From 241bdb189b454d90c06f56fe9f1e985bbbbedc03 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 23 Jan 2020 01:32:48 +0100
Subject: [PATCH 4/4] more determinism in ratelimit tests

---
 tests/test_idp_oidc.py | 65 ++++++++++++++---------------------------
 1 file changed, 22 insertions(+), 43 deletions(-)

diff --git a/tests/test_idp_oidc.py b/tests/test_idp_oidc.py
index fd0c2b67..ee100fed 100644
--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
@@ -1168,7 +1168,7 @@ def test_filter_api_users(app, oidc_client, admin, simple_user, role_random):
     assert len(response.json['results']) == count
 
 
-def test_resource_owner_password_credential_grant(app, oidc_client, admin, simple_user):
+def test_credentials_grant(app, oidc_client, admin, simple_user):
     cache.clear()
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
     oidc_client.scope = 'openid'
@@ -1214,8 +1214,10 @@ def test_resource_owner_password_credential_grant(app, oidc_client, admin, simpl
     assert all(claims.values())
 
 
-def test_resource_owner_password_credential_grant_ratelimitation_invalid_client(
-        app, oidc_client, admin, simple_user, oidc_settings):
+def test_credentials_grant_ratelimitation_invalid_client(
+        app, oidc_client, admin, simple_user, oidc_settings, freezer):
+    freezer.move_to('2020-01-01')
+
     cache.clear()
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
     oidc_client.save()
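Review bot: The new prologue of test_credentials_grant_ratelimitation_invalid_client, `freezer.move_to('2020-01-01')` followed by the existing `cache.clear()`, does not say why both steps are needed, and the function body continues past the end of this hunk. A comment such as `# pin the clock and drop cached ratelimit counters so every request below lands in one fresh window` would record the intent: presumably the ratelimit bucket key is derived from the current time, so freezing alone does not discard counters left by earlier tests and clearing alone does not stop a window boundary from moving under the loop. The same two-line prologue is added to the other ratelimit tests in this patch and would benefit from the same note.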
@@ -1227,29 +1229,19 @@ def test_resource_owner_password_credential_grant_ratelimitation_invalid_client(
         'username': simple_user.username,
         'password': simple_user.username,
     }
-    attempts = 0
-    dummy_post = RequestFactory().post('/dummy')
-    while attempts < 1000:
-        attempts += 1
-        ratelimited = is_ratelimited(
-            request=dummy_post, group='test-ro-cred-grant', increment=True,
-            key=lambda x, y: '127.0.0.1',
-            rate=oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT)
+    for i in range(int(oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT.split('/')[0])):
         response = app.post(token_url, params=params, status=400)
-        if not ratelimited:
-            assert response.json['error'] == 'invalid_client'
-            assert 'client authentication failed' in response.json['error_description']
-            continue
-        else:
-            assert response.json['error'] == 'invalid_request'
-            assert 'reached rate limitation' in response.json['error_description']
-            break
-    if not ratelimited:
-        assert 0
+        assert response.json['error'] == 'invalid_client'
+        assert 'client authentication failed' in response.json['error_description']
+    response = app.post(token_url, params=params, status=400)
+    assert response.json['error'] == 'invalid_request'
+    assert 'reached rate limitation' in response.json['error_description']
 
 
 def test_credentials_grant_ratelimitation_valid_client(
-        app, oidc_client, admin, simple_user, oidc_settings):
+        app, oidc_client, admin, simple_user, oidc_settings, freezer):
+    freezer.move_to('2020-01-01')
+
     cache.clear()
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
     oidc_client.save()
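Review bot: The loop index in the new `for i in range(int(oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT.split('/')[0])):` is never used, and the same rate-string parsing is repeated verbatim in the valid-client test further down; `for _ in range(_ratelimit_count(oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT)):` with a one-line module-level helper `def _ratelimit_count(rate): return int(rate.split('/')[0])` would make both loops read as "allowed attempts" and keep the parsing in one place. That parse also silently assumes the setting is an `'N/period'` string; if the project ever sets it to None to disable limiting, the test dies with an AttributeError rather than a message saying the ratelimit is off, so the helper is also the natural place for a clear `assert rate` (or a skip). The def line of test_credentials_grant_ratelimitation_invalid_client is in the previous hunk, so its signature is outside this one.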
@@ -1261,28 +1253,17 @@ def test_credentials_grant_ratelimitation_valid_client(
         'username': simple_user.username,
         'password': simple_user.username,
     }
-    attempts = 0
-    dummy_post = RequestFactory().post('/dummy')
-    while attempts < 1000:
-        before = now()
-        attempts += 1
-        ratelimited = is_ratelimited(
-            request=dummy_post, group='test-ro-cred-grant', increment=True,
-            key=lambda x, y: oidc_client.client_id,
-            rate=oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT)
-        if ratelimited:
-            response = app.post(token_url, params=params, status=400)
-            assert response.json['error'] == 'invalid_request'
-            assert 'reached rate limitation' in response.json['error_description']
-            break
-        else:
-            response = app.post(token_url, params=params)
-    if not ratelimited:
-        assert 0
+    for i in range(int(oidc_settings.A2_IDP_OIDC_PASSWORD_GRANT_RATELIMIT.split('/')[0])):
+        app.post(token_url, params=params)
+    response = app.post(token_url, params=params, status=400)
+    assert response.json['error'] == 'invalid_request'
+    assert 'reached rate limitation' in response.json['error_description']
 
 
 def test_credentials_grant_retrytimout(
         app, oidc_client, admin, simple_user, settings, freezer):
+    freezer.move_to('2020-01-01')
+
     cache.clear()
     settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION = 2
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
@@ -1304,9 +1285,7 @@ def test_credentials_grant_retrytimout(
     assert 'too many attempts with erroneous RO password' in response.json['error_description']
 
     # freeze some time after backoff delay expiration
-    today = datetime.date.today()
-    dayafter = today + datetime.timedelta(days=2)
-    freezer.move_to(dayafter.strftime('%Y-%m-%d'))
+    freezer.move_to(datetime.timedelta(days=2))
 
     # obtain a successful login
     params['password'] = simple_user.username
-- 
2.24.0
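Review bot: The new loop body `app.post(token_url, params=params)` discards the response, so the first N valid-client grants are only shown not to raise (webtest's default status check, if `app` is its TestApp) rather than shown to have issued tokens, which is the thing the rate limit is supposed to be counting. Binding the result and asserting on it inside the loop, `response = app.post(token_url, params=params)` followed by `assert 'access_token' in response.json`, pins that the limit triggers after N successful grants and not after N requests that happened to return 2xx for some other reason. As in the invalid-client test, the loop index `i` is unused and `_` reads better. The def line of test_credentials_grant_ratelimitation_valid_client is above this hunk.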
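Review bot: `freezer.move_to(datetime.timedelta(days=2))` depends on move_to treating a timedelta as an offset from the frozen clock rather than as an absolute target, which neither the call nor the comment above it makes obvious; if `freezer` is the pytest-freezegun fixture, `freezer.tick(datetime.timedelta(days=2))` states "advance by two days" directly. Separately, a two-day jump for a backoff configured with `settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION = 2` (unit not visible here) proves only that the lockout eventually expires, not that it expires once the configured duration has elapsed; a jump just past that duration, with a comment naming it, would make the expiry check meaningful. The enclosing function continues outside this hunk.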