mediagoblin/tests/test_csrf_middleware.py

   1 # GNU MediaGoblin -- federated, autonomous media hosting
   2 # Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
   3 #
   4 # This program is free software: you can redistribute it and/or modify
   5 # it under the terms of the GNU Affero General Public License as published by
   6 # the Free Software Foundation, either version 3 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU Affero General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU Affero General Public License
  15 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16
  17 from mediagoblin.tests.tools import setup_fresh_app
  18 from mediagoblin import mg_globals
  19
  20
  21 @setup_fresh_app
  22 def test_csrf_cookie_set(test_app):
  23
  24     cookie_name = mg_globals.app_config['csrf_cookie_name']
  25
  26     # get login page
  27     response = test_app.get('/auth/login/')
  28
  29     # assert that the mediagoblin nonce cookie has been set
  30     assert 'Set-Cookie' in response.headers
  31     assert cookie_name in response.cookies_set
  32
  33     # assert that we're also sending a vary header
  34     assert response.headers.get('Vary', False) == 'Cookie'
  35
  36
  37 @setup_fresh_app
  38 def test_csrf_token_must_match(test_app):
  39
  40     # construct a request with no cookie or form token
  41     assert test_app.post('/auth/login/',
  42                          extra_environ={'gmg.verify_csrf': True},
  43                          expect_errors=True).status_int == 403
  44
  45     # construct a request with a cookie, but no form token
  46     assert test_app.post('/auth/login/',
  47                          headers={'Cookie': str('%s=foo; ' %
  48                                   mg_globals.app_config['csrf_cookie_name'])},
  49                          extra_environ={'gmg.verify_csrf': True},
  50                          expect_errors=True).status_int == 403
  51
  52     # if both the cookie and form token are provided, they must match
  53     assert test_app.post('/auth/login/',
  54                          {'csrf_token': 'blarf'},
  55                          headers={'Cookie': str('%s=foo; ' %
  56                                   mg_globals.app_config['csrf_cookie_name'])},
  57                          extra_environ={'gmg.verify_csrf': True},
  58                          expect_errors=True).\
  59                          status_int == 403
  60
  61     assert test_app.post('/auth/login/',
  62                          {'csrf_token': 'foo'},
  63                          headers={'Cookie': str('%s=foo; ' %
  64                                   mg_globals.app_config['csrf_cookie_name'])},
  65                          extra_environ={'gmg.verify_csrf': True}).\
  66                          status_int == 200
  67
  68 @setup_fresh_app
  69 def test_csrf_exempt(test_app):
  70
  71     # monkey with the views to decorate a known endpoint
  72     import mediagoblin.auth.views
  73     from mediagoblin.meddleware.csrf import csrf_exempt
  74
  75     mediagoblin.auth.views.login = csrf_exempt(
  76         mediagoblin.auth.views.login
  77     )
  78
  79     # construct a request with no cookie or form token
  80     assert test_app.post('/auth/login/',
  81                          extra_environ={'gmg.verify_csrf': True},
  82                          expect_errors=False).status_int == 200
  83
  84     # restore the CSRF protection in case other tests expect it
  85     mediagoblin.auth.views.login.csrf_enabled = True