diff options
author | NavaL <ayoyo@thoughtworks.com> | 2016-02-24 16:33:20 +0100 |
---|---|---|
committer | NavaL <mnandri@thoughtworks.com> | 2016-02-25 09:17:53 +0100 |
commit | 9573bdca55ddc5488066d3af525e41ed1d872ea6 (patch) | |
tree | 228ca246c306bd44faa37c01e52c6d7aefec1531 /service/test/unit/resources | |
parent | b79035b83e81e4fd654b587426083c6033e695ad (diff) |
Backend and frontend protection against csrf attacks:
- root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login
- it will also add that cookie on single user mode
- initialize will still load all resources
- but they you cant access them if the csrf token do not match
- all ajax calls needs to add the token to the header
- non ajax get requests do not need xsrf token validation
- non ajax post will have to send the token in as a form input or in the content
Issue #612
Diffstat (limited to 'service/test/unit/resources')
-rw-r--r-- | service/test/unit/resources/test_root_resource.py | 82 |
1 files changed, 81 insertions, 1 deletions
diff --git a/service/test/unit/resources/test_root_resource.py b/service/test/unit/resources/test_root_resource.py index 3b0846ee..53481f56 100644 --- a/service/test/unit/resources/test_root_resource.py +++ b/service/test/unit/resources/test_root_resource.py @@ -1,11 +1,13 @@ import unittest import re + +from mock import MagicMock, patch from mockito import mock, when, any as ANY from pixelated.application import UserAgentMode from test.unit.resources import DummySite from twisted.web.test.requesthelper import DummyRequest -from pixelated.resources.root_resource import RootResource +from pixelated.resources.root_resource import RootResource, MODE_STARTUP, MODE_RUNNING class TestRootResource(unittest.TestCase): @@ -25,9 +27,11 @@ class TestRootResource(unittest.TestCase): root_resource._html_template = "<html><head><title>$account_email</title></head></html>" root_resource._mode = root_resource self.web = DummySite(root_resource) + self.root_resource = root_resource def test_render_GET_should_template_account_email(self): request = DummyRequest(['']) + request.addCookie = lambda key, value: 'stubbed' d = self.web.get(request) @@ -38,3 +42,79 @@ class TestRootResource(unittest.TestCase): d.addCallback(assert_response) return d + + def _test_should_renew_xsrf_cookie(self): + request = DummyRequest(['']) + request.addCookie = MagicMock() + generated_csrf_token = 'csrf_token' + mock_sha = MagicMock() + mock_sha.hexdigest = MagicMock(return_value=generated_csrf_token) + + with patch('hashlib.sha256', return_value=mock_sha): + d = self.web.get(request) + + def assert_csrf_cookie(_): + request.addCookie.assert_called_once_with('XSRF-TOKEN', generated_csrf_token) + + d.addCallback(assert_csrf_cookie) + return d + + def test_should_renew_xsrf_cookie_on_startup_mode(self): + self.root_resource._mode = MODE_STARTUP + self._test_should_renew_xsrf_cookie() + + def test_should_renew_xsrf_cookie_on_running_mode(self): + self.root_resource._mode = MODE_RUNNING + self._test_should_renew_xsrf_cookie() + + def _mock_ajax_csrf(self, request, csrf_token): + request.headers['x-requested-with'] = 'XMLHttpRequest' + request.headers['x-xsrf-token'] = csrf_token + + def test_should_unauthorize_child_resource_ajax_requests_when_csrf_mismatch(self): + request = DummyRequest(['/child']) + self._mock_ajax_csrf(request, 'stubbed csrf token') + + request.getCookie = MagicMock(return_value='mismatched csrf token') + + d = self.web.get(request) + + def assert_unauthorized(_): + self.assertEqual(401, request.responseCode) + self.assertEqual("Unauthorized!", request.written[0]) + + d.addCallback(assert_unauthorized) + return d + + def test_should_authorize_child_resource_non_ajax_GET_requests(self): + request = DummyRequest(['features']) + + request.getCookie = MagicMock(return_value='irrelevant -- stubbed') + self.root_resource.initialize() + + d = self.web.get(request) + + def assert_unauthorized(_): + self.assertEqual(200, request.code) + + d.addCallback(assert_unauthorized) + return d + + def test_should_unauthorize_child_resource_non_ajax_POST_requests_when_csrf_input_mismatch(self): + request = DummyRequest(['mails']) + request.method = 'POST' + request.addArg('csrftoken', 'some csrf token') + mock_content = MagicMock() + mock_content.read = MagicMock(return_value={}) + request.content = mock_content + + request.getCookie = MagicMock(return_value='mismatched csrf token') + + d = self.web.get(request) + + def assert_unauthorized(_): + self.assertEqual(401, request.responseCode) + self.assertEqual("Unauthorized!", request.written[0]) + + d.addCallback(assert_unauthorized) + return d |