sanic-security 1.11.6__py3-none-any.whl → 1.16.6__py3-none-any.whl

sanic_security/test/tests.py

@@ -7,28 +7,30 @@ import httpx
 from sanic_security.configuration import Config
 
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
 
 class RegistrationTest(TestCase):
-    """
-    Registration tests.
-    """
+    """Registration tests."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -58,9 +60,7 @@ class RegistrationTest(TestCase):
         return registration_response
 
     def test_registration(self):
-        """
-        Account registration and login.
-        """
+        """Account registration and login."""
         registration_response = self.register(
             "account_registration@register.test",
             "account_registration",
@@ -76,9 +76,7 @@ class RegistrationTest(TestCase):
         assert login_response.status_code == 200, login_response.text
 
     def test_invalid_registration(self):
-        """
-        Registration with an intentionally invalid email, username, and phone.
-        """
+        """Registration with an intentionally invalid email, username, and phone."""
         invalid_email_registration_response = self.register(
             "invalid_register.test", "invalid_register", False, True
         )
@@ -91,12 +89,6 @@ class RegistrationTest(TestCase):
         assert (
             invalid_phone_registration_response.status_code == 400
         ), invalid_phone_registration_response.text
-        invalid_username_registration_response = self.register(
-            "invalid_user@register.test", "_inVal!d_", False, True
-        )
-        assert (
-            invalid_username_registration_response.status_code == 400
-        ), invalid_username_registration_response.text
         too_many_characters_registration_response = self.register(
             "too_long_user@register.test",
             "this_username_is_too_long_to_be_registered_with",
@@ -108,9 +100,7 @@ class RegistrationTest(TestCase):
         ), too_many_characters_registration_response.text
 
     def test_registration_disabled(self):
-        """
-        Registration and login with a disabled account.
-        """
+        """Registration and login with a disabled account."""
         registration_response = self.register(
             "disabled@register.test", "disabled", True, True
         )
@@ -122,9 +112,7 @@ class RegistrationTest(TestCase):
         assert "DisabledError" in login_response.text, login_response.text
 
     def test_registration_unverified(self):
-        """
-        Registration and login with an unverified account.
-        """
+        """Registration and login with an unverified account."""
         registration_response = self.register(
             "unverified@register.test", "unverified", False, False
         )
@@ -136,9 +124,7 @@ class RegistrationTest(TestCase):
         assert "UnverifiedError" in login_response.text, login_response.text
 
     def test_registration_unverified_disabled(self):
-        """
-        Registration and login with an unverified and disabled account.
-        """
+        """Registration and login with an unverified and disabled account."""
         registration_response = self.register(
             "unverified_disabled@register.test", "unverified_disabled", True, False
         )
@@ -151,9 +137,7 @@ class RegistrationTest(TestCase):
 
 
 class LoginTest(TestCase):
-    """
-    Login tests.
-    """
+    """Login tests."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -162,9 +146,7 @@ class LoginTest(TestCase):
         self.client.close()
 
     def test_login(self):
-        """
-        Login with an email and password.
-        """
+        """Login with an email and password."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "email_pass@login.test", "username": "email_pass"},
@@ -180,9 +162,7 @@ class LoginTest(TestCase):
         assert authenticate_response.status_code == 200, authenticate_response.text
 
     def test_login_with_username(self):
-        """
-        Login with a username instead of an email and password.
-        """
+        """Login with a username instead of an email and password."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "user_pass@login.test", "username": "user_pass"},
@@ -198,9 +178,7 @@ class LoginTest(TestCase):
         assert authenticate_response.status_code == 200, authenticate_response.text
 
     def test_invalid_login(self):
-        """
-        Login with an intentionally incorrect password and into a non existent account.
-        """
+        """Login with an intentionally incorrect password and into a non-existent account."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "incorrect_pass@login.test", "username": "incorrect_pass"},
@@ -221,9 +199,7 @@ class LoginTest(TestCase):
         ), unavailable_account_login_response
 
