From 201efc924fb66d14592adaa229b87740043e13e2 Mon Sep 17 00:00:00 2001 From: Bast Date: Sat, 19 Sep 2020 12:15:22 -0700 Subject: Add feature to token_remover: log detected user ID, and ping if it's a user in the server Updated tests This comes with a change that a user ID must actually be able to be decoded into an integer to be considered a valid token --- tests/bot/cogs/test_token_remover.py | 45 +++++++++++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 6 deletions(-) (limited to 'tests') diff --git a/tests/bot/cogs/test_token_remover.py b/tests/bot/cogs/test_token_remover.py index 3349caa73..275350144 100644 --- a/tests/bot/cogs/test_token_remover.py +++ b/tests/bot/cogs/test_token_remover.py @@ -22,6 +22,7 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.msg = MockMessage(id=555, content="hello world") self.msg.channel.mention = "#lemonade-stand" + self.msg.guild.get_member = MagicMock(return_value="Bob") self.msg.author.__str__ = MagicMock(return_value=self.msg.author.name) self.msg.author.avatar_url_as.return_value = "picture-lemon.png" @@ -230,15 +231,41 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): results = [match[0] for match in results] self.assertCountEqual((token_1, token_2), results) - @autospec("bot.cogs.token_remover", "LOG_MESSAGE") - def test_format_log_message(self, log_message): + @autospec("bot.cogs.token_remover", "LOG_MESSAGE", "DECODED_LOG_MESSAGE") + def test_format_log_message(self, log_message, decoded_log_message): + """Should correctly format the log message with info from the message and token.""" + token = Token("NDcyMjY1OTQzMDYyNDEzMzMy", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") + log_message.format.return_value = "Howdy" + decoded_log_message.format.return_value = " Partner" + + return_value = TokenRemover.format_log_message(self.msg, token, 472265943062413332, None) + + self.assertEqual( + return_value, + log_message.format.return_value + "\n" + decoded_log_message.format.return_value, + ) + log_message.format.assert_called_once_with( + author=self.msg.author, + author_id=self.msg.author.id, + channel=self.msg.channel.mention, + user_id=token.user_id, + timestamp=token.timestamp, + hmac="x" * len(token.hmac), + ) + + @autospec("bot.cogs.token_remover", "LOG_MESSAGE", "USER_TOKEN_MESSAGE") + def test_format_log_message_user_token(self, log_message, user_token_message): """Should correctly format the log message with info from the message and token.""" token = Token("NDY3MjIzMjMwNjUwNzc3NjQx", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") log_message.format.return_value = "Howdy" + user_token_message.format.return_value = "Partner" - return_value = TokenRemover.format_log_message(self.msg, token) + return_value = TokenRemover.format_log_message(self.msg, token, 467223230650777641, "Bob") - self.assertEqual(return_value, log_message.format.return_value) + self.assertEqual( + return_value, + log_message.format.return_value + "\n" + user_token_message.format.return_value, + ) log_message.format.assert_called_once_with( author=self.msg.author, author_id=self.msg.author.id, @@ -247,6 +274,10 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): timestamp=token.timestamp, hmac="x" * len(token.hmac), ) + user_token_message.format.assert_called_once_with( + user_id=467223230650777641, + user_name="Bob", + ) @mock.patch.object(TokenRemover, "mod_log", new_callable=mock.PropertyMock) @autospec("bot.cogs.token_remover", "log") @@ -256,6 +287,7 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): cog = TokenRemover(self.bot) mod_log = mock.create_autospec(ModLog, spec_set=True, instance=True) token = mock.create_autospec(Token, spec_set=True, instance=True) + token.user_id = "no-id" log_msg = "testing123" mod_log_property.return_value = mod_log @@ -268,7 +300,7 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): token_remover.DELETION_MESSAGE_TEMPLATE.format(mention=self.msg.author.mention) ) - format_log_message.assert_called_once_with(self.msg, token) + format_log_message.assert_called_once_with(self.msg, token, None, "Bob") logger.debug.assert_called_with(log_msg) self.bot.stats.incr.assert_called_once_with("tokens.removed_tokens") @@ -279,7 +311,8 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): title="Token removed!", text=log_msg, thumbnail=self.msg.author.avatar_url_as.return_value, - channel_id=constants.Channels.mod_alerts + channel_id=constants.Channels.mod_alerts, + ping_everyone=True, ) @mock.patch.object(TokenRemover, "mod_log", new_callable=mock.PropertyMock) -- cgit v1.2.3 From 83e17627d3fa4e0eb135b5039decd02eaf3d060c Mon Sep 17 00:00:00 2001 From: Bast Date: Sat, 19 Sep 2020 12:16:40 -0700 Subject: Make token_remover check basic HMAC validity (not low entropy) Handles cases like xxx.xxxxx.xxxxxxxx where a user has intentionally censored part of a token, and will not consider them "valid" --- bot/cogs/token_remover.py | 21 ++++++++++++++++++- tests/bot/cogs/test_token_remover.py | 40 +++++++++++++++++++++++++++++++----- 2 files changed, 55 insertions(+), 6 deletions(-) (limited to 'tests') diff --git a/bot/cogs/token_remover.py b/bot/cogs/token_remover.py index 93ceda6be..17778b415 100644 --- a/bot/cogs/token_remover.py +++ b/bot/cogs/token_remover.py @@ -1,5 +1,6 @@ import base64 import binascii +import collections import logging import re import typing as t @@ -153,7 +154,9 @@ class TokenRemover(Cog): # token check (e.g. `message.channel.send` also matches our token pattern) for match in TOKEN_RE.finditer(msg.content): token = Token(*match.groups()) - if cls.is_valid_user_id(token.user_id) and cls.is_valid_timestamp(token.timestamp): + if cls.is_valid_user_id(token.user_id) \ + and cls.is_valid_timestamp(token.timestamp) \ + and cls.is_maybevalid_hmac(token.hmac): # Short-circuit on first match return token @@ -214,6 +217,22 @@ class TokenRemover(Cog): log.debug(f"Invalid token timestamp '{b64_content}': smaller than Discord epoch") return False + @staticmethod + def is_maybevalid_hmac(b64_content: str) -> bool: + """ + Determine if a given hmac portion of a token is potentially valid. + + If the HMAC has 3 or less characters, it's probably a dummy value like "xxxxxxxxxx", + and thus the token can probably be skipped. + """ + unique = len(collections.Counter(b64_content.lower()).keys()) + if unique <= 3: + log.debug(f"Considering the hmac {b64_content} a dummy because it has {unique}" + " case-insensitively unique characters") + return False + else: + return True + def setup(bot: Bot) -> None: """Load the TokenRemover cog.""" diff --git a/tests/bot/cogs/test_token_remover.py b/tests/bot/cogs/test_token_remover.py index 275350144..56d269105 100644 --- a/tests/bot/cogs/test_token_remover.py +++ b/tests/bot/cogs/test_token_remover.py @@ -86,6 +86,34 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): result = TokenRemover.is_valid_timestamp(timestamp) self.assertFalse(result) + def test_is_valid_hmac_valid(self): + """Should consider hmac valid if it is a valid hmac with a variety of characters.""" + valid_hmacs = ( + "VXmErH7j511turNpfURmb0rVNm8", + "Ysnu2wacjaKs7qnoo46S8Dm2us8", + "sJf6omBPORBPju3WJEIAcwW9Zds", + "s45jqDV_Iisn-symw0yDRrk_jf4", + ) + + for hmac in valid_hmacs: + with self.subTest(msg=hmac): + result = TokenRemover.is_maybevalid_hmac(hmac) + self.assertTrue(result) + + def test_is_invalid_hmac_invalid(self): + """Should consider hmac invalid if it possesses too little variety.""" + invalid_hmacs = ( + ("xxxxxxxxxxxxxxxxxx", "Single character"), + ("XxXxXxXxXxXxXxXxXx", "Single character alternating case"), + ("ASFasfASFasfASFASsf", "Three characters alternating-case"), + ("asdasdasdasdasdasdasd", "Three characters one case"), + ) + + for hmac, msg in invalid_hmacs: + with self.subTest(msg=msg): + result = TokenRemover.is_maybevalid_hmac(hmac) + self.assertFalse(result) + def test_mod_log_property(self): """The `mod_log` property should ask the bot to return the `ModLog` cog.""" self.bot.get_cog.return_value = 'lemon' @@ -143,11 +171,11 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.assertIsNone(return_value) token_re.finditer.assert_called_once_with(self.msg.content) - @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp") + @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp", "is_maybevalid_hmac") @autospec("bot.cogs.token_remover", "Token") @autospec("bot.cogs.token_remover", "TOKEN_RE") - def test_find_token_valid_match(self, token_re, token_cls, is_valid_id, is_valid_timestamp): - """The first match with a valid user ID and timestamp should be returned as a `Token`.""" + def test_find_token_valid_match(self, token_re, token_cls, is_valid_id, is_valid_timestamp, is_maybevalid_hmac): + """The first match with a valid user ID. timestamp and hmac should be returned as a `Token`.""" matches = [ mock.create_autospec(Match, spec_set=True, instance=True), mock.create_autospec(Match, spec_set=True, instance=True), @@ -161,21 +189,23 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): token_cls.side_effect = tokens is_valid_id.side_effect = (False, True) # The 1st match will be invalid, 2nd one valid. is_valid_timestamp.return_value = True + is_maybevalid_hmac.return_value = True return_value = TokenRemover.find_token_in_message(self.msg) self.assertEqual(tokens[1], return_value) token_re.finditer.assert_called_once_with(self.msg.content) - @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp") + @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp", "is_maybevalid_hmac") @autospec("bot.cogs.token_remover", "Token") @autospec("bot.cogs.token_remover", "TOKEN_RE") - def test_find_token_invalid_matches(self, token_re, token_cls, is_valid_id, is_valid_timestamp): + def test_find_token_invalid_matches(self, token_re, token_cls, is_valid_id, is_valid_timestamp, is_maybevalid_hmac): """None should be returned if no matches have valid user IDs or timestamps.""" token_re.finditer.return_value = [mock.create_autospec(Match, spec_set=True, instance=True)] token_cls.return_value = mock.create_autospec(Token, spec_set=True, instance=True) is_valid_id.return_value = False is_valid_timestamp.return_value = False + is_maybevalid_hmac.return_value = False return_value = TokenRemover.find_token_in_message(self.msg) -- cgit v1.2.3 From 1b38ad4a16d17bacfe20513c9f33a58aa6ee1b56 Mon Sep 17 00:00:00 2001 From: Bast Date: Thu, 24 Sep 2020 10:03:24 -0700 Subject: Implement review-suggested changes userid -> user ID maybevalid -> maybe_valid remove collections import and added a new function that handles the "format user ID log message" and should_ping_everyone feature --- bot/exts/filters/token_remover.py | 71 ++++++++++++----------- tests/bot/exts/filters/test_token_remover.py | 87 +++++++++++++++++----------- 2 files changed, 91 insertions(+), 67 deletions(-) (limited to 'tests') diff --git a/bot/exts/filters/token_remover.py b/bot/exts/filters/token_remover.py index a31912d5b..54f0bc034 100644 --- a/bot/exts/filters/token_remover.py +++ b/bot/exts/filters/token_remover.py @@ -1,6 +1,5 @@ import base64 import binascii -import collections import logging import re import typing as t @@ -98,14 +97,8 @@ class TokenRemover(Cog): await msg.channel.send(DELETION_MESSAGE_TEMPLATE.format(mention=msg.author.mention)) - user_name = None - user_id = self.extract_user_id(found_token.user_id) - user = msg.guild.get_member(user_id) - - if user: - user_name = str(user) - - log_message = self.format_log_message(msg, found_token, user_id, user_name) + log_message = self.format_log_message(msg, found_token) + userid_message, mention_everyone = self.format_userid_log_message(msg, found_token) log.debug(log_message) # Send pretty mod log embed to mod-alerts @@ -113,26 +106,35 @@ class TokenRemover(Cog): icon_url=Icons.token_removed, colour=Colour(Colours.soft_red), title="Token removed!", - text=log_message, + text=log_message + "\n" + userid_message, thumbnail=msg.author.avatar_url_as(static_format="png"), channel_id=Channels.mod_alerts, - ping_everyone=user_name is not None, + ping_everyone=mention_everyone, ) self.bot.stats.incr("tokens.removed_tokens") - @staticmethod - def format_log_message( - msg: Message, - token: Token, - user_id: int, - user_name: t.Optional[str] = None, - ) -> str: + @classmethod + def format_userid_log_message(cls, msg: Message, token: Token) -> t.Tuple[str, bool]: """ - Return the log message to send for `token` being censored in `msg`. + Format the potion of the log message that includes details about the detected user ID. - Additonally, mention if the token was decodable into a user id, and if that resolves to a user on the server. + Includes the user ID and, if present on the server, their name and a toggle to + mention everyone. + + Returns a tuple of (log_message, mention_everyone) """ + user_id = cls.extract_user_id(token.user_id) + user = msg.guild.get_member(user_id) + + if user: + return USER_TOKEN_MESSAGE.format(user_id=user_id, user_name=str(user)), True + else: + return DECODED_LOG_MESSAGE.format(user_id=user_id), False + + @staticmethod + def format_log_message(msg: Message, token: Token) -> str: + """Return the generic portion of the log message to send for `token` being censored in `msg`.""" message = LOG_MESSAGE.format( author=msg.author, author_id=msg.author.id, @@ -141,11 +143,8 @@ class TokenRemover(Cog): timestamp=token.timestamp, hmac='x' * len(token.hmac), ) - if user_name: - more = USER_TOKEN_MESSAGE.format(user_id=user_id, user_name=user_name) - else: - more = DECODED_LOG_MESSAGE.format(user_id=user_id) - return message + "\n" + more + + return message @classmethod def find_token_in_message(cls, msg: Message) -> t.Optional[Token]: @@ -154,9 +153,11 @@ class TokenRemover(Cog): # token check (e.g. `message.channel.send` also matches our token pattern) for match in TOKEN_RE.finditer(msg.content): token = Token(*match.groups()) - if cls.is_valid_user_id(token.user_id) \ - and cls.is_valid_timestamp(token.timestamp) \ - and cls.is_maybevalid_hmac(token.hmac): + if ( + cls.is_valid_user_id(token.user_id) + and cls.is_valid_timestamp(token.timestamp) + and cls.is_maybe_valid_hmac(token.hmac) + ): # Short-circuit on first match return token @@ -165,7 +166,7 @@ class TokenRemover(Cog): @staticmethod def extract_user_id(b64_content: str) -> t.Optional[int]: - """Return a userid integer from part of a potential token, or None if it couldn't be decoded.""" + """Return a user ID integer from part of a potential token, or None if it couldn't be decoded.""" b64_content = utils.pad_base64(b64_content) try: @@ -218,17 +219,19 @@ class TokenRemover(Cog): return False @staticmethod - def is_maybevalid_hmac(b64_content: str) -> bool: + def is_maybe_valid_hmac(b64_content: str) -> bool: """ - Determine if a given hmac portion of a token is potentially valid. + Determine if a given HMAC portion of a token is potentially valid. If the HMAC has 3 or less characters, it's probably a dummy value like "xxxxxxxxxx", and thus the token can probably be skipped. """ - unique = len(collections.Counter(b64_content.lower()).keys()) + unique = len(set(b64_content.lower())) if unique <= 3: - log.debug(f"Considering the hmac {b64_content} a dummy because it has {unique}" - " case-insensitively unique characters") + log.debug( + f"Considering the HMAC {b64_content} a dummy because it has {unique}" + " case-insensitively unique characters" + ) return False else: return True diff --git a/tests/bot/exts/filters/test_token_remover.py b/tests/bot/exts/filters/test_token_remover.py index 8742b73c5..92dce201b 100644 --- a/tests/bot/exts/filters/test_token_remover.py +++ b/tests/bot/exts/filters/test_token_remover.py @@ -87,7 +87,7 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.assertFalse(result) def test_is_valid_hmac_valid(self): - """Should consider hmac valid if it is a valid hmac with a variety of characters.""" + """Should consider an HMAC valid if it has at least 3 unique characters.""" valid_hmacs = ( "VXmErH7j511turNpfURmb0rVNm8", "Ysnu2wacjaKs7qnoo46S8Dm2us8", @@ -97,11 +97,11 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): for