🎨 [#1637] added disable_admin_mfa directly in tests

open-zaak · Jun 4, 2024 · 26749c7 · 26749c7
1 parent 37ad034
commit 26749c7
Show file tree

Hide file tree

Showing 8 changed files with 89 additions and 25 deletions.
diff --git a/src/nrc/accounts/tests/factories.py b/src/nrc/accounts/tests/factories.py
@@ -1,14 +1,49 @@
 import factory
+from django_otp.plugins.otp_static.models import StaticDevice, StaticToken
+from django_otp.util import random_hex
+
+
+class TOTPDeviceFactory(factory.django.DjangoModelFactory):
+    user = factory.SubFactory("nrc.accounts.tests.factories.UserFactory")
+    key = factory.LazyAttribute(lambda o: random_hex())
+
+    class Meta:
+        model = "otp_totp.TOTPDevice"
 
 
 class UserFactory(factory.django.DjangoModelFactory):
     username = factory.Sequence(lambda n: f"user-{n}")
     password = factory.PostGenerationMethodCall("set_password", "secret")
 
+    class Params:
+        with_totp_device = factory.Trait(
+            device=factory.RelatedFactory(
+                TOTPDeviceFactory,
+                "user",
+                name="default",
+            )
+        )
+
     class Meta:
         model = "accounts.User"
 
 
 class SuperUserFactory(UserFactory):
     is_staff = True
     is_superuser = True
+
+
+class RecoveryDeviceFactory(factory.django.DjangoModelFactory):
+    user = factory.SubFactory("nrc.accounts.tests.factories.UserFactory")
+    name = "backup"
+
+    class Meta:
+        model = StaticDevice
+
+
+class RecoveryTokenFactory(factory.django.DjangoModelFactory):
+    device = factory.SubFactory(RecoveryDeviceFactory)
+    token = factory.LazyFunction(StaticToken.random_token)
+
+    class Meta:
+        model = StaticToken
diff --git a/src/nrc/accounts/tests/test_admin.py b/src/nrc/accounts/tests/test_admin.py
@@ -0,0 +1,45 @@
+from django.test import override_settings, tag
+from django.urls import reverse, reverse_lazy
+from django.utils.translation import gettext
+
+from django_webtest import WebTest
+
+from nrc.accounts.tests.factories import RecoveryTokenFactory, SuperUserFactory
+
+LOGIN_URL = reverse_lazy("admin:login")
+
+
+@override_settings(
+    USE_OIDC_FOR_ADMIN_LOGIN=False,
+    MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS=[],  # enforce MFA
+)
+class RecoveryTokenTests(WebTest):
+    @tag("gh-4072")
+    def test_can_enter_recovery_token(self):
+        user = SuperUserFactory.create(
+            with_totp_device=True,
+            username="admin",
+            password="admin",
+        )
+        recovery_token = RecoveryTokenFactory.create(device__user=user).token
+        login_page = self.app.get(LOGIN_URL, auto_follow=True)
+
+        # log in with credentials
+        form = login_page.forms["login-form"]
+        form["auth-username"] = "admin"
+        form["auth-password"] = "admin"
+        response = form.submit()
+
+        # we should now be on the enter-your-token page
+        form = response.forms["login-form"]
+        self.assertIn("token-otp_token", form.fields)
+
+        # do not enter a token, but follow the link to use a recovery token
+        link_name = gettext("Use a recovery token")
+        recovery_page = response.click(description=link_name)
+        self.assertEqual(recovery_page.status_code, 200)
+
+        recovery_form = recovery_page.forms[0]
+        recovery_form["backup-otp_token"] = recovery_token
+        admin_index = recovery_form.submit().follow()
+        self.assertEqual(admin_index.request.path, reverse("admin:index"))
diff --git a/src/nrc/accounts/tests/test_oidc.py b/src/nrc/accounts/tests/test_oidc.py
@@ -1,11 +1,12 @@
 from django.urls import reverse
 from django.utils.translation import gettext as _
 
+from django_webtest import WebTest
+from maykin_2fa.test import disable_admin_mfa
 from mozilla_django_oidc_db.models import OpenIDConnectConfig
 
-from nrc.utils.webtest import WebTest
-
 
+@disable_admin_mfa()
 class OIDCLoginButtonTestCase(WebTest):
     def test_oidc_button_disabled(self):
         config = OpenIDConnectConfig.get_solo()

diff --git a/src/nrc/templates/maykin_2fa/base.html b/src/nrc/templates/maykin_2fa/base.html
diff --git a/src/nrc/templates/maykin_2fa/login.html b/src/nrc/templates/maykin_2fa/login.html
@@ -16,8 +16,3 @@
     {% trans 'Contact support to start the account recovery process' %}
 </li>
 {% endblock extra_recovery_options %}
-
-{# Do not show any version information #}
-{% block footer %}
-    <div id="footer"></div>
-{% endblock %}
diff --git a/src/nrc/tests/admin/test_notifications.py b/src/nrc/tests/admin/test_notifications.py
@@ -6,7 +6,9 @@
 from django.urls import reverse
 from django.utils.timezone import now
 
+from django_webtest import WebTest
 from freezegun import freeze_time
+from maykin_2fa.test import disable_admin_mfa
 
 from nrc.accounts.tests.factories import SuperUserFactory
 from nrc.datamodel.models import Notificatie, NotificatieResponse
@@ -17,9 +19,9 @@
     NotificatieFactory,
     NotificatieResponseFactory,
 )
-from nrc.utils.webtest import WebTest
 
 
+@disable_admin_mfa()
 @freeze_time("2022-01-01T12:00:00")
 @override_settings(
     LOG_NOTIFICATIONS_IN_DB=True,

diff --git a/src/nrc/tests/test_oidc_middleware.py b/src/nrc/tests/test_oidc_middleware.py
@@ -3,12 +3,14 @@
 
 from django.urls import reverse
 
+from django_webtest import WebTest
+from maykin_2fa.test import disable_admin_mfa
 from mozilla_django_oidc_db.models import OpenIDConnectConfig
 
 from nrc.accounts.tests.factories import SuperUserFactory
-from nrc.utils.webtest import WebTest
 
 
+@disable_admin_mfa()
 class AdminSessionRefreshMiddlewareTests(WebTest):
     @patch(
         "mozilla_django_oidc_db.mixins.OpenIDConnectConfig.get_solo",

diff --git a/src/nrc/utils/webtest.py b/src/nrc/utils/webtest.py