mediagoblin/tests/test_csrf_middleware.py

   1 # GNU MediaGoblin -- federated, autonomous media hosting
   2 # Copyright (C) 2011 MediaGoblin contributors.  See AUTHORS.
   3 #
   4 # This program is free software: you can redistribute it and/or modify
   5 # it under the terms of the GNU Affero General Public License as published by
   6 # the Free Software Foundation, either version 3 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU Affero General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU Affero General Public License
  15 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16
  17 import urlparse
  18 import datetime
  19
  20 from nose.tools import assert_equal
  21
  22 from mediagoblin.tests.tools import setup_fresh_app
  23 from mediagoblin import mg_globals
  24
  25
  26 @setup_fresh_app
  27 def test_csrf_cookie_set(test_app):
  28
  29     cookie_name = mg_globals.app_config['csrf_cookie_name']
  30
  31     # get login page
  32     response = test_app.get('/auth/login/')
  33
  34     # assert that the mediagoblin nonce cookie has been set
  35     assert 'Set-Cookie' in response.headers
  36     assert cookie_name in response.cookies_set
  37
  38     # assert that we're also sending a vary header
  39     assert response.headers.get('Vary', False) == 'Cookie'
  40
  41
  42 @setup_fresh_app
  43 def test_csrf_token_must_match(test_app):
  44
  45     # construct a request with no cookie or form token
  46     assert test_app.post('/auth/login/',
  47                          extra_environ={'gmg.verify_csrf': True},
  48                          expect_errors=True).status_int == 403
  49
  50     # construct a request with a cookie, but no form token
  51     assert test_app.post('/auth/login/',
  52                          headers={'Cookie': str('%s=foo; ' %
  53                                   mg_globals.app_config['csrf_cookie_name'])},
  54                          extra_environ={'gmg.verify_csrf': True},
  55                          expect_errors=True).status_int == 403
  56
  57     # if both the cookie and form token are provided, they must match
  58     assert test_app.post('/auth/login/',
  59                          {'csrf_token': 'blarf'},
  60                          headers={'Cookie': str('%s=foo; ' %
  61                                   mg_globals.app_config['csrf_cookie_name'])},
  62                          extra_environ={'gmg.verify_csrf': True},
  63                          expect_errors=True).\
  64                          status_int == 403
  65
  66     assert test_app.post('/auth/login/',
  67                          {'csrf_token': 'foo'},
  68                          headers={'Cookie': str('%s=foo; ' %
  69                                   mg_globals.app_config['csrf_cookie_name'])},
  70                          extra_environ={'gmg.verify_csrf': True}).\
  71                          status_int == 200
  72
  73 @setup_fresh_app
  74 def test_csrf_exempt(test_app):
  75
  76     # monkey with the views to decorate a known endpoint
  77     import mediagoblin.auth.views
  78     from mediagoblin.meddleware.csrf import csrf_exempt
  79
  80     mediagoblin.auth.views.login = csrf_exempt(
  81         mediagoblin.auth.views.login
  82     )
  83
  84     # construct a request with no cookie or form token
  85     assert test_app.post('/auth/login/',
  86                          extra_environ={'gmg.verify_csrf': True},
  87                          expect_errors=False).status_int == 200
  88
  89     # restore the CSRF protection in case other tests expect it
  90     mediagoblin.auth.views.login.csrf_enabled = True