hmac in valid_hmacs: with self.subTest(msg=hmac): - result = TokenRemover.is_maybevalid_hmac(hmac) + result = TokenRemover.is_maybe_valid_hmac(hmac) self.assertTrue(result) def test_is_invalid_hmac_invalid(self): - """Should consider hmac invalid if it possesses too little variety.""" + """Should consider an HMAC invalid if has fewer than 3 unique characters.""" invalid_hmacs = ( ("xxxxxxxxxxxxxxxxxx", "Single character"), ("XxXxXxXxXxXxXxXxXx", "Single character alternating case"), @@ -111,7 +111,7 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): for hmac, msg in invalid_hmacs: with self.subTest(msg=msg): - result = TokenRemover.is_maybevalid_hmac(hmac) + result = TokenRemover.is_maybe_valid_hmac(hmac) self.assertFalse(result) def test_mod_log_property(self): @@ -171,11 +171,11 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.assertIsNone(return_value) token_re.finditer.assert_called_once_with(self.msg.content) - @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp", "is_maybevalid_hmac") + @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp", "is_maybe_valid_hmac") @autospec("bot.exts.filters.token_remover", "Token") @autospec("bot.exts.filters.token_remover", "TOKEN_RE") - def test_find_token_valid_match(self, token_re, token_cls, is_valid_id, is_valid_timestamp, is_maybevalid_hmac): - """The first match with a valid user ID. timestamp and hmac should be returned as a `Token`.""" + def test_find_token_valid_match(self, token_re, token_cls, is_valid_id, is_valid_timestamp, is_maybe_valid_hmac): + """The first match with a valid user ID, timestamp, and HMAC should be returned as a `Token`.""" matches = [ mock.create_autospec(Match, spec_set=True, instance=True), mock.create_autospec(Match, spec_set=True, instance=True), @@ -189,23 +189,30 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): token_cls.side_effect = tokens is_valid_id.side_effect = (False, True) # The 1st match will be invalid, 2nd one valid. is_valid_timestamp.return_value = True - is_maybevalid_hmac.return_value = True + is_maybe_valid_hmac.return_value = True return_value = TokenRemover.find_token_in_message(self.msg) self.assertEqual(tokens[1], return_value) token_re.finditer.assert_called_once_with(self.msg.content) - @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp", "is_maybevalid_hmac") + @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp", "is_maybe_valid_hmac") @autospec("bot.exts.filters.token_remover", "Token") @autospec("bot.exts.filters.token_remover", "TOKEN_RE") - def test_find_token_invalid_matches(self, token_re, token_cls, is_valid_id, is_valid_timestamp, is_maybevalid_hmac): + def test_find_token_invalid_matches( + self, + token_re, + token_cls, + is_valid_id, + is_valid_timestamp, + is_maybe_valid_hmac, + ): """None should be returned if no matches have valid user IDs or timestamps.""" token_re.finditer.return_value = [mock.create_autospec(Match, spec_set=True, instance=True)] token_cls.return_value = mock.create_autospec(Token, spec_set=True, instance=True) is_valid_id.return_value = False is_valid_timestamp.return_value = False - is_maybevalid_hmac.return_value = False + is_maybe_valid_hmac.return_value = False return_value = TokenRemover.find_token_in_message(self.msg) @@ -261,18 +268,17 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): results = [match[0] for match in results] self.assertCountEqual((token_1, token_2), results) - @autospec("bot.exts.filters.token_remover", "LOG_MESSAGE", "DECODED_LOG_MESSAGE") - def test_format_log_message(self, log_message, decoded_log_message): + @autospec("bot.exts.filters.token_remover", "LOG_MESSAGE") + def test_format_log_message(self, log_message): """Should correctly format the log message with info from the message and token.""" token = Token("NDcyMjY1OTQzMDYyNDEzMzMy", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") log_message.format.return_value = "Howdy" - decoded_log_message.format.return_value = " Partner" - return_value = TokenRemover.format_log_message(self.msg, token, 472265943062413332, None) + return_value = TokenRemover.format_log_message(self.msg, token) self.assertEqual( return_value, - log_message.format.return_value + "\n" + decoded_log_message.format.return_value, + log_message.format.return_value, ) log_message.format.assert_called_once_with( author=self.msg.author, @@ -283,26 +289,38 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): hmac="x" * len(token.hmac), ) - @autospec("bot.exts.filters.token_remover", "LOG_MESSAGE", "USER_TOKEN_MESSAGE") - def test_format_log_message_user_token(self, log_message, user_token_message): + @autospec("bot.exts.filters.token_remover", "DECODED_LOG_MESSAGE") + def test_format_userid_log_message_bot(self, decoded_log_message): + """ + Should correctly format the user ID portion of the log message when the user ID is + not found in the server. + """ + token = Token("NDcyMjY1OTQzMDYyNDEzMzMy", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") + decoded_log_message.format.return_value = " Partner" + msg = MockMessage(id=555, content="hello world") + msg.guild.get_member = MagicMock(return_value=None) + + return_value = TokenRemover.format_userid_log_message(msg, token) + + self.assertEqual( + return_value, + (decoded_log_message.format.return_value, False), + ) + decoded_log_message.format.assert_called_once_with( + user_id=472265943062413332, + ) + + @autospec("bot.exts.filters.token_remover", "USER_TOKEN_MESSAGE") + def