     def test_logout(self):
-        """
-        Logout of logged in account and attempt to authenticate.
-        """
+        """Logout of logged in account and attempt to authenticate."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "logout@login.test", "username": "logout"},
@@ -240,9 +216,7 @@ class LoginTest(TestCase):
         assert authenticate_response.status_code == 401, authenticate_response.text
 
     def test_initial_admin_login(self):
-        """
-        Initial admin account login and authorization.
-        """
+        """Initial admin account login and authorization."""
         login_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/login",
             auth=("admin@login.test", "admin123"),
@@ -251,8 +225,8 @@ class LoginTest(TestCase):
         permitted_authorization_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/roles",
             data={
-                "role": "Head Admin",
-                "permissions_required": "perm1:create,add, perm2:*",
+                "role": "Root",
+                "permissions_required": ["perm1:create,add", "perm2:*"],
             },
         )
         assert (
@@ -260,9 +234,7 @@ class LoginTest(TestCase):
         ), permitted_authorization_response.text
 
     def test_two_factor_login(self):
-        """
-        Test login with two-factor authentication requirement.
-        """
+        """Test login with two-factor authentication requirement."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "two-factor@login.test", "username": "two-factor"},
@@ -290,11 +262,22 @@ class LoginTest(TestCase):
         )
         assert authenticate_response.status_code == 200, authenticate_response.text
 
+    def test_anonymous_login(self):
+        """Test login of anonymous user."""
+        anon_login_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/login/anon"
+        )
+        assert anon_login_response.status_code == 200, anon_login_response.text
+        authenticate_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth",
+        )
+        assert authenticate_response.status_code == 200, authenticate_response.text
+        logout_response = self.client.post("http://127.0.0.1:8000/api/test/auth/logout")
+        assert logout_response.status_code == 200, logout_response.text
+
 
 class VerificationTest(TestCase):
-    """
-    Two-step verification and captcha tests.
-    """
+    """Two-step verification and captcha tests."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -303,9 +286,7 @@ class VerificationTest(TestCase):
         self.client.close()
 
     def test_captcha(self):
-        """
-        Captcha request and attempt.
-        """
+        """Captcha request and attempt."""
         captcha_request_response = self.client.get(
             "http://127.0.0.1:8000/api/test/capt/request"
         )
@@ -325,9 +306,7 @@ class VerificationTest(TestCase):
         ), captcha_attempt_response.text
 
     def test_two_step_verification(self):
-        """
-        Two-step verification request and attempt.
-        """
+        """Two-step verification request and attempt."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "two_step@verification.test", "username": "two_step"},
@@ -346,26 +325,26 @@ class VerificationTest(TestCase):
         assert (
             two_step_verification_invalid_attempt_response.status_code == 401
         ), two_step_verification_invalid_attempt_response.text
+        two_step_verification_no_email_request_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/two-step/request",
+        )
+        assert (
+            two_step_verification_no_email_request_response.status_code == 200
+        ), two_step_verification_no_email_request_response.text
         two_step_verification_attempt_response = self.client.post(
             "http://127.0.0.1:8000/api/test/two-step",
             data={
-                "code": json.loads(two_step_verification_request_response.text)["data"]
+                "code": json.loads(
+                    two_step_verification_no_email_request_response.text
+                )["data"]
             },
         )
         assert (
             two_step_verification_attempt_response.status_code == 200
         ), two_step_verification_attempt_response.text
-        two_step_verification_no_email_request_response = self.client.post(
-            "http://127.0.0.1:8000/api/test/two-step/request",
-        )
-        assert (
-            two_step_verification_no_email_request_response.status_code == 200
-        ), two_step_verification_no_email_request_response.text
 
     def test_account_verification(self):
-        """
-        Account registration and verification process with successful login.
-        """
+        """Account registration and verification process with successful login."""
         registration_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/register",
             data={
@@ -385,9 +364,7 @@ class VerificationTest(TestCase):
 
 
 class AuthorizationTest(TestCase):
-    """
-    Role and permissions based authorization tests.
-    """
+    """Role and permissions based authorization tests."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -396,9 +373,7 @@ class AuthorizationTest(TestCase):
         self.client.close()
 
