Rename get_test_app to get_app.
[mediagoblin.git] / mediagoblin / tests / test_csrf_middleware.py
4f475d30 1# GNU MediaGoblin -- federated, autonomous media hosting
cf29e8a8 2# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
3#
4# This program is free software: you can redistribute it and/or modify
5# it under the terms of the GNU Affero General Public License as published by
6# the Free Software Foundation, either version 3 of the License, or
7# (at your option) any later version.
8#
9# This program is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12# GNU Affero General Public License for more details.
13#
14# You should have received a copy of the GNU Affero General Public License
15# along with this program. If not, see <http://www.gnu.org/licenses/>.
1be247b3 17from mediagoblin.tests.tools import get_app
18from mediagoblin import mg_globals
def test_csrf_cookie_set():
    """Check that a plain GET of the login page issues the CSRF cookie.

    The login page is used only because it is an always-present endpoint
    served through the CSRF middleware; any other page would do.  The
    response is also expected to carry ``Vary: Cookie``.
    """
    app = get_app(dump_old_app=False)
    expected_cookie = mg_globals.app_config['csrf_cookie_name']

    response = app.get('/auth/login/')

    # The middleware must have issued the nonce cookie on this response,
    # under the name configured in app_config.
    assert 'Set-Cookie' in response.headers
    assert expected_cookie in response.cookies_set

    # A Vary header is sent as well -- presumably so that caches keep
    # per-cookie responses apart; the test only pins the exact value.
    assert response.headers.get('Vary', False) == 'Cookie'
def test_csrf_token_must_match():
    """Exercise the CSRF check on POST: cookie and form token must agree.

    Four requests are sent with CSRF verification forced on via the
    ``gmg.verify_csrf`` environ flag: no cookie and no token, a cookie but
    no token, a cookie with a non-matching token (all expected to be
    rejected with 403), and finally a cookie with a matching token, which
    must be accepted with 200.
    """
    # We need a fresh app for this test on webtest < 1.3.6.
    # We do not understand why, but it fixes the tests.
    # If we require webtest >= 1.3.6, we can switch to a non fresh app here.
    app = get_app(dump_old_app=True)

    def post_login(form=None, with_cookie=False, expect_errors=True):
        # Build each request's keyword arguments afresh so that no dict is
        # shared between the individual posts.
        kwargs = {
            'extra_environ': {'gmg.verify_csrf': True},
            'expect_errors': expect_errors,
        }
        if with_cookie:
            # The cookie value "foo" is what the form token is compared
            # against below.  The str() wrap is kept from the original
            # code; presumably it keeps the header a native string on
            # Python 2 -- verify before dropping it.
            cookie_name = mg_globals.app_config['csrf_cookie_name']
            kwargs['headers'] = {'Cookie': str('%s=foo' % cookie_name)}
        if form is None:
            return app.post('/auth/login/', **kwargs)
        return app.post('/auth/login/', form, **kwargs)

    # construct a request with no cookie or form token
    assert post_login().status_int == 403

    # construct a request with a cookie, but no form token
    assert post_login(with_cookie=True).status_int == 403

    # if both the cookie and form token are provided, they must match
    assert post_login({'csrf_token': 'blarf'},
                      with_cookie=True).status_int == 403

    # matching cookie and form token: the request goes through
    assert post_login({'csrf_token': 'foo'},
                      with_cookie=True,
                      expect_errors=False).status_int == 200
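def test_csrf_exempt():
    """A view wrapped in ``csrf_exempt`` accepts a POST without any token.

    The login view is patched on the ``mediagoblin.auth.views`` module for
    the duration of the test and restored in a ``finally`` block, so that a
    failing assertion cannot leave the CSRF check disabled for the tests
    that run afterwards (the original restore step only ran on success).
    """
    test_app = get_app(dump_old_app=False)

    # monkey with the views to decorate a known endpoint
    import mediagoblin.auth.views
    from mediagoblin.meddleware.csrf import csrf_exempt

    original_login = mediagoblin.auth.views.login
    mediagoblin.auth.views.login = csrf_exempt(original_login)
    try:
        # construct a request with no cookie or form token; the exempt
        # view must let it through even with CSRF verification forced on
        assert test_app.post('/auth/login/',
                             extra_environ={'gmg.verify_csrf': True},
                             expect_errors=False).status_int == 200
    finally:
        # restore the CSRF protection in case other tests expect it.
        # Re-enabling the flag on whatever object csrf_exempt returned
        # keeps the original restore behaviour; putting the saved view
        # object back additionally covers the case where csrf_exempt
        # returned a new wrapper rather than mutating the view in place.
        mediagoblin.auth.views.login.csrf_enabled = True
        mediagoblin.auth.views.login = original_login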