test_format_log_message_user_token_user(self, user_token_message): """Should correctly format the log message with info from the message and token.""" token = Token("NDY3MjIzMjMwNjUwNzc3NjQx", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") - log_message.format.return_value = "Howdy" user_token_message.format.return_value = "Partner" - return_value = TokenRemover.format_log_message(self.msg, token, 467223230650777641, "Bob") + return_value = TokenRemover.format_userid_log_message(self.msg, token) self.assertEqual( return_value, - log_message.format.return_value + "\n" + user_token_message.format.return_value, - ) - log_message.format.assert_called_once_with( - author=self.msg.author, - author_id=self.msg.author.id, - channel=self.msg.channel.mention, - user_id=token.user_id, - timestamp=token.timestamp, - hmac="x" * len(token.hmac), + (user_token_message.format.return_value, True), ) user_token_message.format.assert_called_once_with( user_id=467223230650777641, @@ -311,17 +329,19 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): @mock.patch.object(TokenRemover, "mod_log", new_callable=mock.PropertyMock) @autospec("bot.exts.filters.token_remover", "log") - @autospec(TokenRemover, "format_log_message") - async def test_take_action(self, format_log_message, logger, mod_log_property): + @autospec(TokenRemover, "format_log_message", "format_userid_log_message") + async def test_take_action(self, format_log_message, format_userid_log_message, logger, mod_log_property): """Should delete the message and send a mod log.""" cog = TokenRemover(self.bot) mod_log = mock.create_autospec(ModLog, spec_set=True, instance=True) token = mock.create_autospec(Token, spec_set=True, instance=True) token.user_id = "no-id" log_msg = "testing123" + userid_log_message = "userid-log-message" mod_log_property.return_value = mod_log format_log_message.return_value = log_msg + format_userid_log_message.return_value = (userid_log_message, True) await cog.take_action(self.msg, token) @@ -330,7 +350,8 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): token_remover.DELETION_MESSAGE_TEMPLATE.format(mention=self.msg.author.mention) ) - format_log_message.assert_called_once_with(self.msg, token, None, "Bob") + format_log_message.assert_called_once_with(self.msg, token) + format_userid_log_message.assert_called_once_with(self.msg, token) logger.debug.assert_called_with(log_msg) self.bot.stats.incr.assert_called_once_with("tokens.removed_tokens") @@ -339,7 +360,7 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): icon_url=constants.Icons.token_removed, colour=Colour(constants.Colours.soft_red), title="Token removed!", - text=log_msg, + text=log_msg + "\n" + userid_log_message, thumbnail=self.msg.author.avatar_url_as.return_value, channel_id=constants.Channels.mod_alerts, ping_everyone=True, -- cgit v1.2.3 From b62db241766e20d54093273a7457cc52d34e3f75 Mon Sep 17 00:00:00 2001 From: Bast Date: Thu, 24 Sep 2020 10:26:45 -0700 Subject: Add BOT vs USER token detection, properly handling bot tokens for bots in the current server Also adjust the naming and purposes of the format messages to KNOWN and UNKNOWN token messages. --- bot/exts/filters/token_remover.py | 14 ++++++--- tests/bot/exts/filters/test_token_remover.py | 46 +++++++++++++++++++++++----- 2 files changed, 47 insertions(+), 13 deletions(-) (limited to 'tests') diff --git a/bot/exts/filters/token_remover.py b/bot/exts/filters/token_remover.py index 54f0bc034..87d4aa135 100644 --- a/bot/exts/filters/token_remover.py +++ b/bot/exts/filters/token_remover.py @@ -18,10 +18,10 @@ LOG_MESSAGE = ( "Censored a seemingly valid token sent by {author} (`{author_id}`) in {channel}, " "token was `{user_id}.{timestamp}.{hmac}`" ) -DECODED_LOG_MESSAGE = "The token user_id decodes into {user_id}." -USER_TOKEN_MESSAGE = ( +UNKNOWN_USER_LOG_MESSAGE = "The token user_id decodes into {user_id}." +KNOWN_USER_LOG_MESSAGE = ( "The token user_id decodes into {user_id}, " - "which matches `{user_name}` and means this is a valid USER token." + "which matches `{user_name}` and means this is a valid {kind} token." ) DELETION_MESSAGE_TEMPLATE = ( "Hey {mention}! I noticed you posted a seemingly valid Discord API " @@ -128,9 +128,13 @@ class TokenRemover(Cog): user = msg.guild.get_member(user_id) if user: - return USER_TOKEN_MESSAGE.format(user_id=user_id, user_name=str(user)), True + return KNOWN_USER_LOG_MESSAGE.format( + user_id=user_id, + user_name=str(user), + kind="BOT" if user.bot else "USER", + ), not user.bot else: - return DECODED_LOG_MESSAGE.format(user_id=user_id), False + return UNKNOWN_USER_LOG_MESSAGE.format(user_id=user_id), False @staticmethod def format_log_message(msg: Message, token: Token) -> str: diff --git a/tests/bot/exts/filters/test_token_remover.py b/tests/bot/exts/filters/test_token_remover.py index 92dce201b..90d40d1df 100644 --- a/tests/bot/exts/filters/test_token_remover.py +++ b/tests/bot/exts/filters/test_token_remover.py @@ -22,7 +22,12 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.msg = MockMessage(id=555, content="hello world") self.msg.channel.mention = "#lemonade-stand" - self.msg.guild.get_member = MagicMock(return_value="Bob") + self.msg.guild.get_member = MagicMock( + return_value=MagicMock( + bot=False, + __str__=MagicMock(return_value="Woody"), + ), + ) self.msg.author.