1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 from mediagoblin
.tests
.tools
import get_app
18 from mediagoblin
import mg_globals
def test_csrf_cookie_set():
    """The login page must issue the CSRF cookie and send ``Vary: Cookie``.

    A plain GET to ``/auth/login/`` on ``get_app(dump_old_app=False)`` is
    used as the probe; the cookie name comes from ``app_config``.
    """
    app = get_app(dump_old_app=False)
    expected_cookie = mg_globals.app_config['csrf_cookie_name']

    login_page = app.get('/auth/login/')

    # A Set-Cookie header must be present and it must carry the configured
    # CSRF cookie. Only the cookie's presence is checked here; its
    # attributes (path, HttpOnly, Secure, ...) are not asserted.
    assert 'Set-Cookie' in login_page.headers
    assert expected_cookie in login_page.cookies_set

    # The response depends on the cookie, so it must carry ``Vary: Cookie``;
    # otherwise a cache keyed on the URL alone could hand one client's page
    # (and its token) to another.
    vary_header = login_page.headers.get('Vary', False)
    assert vary_header == 'Cookie'
36 def test_csrf_token_must_match():
37 # We need a fresh app for this test on webtest < 1.3.6.
38 # We do not understand why, but it fixes the tests.
39 # If we require webtest >= 1.3.6, we can switch to a non fresh app here.
40 test_app
= get_app(dump_old_app
=True)
42 # construct a request with no cookie or form token
43 assert test_app
.post('/auth/login/',
44 extra_environ
={'gmg.verify_csrf': True},
45 expect_errors
=True).status_int
== 403
47 # construct a request with a cookie, but no form token
48 assert test_app
.post('/auth/login/',
49 headers
={'Cookie': str('%s=foo' %
50 mg_globals
.app_config
['csrf_cookie_name'])},
51 extra_environ
={'gmg.verify_csrf': True},
52 expect_errors
=True).status_int
== 403
54 # if both the cookie and form token are provided, they must match
55 assert test_app
.post('/auth/login/',
56 {'csrf_token': 'blarf'},
57 headers
={'Cookie': str('%s=foo' %
58 mg_globals
.app_config
['csrf_cookie_name'])},
59 extra_environ
={'gmg.verify_csrf': True},
63 assert test_app
.post('/auth/login/',
64 {'csrf_token': 'foo'},
65 headers
={'Cookie': str('%s=foo' %
66 mg_globals
.app_config
['csrf_cookie_name'])},
67 extra_environ
={'gmg.verify_csrf': True}).\
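def test_csrf_exempt():
    """A view wrapped with ``csrf_exempt`` must accept a POST without any token.

    The test patches ``mediagoblin.auth.views.login`` in place, so the patch
    is undone in a ``finally`` block: if the assertion fails, the login
    endpoint must not stay CSRF-exempt for the remaining tests, which would
    mask a real CSRF regression elsewhere in the suite.
    """
    test_app = get_app(dump_old_app=False)
    # monkey with the views to decorate a known endpoint
    import mediagoblin.auth.views
    from mediagoblin.meddleware.csrf import csrf_exempt

    mediagoblin.auth.views.login = csrf_exempt(
        mediagoblin.auth.views.login)

    try:
        # construct a request with no cookie or form token; with the
        # exemption in place it must be served (200) even though
        # 'gmg.verify_csrf' is set in the environ -- presumably that key
        # forces verification on for this request, confirm against the
        # middleware
        assert test_app.post('/auth/login/',
                             extra_environ={'gmg.verify_csrf': True},
                             expect_errors=False).status_int == 200
    finally:
        # restore the CSRF protection in case other tests expect it
        mediagoblin.auth.views.login.csrf_enabled = True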