For SQLAlchemy to automatically understand updates from the
external world, it must use an `autocommit=True` in its session.
This change breaks how we were using commit previously, as
`autocommit=True` causes SQLAlchemy to commit when a
SessionTransaction context hits __exit__.
So, a refactoring was required of our tests: All usage of
any `db.{create,delete}` must be called **within** a
SessionTransaction context, created via new `db.begin()`.
From this point forward, we're going to require:
```
with db.begin():
db.create(...)
db.delete(...)
db.session.delete(object)
```
With this, we now get external DB modifications automatically
without reloading or restarting the FastAPI server, which we
absolutely need for production.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This function adds f"SameSite={value}" to each cookie's header
stored in response.
This is needed because starlette does not currently support
the `samesite` argument in Response.set_cookie. It is merged,
however, and waiting for next release.
Signed-off-by: Kevin Morris <kevr@0cost.org>
We'll piggyback off of the current existing configuration item,
`disable_http_login`, to decide how we should submit cookies to
an HTTP response.
Previously, in `sso.py`, the http schema was used to make this
decision. There is an issue with that, however: We cannot actually
test properly if we depend on the https schema.
This change allows us to toggle `disable_http_login` to modify
the behavior of cookies sent with an http response to be secure.
We test this behavior in test/test_auth_routes.py#L81:
`test_secure_login(mock)`.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Some of these tests were written before some of our convenient
tooling existed. Additionally, some of the tests were not
cooperating with PEP-8 guidelines or isorted.
This commit does the following:
- Replaces all calls to make_(user|session) with
aurweb.db.create(Model, ...).
- Replace calls to session.add(...) + session.commit() with
aurweb.db.create.
- Removes the majority of calls to (session|aurweb.db).delete(...).
- Replaces session.query calls with aurweb.db.query.
- Initializes all mutable globals in pytest fixture setup().
- Makes mutable global declarations more concise:
`var1, var2 = None, None` -> `var1 = var2 = None`
- Defines a warning exclusion for test/test_ssh_pub_key.py.
- Removes the aurweb.testing.models module.
- Removes some useless pytest.fixture yielding.
As of this commit, developers should use the following guidelines
when writing tests:
- Always use aurweb.db.(create|delete|query) for database
operations, where possible.
- Always define mutable globals in the style: `var1 = var2 = None`.
- `yield` the most dependent model in pytest setup fixture **iff**
you must delete records after test runs to maintain database
integrity. Example: test/test_account_type.py.
This all makes the test code look and behave much cleaner.
Previously, aurweb.testing.setup_test_db was buggy and leaving
objects around in SQLAlchemy's IdentityMap.
Signed-off-by: Kevin Morris <kevr@0cost.org>
Introduced `get|post` `/passreset` routes. These routes mimic the
behavior of the existing PHP implementation, with the exception of
HTTP status code returns.
Routes added:
GET /passreset
POST /passreset
Routers added:
aurweb.routers.accounts
* On an unknown user or mismatched resetkey (where resetkey must ==
user.resetkey), return HTTP status NOT_FOUND (404).
* On another error in the request, return HTTP status BAD_REQUEST (400).
Both `get|post` routes requires that the current user is **not**
authenticated, hence `@auth_required(False, redirect="/")`.
+ Added auth_required decorator to aurweb.auth.
+ Added some more utility to aurweb.models.user.User.
+ Added `partials/error.html` template.
+ Added `passreset.html` template.
+ Added aurweb.db.ConnectionExecutor functor for paramstyle logic.
Decoupling the executor logic from the database connection logic
is needed for us to easily use the same logic with a fastapi
database session, when we need to use aurweb.scripts modules.
At this point, notification configuration is now required to complete
tests involved with notifications properly, like passreset.
`conf/config.dev` has been modified to include [notifications] sendmail,
sender and reply-to overrides. Dockerfile and .gitlab-ci.yml have been
updated to setup /etc/hosts and start postfix before running tests.
* setup.cfg: ignore E741, C901 in aurweb.routers.accounts
These two warnings (shown in the commit) are not dangerous and a bi-product
of maintaining compatibility with our current code flow.
Signed-off-by: Kevin Morris <kevr@0cost.org>
+ Added route: GET `/login` via `aurweb.routers.auth.login_get`
+ Added route: POST `/login` via `aurweb.routers.auth.login_post`
+ Added route: GET `/logout` via `aurweb.routers.auth.logout`
+ Added route: POST `/logout` via `aurweb.routers.auth.logout_post`
* Modify archdev-navbar.html template to toggle displays on auth state
+ Added login.html template
Signed-off-by: Kevin Morris <kevr@0cost.org>