     def test_permissions_authorization(self):
-        """
-        Authorization with permissions.
-        """
+        """Authorization with permissions."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "permissions@authorization.test", "username": "permissions"},
@@ -411,24 +386,45 @@ class AuthorizationTest(TestCase):
             "http://127.0.0.1:8000/api/test/auth/roles/assign",
             data={
                 "name": "AuthTestPerms",
-                "permissions": "perm1:create,add, perm2:delete",
+                "permissions": "perm1:create,update, perm2:delete,retrieve, perm3:*",
+            },
+        )
+        permitted_authorization_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/roles",
+            data={
+                "role": "AuthTestPerms",
+                "permissions_required": "perm1:create,update, perm3:retrieve",
             },
         )
+        assert (
+            permitted_authorization_response.status_code == 200
+        ), permitted_authorization_response.text
         permitted_authorization_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/roles",
             data={
                 "role": "AuthTestPerms",
-                "permissions_required": "perm1:create,add, perm2:*",
+                "permissions_required": "perm1:retrieve, perm2:delete",
             },
         )
         assert (
             permitted_authorization_response.status_code == 200
         ), permitted_authorization_response.text
+
+        prohibited_authorization_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/roles",
+            data={
+                "role": "AuthTestPerms",
+                "permissions_required": "perm1:create,retrieve",
+            },
+        )
+        assert (
+            prohibited_authorization_response.status_code == 403
+        ), prohibited_authorization_response.text
         prohibited_authorization_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/roles",
             data={
                 "role": "AuthTestPerms",
-                "permissions_required": "perm2:add, perm1:delete",
+                "permissions_required": "perm1:delete, perm2:create",
             },
         )
         assert (
@@ -436,9 +432,7 @@ class AuthorizationTest(TestCase):
         ), prohibited_authorization_response.text
 
     def test_roles_authorization(self):
-        """
-        Authorization with roles.
-        """
+        """Authorization with roles."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "roles@authorization.test", "username": "roles"},
@@ -468,11 +462,27 @@ class AuthorizationTest(TestCase):
             prohibited_authorization_response.status_code == 403
         ), prohibited_authorization_response.text
 
+    def test_anonymous_authorization(self):
+        """Authorization with anonymous client."""
+        anon_login_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/login/anon"
+        )
+        assert anon_login_response.status_code == 200, anon_login_response.text
+        authenticate_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth",
+        )
+        assert authenticate_response.status_code == 200, authenticate_response.text
+        prohibited_authorization_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/roles",
+            data={"role": "AuthTestPerms"},
+        )
+        assert (
+            prohibited_authorization_response.status_code == 403
+        ), prohibited_authorization_response.text
+
 
 class MiscTest(TestCase):
-    """
-    Miscellaneous tests that cannot be categorized.
-    """
+    """Miscellaneous tests that cannot be categorized."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -481,18 +491,14 @@ class MiscTest(TestCase):
         self.client.close()
 
     def test_environment_variable_load(self):
-        """
-        Config loads environment variables.
-        """
+        """Config loads environment variables."""
         os.environ["SANIC_SECURITY_SECRET"] = "test-secret"
         security_config = Config()
         security_config.load_environment_variables()
         assert security_config.SECRET == "test-secret"
 
