Diffstat (limited to 'tests/test_auth_password.py')
-rw-r--r--tests/test_auth_password.py211
1 files changed, 211 insertions, 0 deletions
diff --git a/tests/test_auth_password.py b/tests/test_auth_password.py
new file mode 100644
index 0000000..7c2064a
--- /dev/null
+++ b/tests/test_auth_password.py
@@ -0,0 +1,211 @@
+import pytest
+from fxa.crypto import derive_key, quick_stretch_password
+from fxa.errors import ClientError
+
+from api import *
+
+@pytest.mark.parametrize("args", [
+ { 'email': "", 'oldAuthPW': '00' * 32 },
+ { 'email': "test0@test", 'oldAuthPW': '00' },
+ { 'email': "test0@test", 'oldAuthPW': '00' * 32, 'extra': 0 },
+])
+def test_change_start_invalid(account, args):
+ with pytest.raises(ClientError) as e:
+ account.post_a("/password/change/start", args)
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 107,
+ 'error': 'Bad Request',
+ 'message': 'invalid parameter in request body'
+ }
+
+def test_change_start_badaccount(account):
+ with pytest.raises(ClientError) as e:
+ account.post_a("/password/change/start", { 'email': "test0@test", 'oldAuthPW': '00' * 32 })
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 102,
+ 'error': 'Bad Request',
+ 'message': 'unknown account'
+ }
+ with pytest.raises(ClientError) as e:
+ account.post_a("/password/change/start", { 'email': account.email.upper(), 'oldAuthPW': '00' * 32 })
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 120,
+ 'error': 'Bad Request',
+ 'message': 'incorrect email case'
+ }
+
+def test_change_start_unverified(unverified_account):
+ with pytest.raises(ClientError) as e:
+ unverified_account.post_a("/password/change/start", {
+ 'email': unverified_account.email,
+ 'oldAuthPW': '00' * 32
+ })
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 104,
+ 'error': 'Bad Request',
+ 'message': 'unverified account'
+ }
+
+def test_change_start_badpw(account):
+ with pytest.raises(ClientError) as e:
+ account.post_a("/password/change/start", { 'email': account.email, 'oldAuthPW': '00' * 32 })
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 103,
+ 'error': 'Bad Request',
+ 'message': 'incorrect password'
+ }
+
+@pytest.fixture
+def change_token(account):
+ pw = auth_pw(account.email, "")
+ resp = account.post_a("/password/change/start", { 'email': account.email, 'oldAuthPW': pw })
+ assert 'keyFetchToken' in resp
+ return PasswordChange(account.client, resp['passwordChangeToken'])
+
+@pytest.mark.parametrize("args", [
+ { 'authPW': '00', 'wrapKb': '00' * 32, 'sessionToken': '00' * 32, },
+ { 'authPW': '00' * 32, 'wrapKb': '00', 'sessionToken': '00' * 32, },
+ { 'authPW': '00' * 32, 'wrapKb': '00' * 32, 'sessionToken': '00', },
+])
+def test_change_finish_invalid(change_token, args):
+ with pytest.raises(ClientError) as e:
+ change_token.post_a("/password/change/finish", args)
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 107,
+ 'error': 'Bad Request',
+ 'message': 'invalid parameter in request body'
+ }
+
+def test_change_finish(account, change_token, mail_server):
+ pw = auth_pw(account.email, "new")
+ change_token.post_a("/password/change/finish", {
+ 'authPW': pw,
+ 'wrapKb': '00' * 32,
+ })
+ account.password = "new" # for fixture teardown
+ (to, body) = mail_server.wait()
+ assert account.email in to
+ assert 'password has been changed' in body
+
+ # just do a login test to see that the password was really changed
+ account.login(account.email, "new")
+ with pytest.raises(ClientError) as e:
+ account.login(account.email, "")
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 103,
+ 'error': 'Bad Request',
+ 'message': 'incorrect password'
+ }
+
+def test_change_finish_twice(account, change_token, mail_server):
+ pw = auth_pw(account.email, "new")
+ change_token.post_a("/password/change/finish", {
+ 'authPW': pw,
+ 'wrapKb': '00' * 32,
+ })
+ account.password = "new" # for fixture teardown
+
+ with pytest.raises(ClientError) as e:
+ change_token.post_a("/password/change/finish", {
+ 'authPW': pw,
+ 'wrapKb': '00' * 32,
+ })
+ assert e.value.details == {
+ 'code': 401,
+ 'errno': 109,
+ 'error': 'Unauthorized',
+ 'message': 'invalid request signature'
+ }
+
+@pytest.mark.parametrize("args", [
+ { 'email': "" },
+ { 'email': "test0@test", 'extra': 0 },
+])
+def test_forgot_start_invalid(account, args):
+ with pytest.raises(ClientError) as e:
+ account.post_a("/password/forgot/send_code", args)
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 107,
+ 'error': 'Bad Request',
+ 'message': 'invalid parameter in request body'
+ }
+
+def test_change_forgot_badaccount(account):
+ with pytest.raises(ClientError) as e:
+ account.post_a("/password/forgot/send_code", { 'email': "test0@test" })
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 102,
+ 'error': 'Bad Request',
+ 'message': 'unknown account'
+ }
+ with pytest.raises(ClientError) as e:
+ account.post_a("/password/forgot/send_code", { 'email': account.email.upper() })
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 120,
+ 'error': 'Bad Request',
+ 'message': 'incorrect email case'
+ }
+
+def test_change_forgot_unverified(unverified_account):
+ with pytest.raises(ClientError) as e:
+ unverified_account.post_a("/password/forgot/send_code", { 'email': unverified_account.email })
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 104,
+ 'error': 'Bad Request',
+ 'message': 'unverified account'
+ }
+
+@pytest.mark.parametrize("args", [
+ { 'code': '', 'extra': 0, },
+])
+def test_forgot_finish_invalid(change_token, args):
+ with pytest.raises(ClientError) as e:
+ change_token.post_a("/password/forgot/send_code", args)
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 107,
+ 'error': 'Bad Request',
+ 'message': 'invalid parameter in request body'
+ }
+
+def test_forgot_finish_badcode(account, forgot_token, mail_server):
+ (to, body) = mail_server.wait()
+ assert account.email in to
+ with pytest.raises(ClientError) as e:
+ resp = forgot_token.post_a("/password/forgot/verify_code", { 'code': '' })
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 105,
+ 'error': 'Bad Request',
+ 'message': 'invalid verification code'
+ }
+
+def test_forgot_finish(account, forgot_token, mail_server):
+ (to, body) = mail_server.wait()
+ assert account.email in to
+ resp = forgot_token.post_a("/password/forgot/verify_code", { 'code': body.strip() })
+ assert 'accountResetToken' in resp
+
+def test_forgot_finish_twice(account, forgot_token, mail_server):
+ (to, body) = mail_server.wait()
+ forgot_token.post_a("/password/forgot/verify_code", { 'code': body.strip() })
+
+ with pytest.raises(ClientError) as e:
+ forgot_token.post_a("/password/forgot/verify_code", { 'code': body.strip() })
+ assert e.value.details == {
+ 'code': 401,
+ 'errno': 109,
+ 'error': 'Unauthorized',
+ 'message': 'invalid request signature'
+ }
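Review bot: `test_forgot_finish_invalid` never reaches the code-verification endpoint: it takes the `change_token` fixture and posts to `/password/forgot/send_code`, so the errno 107 it asserts most likely comes from send_code rejecting a body with no `email`, and request-body validation on `/password/forgot/verify_code` stays uncovered. It should take `forgot_token` and call `forgot_token.post_a("/password/forgot/verify_code", args)`, as the other forgot_finish tests do. Relatedly, `test_forgot_finish_badcode` only submits an empty code; adding a well-formed but wrong code would pin the 105 path, which is the one that matters for resisting reset-code guessing. The `change_token` fixture also asserts `'keyFetchToken' in resp` but then reads `resp['passwordChangeToken']`, so the assertion should name the key it actually uses.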