|
Pierre-Yves Chibon |
05aa81 |
# -*- coding: utf-8 -*-
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
"""
|
|
Pierre-Yves Chibon |
05aa81 |
(c) 2016 - Copyright Red Hat Inc
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
Authors:
|
|
Pierre-Yves Chibon |
05aa81 |
Pierre-Yves Chibon <pingou@pingoured.fr></pingou@pingoured.fr>
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
"""
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Aurélien Bompard |
626417 |
from __future__ import unicode_literals
|
|
Aurélien Bompard |
626417 |
|
|
Pierre-Yves Chibon |
05aa81 |
__requires__ = ['SQLAlchemy >= 0.8']
|
|
Pierre-Yves Chibon |
05aa81 |
import pkg_resources
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
import datetime
|
|
Pierre-Yves Chibon |
05aa81 |
import unittest
|
|
Pierre-Yves Chibon |
05aa81 |
import sys
|
|
Pierre-Yves Chibon |
05aa81 |
import time
|
|
Pierre-Yves Chibon |
05aa81 |
import os
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
import flask
|
|
Pierre-Yves Chibon |
05aa81 |
import flask_wtf
|
|
Pierre-Yves Chibon |
efbef7 |
from mock import patch, MagicMock
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
sys.path.insert(0, os.path.join(os.path.dirname(
|
|
Pierre-Yves Chibon |
05aa81 |
os.path.abspath(__file__)), '..'))
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
import pagure.forms
|
|
Pierre-Yves Chibon |
05aa81 |
import tests
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Clement Verna |
109c4b |
class PagureFlaskFormTests(tests.SimplePagureTest):
|
|
Pierre-Yves Chibon |
05aa81 |
""" Tests for forms of the flask application """
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
e6f2ec |
@patch.dict('pagure.config.config', {'SERVER_NAME': 'pagure.org'})
|
|
Pierre-Yves Chibon |
6b81e9 |
def setUp(self):
|
|
Pierre-Yves Chibon |
6b81e9 |
super(PagureFlaskFormTests, self).setUp()
|
|
Pierre-Yves Chibon |
6b81e9 |
|
|
Pierre-Yves Chibon |
05aa81 |
def test_csrf_form_no_input(self):
|
|
Pierre-Yves Chibon |
05aa81 |
""" Test the CSRF validation if not CSRF is specified. """
|
|
Pierre-Yves Chibon |
b130e5 |
with self.app.application.test_request_context(method='POST'):
|
|
Pierre-Yves Chibon |
efbef7 |
flask.g.session = MagicMock()
|
|
Pierre-Yves Chibon |
05aa81 |
form = pagure.forms.ConfirmationForm()
|
|
Pierre-Yves Chibon |
05aa81 |
self.assertFalse(form.validate_on_submit())
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
def test_csrf_form_w_invalid_input(self):
|
|
Pierre-Yves Chibon |
05aa81 |
""" Test the CSRF validation with an invalid CSRF specified. """
|
|
Pierre-Yves Chibon |
b130e5 |
with self.app.application.test_request_context(method='POST'):
|
|
Pierre-Yves Chibon |
efbef7 |
flask.g.session = MagicMock()
|
|
Pierre-Yves Chibon |
05aa81 |
form = pagure.forms.ConfirmationForm()
|
|
Pierre-Yves Chibon |
05aa81 |
form.csrf_token.data = 'foobar'
|
|
Pierre-Yves Chibon |
05aa81 |
self.assertFalse(form.validate_on_submit())
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
def test_csrf_form_w_input(self):
|
|
Pierre-Yves Chibon |
05aa81 |
""" Test the CSRF validation with a valid CSRF specified. """
|
|
Pierre-Yves Chibon |
b130e5 |
with self.app.application.test_request_context(method='POST'):
|
|
Pierre-Yves Chibon |
efbef7 |
flask.g.session = MagicMock()
|
|
Pierre-Yves Chibon |
05aa81 |
form = pagure.forms.ConfirmationForm()
|
|
Pierre-Yves Chibon |
05aa81 |
form.csrf_token.data = form.csrf_token.current_token
|
|
Pierre-Yves Chibon |
05aa81 |
self.assertTrue(form.validate_on_submit())
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
def test_csrf_form_w_expired_input(self):
|
|
Pierre-Yves Chibon |
05aa81 |
""" Test the CSRF validation with an expired CSRF specified. """
|
|
Pierre-Yves Chibon |
b130e5 |
with self.app.application.test_request_context(method='POST'):
|
|
Pierre-Yves Chibon |
efbef7 |
flask.g.session = MagicMock()
|
|
Pierre-Yves Chibon |
05aa81 |
form = pagure.forms.ConfirmationForm()
|
|
Pierre-Yves Chibon |
05aa81 |
data = form.csrf_token.current_token
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
# CSRF token expired
|
|
Pierre-Yves Chibon |
05aa81 |
if hasattr(flask_wtf, '__version__') and \
|
|
Aurélien Bompard |
626417 |
tuple(
|
|
Aurélien Bompard |
626417 |
[int(v) for v in flask_wtf.__version__.split('.')]
