summaryrefslogtreecommitdiff
path: root/service/test/support
diff options
context:
space:
mode:
authorNavaL <ayoyo@thoughtworks.com>2016-02-24 16:33:20 +0100
committerNavaL <mnandri@thoughtworks.com>2016-02-25 09:17:53 +0100
commit9573bdca55ddc5488066d3af525e41ed1d872ea6 (patch)
tree228ca246c306bd44faa37c01e52c6d7aefec1531 /service/test/support
parentb79035b83e81e4fd654b587426083c6033e695ad (diff)
Backend and frontend protection against csrf attacks:
- root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login - it will also add that cookie on single user mode - initialize will still load all resources - but they you cant access them if the csrf token do not match - all ajax calls needs to add the token to the header - non ajax get requests do not need xsrf token validation - non ajax post will have to send the token in as a form input or in the content Issue #612
Diffstat (limited to 'service/test/support')
-rw-r--r--service/test/support/integration/app_test_client.py20
-rw-r--r--service/test/support/test_helper.py13
2 files changed, 22 insertions, 11 deletions
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index 8ab58397..a2360a4e 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -244,22 +244,22 @@ class AppTestClient(object):
time.sleep(1)
return lambda: process.terminate()
- def get(self, path, get_args='', as_json=True):
- request = request_mock(path)
+ def get(self, path, get_args='', as_json=True, ajax=True, csrf='token'):
+ request = request_mock(path, ajax=ajax, csrf=csrf)
request.args = get_args
return self._render(request, as_json)
- def post(self, path, body='', headers=None):
+ def post(self, path, body='', headers=None, ajax=True, csrf='token'):
headers = headers or {'Content-Type': 'application/json'}
- request = request_mock(path=path, method="POST", body=body, headers=headers)
+ request = request_mock(path=path, method="POST", body=body, headers=headers, ajax=ajax, csrf=csrf)
return self._render(request)
- def put(self, path, body):
- request = request_mock(path=path, method="PUT", body=body, headers={'Content-Type': ['application/json']})
+ def put(self, path, body, ajax=True, csrf='token'):
+ request = request_mock(path=path, method="PUT", body=body, headers={'Content-Type': ['application/json']}, ajax=ajax, csrf=csrf)
return self._render(request)
- def delete(self, path, body=""):
- request = request_mock(path=path, body=body, headers={'Content-Type': ['application/json']}, method="DELETE")
+ def delete(self, path, body="", ajax=True, csrf='token'):
+ request = request_mock(path=path, body=body, headers={'Content-Type': ['application/json']}, method="DELETE", ajax=ajax, csrf=csrf)
return self._render(request)
@defer.inlineCallbacks
@@ -322,13 +322,13 @@ class AppTestClient(object):
defer.returnValue(mails)
@defer.inlineCallbacks
- def get_attachment(self, ident, encoding, filename=None, content_type=None):
+ def get_attachment(self, ident, encoding, filename=None, content_type=None, ajax=True, csrf='token'):
params = {'encoding': [encoding]}
if filename:
params['filename'] = [filename]
if content_type:
params['content_type'] = [content_type]
- deferred_result, req = self.get("/attachment/%s" % ident, params, as_json=False)
+ deferred_result, req = self.get("/attachment/%s" % ident, params, as_json=False, ajax=ajax, csrf=csrf)
res = yield deferred_result
defer.returnValue((res, req))
diff --git a/service/test/support/test_helper.py b/service/test/support/test_helper.py
index 77c74407..640baf6f 100644
--- a/service/test/support/test_helper.py
+++ b/service/test/support/test_helper.py
@@ -88,6 +88,7 @@ class PixRequestMock(DummyRequest):
DummyRequest.__init__(self, path)
self.content = None
self.code = None
+ self.cookies = {}
def getWrittenData(self):
if len(self.written):
@@ -97,8 +98,14 @@ class PixRequestMock(DummyRequest):
self.setResponseCode(302)
self.setHeader(b"location", url)
+ def addCookie(self, key, value):
+ self.cookies[key] = value
-def request_mock(path='', method='GET', body='', headers={}):
+ def getCookie(self, key):
+ return self.cookies.get(key)
+
+
+def request_mock(path='', method='GET', body='', headers={}, ajax=True, csrf='token'):
dummy = PixRequestMock(path.split('/'))
for name, val in headers.iteritems():
dummy.headers[name.lower()] = val
@@ -108,5 +115,9 @@ def request_mock(path='', method='GET', body='', headers={}):
else:
for key, val in body.items():
dummy.addArg(key, val)
+ if ajax:
+ dummy.headers['x-requested-with'] = 'XMLHttpRequest'
+ dummy.headers['x-xsrf-token'] = csrf
+ dummy.addCookie('XSRF-TOKEN', csrf)
return dummy