     def test_get_associated_sessions(self):
-        """
-        Retrieve sessions associated to logged in account.
-        """
+        """Retrieve sessions associated to logged in account."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={
@@ -505,9 +511,37 @@ class MiscTest(TestCase):
             auth=("get_associated_sessions@misc.test", "password"),
         )
         assert login_response.status_code == 200, login_response.text
-        retrieve_associated_response = self.client.post(
+        retrieve_associated_response = self.client.get(
             "http://127.0.0.1:8000/api/test/auth/associated"
         )
         assert (
             retrieve_associated_response.status_code == 200
         ), retrieve_associated_response.text
+
+    def test_authentication_refresh(self):
+        """Test automatic authentication refresh."""
+        self.client.post(
+            "http://127.0.0.1:8000/api/test/account",
+            data={
+                "email": "refreshed@misc.test",
+                "username": "refreshed",
+            },
+        )
+        login_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/login",
+            auth=("refreshed@misc.test", "password"),
+        )
+        assert login_response.status_code == 200, login_response.text
+        expire_response = self.client.post("http://127.0.0.1:8000/api/test/auth/expire")
+        assert expire_response.status_code == 200, expire_response.text
+        authenticate_refresh_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth",
+        )
+        assert (
+            authenticate_refresh_response.status_code == 200
+        ), authenticate_refresh_response.text
+        assert json.loads(authenticate_refresh_response.text)["data"]["refresh"] is True
+        authenticate_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth",
+        )  # Since session refresh handling is complete, it will be returned as a regular session now.
+        assert authenticate_response.status_code == 200, authenticate_response.text

sanic_security/utils.py

@@ -1,29 +1,44 @@
 import datetime
 import random
-import string
+from string import ascii_uppercase, digits
 
+from argon2 import PasswordHasher
+from captcha.audio import AudioCaptcha
+from captcha.image import ImageCaptcha
 from sanic.request import Request
 from sanic.response import json as sanic_json, HTTPResponse
+from sanic.utils import str_to_bool as sanic_str_to_bool
 
+from sanic_security.configuration import config
 
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-Present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
+image_generator: ImageCaptcha = ImageCaptcha(
+    190, 90, fonts=config.CAPTCHA_FONT.replace(" ", "").split(",")
+)
+audio_generator: AudioCaptcha = AudioCaptcha(voicedir=config.CAPTCHA_VOICE)
+password_hasher: PasswordHasher = PasswordHasher()
+
 
 def get_ip(request: Request) -> str:
     """
@@ -38,31 +53,33 @@ def get_ip(request: Request) -> str:
     return request.remote_addr or request.ip
 
 
-def get_code() -> str:
+def get_code(digits_only: bool = False) -> str:
     """
     Generates random code to be used for verification.
 
+    Args:
+        digits_only: Determines if code should only contain digits.
+
     Returns:
         code
     """
-    return "".join(random.choices(string.digits + string.ascii_uppercase, k=6))
+    return "".join(
+        random.choice(("" if digits_only else ascii_uppercase) + digits)
+        for _ in range(6)
+    )
 
 
-def json(message: str, data, status_code: int = 200) -> HTTPResponse:
+def is_expired(date):
     """
-    A preformatted Sanic json response.
+    Checks if current date has surpassed the date passed into the function.
 
     Args:
-        message (int): Message describing data or relaying human-readable information.
-        data (Any): Raw information to be used by client.
-        status_code (int): HTTP response code.
+        date: The date being checked for expiration.
 
     Returns:
-        json
+        is_expired
     """
-    return sanic_json(
-        {"message": message, "code": status_code, "data": data}, status=status_code
-    )
+    return date and datetime.datetime.now(datetime.timezone.utc) >= date
 
 
 def get_expiration_date(seconds: int) -> datetime.datetime:
@@ -76,7 +93,29 @@ def get_expiration_date(seconds: int) -> datetime.datetime:
         expiration_date
     """
     return (
-        datetime.datetime.utcnow() + datetime.timedelta(seconds=seconds)
+        datetime.datetime.now(datetime.UTC) + datetime.timedelta(seconds=seconds)
         if seconds > 0
         else None
     )
+
+
+def str_to_bool(val: str) -> bool:
+    """Returns false if val is None instead of raising ValueError (Sanic's implementation)."""
+    return sanic_str_to_bool(val) if val else False
+
+
+def json(message: str, data, status_code: int = 200) -> HTTPResponse:
+    """
+    A preformatted Sanic json response.
+
+    Args:
+        message (str): Message describing data or relaying human-readable information.
+        data (Any): Raw information to be used by client.
+        status_code (int): HTTP response code.
+
+    Returns:
+        json
+    """
+    return sanic_json(
+        {"message": message, "code": status_code, "data": data}, status=status_code
+    )