From 6a87753a4fb272b0a3c433ebc5b8ceedf92e45d2 Mon Sep 17 00:00:00 2001
From: djmore4
Date: Sat, 15 Oct 2022 13:53:12 -0400
Subject: [PATCH] Using assertEquals and an exception to test where the logic is going wrong
---
 defender/data.py | 3 +--
 defender/tests.py | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/defender/data.py b/defender/data.py
index ea4057a..b6ffcf6 100644
--- a/defender/data.py
+++ b/defender/data.py
@@ -55,7 +55,6 @@ def get_approx_account_lockouts_from_login_attempts(ip_address=None, username=No
 else:
 # If we've made it this far and didn't hit one of the other if or elif
 # conditions, we're in an inappropriate context.
- # TODO: Maybe we should throw an exception here instead of returning 0?
- return 0
+ raise Exception("Invalid state requested")
 return AccessAttempt.objects.filter(q).count() // failure_limit
\ No newline at end of file
diff --git a/defender/tests.py b/defender/tests.py
index 61cd993..8ee952a 100644
--- a/defender/tests.py
+++ b/defender/tests.py
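Review bot: The `else` branch now raises the base `Exception`, which callers can only handle with a catch-all and which is indistinguishable from any unrelated failure in the login path. A narrower built-in names the cause and is still an `Exception` subclass, so tests expecting `Exception` keep passing: `raise ValueError("no lockout mode matches the given ip_address/username")`. This path previously returned 0, so it is worth confirming (the callers are outside this hunk) that an unhandled error during a login attempt is the intended fail-closed behaviour rather than a way to turn a misconfiguration into failed requests. The function body starts above the hunk.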
@@ -950,15 +950,20 @@ class AccessAttemptTest(DefenderTestCase):
 self.assertRaises(Exception)
 @patch("defender.config.LOCKOUT_COOLOFF_TIMES", [3, 6])
+ @patch("defender.config.IP_FAILURE_LIMIT", 3)
 def test_lockout_cooloff_correctly_scales_with_ip_when_set(self):
 self.test_ip_failure_limit()
 self.assertTrue(AccessAttempt.objects.filter(
 Q(attempt_time__gte=datetime.now() - timedelta(hours=config.ACCESS_ATTEMPT_EXPIRATION)) &
 Q(ip_address="127.0.0.1")
- ).count() > 1)
+ ).count() >= 3)
 self.assertEqual(utils.get_lockout_cooloff_time(ip_address="127.0.0.1"), 3)
 utils.reset_failed_attempts(ip_address="127.0.0.1")
 self.test_ip_failure_limit()
+ self.assertTrue(AccessAttempt.objects.filter(
+ Q(attempt_time__gte=datetime.now() - timedelta(hours=config.ACCESS_ATTEMPT_EXPIRATION)) &
+ Q(ip_address="127.0.0.1")
+ ).count() >= 6)
 self.assertEqual(utils.get_lockout_cooloff_time(ip_address="127.0.0.1"), 6)
 time.sleep(config.LOCKOUT_COOLOFF_TIMES[1])
 if config.MOCK_REDIS:
@@ -967,15 +972,20 @@ class AccessAttemptTest(DefenderTestCase):
 self.test_valid_login()
 @patch("defender.config.LOCKOUT_COOLOFF_TIMES", [3, 6])
+ @patch("defender.config.USERNAME_FAILURE_LIMIT", 3)
 def test_lockout_cooloff_correctly_scales_with_username_when_set(self):
 self.test_username_failure_limit()
 self.assertTrue(AccessAttempt.objects.filter(
 Q(attempt_time__gte=datetime.now() - timedelta(hours=config.ACCESS_ATTEMPT_EXPIRATION)) &
 Q(username=VALID_USERNAME)
- ).count() > 1)
+ ).count() >= 3)
 self.assertEqual(utils.get_lockout_cooloff_time(username=VALID_USERNAME), 3)
 utils.reset_failed_attempts(username=VALID_USERNAME)
 self.test_username_failure_limit()
+ self.assertTrue(AccessAttempt.objects.filter(
+ Q(attempt_time__gte=datetime.now() - timedelta(hours=config.ACCESS_ATTEMPT_EXPIRATION)) &
+ Q(username=VALID_USERNAME)
+ ).count() >= 6)
 self.assertEqual(utils.get_lockout_cooloff_time(username=VALID_USERNAME), 6)
 time.sleep(config.LOCKOUT_COOLOFF_TIMES[1])
 if config.MOCK_REDIS:
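Review bot: The added `assertTrue(... .count() >= 3)` and `>= 6` checks in `test_lockout_cooloff_correctly_scales_with_ip_when_set` report only "False is not true" on failure, which hides the attempt count this commit is trying to observe; the username test in the next hunk adds the same pattern. Binding the query result and using `self.assertGreaterEqual(attempts, 6)` prints the actual value. If the number of recorded attempts per round is known, `assertEqual` is tighter: the lockout count in `defender/data.py` is this count integer-divided by the failure limit, so a lower bound lets double-counted attempts pass unnoticed. The four copies of the `AccessAttempt.objects.filter(...)` expression could also move into one small helper on the test class. Both test methods end outside their hunks.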