to_auth_manager(manager)
user.credentials.append(auth_models.Credentials(
id='mock-id',
auth_provider_type='insecure_example',
auth_provider_id=None,
data={'username': 'test-user'},
is_new=False,
))
step = await manager.login_flow.async_init(('insecure_example', None))
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
step = await manager.login_flow.async_configure(step['flow_id'], {
'username': 'test-user',
'password': 'test-pass',
})
# After auth_provider validated, request select auth module
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
assert step['step_id'] == 'select_mfa_module'
step = await manager.login_flow.async_configure(step['flow_id'], {
'multi_factor_auth_module': 'module2',
})
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
assert step['step_id'] == 'mfa'
step = await manager.login_flow.async_configure(step['flow_id'], {
'pin': 'test-pin2',
})
# Finally passed, get user
assert step['type'] == data_entry_flow.RESULT_TYPE_CREATE_ENTRY
user = step['result']
assert user is not None
assert user.id == 'mock-user'
assert user.is_owner is False
assert user.is_active is False
assert user.name == 'Paulus'
async def test_auth_module_expired_session(mock_hass):
"""Test login as existing user."""
manager = await auth.auth_manager_from_config(mock_hass, [{
'type': 'insecure_example',
'users': [{
'username': 'test-user',
'password': 'test-pass',
'name': 'Test Name'
}],
}], [{
'type': 'insecure_example',
'data': [{
'user_id': 'mock-user',
'pin': 'test-pin'
}]
}])
mock_hass.auth = manager
ensure_auth_manager_loaded(manager)
# Add fake user with credentials for example auth provider.
user = MockUser(
id='mock-user',
is_owner=False,
is_active=False,
name='Paulus',
).add_to_auth_manager(manager)
user.credentials.append(auth_models.Credentials(
id='mock-id',
auth_provider_type='insecure_example',
auth_provider_id=None,
data={'username': 'test-user'},
is_new=False,
))
step = await manager.login_flow.async_init(('insecure_example', None))
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
step = await manager.login_flow.async_configure(step['flow_id'], {
'username': 'test-user',
'password': 'test-pass',
})
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
assert step['step_id'] == 'mfa'
with patch('homeassistant.util.dt.utcnow',
return_value=dt_util.utcnow() + SESSION_EXPIRATION):
step = await manager.login_flow.async_configure(step['flow_id'], {
'pin': 'test-pin',
})
# Invalid auth due session timeout
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
assert step['step_id'] == 'mfa'
assert step['errors']['base'] == 'login_expired'
# The second try will fail as well
step = await manager.login_flow.async_configure(step['flow_id'], {
'pin': 'test-pin',
})
assert step['type'] == data_entry_flow.RESULT_TYPE_FORM
assert step['step_id'] == 'mfa'
assert step['errors']['base'] == 'login_expired'
async def test_enable_mfa_for_user(hass, hass_storage):
"""Test enable mfa module for user."""
manager = await auth.auth_manager_from_config(hass, [{
'type': 'insecure_example',
'users': [{
'username': 'test-user',
'password': 'test-pass',
}]
}], [{
'type': 'insecure_example',
'data': [],
}])
step = await manager.login_flow.async_init(('insecure_example', None))
step = await manager.login_flow.async_configure(step['flow_id'], {
'username': 'test-user',
'password': 'test-pass',
})
user = step['result']
assert user is not None
# new user don't have mfa enabled
modules = await manager.async_get_enabled_mfa(user)
assert len(modules) == 0
module = manager.get_auth_mfa_module('insecure_example')
# mfa module don't have data
assert bool(module._data) is False
# test enable mfa for user
await manager.async_enable_user_mfa(user, 'insecure_example',
{'pin': 'test-pin'})
assert len(module._data) == 1
assert module._data[0] == {'user_id': user.id, 'pin': 'test-pin'}
# test get enabled mfa
modules = await manager.async_get_enabled_mfa(user)
assert len(modules) == 1
assert 'insecure_example' in modules
# re-enable mfa for user will override
await manager.async_enable_user_mfa(user, 'insecure_example',
{'pin': 'test-pin-new'})
assert len(module._data) == 1
assert module._data[0] == {'user_id': user.id, 'pin': 'test-pin-new'}
modules = await manager.async_get_enabled_mfa(user)
assert len(modules) == 1
assert 'insecure_example' in modules
# system user cannot enable mfa
system_user = await manager.async_create_system_user('system-user')
with pytest.raises(ValueError):
await manager.async_enable_user_mfa(system_user, 'insecure_example',
{'pin': 'test-pin'})
assert len(module._data) == 1
modules = await manager.async_get_enabled_mfa(system_user)
assert len(modules) == 0
# disable mfa for user
await manager.async_disable_user_mfa(user, 'insecure_example')
assert bool(module._data) is False
# test get enabled mfa
modules = await manager.async_get_enabled_mfa(user)
assert len(modules) == 0
# disable mfa for user don't enabled just silent fail
await manager.async_disable_user_mfa(user, 'insecure_example')