# -*- coding: utf-8 -*-
"""
(c) 2016 - Copyright Red Hat Inc
Authors:
Pierre-Yves Chibon <pingou@pingoured.fr>
"""
__requires__ = ['SQLAlchemy >= 0.8']  # pinned before pkg_resources is imported so it selects this distribution
import pkg_resources
import datetime
import unittest
import sys
import time
import os
import flask
import flask_wtf
from mock import patch
# Make the parent directory importable so that ``pagure`` and ``tests``
# resolve when this file is executed directly rather than via a runner.
_HERE = os.path.dirname(os.path.abspath(__file__))
sys.path.insert(0, os.path.join(_HERE, '..'))
import pagure.forms
import tests
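class PagureFlaskFormTests(tests.Modeltests):
    """ Tests for forms of the flask application.

    These exercise the CSRF protection of ``pagure.forms.ConfirmationForm``
    on a POST request: a submission must be rejected when the token is
    missing, tampered with or expired, and accepted when it is the current
    token or when expiry has been disabled in the application config.
    """

    def setUp(self):
        """ Put the application into testing mode and bind the DB session.

        This hook was previously named ``setUpt``, so unittest never ran it
        and ``TESTING``/``SERVER_NAME`` were never applied. ``self.session``
        is expected to be created by ``tests.Modeltests.setUp`` — confirm
        against that base class.
        """
        super(PagureFlaskFormTests, self).setUp()
        pagure.APP.config['TESTING'] = True
        pagure.APP.config['SERVER_NAME'] = 'pagure.org'
        pagure.SESSION = self.session
        self.app = pagure.APP.test_client()

    @staticmethod
    def _flask_wtf_version():
        """ Return the installed flask_wtf version as a tuple of ints.

        Returns an empty tuple when ``flask_wtf.__version__`` is absent or
        unparsable, which compares lower than any real version tuple and so
        selects the legacy ``expires##hmac`` token branches below.
        Non-numeric suffixes (e.g. ``rc1``) terminate the parse instead of
        raising, and the comparison is done on ints rather than on the raw
        strings, which is not a valid ordering.
        """
        version = getattr(flask_wtf, '__version__', None)
        if not version:
            return ()
        parts = []
        for piece in version.split('.'):
            digits = ''
            for char in piece:
                if not char.isdigit():
                    break
                digits += char
            if not digits:
                break
            parts.append(int(digits))
        return tuple(parts)

    def _override_config(self, key, value):
        """ Set ``pagure.APP.config[key]`` for this test only.

        ``pagure.APP`` is process-global, so the previous value (or the
        absence of the key) is restored via ``addCleanup`` to keep the
        change from leaking into other tests.
        """
        missing = object()
        previous = pagure.APP.config.get(key, missing)

        def _restore():
            if previous is missing:
                pagure.APP.config.pop(key, None)
            else:
                pagure.APP.config[key] = previous

        self.addCleanup(_restore)
        pagure.APP.config[key] = value

    def test_csrf_form_no_input(self):
        """ A POST without any CSRF token must be rejected. """
        with pagure.APP.test_request_context(method='POST'):
            form = pagure.forms.ConfirmationForm()
            self.assertFalse(form.validate_on_submit())

    def test_csrf_form_w_invalid_input(self):
        """ A POST carrying a token that is not a signed value must be rejected. """
        with pagure.APP.test_request_context(method='POST'):
            form = pagure.forms.ConfirmationForm()
            form.csrf_token.data = 'foobar'
            self.assertFalse(form.validate_on_submit())

    def test_csrf_form_w_input(self):
        """ A POST carrying the current token must be accepted. """
        with pagure.APP.test_request_context(method='POST'):
            form = pagure.forms.ConfirmationForm()
            form.csrf_token.data = form.csrf_token.current_token
            self.assertTrue(form.validate_on_submit())

    def test_csrf_form_w_expired_input(self):
        """ A token whose embedded expiry lies in the past must be rejected. """
        with pagure.APP.test_request_context(method='POST'):
            form = pagure.forms.ConfirmationForm()
            data = form.csrf_token.current_token
            version = self._flask_wtf_version()

            # Build an expiry that is already in the past, in the unit the
            # installed flask_wtf uses (epoch seconds vs. a formatted stamp).
            if version >= (0, 10, 0):
                expires = time.time() - 1
            else:
                expires = (
                    datetime.datetime.now() - datetime.timedelta(minutes=1)
                ).strftime('%Y%m%d%H%M%S')

            # flask_wtf >= 0.14 tokens are dot-separated itsdangerous values
            # whose middle field is the timestamp; older tokens are
            # ``<expires>##<hmac>``. Swap the expiry field in either format.
            if version >= (0, 14, 0):
                import itsdangerous
                timestamp = itsdangerous.base64_encode(
                    itsdangerous.int_to_bytes(int(expires)))
                part1, _, part2 = data.split('.', 2)
                form.csrf_token.data = '.'.join([part1, timestamp, part2])
            else:
                _, hmac_csrf = data.split('##', 1)
                form.csrf_token.data = '%s##%s' % (expires, hmac_csrf)

            self.assertFalse(form.validate_on_submit())

    def test_csrf_form_w_unexpiring_input(self):
        """ A token must be accepted when the CSRF time limit is disabled. """
        self._override_config('WTF_CSRF_TIME_LIMIT', None)
        with pagure.APP.test_request_context(method='POST'):
            form = pagure.forms.ConfirmationForm()
            data = form.csrf_token.current_token

            if self._flask_wtf_version() >= (0, 14, 0):
                # Newer tokens are submitted unchanged.
                form.csrf_token.data = data
            else:
                # Legacy tokens carry no expiry once the limit is disabled,
                # so only the ``##<hmac>`` part is kept.
                _, hmac_csrf = data.split('##', 1)
                form.csrf_token.data = '##%s' % hmac_csrf

            self.assertTrue(form.validate_on_submit())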
if __name__ == '__main__':
    # Run only this module's test case, with per-test verbose output.
    LOADER = unittest.TestLoader()
    SUITE = LOADER.loadTestsFromTestCase(PagureFlaskFormTests)
    unittest.TextTestRunner(verbosity=2).run(SUITE)