From 770b439c8495c3a0b16550c2f04740f31646d66b Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Thu, 1 Dec 2016 10:36:29 +0100
Subject: WIP: add csrf token to every request
---
 service/test/support/integration/app_test_client.py | 4 ++--
 service/test/support/integration/multi_user_client.py | 8 ++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index d52c85c0..ee5a1df2 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -387,8 +387,8 @@ class AppTestClient(object):
 return res
 # TODO: remove
- def delete_mail(self, mail_ident):
- res, req = self.delete("/mail/%s" % mail_ident)
+ def delete_mail(self, mail_ident, csrf='token'):
+ res, req = self.delete("/mail/%s" % mail_ident, csrf=csrf)
 return res
 def delete_mails(self, idents):
diff --git a/service/test/support/integration/multi_user_client.py b/service/test/support/integration/multi_user_client.py
index 82acb210..fe8595fb 100644
--- a/service/test/support/integration/multi_user_client.py
+++ b/service/test/support/integration/multi_user_client.py
@@ -24,6 +24,7 @@ from pixelated.config.services import ServicesFactory
 from pixelated.config.sessions import LeapSessionFactory
 import pixelated.config.services
+from pixelated.resources import IPixelatedSession
 from pixelated.resources.root_resource import RootResource
 from test.support.integration import AppTestClient
 from test.support.integration.app_test_client import AppTestAccount, StubSRPChecker
@@ -57,7 +58,7 @@ class MultiUserClient(AppTestClient):
 else:
 when(Authenticator)._bonafide_auth(username, password).thenRaise(SRPAuthError)
- def login(self, username='username', password='password'):
+ def login(self, username='username', password='password', from_request=None):
 session = Authentication(username, 'some_user_token', 'some_user_uuid', 'session_id', {'is_admin': False})
 leap_session = self._test_account.leap_session
 leap_session.user_auth = session
@@ -76,7 +77,10 @@ class MultiUserClient(AppTestClient):
 when(leap_session).initial_sync().thenAnswer(lambda: defer.succeed(None))
 when(pixelated.config.services).Services(ANY()).thenReturn(self.services)
- request = request_mock(path='/login', method="POST", body={'username': username, 'password': password})
+ session = from_request.getSession()
+ csrftoken = IPixelatedSession(session).get_csrf_token()
+ request = request_mock(path='/login', method="POST", body={'username': username, 'password': password, 'csrftoken': csrftoken}, ajax=False)
+ request.session = session
 return self._render(request, as_json=False)
 def get(self, path, get_args='', as_json=True, from_request=None):
-- cgit v1.2.3
From f0880aff32bbb30c6a8a0d4e078e563d24b97909 Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Thu, 1 Dec 2016 15:56:57 +0100
Subject: fix csrf for some integration tests
---
 service/test/support/integration/app_test_client.py | 19 +++++++++++++------
 .../test/support/integration/multi_user_client.py | 21 +++++++++------------
 2 files changed, 22 insertions(+), 18 deletions(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index ee5a1df2..9ab74261 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
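Review bot: `login()` gains `from_request=None` but the new body calls `from_request.getSession()` unconditionally, so a caller that relies on the default fails with an `AttributeError` on `None` instead of a message saying the request is required. The follow-up commit f0880aff on this page renames the parameter to `session=None` and calls `IPixelatedSession(session).get_csrf_token()` with the same unguarded shape, so the point carries over to that hunk. Fail early where the session is read: `if from_request is None: raise TypeError('login() needs from_request: the CSRF token is read from its session')`. The start of `login()`'s body lies between the two hunks, outside this one.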
@@ -49,6 +49,7 @@ from pixelated.adapter.search import SearchEngine
 from pixelated.adapter.services.draft_service import DraftService
 from pixelated.adapter.services.mail_service import MailService
 from pixelated.resources.root_resource import RootResource
+from pixelated.resources.session import IPixelatedSession
 from test.support.integration.model import MailBuilder
 from test.support.test_helper import request_mock
 from test.support.integration.model import ResponseMail
@@ -278,17 +279,21 @@ class AppTestClient(object):
 request.args = get_args
 return self._render(request, as_json)
- def post(self, path, body='', headers=None, ajax=True, csrf='token'):
+ def post(self, path, body='', headers=None, ajax=True, csrf='token', session=None):
 headers = headers or {'Content-Type': 'application/json'}
 request = request_mock(path=path, method="POST", body=body, headers=headers, ajax=ajax, csrf=csrf)
+ if session:
+ request.session = session
 return self._render(request)
 def put(self, path, body, ajax=True, csrf='token'):
 request = request_mock(path=path, method="PUT", body=body, headers={'Content-Type': ['application/json']}, ajax=ajax, csrf=csrf)
 return self._render(request)
- def delete(self, path, body="", ajax=True, csrf='token'):
+ def delete(self, path, body="", ajax=True, csrf='token', session=None):
 request = request_mock(path=path, body=body, headers={'Content-Type': ['application/json']}, method="DELETE", ajax=ajax, csrf=csrf)
+ if session:
+ request.session = session
 return self._render(request)
 @defer.inlineCallbacks
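Review bot: `post()` and `delete()` attach the session with `if session:`, which tests the object's truthiness rather than its presence; unless the session type is known to always be truthy, `if session is not None:` matches the explicit `None` default and cannot silently skip a session that happens to evaluate falsy. The same shape is used again in `put()` in commit 20b1922 and in `get()`/`post()` of multi_user_client.py in this commit. Separately, this hunk imports `IPixelatedSession` from `pixelated.resources.session` while commit 770b439 imported it from `pixelated.resources` in multi_user_client.py; if both paths resolve to the same interface this is only an inconsistency worth unifying, otherwise one of the two is wrong.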
@@ -387,12 +392,14 @@ class AppTestClient(object):
 return res
 # TODO: remove
- def delete_mail(self, mail_ident, csrf='token'):
- res, req = self.delete("/mail/%s" % mail_ident, csrf=csrf)
+ def delete_mail(self, mail_ident, session):
+ csrf = IPixelatedSession(session).get_csrf_token()
+ res, req = self.delete("/mail/%s" % mail_ident, csrf=csrf, session=session)
 return res
- def delete_mails(self, idents):
- res, req = self.post("/mails/delete", json.dumps({'idents': idents}))
+ def delete_mails(self, idents, session):
+ csrf = IPixelatedSession(session).get_csrf_token()
+ res, req = self.post("/mails/delete", json.dumps({'idents': idents}), csrf=csrf, session=session)
 return res
 def mark_many_as_unread(self, idents):
diff --git a/service/test/support/integration/multi_user_client.py b/service/test/support/integration/multi_user_client.py
index fe8595fb..4b9b2864 100644
--- a/service/test/support/integration/multi_user_client.py
+++ b/service/test/support/integration/multi_user_client.py
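Review bot: the pair `csrf = IPixelatedSession(session).get_csrf_token()` followed by passing `csrf=csrf, session=session` is written out here for `delete_mail` and `delete_mails` and repeated in the later hunks for `put_mail`, `mark_many_as_unread`, `mark_many_as_read`, `post_attachment` and `post_tags`; one private helper would keep the token derivation in a single place so the token and the session it is read from cannot drift apart between helpers. Something like `def _csrf_for(self, session): return IPixelatedSession(session).get_csrf_token()` on AppTestClient, then `res, req = self.delete("/mail/%s" % mail_ident, csrf=self._csrf_for(session), session=session)`. Note also that `session` became a required positional argument after `mail_ident`/`idents`, so any caller still using the old one-argument form now fails with a `TypeError` at call time rather than with a CSRF rejection from the resource.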
@@ -58,44 +58,41 @@ class MultiUserClient(AppTestClient):
 else:
 when(Authenticator)._bonafide_auth(username, password).thenRaise(SRPAuthError)
- def login(self, username='username', password='password', from_request=None):
- session = Authentication(username, 'some_user_token', 'some_user_uuid', 'session_id', {'is_admin': False})
+ def login(self, username='username', password='password', session=None):
+ auth_session = Authentication(username, 'some_user_token', 'some_user_uuid', 'session_id', {'is_admin': False})
 leap_session = self._test_account.leap_session
- leap_session.user_auth = session
+ leap_session.user_auth = auth_session
 config = mock()
 config.leap_home = 'some_folder'
 leap_session.config = config
 leap_session.fresh_account = False
 self.leap_session = leap_session
 self.services = self._test_account.services
- self.user_auth = session
+ self.user_auth = auth_session
 self._mock_bonafide_auth(username, password)
- when(LeapSessionFactory).create(username, password, session).thenReturn(leap_session)
+ when(LeapSessionFactory).create(username, password, auth_session).thenReturn(leap_session)
 with patch('mockito.invocation.AnswerSelector', AnswerSelector):
 when(leap_session).initial_sync().thenAnswer(lambda: defer.succeed(None))
 when(pixelated.config.services).Services(ANY()).thenReturn(self.services)
- session = from_request.getSession()
 csrftoken = IPixelatedSession(session).get_csrf_token()
 request = request_mock(path='/login', method="POST", body={'username': username, 'password': password, 'csrftoken': csrftoken}, ajax=False)
 request.session = session
 return self._render(request, as_json=False)
- def get(self, path, get_args='', as_json=True, from_request=None):
+ def get(self, path, get_args='', as_json=True, session=None):
 request = request_mock(path)
 request.args = get_args
- if from_request:
- session = from_request.getSession()
+ if session:
 request.session = session
 return self._render(request, as_json)
- def post(self, path, body='', 
headers=None, ajax=True, csrf='token', as_json=True, from_request=None):
+ def post(self, path, body='', headers=None, ajax=True, csrf='token', as_json=True, session=None):
 headers = headers or {'Content-Type': 'application/json'}
 request = request_mock(path=path, method="POST", body=body, headers=headers, ajax=ajax, csrf=csrf)
- if from_request:
- session = from_request.getSession()
+ if session:
 request.session = session
 return self._render(request, as_json)
-- cgit v1.2.3
From 20b1922794d3179b32dd930706ec5693a3562464 Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Thu, 1 Dec 2016 18:08:12 +0100
Subject: fix csrf in drafts tests
---
 service/test/support/integration/app_test_client.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index 9ab74261..f04f67fd 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -286,8 +286,10 @@ class AppTestClient(object):
 request.session = session
 return self._render(request)
- def put(self, path, body, ajax=True, csrf='token'):
+ def put(self, path, body, ajax=True, csrf='token', session=None):
 request = request_mock(path=path, method="PUT", body=body, headers={'Content-Type': ['application/json']}, ajax=ajax, csrf=csrf)
+ if session:
+ request.session = session
 return self._render(request)
 def delete(self, path, body="", ajax=True, csrf='token', session=None):
@@ -375,8 +377,9 @@ class AppTestClient(object):
 res = yield deferred_result
 defer.returnValue((res, req))
- def put_mail(self, data):
- res, req = self.put('/mails', data)
+ def put_mail(self, data, session):
+ csrf = IPixelatedSession(session).get_csrf_token()
+ res, req = self.put('/mails', data, csrf=csrf, session=session)
 return res, req
 def post_tags(self, mail_ident, tags_json):
-- cgit v1.2.3
From 05551265c641ac51d897a49e35f390fde7bc4d8c Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Thu, 1 Dec 2016 18:20:38 +0100
Subject: fix csrf in mark as read/unread tests
---
 service/test/support/integration/app_test_client.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index f04f67fd..e5d42505 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -405,12 +405,14 @@ class AppTestClient(object):
 res, req = self.post("/mails/delete", json.dumps({'idents': idents}), csrf=csrf, session=session)
 return res
- def mark_many_as_unread(self, idents):
- res, req = self.post('/mails/unread', json.dumps({'idents': idents}))
+ def mark_many_as_unread(self, idents, session):
+ csrf = IPixelatedSession(session).get_csrf_token()
+ res, req = self.post('/mails/unread', json.dumps({'idents': idents}), csrf=csrf, session=session)
 return res
- def mark_many_as_read(self, idents):
- res, req = self.post('/mails/read', json.dumps({'idents': idents}))
+ def mark_many_as_read(self, idents, session):
+ csrf = IPixelatedSession(session).get_csrf_token()
+ res, req = self.post('/mails/read', json.dumps({'idents': idents}), csrf=csrf, session=session)
 return res
 def get_contacts(self, query):
-- cgit v1.2.3
From 082d6a133a892226e6436aab26dd61f759cad30e Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Thu, 1 Dec 2016 18:25:11 +0100
Subject: fix csrf in retrieve attachment test
---
 service/test/support/integration/app_test_client.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index e5d42505..0bc2eacb 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -372,8 +372,9 @@ class AppTestClient(object):
 defer.returnValue((res, req))
 @defer.inlineCallbacks
- def post_attachment(self, data, headers):
- deferred_result, req = self.post('/attachment', body=data, headers=headers)
+ def post_attachment(self, data, headers, session):
+ csrf = IPixelatedSession(session).get_csrf_token()
+ deferred_result, req = self.post('/attachment', body=data, headers=headers, csrf=csrf, session=session)
 res = yield deferred_result
 defer.returnValue((res, req))
-- cgit v1.2.3
From 688a8b42e8ab7c6d4529b6dda66f40eead07ad02 Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Thu, 1 Dec 2016 18:30:25 +0100
Subject: fix csrf in tags tests
---
 service/test/support/integration/app_test_client.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index 0bc2eacb..4e3758c5 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -383,8 +383,9 @@ class AppTestClient(object):
 res, req = self.put('/mails', data, csrf=csrf, session=session)
 return res, req
- def post_tags(self, mail_ident, tags_json):
- res, req = self.post("/mail/%s/tags" % mail_ident, tags_json)
+ def post_tags(self, mail_ident, tags_json, session):
+ csrf = IPixelatedSession(session).get_csrf_token()
+ res, req = self.post("/mail/%s/tags" % mail_ident, tags_json, csrf=csrf, session=session)
 return res
 def get_tags(self, **kwargs):
-- cgit v1.2.3
From b14833fbb56bcd5bff0750c16fd9214009b955be Mon Sep 17 00:00:00 2001
From: Zara Gebru
Date: Fri, 2 Dec 2016 15:25:23 +0100
Subject: [refactor] move app dir into public dir
---
 service/test/support/integration/app_test_client.py | 5 +++--
 service/test/support/integration/multi_user_client.py | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index 4e3758c5..c611fbd0 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -38,7 +38,7 @@ from leap.soledad.client import Soledad
 from leap.bitmask.mail.adaptors.soledad import SoledadMailAdaptor
 from pixelated.adapter.mailstore.leap_attachment_store import LeapAttachmentStore
 from pixelated.adapter.services.feedback_service import FeedbackService
-from pixelated.application import UserAgentMode, set_up_protected_resources
+from pixelated.application import UserAgentMode, set_up_protected_resources, get_static_folder, get_templates_folder
 from pixelated.config.sessions import LeapSession
 from pixelated.config.services import Services, ServicesFactory, SingleUserServicesFactory
 from pixelated.config.site import PixelatedSite
@@ -218,10 +218,11 @@ class AppTestClient(object):
 services = self._test_account.services
 self.service_factory.add_session('someuserid', services)
- self.resource = RootResource(self.service_factory)
+ self.resource = RootResource(self.service_factory, get_templates_folder(), get_static_folder())
 provider = mock()
 self.resource.initialize(provider)
 else:
+ # TODO: write test for me (=
 self.service_factory = StubServicesFactory(self.accounts, mode)
 provider = mock()
 bonafide_checker = StubAuthenticator(provider)
diff --git a/service/test/support/integration/multi_user_client.py b/service/test/support/integration/multi_user_client.py
index 4b9b2864..d7ab77a0 100644
--- a/service/test/support/integration/multi_user_client.py
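Review bot: the single-user branch updates `RootResource(...)` to the new three-argument form, but the `else` branch a few lines below this hunk still builds `RootResource(self.service_factory)` with the old signature (it is visible as the removed line in commit 784eab3 further down this page), so the multi-user setup in AppTestClient presumably fails between this commit and that fix; keeping both call sites in one commit avoids the broken intermediate state. The added `# TODO: write test for me (=` comment names neither a test nor a behaviour; if it stays, say what is untested, e.g. `# TODO: no integration test covers the multi-user branch of this setup`. The `if`/`else` this hunk edits begins outside the hunk.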
+++ b/service/test/support/integration/multi_user_client.py
@@ -19,7 +19,7 @@ from mockito import mock, when, any as ANY
 from pixelated.authentication import Authenticator, Authentication
 from twisted.internet import defer
-from pixelated.application import UserAgentMode, set_up_protected_resources
+from pixelated.application import UserAgentMode, set_up_protected_resources, get_static_folder, get_templates_folder
 from pixelated.config.services import ServicesFactory
 from pixelated.config.sessions import LeapSessionFactory
@@ -46,7 +46,7 @@ class MultiUserClient(AppTestClient):
 self.service_factory = ServicesFactory(UserAgentMode(is_single_user=False))
- root_resource = RootResource(self.service_factory)
+ root_resource = RootResource(self.service_factory, get_templates_folder(), get_static_folder())
 leap_provider = mock()
 self.credentials_checker = StubSRPChecker(leap_provider)
 self.resource = set_up_protected_resources(root_resource, leap_provider, self.service_factory)
-- cgit v1.2.3
From ae871e84f6de213f01299f2754fb2e68d4a3afe2 Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Mon, 5 Dec 2016 10:56:24 +0100
Subject: remove templates folder from root resource parameters
---
 service/test/support/integration/app_test_client.py | 4 ++--
 service/test/support/integration/multi_user_client.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index c611fbd0..1421b96b 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -38,7 +38,7 @@ from leap.soledad.client import Soledad
 from leap.bitmask.mail.adaptors.soledad import SoledadMailAdaptor
 from pixelated.adapter.mailstore.leap_attachment_store import LeapAttachmentStore
 from pixelated.adapter.services.feedback_service import FeedbackService
-from pixelated.application import UserAgentMode, set_up_protected_resources, get_static_folder, get_templates_folder
+from pixelated.application import UserAgentMode, set_up_protected_resources, get_static_folder
 from pixelated.config.sessions import LeapSession
 from pixelated.config.services import Services, ServicesFactory, SingleUserServicesFactory
 from pixelated.config.site import PixelatedSite
@@ -218,7 +218,7 @@ class AppTestClient(object):
 services = self._test_account.services
 self.service_factory.add_session('someuserid', services)
- self.resource = RootResource(self.service_factory, get_templates_folder(), get_static_folder())
+ self.resource = RootResource(self.service_factory, get_static_folder())
 provider = mock()
 self.resource.initialize(provider)
 else:
diff --git a/service/test/support/integration/multi_user_client.py b/service/test/support/integration/multi_user_client.py
index d7ab77a0..de272e16 100644
--- a/service/test/support/integration/multi_user_client.py
+++ b/service/test/support/integration/multi_user_client.py
@@ -19,7 +19,7 @@ from mockito import mock, when, any as ANY
 from pixelated.authentication import Authenticator, Authentication
 from twisted.internet import defer
-from pixelated.application import UserAgentMode, set_up_protected_resources, get_static_folder, get_templates_folder
+from pixelated.application import UserAgentMode, set_up_protected_resources, get_static_folder
 from pixelated.config.services import ServicesFactory
 from pixelated.config.sessions import LeapSessionFactory
@@ -46,7 +46,7 @@ class MultiUserClient(AppTestClient):
 self.service_factory = ServicesFactory(UserAgentMode(is_single_user=False))
- root_resource = RootResource(self.service_factory, get_templates_folder(), get_static_folder())
+ root_resource = RootResource(self.service_factory, get_static_folder())
 leap_provider = mock()
 self.credentials_checker = StubSRPChecker(leap_provider)
 self.resource = set_up_protected_resources(root_resource, leap_provider, self.service_factory)
-- cgit v1.2.3
From 784eab38fb5794ef1bac41ae3aeb58520ff48590 Mon Sep 17 00:00:00 2001
From: Zara Gebru
Date: Tue, 6 Dec 2016 11:17:11 +0100
Subject: fix parameter for root resource
---
 service/test/support/integration/app_test_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index 1421b96b..892b73af 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -228,7 +228,7 @@ class AppTestClient(object):
 bonafide_checker = StubAuthenticator(provider)
 bonafide_checker.add_user('username', 'password')
- self.resource = set_up_protected_resources(RootResource(self.service_factory), provider, self.service_factory, authenticator=bonafide_checker)
+ self.resource = set_up_protected_resources(RootResource(self.service_factory, get_static_folder()), provider, self.service_factory, authenticator=bonafide_checker)
 @defer.inlineCallbacks
 def create_user(self, account_name):
-- cgit v1.2.3
From 206423b83b910308bd9c314af03cf82e9a821974 Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Tue, 6 Dec 2016 11:55:52 +0100
Subject: remove some TODO's
---
 service/test/support/integration/app_test_client.py | 14 --------------
 1 file changed, 14 deletions(-)
(limited to 'service/test/support')
diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py
index 892b73af..fa695708 100644
--- a/service/test/support/integration/app_test_client.py
+++ b/service/test/support/integration/app_test_client.py
@@ -222,7 +222,6 @@ class AppTestClient(object):
 provider = mock()
 self.resource.initialize(provider)
 else:
- # TODO: write test for me (=
 self.service_factory = StubServicesFactory(self.accounts, mode)
 provider = mock()
 bonafide_checker = StubAuthenticator(provider)
@@ -307,7 +306,6 @@ class AppTestClient(object):
 def account_for(self, username):
 return self.accounts[username]
- # TODO: remove
 def add_mail_to_user_inbox(self, input_mail, username):
 return self.account_for(username).mail_store.add_mail('INBOX', input_mail.raw)
@@ -336,10 +334,6 @@ class AppTestClient(object):
 mail_sender.sendmail.side_effect = lambda mail: succeed(mail)
 return mail_sender
- # TODO: remove
- def _generate_soledad_test_folder_name(self, soledad_test_folder='/tmp/soledad-test/test'):
- return os.path.join(soledad_test_folder, str(uuid.uuid4()))
-
 def get_mails_by_tag(self, tag, page=1, window=100):
 tags = 'tag:%s' % tag
 return self.search(tags, page, window)
@@ -354,13 +348,6 @@ class AppTestClient(object):
 res = yield res
 defer.returnValue([ResponseMail(m) for m in res['mails']])
- # TODO: remove
- @defer.inlineCallbacks
- def get_mails_by_mailbox_name(self, mbox_name):
- mail_ids = yield self.mail_store.get_mailbox_mail_ids(mbox_name)
- mails = yield self.mail_store.get_mails(mail_ids)
- defer.returnValue(mails)
-
 def get_attachment(self, ident, encoding, filename=None, content_type=None, ajax=True, csrf='token'):
 params = {'encoding': [encoding]}
@@ -397,7 +384,6 @@ class AppTestClient(object):
 res, req = self.get('/mail/%s' % mail_ident)
 return res
- # TODO: remove
 def delete_mail(self, mail_ident, session):
 csrf = IPixelatedSession(session).get_csrf_token()
 res, req = self.delete("/mail/%s" % mail_ident, csrf=csrf, session=session)
-- cgit v1.2.3