mediagoblin/tests/test_csrf_middleware.py

   1 # GNU MediaGoblin -- federated, autonomous media hosting
   2 # Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
   3 #
   4 # This program is free software: you can redistribute it and/or modify
   5 # it under the terms of the GNU Affero General Public License as published by
   6 # the Free Software Foundation, either version 3 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU Affero General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU Affero General Public License
  15 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16
  17 from mediagoblin.tests.tools import get_app
  18 from mediagoblin import mg_globals
  19
  20
  21 def test_csrf_cookie_set():
  22     test_app = get_app(dump_old_app=False)
  23     cookie_name = mg_globals.app_config['csrf_cookie_name']
  24
  25     # get login page
  26     response = test_app.get('/auth/login/')
  27
  28     # assert that the mediagoblin nonce cookie has been set
  29     assert 'Set-Cookie' in response.headers
  30     assert cookie_name in response.cookies_set
  31
  32     # assert that we're also sending a vary header
  33     assert response.headers.get('Vary', False) == 'Cookie'
  34
  35
  36 def test_csrf_token_must_match():
  37     # We need a fresh app for this test on webtest < 1.3.6.
  38     # We do not understand why, but it fixes the tests.
  39     # If we require webtest >= 1.3.6, we can switch to a non fresh app here.
  40     test_app = get_app(dump_old_app=True)
  41
  42     # construct a request with no cookie or form token
  43     assert test_app.post('/auth/login/',
  44                          extra_environ={'gmg.verify_csrf': True},
  45                          expect_errors=True).status_int == 403
  46
  47     # construct a request with a cookie, but no form token
  48     assert test_app.post('/auth/login/',
  49                          headers={'Cookie': str('%s=foo' %
  50                                   mg_globals.app_config['csrf_cookie_name'])},
  51                          extra_environ={'gmg.verify_csrf': True},
  52                          expect_errors=True).status_int == 403
  53
  54     # if both the cookie and form token are provided, they must match
  55     assert test_app.post('/auth/login/',
  56                          {'csrf_token': 'blarf'},
  57                          headers={'Cookie': str('%s=foo' %
  58                                   mg_globals.app_config['csrf_cookie_name'])},
  59                          extra_environ={'gmg.verify_csrf': True},
  60                          expect_errors=True).\
  61                          status_int == 403
  62
  63     assert test_app.post('/auth/login/',
  64                          {'csrf_token': 'foo'},
  65                          headers={'Cookie': str('%s=foo' %
  66                                   mg_globals.app_config['csrf_cookie_name'])},
  67                          extra_environ={'gmg.verify_csrf': True}).\
  68                          status_int == 200
  69
  70 def test_csrf_exempt():
  71     test_app = get_app(dump_old_app=False)
  72     # monkey with the views to decorate a known endpoint
  73     import mediagoblin.auth.views
  74     from mediagoblin.meddleware.csrf import csrf_exempt
  75
  76     mediagoblin.auth.views.login = csrf_exempt(
  77         mediagoblin.auth.views.login
  78     )
  79
  80     # construct a request with no cookie or form token
  81     assert test_app.post('/auth/login/',
  82                          extra_environ={'gmg.verify_csrf': True},
  83                          expect_errors=False).status_int == 200
  84
  85     # restore the CSRF protection in case other tests expect it
  86     mediagoblin.auth.views.login.csrf_enabled = True