mediagoblin/tests/test_csrf_middleware.py

   1 # GNU MediaGoblin -- federated, autonomous media hosting
   2 # Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
   3 #
   4 # This program is free software: you can redistribute it and/or modify
   5 # it under the terms of the GNU Affero General Public License as published by
   6 # the Free Software Foundation, either version 3 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU Affero General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU Affero General Public License
  15 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16
  17 from mediagoblin import mg_globals
  18
  19
  20 def test_csrf_cookie_set(test_app):
  21     cookie_name = mg_globals.app_config['csrf_cookie_name']
  22
  23     # get login page
  24     response = test_app.get('/auth/login/')
  25
  26     # assert that the mediagoblin nonce cookie has been set
  27     assert 'Set-Cookie' in response.headers
  28     assert cookie_name in test_app.cookies
  29
  30     # assert that we're also sending a vary header
  31     assert response.headers.get('Vary', False) == 'Cookie'
  32
  33
  34 # We need a fresh app for this test on webtest < 1.3.6.
  35 # We do not understand why, but it fixes the tests.
  36 # If we require webtest >= 1.3.6, we can switch to a non fresh app here.
  37 #
  38 # ... this comment might be irrelevant post-pytest-fixtures, but I'm not
  39 # removing it yet in case we move to module-level tests :)
  40 #   -- cwebber
  41 def test_csrf_token_must_match(test_app):
  42
  43     # construct a request with no cookie or form token
  44     assert test_app.post('/auth/login/',
  45                          extra_environ={'gmg.verify_csrf': True},
  46                          expect_errors=True).status_int == 403
  47
  48     # construct a request with a cookie, but no form token
  49     assert test_app.post('/auth/login/',
  50                          headers={'Cookie': str('%s=foo' %
  51                                   mg_globals.app_config['csrf_cookie_name'])},
  52                          extra_environ={'gmg.verify_csrf': True},
  53                          expect_errors=True).status_int == 403
  54
  55     # if both the cookie and form token are provided, they must match
  56     assert test_app.post('/auth/login/',
  57                          {'csrf_token': 'blarf'},
  58                          headers={'Cookie': str('%s=foo' %
  59                                   mg_globals.app_config['csrf_cookie_name'])},
  60                          extra_environ={'gmg.verify_csrf': True},
  61                          expect_errors=True).\
  62                          status_int == 403
  63
  64     assert test_app.post('/auth/login/',
  65                          {'csrf_token': 'foo'},
  66                          headers={'Cookie': str('%s=foo' %
  67                                   mg_globals.app_config['csrf_cookie_name'])},
  68                          extra_environ={'gmg.verify_csrf': True}).\
  69                          status_int == 200
  70
  71 def test_csrf_exempt(test_app):
  72     # monkey with the views to decorate a known endpoint
  73     import mediagoblin.auth.views
  74     from mediagoblin.meddleware.csrf import csrf_exempt
  75
  76     mediagoblin.auth.views.login = csrf_exempt(
  77         mediagoblin.auth.views.login
  78     )
  79
  80     # construct a request with no cookie or form token
  81     assert test_app.post('/auth/login/',
  82                          extra_environ={'gmg.verify_csrf': True},
  83                          expect_errors=False).status_int == 200
  84
  85     # restore the CSRF protection in case other tests expect it
  86     mediagoblin.auth.views.login.csrf_enabled = True