__str__ = MagicMock(return_value=self.msg.author.name) self.msg.author.avatar_url_as.return_value = "picture-lemon.png" @@ -289,14 +294,14 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): hmac="x" * len(token.hmac), ) - @autospec("bot.exts.filters.token_remover", "DECODED_LOG_MESSAGE") - def test_format_userid_log_message_bot(self, decoded_log_message): + @autospec("bot.exts.filters.token_remover", "UNKNOWN_USER_LOG_MESSAGE") + def test_format_userid_log_message_unknown(self, unknown_user_log_message): """ Should correctly format the user ID portion of the log message when the user ID is not found in the server. """ token = Token("NDcyMjY1OTQzMDYyNDEzMzMy", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") - decoded_log_message.format.return_value = " Partner" + unknown_user_log_message.format.return_value = " Partner" msg = MockMessage(id=555, content="hello world") msg.guild.get_member = MagicMock(return_value=None) @@ -304,13 +309,37 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.assertEqual( return_value, - (decoded_log_message.format.return_value, False), + (unknown_user_log_message.format.return_value, False), + ) + unknown_user_log_message.format.assert_called_once_with( + user_id=472265943062413332, ) - decoded_log_message.format.assert_called_once_with( + + @autospec("bot.exts.filters.token_remover", "KNOWN_USER_LOG_MESSAGE") + def test_format_userid_log_message_bot(self, known_user_log_message): + """ + Should correctly format the user ID portion of the log message when the user ID is + not found in the server. + """ + token = Token("NDcyMjY1OTQzMDYyNDEzMzMy", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") + known_user_log_message.format.return_value = " Partner" + msg = MockMessage(id=555, content="hello world") + msg.guild.get_member = MagicMock(return_value=MagicMock(__str__=MagicMock(return_value="Sam"), bot=True)) + + return_value = TokenRemover.format_userid_log_message(msg, token) + + self.assertEqual( + return_value, + (known_user_log_message.format.return_value, False), + ) + + known_user_log_message.format.assert_called_once_with( user_id=472265943062413332, + user_name="Sam", + kind="BOT", ) - @autospec("bot.exts.filters.token_remover", "USER_TOKEN_MESSAGE") + @autospec("bot.exts.filters.token_remover", "KNOWN_USER_LOG_MESSAGE") def test_format_log_message_user_token_user(self, user_token_message): """Should correctly format the log message with info from the message and token.""" token = Token("NDY3MjIzMjMwNjUwNzc3NjQx", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") @@ -324,7 +353,8 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): ) user_token_message.format.assert_called_once_with( user_id=467223230650777641, - user_name="Bob", + user_name="Woody", + kind="USER", ) @mock.patch.object(TokenRemover, "mod_log", new_callable=mock.PropertyMock) -- cgit v1.2.3 From ce80892eb3928c7c312a221c9d0271698f1563f4 Mon Sep 17 00:00:00 2001 From: Bast Date: Thu, 24 Sep 2020 14:16:10 -0700 Subject: Change the mod alert message component for the user token detection Clean up mock usage, docstrings, unnecessarily split-lined function calls --- bot/exts/filters/token_remover.py | 18 +++++----- tests/bot/exts/filters/test_token_remover.py | 51 ++++++++-------------------- 2 files changed, 23 insertions(+), 46 deletions(-) (limited to 'tests') diff --git a/bot/exts/filters/token_remover.py b/bot/exts/filters/token_remover.py index 87d4aa135..87072e161 100644 --- a/bot/exts/filters/token_remover.py +++ b/bot/exts/filters/token_remover.py @@ -18,10 +18,10 @@ LOG_MESSAGE = ( "Censored a seemingly valid token sent by {author} (`{author_id}`) in {channel}, " "token was `{user_id}.{timestamp}.{hmac}`" ) -UNKNOWN_USER_LOG_MESSAGE = "The token user_id decodes into {user_id}." +UNKNOWN_USER_LOG_MESSAGE = "Decoded user ID: `{user_id}` (Not present in server)." KNOWN_USER_LOG_MESSAGE = ( - "The token user_id decodes into {user_id}, " - "which matches `{user_name}` and means this is a valid {kind} token." + "Decoded user ID: `{user_id}` **(Present in server)**.\n" + "This matches `{user_name}` and means this is likely a valid **{kind}** token." ) DELETION_MESSAGE_TEMPLATE = ( "Hey {mention}! I noticed you posted a seemingly valid Discord API " @@ -117,10 +117,12 @@ class TokenRemover(Cog): @classmethod def format_userid_log_message(cls, msg: Message, token: Token) -> t.Tuple[str, bool]: """ - Format the potion of the log message that includes details about the detected user ID. + Format the portion of the log message that includes details about the detected user ID. - Includes the user ID and, if present on the server, their name and a toggle to - mention everyone. + If the user is resolved to a member, the format includes the user ID, name, and the + kind of user detected. + + If we resolve to a member and it is not a bot, we also return True to ping everyone. Returns a tuple of (log_message, mention_everyone) """ @@ -139,7 +141,7 @@ class TokenRemover(Cog): @staticmethod def format_log_message(msg: Message, token: Token) -> str: """Return the generic portion of the log message to send for `token` being censored in `msg`.""" - message = LOG_MESSAGE.format( + return LOG_MESSAGE.format( author=msg.author, author_id=msg.author.id, channel=msg.channel.mention, @@ -148,8 +150,6 @@ class TokenRemover(Cog): hmac='x' * len(token.hmac), ) - return message - @classmethod def find_token_in_message(cls, msg: Message) -> t.Optional[Token]: """Return a seemingly valid token found in `msg` or `None` if no token is found.""" diff --git a/tests/bot/exts/filters/test_token_remover.py b/tests/bot/exts/filters/test_token_remover.py index 90d40d1df..5f28ab571 100644 --- a/tests/bot/exts/filters/test_token_remover.py +++ b/tests/bot/exts/filters/test_token_remover.py @@ -22,12 +22,8 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.msg = MockMessage(id=555, content="hello world") self.msg.channel.mention = "#lemonade-stand" - self.msg.guild.get_member = MagicMock( - return_value=MagicMock( - bot=False, - __str__=MagicMock(return_value="Woody"), - ), - ) + self.msg.guild.get_member.return_value.bot = False + self.msg.guild.get_member.return_value.__str__.return_value = "Woody" self.msg.author.__str__ = MagicMock(return_value=self.msg.author.name) self.msg.author.avatar_url_as.return_value = "picture-lemon.png" @@ -212,7 +208,7 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): is_valid_timestamp, is_maybe_valid_hmac, ): - """None should be returned if no matches have valid user IDs or timestamps.""" + """None should be returned if no matches have valid user IDs, HMACs, and timestamps.""" token_re.finditer.return_value = [mock.create_autospec(Match, spec_set=True, instance=True)] token_cls.return_value = mock.create_autospec(Token, spec_set=True, instance=True) is_valid_id.return_value = False @@ -281,10 +277,7 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): return_value = TokenRemover.format_log_message(self.msg, token) - self.assertEqual( - return_value, - log_message.format.return_value, - ) + self.assertEqual(return_value, log_message.format.return_value) log_message.format.assert_called_once_with( author=self.msg.author, author_id=self.msg.author.id, @@ -296,42 +289,29 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): @autospec("bot.exts.filters.token_remover", "UNKNOWN_USER_LOG_MESSAGE") def test_format_userid_log_message_unknown(self, unknown_user_log_message): - """ - Should correctly format the user ID portion of the log message when the user ID is - not found in the server. - """ + """Should correctly format the user ID portion when the actual user it belongs to is unknown.""" token = Token("NDcyMjY1OTQzMDYyNDEzMzMy", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") unknown_user_log_message.format.return_value = " Partner" msg = MockMessage(id=555, content="hello world") - msg.guild.get_member = MagicMock(return_value=None) + msg.guild.get_member.return_value = None return_value = TokenRemover.format_userid_log_message(msg, token) - self.assertEqual( - return_value, - (unknown_user_log_message.format.return_value, False), - ) - unknown_user_log_message.format.assert_called_once_with( - user_id=472265943062413332, - ) + self.assertEqual(return_value, (unknown_user_log_message.format.return_value, False)) + unknown_user_log_message.format.assert_called_once_with(user_id=472265943062413332) @autospec("bot.exts.filters.token_remover", "KNOWN_USER_LOG_MESSAGE") def test_format_userid_log_message_bot(self, known_user_log_message): - """ - Should correctly format the user ID portion of the log message when the user ID is - not found in the server. - """ + """Should correctly format the user ID portion when the ID belongs to a known bot.""" token = Token("NDcyMjY1OTQzMDYyNDEzMzMy", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") known_user_log_message.format.return_value = " Partner" msg = MockMessage(id=555, content="hello world") - msg.guild.get_member = MagicMock(return_value=MagicMock(__str__=MagicMock(return_value="Sam"), bot=True)) + msg.guild.get_member.return_value.__str__.return_value = "Sam" + msg.guild.get_member.return_value.bot = True return_value = TokenRemover.format_userid_log_message(msg, token) - self.assertEqual( - return_value, - (known_user_log_message.format.return_value, False), - ) + self.assertEqual(return_value, (known_user_log_message.format.return_value, False)) known_user_log_message.format.assert_called_once_with( user_id=472265943062413332, @@ -341,16 +321,13 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): @autospec("bot.exts.filters.token_remover", "KNOWN_USER_LOG_MESSAGE") def test_format_log_message_user_token_user(self, user_token_message): - """Should correctly format the log message with info from the message and token.""" + """Should correctly format the user ID portion when the ID belongs to a known user.""" token = Token("NDY3MjIzMjMwNjUwNzc3NjQx", "XsySD_", "s45jqDV_Iisn-symw0yDRrk_jf4") user_token_message.format.return_value = "Partner" return_value = TokenRemover.format_userid_log_message(self.msg, token) - self.assertEqual( - return_value, - (user_token_message.format.return_value, True), - ) + self.assertEqual(return_value, (user_token_message.format.return_value, True)) user_token_message.format.assert_called_once_with( user_id=467223230650777641, user_name="Woody", -- cgit v1.2.3 From 840a3c504138ef601583cdf489908b2b6b30691f Mon Sep 17 00:00:00 2001 From: Bast Date: Fri, 25 Sep 2020 07:50:37 -0700 Subject: Remove redundant is_valid_userid function extract_user_id(id) is not None does the same job and is not worth the extra function --- bot/exts/filters/token_remover.py | 15 +--------- tests/bot/exts/filters/test_token_remover.py | 45 ++++++++++++++++------------ 2 files changed, 27 insertions(+), 33 deletions(-) (limited to 'tests') diff --git a/bot/exts/filters/token_remover.py b/bot/exts/filters/token_remover.py index 87072e161..3eb68c13c 100644 --- a/bot/exts/filters/token_remover.py +++ b/bot/exts/filters/token_remover.py @@ -158,7 +158,7 @@ class TokenRemover(Cog): for match in TOKEN_RE.finditer(msg.content): token = Token(*match.groups()) if ( - cls.is_valid_user_id(token.user_id) + (cls.extract_user_id(token.user_id) is not None) and cls.is_valid_timestamp(token.timestamp) and cls.is_maybe_valid_hmac(token.hmac) ): @@ -184,19 +184,6 @@ class TokenRemover(Cog): except (binascii.Error, ValueError): return None - @classmethod - def is_valid_user_id(cls, b64_content: str) -> bool: - """ - Check potential token to see if it contains a valid Discord user ID. - - See: https://discordapp.com/developers/docs/reference#snowflakes - """ - decoded_id = cls.extract_user_id(b64_content) - if not decoded_id: - return False - - return True - @staticmethod def is_valid_timestamp(b64_content: str) -> bool: """ diff --git a/tests/bot/exts/filters/test_token_remover.py b/tests/bot/exts/filters/test_token_remover.py index 5f28ab571..f14780b02 100644 --- a/tests/bot/exts/filters/test_token_remover.py +++ b/tests/bot/exts/filters/test_token_remover.py @@ -27,20 +27,20 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.msg.author.__str__ = MagicMock(return_value=self.msg.author.name) self.msg.author.avatar_url_as.return_value = "picture-lemon.png" - def test_is_valid_user_id_valid(self): - """Should consider user IDs valid if they decode entirely to ASCII digits.""" - ids = ( - "NDcyMjY1OTQzMDYyNDEzMzMy", - "NDc1MDczNjI5Mzk5NTQ3OTA0", - "NDY3MjIzMjMwNjUwNzc3NjQx", + def test_extract_user_id_valid(self): + """Should consider user IDs valid if they decode into an integer ID.""" + id_pairs = ( + ("NDcyMjY1OTQzMDYyNDEzMzMy", 472265943062413332), + ("NDc1MDczNjI5Mzk5NTQ3OTA0", 475073629399547904), + ("NDY3MjIzMjMwNjUwNzc3NjQx", 467223230650777641), ) - for user_id in ids: - with self.subTest(user_id=user_id): - result = TokenRemover.is_valid_user_id(user_id) - self.assertTrue(result) + for token_id, user_id in id_pairs: + with self.subTest(token_id=token_id): + result = TokenRemover.extract_user_id(token_id) + self.assertEqual(result, user_id) - def test_is_valid_user_id_invalid(self): + def test_extract_user_id_invalid(self): """Should consider non-digit and non-ASCII IDs invalid.""" ids = ( ("SGVsbG8gd29ybGQ", "non-digit ASCII"), @@ -54,8 +54,8 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): for user_id, msg in ids: with self.subTest(msg=msg): - result = TokenRemover.is_valid_user_id(user_id) - self.assertFalse(result) + result = TokenRemover.extract_user_id(user_id) + self.assertIsNone(result) def test_is_valid_timestamp_valid(self): """Should consider timestamps valid if they're greater than the Discord epoch.""" @@ -172,10 +172,17 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.assertIsNone(return_value) token_re.finditer.assert_called_once_with(self.msg.content) - @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp", "is_maybe_valid_hmac") + @autospec(TokenRemover, "extract_user_id", "is_valid_timestamp", "is_maybe_valid_hmac") @autospec("bot.exts.filters.token_remover", "Token") @autospec("bot.exts.filters.token_remover", "TOKEN_RE") - def test_find_token_valid_match(self, token_re, token_cls, is_valid_id, is_valid_timestamp, is_maybe_valid_hmac): + def test_find_token_valid_match( + self, + token_re, + token_cls, + extract_user_id, + is_valid_timestamp, + is_maybe_valid_hmac, + ): """The first match with a valid user ID, timestamp, and HMAC should be returned as a `Token`.""" matches = [ mock.create_autospec(Match, spec_set=True, instance=True), @@ -188,7 +195,7 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): token_re.finditer.return_value = matches token_cls.side_effect = tokens - is_valid_id.side_effect = (False, True) # The 1st match will be invalid, 2nd one valid. + extract_user_id.side_effect = (None, True) # The 1st match will be invalid, 2nd one valid. is_valid_timestamp.return_value = True is_maybe_valid_hmac.return_value = True @@ -197,21 +204,21 @@ class TokenRemoverTests(unittest.IsolatedAsyncioTestCase): self.assertEqual(tokens[1], return_value) token_re.finditer.assert_called_once_with(self.msg.content) - @autospec(TokenRemover, "is_valid_user_id", "is_valid_timestamp", "is_maybe_valid_hmac") + @autospec(TokenRemover, "extract_user_id", "is_valid_timestamp", "is_maybe_valid_hmac") @autospec("bot.exts.filters.token_remover", "Token") @autospec("bot.exts.filters.token_remover", "TOKEN_RE") def test_find_token_invalid_matches( self, token_re, token_cls, - is_valid_id, + extract_user_id, is_valid_timestamp, is_maybe_valid_hmac, ): """None should be returned if no matches have valid user IDs, HMACs, and timestamps.""" token_re.finditer.return_value = [mock.create_autospec(Match, spec_set=True, instance=True)] token_cls.return_value = mock.create_autospec(Token, spec_set=True, instance=True) - is_valid_id.return_value = False + extract_user_id.return_value = None is_valid_timestamp.return_value = False is_maybe_valid_hmac.return_value = False -- cgit v1.2.3