|
|
Aurélien Bompard |
626417 |
) < (0, 10, 0):
|
|
Pierre-Yves Chibon |
05aa81 |
expires = time.time() - 1
|
|
Pierre-Yves Chibon |
05aa81 |
else:
|
|
Pierre-Yves Chibon |
05aa81 |
expires = (
|
|
Pierre-Yves Chibon |
05aa81 |
datetime.datetime.now() - datetime.timedelta(minutes=1)
|
|
Pierre-Yves Chibon |
05aa81 |
).strftime('%Y%m%d%H%M%S')
|
|
Pierre-Yves Chibon |
6b03d3 |
|
|
Pierre-Yves Chibon |
6b03d3 |
# Change the CSRF format
|
|
Pierre-Yves Chibon |
6b03d3 |
if hasattr(flask_wtf, '__version__') and \
|
|
Pierre-Yves Chibon |
6b03d3 |
tuple([int(e) for e in flask_wtf.__version__.split('.')]
|
|
Pierre-Yves Chibon |
6b03d3 |
) >= (0,14,0):
|
|
Pierre-Yves Chibon |
6b03d3 |
import itsdangerous
|
|
Pierre-Yves Chibon |
6b03d3 |
timestamp = itsdangerous.base64_encode(
|
|
Pierre-Yves Chibon |
6b03d3 |
itsdangerous.int_to_bytes(int(expires)))
|
|
Aurélien Bompard |
626417 |
timestamp = timestamp.decode("ascii")
|
|
Pierre-Yves Chibon |
6b03d3 |
part1, _, part2 = data.split('.', 2)
|
|
Pierre-Yves Chibon |
6b03d3 |
form.csrf_token.data = '.'.join([part1, timestamp, part2])
|
|
Pierre-Yves Chibon |
6b03d3 |
else:
|
|
Pierre-Yves Chibon |
6b03d3 |
_, hmac_csrf = data.split('##', 1)
|
|
Pierre-Yves Chibon |
6b03d3 |
form.csrf_token.data = '%s##%s' % (expires, hmac_csrf)
|
|
Pierre-Yves Chibon |
6b03d3 |
|
|
Pierre-Yves Chibon |
05aa81 |
self.assertFalse(form.validate_on_submit())
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Pierre-Yves Chibon |
05aa81 |
def test_csrf_form_w_unexpiring_input(self):
|
|
Pierre-Yves Chibon |
05aa81 |
""" Test the CSRF validation with a CSRF not expiring. """
|
|
Pierre-Yves Chibon |
b130e5 |
pagure.config.config['WTF_CSRF_TIME_LIMIT'] = None
|
|
Pierre-Yves Chibon |
b130e5 |
with self.app.application.test_request_context(method='POST'):
|
|
Pierre-Yves Chibon |
efbef7 |
flask.g.session = MagicMock()
|
|
Pierre-Yves Chibon |
05aa81 |
form = pagure.forms.ConfirmationForm()
|
|
Pierre-Yves Chibon |
05aa81 |
data = form.csrf_token.current_token
|
|
Pierre-Yves Chibon |
6b03d3 |
|
|
Pierre-Yves Chibon |
6b03d3 |
if hasattr(flask_wtf, '__version__') and \
|
|
Pierre-Yves Chibon |
6b03d3 |
tuple([int(e) for e in flask_wtf.__version__.split('.')]
