From f2d300927989acf9bcff35e8b0b284d6e96caea8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Dlouh=C3=BD?=
Date: Thu, 24 Nov 2022 14:11:17 +0100
Subject: [PATCH] add user_agent test, fix get_client_parameters tests
---
 tests/test_helpers.py | 5 ++---
 tests/test_login.py | 21 +++++++++++++++++----
 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/tests/test_helpers.py b/tests/test_helpers.py
index 30a216d7..1da372d5 100644
--- a/tests/test_helpers.py
+++ b/tests/test_helpers.py
@@ -329,7 +329,7 @@ def test_get_filter_kwargs_user_or_ip(self):
 def test_get_filter_kwargs_ip_and_agent(self):
 self.assertEqual(
 get_client_parameters(self.username, self.ip_address, self.user_agent),
- [{"ip_address": self.ip_address}, {"user_agent": self.user_agent}],
+ [{"ip_address": self.ip_address, "user_agent": self.user_agent}],
 )
 @override_settings(
@@ -341,8 +341,7 @@ def test_get_filter_kwargs_user_ip_agent(self):
 self.assertEqual(
 get_client_parameters(self.username, self.ip_address, self.user_agent),
 [
- {"username": self.username, "ip_address": self.ip_address},
- {"user_agent": self.user_agent},
+ {"username": self.username, "ip_address": self.ip_address, "user_agent": self.user_agent},
 ],
 )
diff --git a/tests/test_login.py b/tests/test_login.py
index 07d5a458..29211e29 100644
--- a/tests/test_login.py
+++ b/tests/test_login.py
@@ -86,7 +86,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 ALLOWED = 302
 BLOCKED = 403
- def _login(self, username, password, ip_addr="127.0.0.1", **kwargs):
+ def _login(self, username, password, ip_addr="127.0.0.1", user_agent="test-browser", **kwargs):
 """
 Login a user and get the response.
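Review bot: In `test_get_filter_kwargs_ip_and_agent` the new expected value puts `user_agent` in the same dict as `ip_address`, and nothing in the test says what that means for lockout matching. Judging only from the expected values here and in `test_get_filter_kwargs_user_ip_agent`, keys inside one dict appear to be matched together while separate list entries are alternatives, so the user agent now narrows the IP match instead of being a criterion of its own. A comment above the assertion would pin that intent, for example `# user_agent is matched together with ip_address, never as a separate criterion`.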
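Review bot: The rewritten expectation in `test_get_filter_kwargs_user_ip_agent` is a single very long line, whereas the lines it replaces were wrapped. Wrapping the dict with one key per line inside the braces would keep the three criteria readable. The same applies to the new `_login` signature, to the `self._login(` call in `_lockout_user_from_ip` (whose trailing comma after `user_agent=user_agent,` sits on a one-line argument list), and to the three long calls in the new test in tests/test_login.py. Running the project's formatter over both files would likely fix all of them.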
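Review bot: `_login` gains a `user_agent` parameter, but the docstring that opens in this hunk still begins with only "Login a user and get the response."; the rest of the docstring lies outside the hunk and should be checked. If it describes the other arguments, add a matching sentence such as `User agent can be configured to test lockouts that depend on AXES_USE_USER_AGENT.` The default of `"test-browser"` keeps the header value that was hard-coded before, so existing callers are unaffected.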
@@ -101,13 +101,13 @@ def _login(self, username, password, ip_addr="127.0.0.1", **kwargs):
 reverse("admin:login"),
 post_data,
 REMOTE_ADDR=ip_addr,
- HTTP_USER_AGENT="test-browser",
+ HTTP_USER_AGENT=user_agent,
 )
- def _lockout_user_from_ip(self, username, ip_addr):
+ def _lockout_user_from_ip(self, username, ip_addr, user_agent="test-browser"):
 for _ in range(settings.AXES_FAILURE_LIMIT):
 response = self._login(
- username=username, password=self.WRONG_PASSWORD, ip_addr=ip_addr
+ username=username, password=self.WRONG_PASSWORD, ip_addr=ip_addr, user_agent=user_agent,
 )
 return response
@@ -368,6 +368,19 @@ def test_lockout_by_user_and_ip_with_empty_username_allows_other_users_without_c
 response = self.client.get(reverse("admin:login"), REMOTE_ADDR=self.IP_1)
 self.assertContains(response, self.LOGIN_FORM_KEY, status_code=200, html=True)
+ @override_settings(AXES_USE_USER_AGENT=True)
+ def test_lockout_by_user_still_allows_login_with_differnet_user_agent(self):
+ # User with empty username is locked out with "test-browser" user agent.
+ self._lockout_user_from_ip(username="username", ip_addr=self.IP_1, user_agent="test-browser")
+
+ # Test he is locked:
+ response = self._login("username", self.VALID_PASSWORD, ip_addr=self.IP_1, user_agent="test-browser")
+ self.assertEqual(response.status_code, self.BLOCKED)
+
+ # Test with another user agent:
+ response = self._login("username", self.VALID_PASSWORD, ip_addr=self.IP_1, user_agent="test-browser-2")
+ self.assertEqual(response.status_code, self.ATTEMPT_NOT_BLOCKED)
+
 # Test for true and false positives when blocking by IP *OR* user (default)
 # With cache enabled. Default criteria.
 def test_lockout_by_ip_blocks_when_same_user_same_ip_using_cache(self):
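Review bot: `_lockout_user_from_ip` has no docstring, and its name mentions only the IP although it now also fixes the user agent used for every failed attempt. A one-line docstring would document the helper without a rename, for example `"""Fail AXES_FAILURE_LIMIT logins for username from ip_addr with user_agent and return the last response."""`. The whole helper is visible in this hunk, so the docstring can go directly under the new `def` line.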
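Review bot: The first comment in `test_lockout_by_user_still_allows_login_with_differnet_user_agent` says the user has an empty username, but the call passes `username="username"`, so it reads as a leftover from the preceding test; `# "username" is locked out from IP_1 with the "test-browser" user agent.` would match the code. The test name has a typo (`differnet`) and promises that login is allowed, while the last assertion checks `self.ATTEMPT_NOT_BLOCKED` rather than `self.ALLOWED`. Whether "username" is an existing account is not visible in this hunk, so either rename the test to say the attempt is not blocked, or log in as the valid user and assert `self.ALLOWED`. Because the User-Agent header is chosen by the client, it is also worth a comment that with `AXES_USE_USER_AGENT=True` a request with a different header value is not covered by the existing lockout, which is exactly what the final assertion pins.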