|
|
Pierre-Yves Chibon |
6b03d3 |
) >= (0,14,0):
|
|
Pierre-Yves Chibon |
6b03d3 |
form.csrf_token.data = data
|
|
Pierre-Yves Chibon |
6b03d3 |
else:
|
|
Pierre-Yves Chibon |
6b03d3 |
_, hmac_csrf = data.split('##', 1)
|
|
Pierre-Yves Chibon |
6b03d3 |
# CSRF can no longer expire, they have no expiration info
|
|
Pierre-Yves Chibon |
6b03d3 |
form.csrf_token.data = '##%s' % hmac_csrf
|
|
Pierre-Yves Chibon |
05aa81 |
self.assertTrue(form.validate_on_submit())
|
|
Pierre-Yves Chibon |
05aa81 |
|
|
Vivek Anand |
2b440e |
def test_add_user_form(self):
|
|
Vivek Anand |
2b440e |
""" Test the AddUserForm of pagure.forms """
|
|
Pierre-Yves Chibon |
b130e5 |
with self.app.application.test_request_context(method='POST'):
|
|
Pierre-Yves Chibon |
efbef7 |
flask.g.session = MagicMock()
|
|
Vivek Anand |
2b440e |
form = pagure.forms.AddUserForm()
|
|
Vivek Anand |
2b440e |
form.csrf_token.data = form.csrf_token.current_token
|
|
Vivek Anand |
2b440e |
# No user or access given
|
|
Vivek Anand |
2b440e |
self.assertFalse(form.validate_on_submit())
|
|
Vivek Anand |
2b440e |
# No access given
|
|
Vivek Anand |
2b440e |
form.user.data = 'foo'
|
|
Vivek Anand |
2b440e |
self.assertFalse(form.validate_on_submit())
|
|
Vivek Anand |
2b440e |
form.access.data = 'admin'
|
|
Vivek Anand |
2b440e |
self.assertTrue(form.validate_on_submit())
|
|
Vivek Anand |
2b440e |
|
|
Vivek Anand |
2b440e |
def test_add_user_to_group_form(self):
|
|
Vivek Anand |
2b440e |
""" Test the AddUserToGroup form of pagure.forms """
|
|
Pierre-Yves Chibon |
b130e5 |
with self.app.application.test_request_context(method='POST'):
|
|
Pierre-Yves Chibon |
efbef7 |
flask.g.session = MagicMock()
|
|
Vivek Anand |
2b440e |
form = pagure.forms.AddUserToGroupForm()
|
|
Vivek Anand |
2b440e |
form.csrf_token.data = form.csrf_token.current_token
|
|
Vivek Anand |
2b440e |
# No user given
|
|
Vivek Anand |
2b440e |
self.assertFalse(form.validate_on_submit())
|
|
Vivek Anand |
2b440e |
form.user.data = 'foo'
|
|
Vivek Anand |
2b440e |
# Everything given
|
|
Vivek Anand |
2b440e |
self.assertTrue(form.validate_on_submit())
|
|
Vivek Anand |
2b440e |
|
|
Vivek Anand |
3944f0 |
def test_add_group_form(self):
|
|
Vivek Anand |
3944f0 |
""" Test the AddGroupForm form of pagure.forms """
|
|
Pierre-Yves Chibon |
b130e5 |
with self.app.application.test_request_context(method='POST'):
|
|
Pierre-Yves Chibon |
efbef7 |
flask.g.session = MagicMock()
|
|
Vivek Anand |
3944f0 |
form = pagure.forms.AddGroupForm()
|
|
Vivek Anand |
3944f0 |
form.csrf_token.data = form.csrf_token.current_token
|
|
Vivek Anand |
3944f0 |
# No group given
|
|
Vivek Anand |
3944f0 |
self.assertFalse(form.validate_on_submit())
|
|
Vivek Anand |
3944f0 |
# No access given
|
|
Vivek Anand |
3944f0 |
form.group.data = 'gname'
|
|
Vivek Anand |
3944f0 |
self.assertFalse(form.validate_on_submit())
|
|
Vivek Anand |
3944f0 |
form.access.data = 'admin'
|
|
Vivek Anand |
3944f0 |
self.assertTrue(form.validate_on_submit())
|
|
Vivek Anand |
3944f0 |
|
|
Vivek Anand |
3944f0 |
|
|
Pierre-Yves Chibon |
05aa81 |
if __name__ == '__main__':
|
|
Pierre-Yves Chibon |
393f31 |
unittest.main(verbosity=2)
|
|
Pierre-Yves Chibon |
05aa81 |
|